Les Mikesell wrote:
> I think I missed how you keep this from being an open relay if
> someone finds the ssl port. Can you at least cover that part?
> Do you require a matching client cert for stunnel? I don't
> see how you can require smtp auth for connections coming from
> the local host without breaking other stuff.
It's not connecting via localhost, it is connecting via the public IP
address.
ASCII art time:
port 465 SSL ==> stunnel ==> port 25 SMTP on public IP address
The key is that this qpsmtpd instance is set to require AUTH for any
address not in the relayclients. What I did in the end was add the
public IP address to the norelayclients file (since I already have our
public class-C in the relayclients).
Localhost port 25 is a straight qmail-smtpd instance, so local apps
don't have to worry about AUTH.
And you don't need a client cert (at least not the way that I set it
up). It will require anyone connecting via SMTPS to trust the cert the
first time...
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748
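The relay decision John describes, modelled as an added example that is not part of the thread and not qpsmtpd's or stunnel's own code. It assumes the prefix-matching semantics of qpsmtpd's check_relay plugin (relayclients entries are full IPs or dotted prefixes, norelayclients entries are matched the same way and win) and uses constructed documentation-range addresses: 203.0.113. for the trusted class-C and 203.0.113.10 for the mail host's public IP.

```python
"""Model of the relay decision described in the thread (added example).

Assumed semantics, after qpsmtpd's check_relay plugin as I understand it:
relayclients holds full IPs or dotted prefixes such as '203.0.113.' and is
matched by progressively trimming octets off the client address;
norelayclients is matched the same way and overrides relayclients.
All addresses below are constructed documentation-range values.
"""

# Constructed: the public class-C is trusted to relay without AUTH...
RELAYCLIENTS = {"203.0.113."}
# ...except the mail host's own public IP, which is the source address of
# every SMTPS session that stunnel hands to port 25.  Those must AUTH.
NORELAYCLIENTS = {"203.0.113.10"}


def _candidates(ip):
    """'203.0.113.10' -> ['203.0.113.10', '203.0.113.', '203.0.', '203.']"""
    octets = ip.split(".")
    return [ip] + [".".join(octets[:n]) + "." for n in range(3, 0, -1)]


def _listed(ip, entries):
    """True if the full IP or any dotted prefix of it is in entries."""
    return any(c in entries for c in _candidates(ip))


def relay_allowed(ip, relayclients=RELAYCLIENTS, norelayclients=NORELAYCLIENTS):
    """True if the connecting address may relay without SMTP AUTH."""
    if _listed(ip, norelayclients):
        return False
    return _listed(ip, relayclients)


def policy_for(ip, via_stunnel=False, public_ip="203.0.113.10"):
    """Policy qpsmtpd applies to a session from ip.

    A session arriving on port 465 is forwarded by stunnel to port 25 on the
    public IP, so qpsmtpd judges it by the public IP, not the remote client.
    """
    effective = public_ip if via_stunnel else ip
    return "relay" if relay_allowed(effective) else "auth-required"


if __name__ == "__main__":
    for ip, via in [("203.0.113.42", False), ("198.51.100.7", True),
                    ("198.51.100.7", False)]:
        print(ip, "via stunnel" if via else "direct", "->", policy_for(ip, via))
```

Dropping the norelayclients entry while the class-C stays in relayclients turns the SMTPS path into the open relay Les asked about, which is what the last assertion in the accompanying check exercises.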