Block all mail on smtp except auth or from ip

2006-10-24 Thread Didier Gehéniau
Hi all,

We have a central mailserver that receives internet mail. Decentralized mail
servers pull the internet mail from this server with fetchmail.

On the decentralized mail servers (that are connected to the internet) I
want to block all SMTP connections (also for mails sent to local recipients)
except when the user is authenticated or if the IP from which the mail is
sent is accepted.

I use tcpserver:

Run:

#!/bin/sh
exec 2>&1 \
envdir ./env \
sh -c '
case $REMOTENAME in h) H=;; p) H=p;; *) H=H;; esac
case $REMOTEINFO in r) R=;; [0-9]*) R=t$REMOTEINFO;; *) R=R;; esac
exec \
envuidgid qmaild \
softlimit ${DATALIMIT+-d$DATALIMIT} \
/usr/bin/tcpserver \
-vDU$H$R \
${LOCALNAME+-l$LOCALNAME} \
${BACKLOG+-b$BACKLOG} \
${CONCURRENCY+-c$CONCURRENCY} \
-xtcp.cdb \
-- ${IP-0} ${PORT-25} \
/var/qmail/bin/qmail-smtpd
'

Tcp:

Allowed ip 1:allow,RELAYCLIENT=
Allowed ip 2:allow,RELAYCLIENT=
:allow,SMTPAUTH=
:deny

Any solutions?

Regards,

Didier



Re: Spam problems smtp proxy or patch

2006-10-24 Thread Nicolas de Bari Embriz Garcia Rojas
Thanks, I will try both. Currently I am also testing qconfirm/ask/tdma
to see which one works better with qmail-ldap.


regards.

On Oct 24, 2006, at 8:39 AM, Felipe Augusto van de Wiel wrote:

> Hey!
>
> On 10/23/2006 03:41 PM, Nicolas de Bari Embriz Garcia Rojas wrote:
> > Hi, currently I am using simscan/spamassassin/tarpit/auth/SSL,
> > also have integrated spamassassin to ldap and set max recipients
> > on 2 but there is always a smart and patient user that starts
> > sending spam, they use the webmail or even a client like
> > outlook/kmail/mail and start to send email one by one.
> > So I was thinking of a solution like some other sites do, to
> > limit the outgoing msg per day but it is just that I would like to
> > know how they do it so I can implement it.
>
> I just remember that eMPF is worth taking a look at:
>
> http://www.inter7.com/?page=empf
>
> > regards.
>
> Kind regards,
>
> --
> Felipe Augusto van de Wiel [EMAIL PROTECTED]
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)







Re: Spam problems smtp proxy or patch

2006-10-24 Thread Nicolas de Bari Embriz Garcia Rojas
For a quick fix I installed spamguard (http://www.enderunix.org/spamguard)
and it is starting to give some results. Currently it has helped me to
identify the spammers, and the program itself, based on threshold values,
moves those users to /var/qmail/control/badmailfrom.


regards.

On Oct 24, 2006, at 8:27 AM, Felipe Augusto van de Wiel wrote:

> On 10/23/2006 03:41 PM, Nicolas de Bari Embriz Garcia Rojas wrote:
> > Hi, currently I am using simscan/spamassassin/tarpit/auth/SSL,
> > also have integrated spamassassin to ldap and set max recipients
> > on 2 but there is always a smart and patient user that starts
> > sending spam, they use the webmail or even a client like
> > outlook/kmail/mail and start to send email one by one.
> > So I was thinking of a solution like some other sites do, to
> > limit the outgoing msg per day but it is just that I would like to
> > know how they do it so I can implement it.
>
> I found [1]this on qmail.org.
>
> 1. http://spamthrottle.qmail.ca/
>
> There is even a qmail-ldap patch. If it solves your problem,
> maybe you can make some comments so we can request the nice qmail-ldap
> guys to integrate it in the qmail-ldap patch. :-)
>
> > regards.
>
> Kind regards,
>
> --
> Felipe Augusto van de Wiel [EMAIL PROTECTED]
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)







anonymous bind for qmailgroup entries?

2006-10-24 Thread Robert Müller
Hi all,

I have been using qmail-ldap on different servers for more than a
year. Now I've set up a new one with a virtual users environment. My
qmail-installation uses a dedicated account for retrieving
LDAP-attributes and I have set the LDAP ACL very restrictive to prevent
users from seeing other accounts. Mail delivery for normal qmailusers
works very well, but I observe a strange problem with qmailgroups. The
following is derived from slapd's logfile:
qmail binds correctly as the dedicated user to search the mail address.
After the entry with the corresponding address is found, it retrieves
all LDAP Attributes for a normal qmailuser within the existing bind and
therefore succeeds with delivery.
But for a qmailgroup entry it unbinds and rebinds anonymously and is
then not able to read the attribute entry and all other attributes
since this is prohibited by my LDAP-ACLs for anonymous binds.

Can any of you experts tell me if this is desired behaviour and why?
Or did I miss a simple configuration option?
Any help greatly appreciated,

Thanks,

Robert

-- 
Robert Müller
Thinxsolutions Müller,Bender,Guth GbR
Maarweg 139
50825 Köln

Fon: +49 221 3550353 0
Fax: +49 221 3550353 99
Mob: +49 179 5303775

[EMAIL PROTECTED]
http://www.thinxsolutions.de



Re: anonymous bind for qmailgroup entries?

2006-10-24 Thread Claudio Jeker
On Tue, Oct 24, 2006 at 06:43:17PM +0200, Robert Müller wrote:
> Hi all,
>
> I have been using qmail-ldap on different servers for more than a
> year. Now I've set up a new one with a virtual users environment. My
> qmail-installation uses a dedicated account for retrieving
> LDAP-attributes and I have set the LDAP ACL very restrictive to prevent
> users from seeing other accounts. Mail delivery for normal qmailusers
> works very well, but I observe a strange problem with qmailgroups. The
> following is derived from slapd's logfile:
> qmail binds correctly as the dedicated user to search the mail address.
> After the entry with the corresponding address is found, it retrieves
> all LDAP Attributes for a normal qmailuser within the existing bind and
> therefore succeeds with delivery.
> But for a qmailgroup entry it unbinds and rebinds anonymously and is
> then not able to read the attribute entry and all other attributes
> since this is prohibited by my LDAP-ACLs for anonymous binds.
>
> Can any of you experts tell me if this is desired behaviour and why?
> Or did I miss a simple configuration option?
> Any help greatly appreciated,
>

Most of the time this happens because ~control/ldappassword is not readable
by the user which runs the qmail-group command.
This is why ~control/ldapgrouplogin and ~control/ldapgrouppassword exist.
Especially it makes it possible to use a different user for the normal mail
lookup than for the group lookups. Group lookups only need read access to
some fields (e.g. userPassword is not needed) allowing stricter ACL rules.
Additionally it makes it possible to tune the limits in slapd.

-- 
:wq Claudio
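
The split Claudio describes, sketched as an added example that is not part of the original message: a slapd.conf fragment that gives the group-lookup bind its own identity, keeps userPassword away from it, and sets limits for that identity only. All DNs, the ou=mail subtree and the limit values are assumptions made up for illustration.

```conf
# slapd.conf fragment (OpenLDAP). Placeholder DNs, not taken from the thread:
#   cn=qmail,ou=services,dc=example,dc=com        normal mail lookups
#   cn=qmail-group,ou=services,dc=example,dc=com  group lookups
#
# On the qmail-ldap side, ~control/ldapgrouplogin holds the second DN and
# ~control/ldapgrouppassword its password; both files must be readable by
# the user that runs qmail-group.

# Password attribute: readable by the mail-lookup account only.
# Anonymous clients may use it to authenticate a bind and nothing more;
# the group-lookup account falls through to "by * none".
access to attrs=userPassword
        by dn.exact="cn=qmail,ou=services,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none

# Remaining attributes of the mail tree: read access for the two service
# accounts, nothing for anonymous binds or other users.
access to dn.subtree="ou=mail,dc=example,dc=com"
        by dn.exact="cn=qmail,ou=services,dc=example,dc=com" read
        by dn.exact="cn=qmail-group,ou=services,dc=example,dc=com" read
        by * none

# Limits that apply to the group-lookup identity only (constructed values).
limits dn.exact="cn=qmail-group,ou=services,dc=example,dc=com" size=500 time=30
```

slapd evaluates access rules in order and stops at the first matching "to" clause, so the userPassword rule has to stay above the subtree rule.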