Re: relay controls
see also 'morercpthosts'.

'Chris Johnson' writes:
> On Thu, Jan 25, 2001 at 11:26:09AM -0700, Dan Egli wrote:
>> rcpthosts is no good. We want to accept mail for ALL domains. This is a
>> primary mail server for many virtual domains. I need to be able to send to
>> any domain in existence. Such a rcpthosts file would be HUGE!
>
> You should try reading the FAQ and other documentation (like the link I sent in
> my previous message). You must use rcpthosts; the situation you're describing
> is common and is well covered by the documentation.
>
> Chris

-
Paul Theodoropoulos [EMAIL PROTECTED]
Senior Unix Systems Administrator
Syntactically Subversive Services, Inc.
http://www.anastrophe.net
Downtime Is Not An Option
Re: relay controls
Dan Egli <[EMAIL PROTECTED]> wrote:
> rcpthosts is no good. We want to accept mail for ALL domains. This is a
> primary mail server for many virtual domains. I need to be able to send to
> any domain in existence. Such a rcpthosts file would be HUGE!

You're suffering from a common misunderstanding. rcpthosts doesn't really list all the domains you want to be able to send mail to; it lists the domains which you are willing to relay mail to from anyone in the world.

Short answer: read Life with Qmail, djb's FAQ, www.qmail.org.

Hint: only your domains should be in rcpthosts in most situations. Then to allow your company machines to use it as a smart relay, you use tcpserver to set the RELAYCLIENT for those (and only those) IPs.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: relay controls
On Thu, Jan 25, 2001 at 11:26:09AM -0700, Dan Egli wrote:
> rcpthosts is no good. We want to accept mail for ALL domains. This is a
> primary mail server for many virtual domains. I need to be able to send to
> any domain in existence. Such a rcpthosts file would be HUGE!

So what? qmail has no problems with huge files. Mine has some 60,000 records.

What you describe is a relay open mailserver, and that's what you have now.

\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
Re: relay controls
On Thu, Jan 25, 2001 at 11:26:09AM -0700, Dan Egli wrote:
> rcpthosts is no good. We want to accept mail for ALL domains. This is a
> primary mail server for many virtual domains. I need to be able to send to
> any domain in existence. Such a rcpthosts file would be HUGE!

You are not understanding, it seems. You are mixing up two concepts.

Concept one is rcpthosts. rcpthosts specifies which domains *your server* handles. rcpthosts should contain all domains for which you want to receive mail *from* the Internet. Do not care about outside domains your users want to mail to, right now.

Concept two is tcprules. tcprules specifies which IP-blocks are allowed to use your server to send to anywhere on the Internet.

I hope this clears it up a bit.

Greetz, Peter.
Re: relay controls
On Thu, Jan 25, 2001 at 11:26:09AM -0700, Dan Egli wrote:
> rcpthosts is no good. We want to accept mail for ALL domains. This is a

No you don't. You want to accept mail for a small subset of the known domains in the universe.

> primary mail server for many virtual domains. I need to be able to send to
> any domain in existence.

You said receive above and send here. Which are you talking about? The direction *is* important as they are handled by separate mechanisms within qmail. rcpthosts is for inbound mail that your server delivers. RELAYCLIENT stuff in tcpserver is used to identify which IP addresses can use your server as a sending relay for any domain.

> Such a rcpthosts file would be HUGE!

So? Having a huge file is not a problem for qmail. Is it hard for you to create it? Check out the man page for qmail-newmrh. qmail especially knows how to handle a large list of domains efficiently.

Regards.

> -Original Message-
> From: Chris Johnson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 25, 2001 11:17 AM
> To: Dan Egli
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: relay controls
>
>
> On Thu, Jan 25, 2001 at 10:39:26AM -0700, Dan Egli wrote:
> > We have a QMAIL server that our previous sysadmin left in open relay
> > mode. I am trying to close the security holes, but I don't understand Qmail
> > worth a damn (having used sendmail and being groomed on sendmail my entire
> > unix life).
> >
> > I have a tcprules file in the directory it appears my predecessor left the
> > setup files in, and according to the runline in PS (I still cannot find where
> > he is actually launching tcpserver for smtp but it is running) the file
> > should be /var/service/qmail-smtpd/tcprules.cdb
> >
> > This file does exist, and it is readable, containing the following rule:
> >
> > 127.0.0.1:allow,RELAYCLIENT=""
> > 209.254.33.:allow,RELAYCLIENT=""
> >
> > yet if I jump onto a machine that is not in these rules, and I telnet into
> > port 25, I can set up a mail from outside the realm to outside the realm.
>
> Does /var/qmail/control/rcpthosts exist? If not, you should create it, and you
> should put in it a list of domains for which you're willing to receive mail,
> one per line.
>
> See http://web.infoave.net/~dsill/lwq.html for lots of good qmail
> information.
>
> Chris
Re: relay controls
Dan Egli <[EMAIL PROTECTED]> wrote:
>
> We have a QMAIL server that our previous sysadmin left in open relay
> mode. I am trying to close the security holes, but I don't understand Qmail
> worth a damn (having used sendmail and being groomed on sendmail my entire
> unix life).

Post the output of `qmail-showctl`.

Your tcpserver invocation didn't seem to set the RELAYCLIENT variable for inappropriate IP addresses, although the text you posted isn't what tcpserver uses -- it uses a compiled version of that. It's probably a matter of rcpthosts. The command above will tell us.

Charles
--
---
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
Re: relay controls
On Thu, Jan 25, 2001 at 10:39:26AM -0700, Dan Egli wrote:
> This file does exist, and it is readable, containing the following rule:
> 127.0.0.1:allow,RELAYCLIENT=""
> 209.254.33.:allow,RELAYCLIENT=""
> yet if I jump onto a machine that is not in these rules, and I telnet into
> port 25, I can set up a mail from outside the realm to outside the realm.
>
> I do not understand Qmail at all so I need some major help here.

Do you have a file called /var/qmail/control/rcpthosts? If that file does not exist your mailserver is relay open.

$ man qmail-smtpd (located in /var/qmail/man)

    [ ... ]
    rcpthosts
        Allowed RCPT domains. If rcpthosts is supplied, qmail-smtpd
        will reject any envelope recipient address with a domain not
        listed in rcpthosts.

        Exception: If the environment variable RELAYCLIENT is set,
        qmail-smtpd will ignore rcpthosts, and will append the value
        of RELAYCLIENT to each incoming recipient address.

        rcpthosts may include wildcards:

            heaven.af.mil
            .heaven.af.mil

        Envelope recipient addresses without @ signs are always
        allowed through.
    [ ... ]

\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen          | Fax: +49 (89) 32356-299
Stress is when you wake up screaming and you realize you haven't fallen asleep yet.
Re: relay controls
On Thu, Jan 25, 2001 at 11:26:09AM -0700, Dan Egli wrote:
> rcpthosts is no good. We want to accept mail for ALL domains. This is a
> primary mail server for many virtual domains. I need to be able to send to
> any domain in existence. Such a rcpthosts file would be HUGE!

You should try reading the FAQ and other documentation (like the link I sent in my previous message). You must use rcpthosts; the situation you're describing is common and is well covered by the documentation.

Chris
Re: relay controls
On Thu, Jan 25, 2001 at 10:39:26AM -0700, Dan Egli wrote:
[snip]
> I have a tcprules file in the directory it appears my predecessor left the
> setup files in, and according to the runline in PS (I still cannot find where
> he is actually launching tcpserver for smtp but it is running) the file
> should be /var/service/qmail-smtpd/tcprules.cdb

tcpserver is running from /var/service/qmail-smtpd/run. /var/service is your service directory, as used by svscan (which is also running, probably). Read up on it at http://cr.yp.to/daemontools.html

> This file does exist, and it is readable, containing the following rule:
>
> 127.0.0.1:allow,RELAYCLIENT=""
> 209.254.33.:allow,RELAYCLIENT=""

ok. Here's the fix.

- rename the file to 'tcprules' instead of 'tcprules.cdb'
- add a line at the bottom that just says ':allow'
- type 'tcprules tcprules.cdb tcprules.cdb.tmp < tcprules'
- Done. Hopefully.

Some recommended reading for you:

http://www.lifewithqmail.org/
http://www.qmail.org/ (with links to all kinds of documentation)
http://cr.yp.to/ (with the author's documentation for qmail, including a FAQ).

Greetz, Peter.
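Peter's "two concepts" explanation, the qmail-smtpd man page text Maex quoted, and Peter's ':allow' fix describe one decision path: tcpserver's rules decide whether RELAYCLIENT is set for the connecting IP, and qmail-smtpd's rcpthosts check then accepts or rejects each RCPT TO. The Python below is an added model of that path for auditing a configuration offline; it is not code from the thread or from qmail itself. It assumes a simplified tcpserver lookup (exact IP, dotted prefixes, then the empty default address; =host rules and IP ranges are left out), the sample tcprules and rcpthosts texts are constructed from the rules quoted in the thread, and `is_open_relay` with its TEST-NET client address 192.0.2.1 is a hypothetical helper, not a qmail tool.

```python
"""Model of qmail's two relay controls as discussed in this thread.

Added example, not qmail source: a simplified re-implementation of
(1) how tcpserver's rules (the tcprules source text, before it is
compiled to tcprules.cdb) decide whether RELAYCLIENT is set for a
connecting IP, and (2) how qmail-smtpd's rcpthosts check accepts or
rejects a RCPT TO address. Hostname (=host) rules and IP ranges are
omitted from the model.
"""
from typing import Dict, Optional, Set, Tuple

# Constructed sample tcprules source: the two rules quoted in the thread
# plus the ':allow' default line recommended as the fix.
TCPRULES_TEXT = '''127.0.0.1:allow,RELAYCLIENT=""
209.254.33.:allow,RELAYCLIENT=""
:allow
'''

# Constructed sample rcpthosts: one exact domain and one wildcard entry.
RCPTHOSTS_TEXT = "example.com\n.example.net\n"

Rule = Tuple[str, Dict[str, str]]  # (instruction, environment variables)


def parse_tcprules(text: str) -> Dict[str, Rule]:
    """Parse lines of the form address:instruction,VAR="value",..."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        fields = rest.split(",")
        env: Dict[str, str] = {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (fields[0], env)
    return rules


def lookup_tcprule(rules: Dict[str, Rule], ip: str) -> Rule:
    """Mimic tcpserver's lookup order: exact IP, then shorter dotted
    prefixes, then the empty (default) address. With no matching rule
    tcpserver allows the connection and sets no variables (assumed
    default, which Peter's ':allow' line makes explicit)."""
    octets = ip.split(".")
    candidates = [ip]
    for n in range(len(octets) - 1, 0, -1):
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")
    for cand in candidates:
        if cand in rules:
            return rules[cand]
    return ("allow", {})


def parse_rcpthosts(text: Optional[str]) -> Optional[Set[str]]:
    """None models a missing control/rcpthosts file."""
    if text is None:
        return None
    return {line.strip() for line in text.splitlines() if line.strip()}


def rcpt_allowed(rcpthosts: Optional[Set[str]], relayclient: Optional[str],
                 recipient: str) -> Tuple[bool, str]:
    """Return (accepted, effective recipient) per the man page rules quoted
    above: RELAYCLIENT (even if empty) overrides rcpthosts and is appended
    to the address; no rcpthosts file means every recipient is accepted;
    addresses without '@' always pass; a leading-dot entry matches any
    subdomain but, as in qmail, not the bare domain itself."""
    if relayclient is not None:
        return True, recipient + relayclient
    if rcpthosts is None:
        return True, recipient
    at = recipient.rfind("@")
    if at == -1:
        return True, recipient
    host = recipient[at + 1:].lower()
    for i in range(len(host) + 1):
        if i == 0 or i == len(host) or host[i] == ".":
            if host[i:] in rcpthosts:
                return True, recipient
    return False, recipient


def smtp_rcpt_decision(tcprules_text: str, rcpthosts_text: Optional[str],
                       client_ip: str, recipient: str) -> str:
    """What would this server do with RCPT TO:<recipient> from client_ip?"""
    instruction, env = lookup_tcprule(parse_tcprules(tcprules_text), client_ip)
    if instruction == "deny":
        return "connection refused by tcpserver"
    ok, addr = rcpt_allowed(parse_rcpthosts(rcpthosts_text),
                            env.get("RELAYCLIENT"), recipient)
    return "accepted: " + addr if ok else "rejected: domain not in rcpthosts"


def is_open_relay(tcprules_text: str, rcpthosts_text: Optional[str],
                  client_ip: str = "192.0.2.1") -> bool:
    """Hypothetical audit helper: would an arbitrary outside client be
    allowed to relay to a domain this server does not host?"""
    return smtp_rcpt_decision(tcprules_text, rcpthosts_text, client_ip,
                              "someone@unrelated.example.org").startswith("accepted")


if __name__ == "__main__":
    print(is_open_relay(TCPRULES_TEXT, None))            # no rcpthosts file
    print(is_open_relay(TCPRULES_TEXT, RCPTHOSTS_TEXT))  # rcpthosts present
    print(smtp_rcpt_decision(TCPRULES_TEXT, RCPTHOSTS_TEXT,
                             "209.254.33.7", "x@unrelated.example.org"))
```

Running the model with `rcpthosts_text=None` reproduces Dan's situation: the tcprules entries are fine, but without a rcpthosts file every recipient is accepted from every client, which is exactly the "relay open" condition Maex describes. The wildcard check also shows why the man page lists both `heaven.af.mil` and `.heaven.af.mil`: the dotted form alone does not cover the bare domain.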
RE: relay controls
rcpthosts is no good. We want to accept mail for ALL domains. This is a primary mail server for many virtual domains. I need to be able to send to any domain in existence. Such a rcpthosts file would be HUGE!

-Original Message-
From: Chris Johnson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 25, 2001 11:17 AM
To: Dan Egli
Cc: '[EMAIL PROTECTED]'
Subject: Re: relay controls

On Thu, Jan 25, 2001 at 10:39:26AM -0700, Dan Egli wrote:
> We have a QMAIL server that our previous sysadmin left in open relay
> mode. I am trying to close the security holes, but I don't understand Qmail
> worth a damn (having used sendmail and being groomed on sendmail my entire
> unix life).
>
> I have a tcprules file in the directory it appears my predecessor left the
> setup files in, and according to the runline in PS (I still cannot find where
> he is actually launching tcpserver for smtp but it is running) the file
> should be /var/service/qmail-smtpd/tcprules.cdb
>
> This file does exist, and it is readable, containing the following rule:
>
> 127.0.0.1:allow,RELAYCLIENT=""
> 209.254.33.:allow,RELAYCLIENT=""
>
> yet if I jump onto a machine that is not in these rules, and I telnet into
> port 25, I can set up a mail from outside the realm to outside the realm.

Does /var/qmail/control/rcpthosts exist? If not, you should create it, and you should put in it a list of domains for which you're willing to receive mail, one per line.

See http://web.infoave.net/~dsill/lwq.html for lots of good qmail information.

Chris
Re: relay controls
On Thu, Jan 25, 2001 at 10:39:26AM -0700, Dan Egli wrote:
> We have a QMAIL server that our previous sysadmin left in open relay
> mode. I am trying to close the security holes, but I don't understand Qmail
> worth a damn (having used sendmail and being groomed on sendmail my entire
> unix life).
>
> I have a tcprules file in the directory it appears my predecessor left the
> setup files in, and according to the runline in PS (I still cannot find where
> he is actually launching tcpserver for smtp but it is running) the file
> should be /var/service/qmail-smtpd/tcprules.cdb
>
> This file does exist, and it is readable, containing the following rule:
>
> 127.0.0.1:allow,RELAYCLIENT=""
> 209.254.33.:allow,RELAYCLIENT=""
>
> yet if I jump onto a machine that is not in these rules, and I telnet into
> port 25, I can set up a mail from outside the realm to outside the realm.

Does /var/qmail/control/rcpthosts exist? If not, you should create it, and you should put in it a list of domains for which you're willing to receive mail, one per line.

See http://web.infoave.net/~dsill/lwq.html for lots of good qmail information.

Chris
relay controls
I am quite a new Qmail user, and so I'm looking for some help here.

We have a QMAIL server that our previous sysadmin left in open relay mode. I am trying to close the security holes, but I don't understand Qmail worth a damn (having used sendmail and being groomed on sendmail my entire unix life).

I have a tcprules file in the directory it appears my predecessor left the setup files in, and according to the runline in PS (I still cannot find where he is actually launching tcpserver for smtp but it is running) the file should be /var/service/qmail-smtpd/tcprules.cdb

This file does exist, and it is readable, containing the following rule:

127.0.0.1:allow,RELAYCLIENT=""
209.254.33.:allow,RELAYCLIENT=""

yet if I jump onto a machine that is not in these rules, and I telnet into port 25, I can set up a mail from outside the realm to outside the realm.

I do not understand Qmail at all so I need some major help here.

Thanks!