Re: [vchkpw] smtp-auth and rblsmtpd

2007-08-18 Thread Trey Nolen
Thanks for the info.  



Trey Nolen

- Original Message - 
From: "John Simpson" <[EMAIL PROTECTED]>

To: 
Sent: Saturday, August 18, 2007 7:28 PM
Subject: Re: [vchkpw] smtp-auth and rblsmtpd




Re: [vchkpw] smtp-auth and rblsmtpd

2007-08-18 Thread John Simpson

On 2007-08-17, at 2113, Trey Nolen wrote:
I would suggest starting another instance of qmail-smtpd on port  
587 that does not use the rbls, and has its own tcp.submpt.cdb  
that allows anyone to connect, but does not ever set RELAYCLIENT.   
This allows all addresses, but will only allow relay for  
authenticated users.


Port 587, is the default port for this kind of operation.


Thanks. We will start that, too. But, we do have a number of
clients that are ALREADY using port 25 for smtp-auth. Is there any
way to keep them from being affected by the rblsmtpd? For instance,
is there a way to pass a variable to tcpserver if the connection is
authenticated via smtp-auth?


No, because there's no way for tcpserver to know whether or not a
valid AUTH command will be sent. Remember that qmail-smtpd would be
accepting the AUTH command, and rblsmtpd runs before qmail-smtpd does.


The correct answer is to create one or more AUTH-only SMTP services,
preferably also "encrypted only" for security, and tell your users
that they must use those instead. I'm not sure which patches you're
using, but my combined patch has support for both of these features
(i.e. it won't accept any MAIL commands until a valid AUTH command
has been sent, and it won't accept any AUTH commands unless the
connection is secured.) I *think* both of these features are
available in other patches, but I will admit that I'm not 100%
familiar with them. I'm sure if you can tell us which patches you're
using, somebody on the list will be able to give you some quick
directions for how to set this up.


If you're not married to any particular patch, here's the info
regarding mine. Do your research and see if it will work for
you; if so, you're (obviously) welcome to use it.


http://qmail.jms1.net/patches/combined.shtml
http://qmail.jms1.net/smtp-service.shtml
http://qmail.jms1.net/tls-auth.shtml


| John M. Simpson---   KG4ZOW   ---Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |

| http://video.google.com/videoplay?docid=-1656880303867390173 |







Re: [vchkpw] smtp-auth and rblsmtpd

2007-08-17 Thread Jeremy Kister

On 8/17/2007 9:13 PM, Trey Nolen wrote:
being affected by the rblsmtpd?  For instance, is there a way to pass a
variable to tcpserver if the connection is authenticated via smtp-auth?


Not without patching. The process goes like this:

user -> tcpserver -> rblsmtpd -> qmail-smtpd (with smtp-auth)

so rblsmtpd has already intercepted your user before he's had the
chance to talk to qmail-smtpd and auth.

There is at least one patch that puts rblsmtpd functionality inside
qmail-smtpd for this purpose, but I'm having a hard time finding it.

Based on
http://lists.ziobudda.net/pipermail/qmail-it/2007-April/001698.html, I'm
making an educated guess that the patch is at:

http://lists.ziobudda.net/pipermail/qmail-it/attachments/20070410/7d59066d/qmail-dnsbl.bin


--

Jeremy Kister
http://jeremy.kister.net./







Re: [vchkpw] smtp-auth and rblsmtpd

2007-08-17 Thread Trey Nolen
I would suggest starting another instance of qmail-smtpd on port 587 that 
does not use the rbls, and has its own tcp.submpt.cdb that allows anyone 
to connect, but does not ever set RELAYCLIENT.  This allows all addresses, 
but will only allow relay for authenticated users.


Port 587, is the default port for this kind of operation.





Thanks.  We will start that, too.  But, we do have a number of clients that
are ALREADY using port 25 for smtp-auth.  Is there any way to keep them from
being affected by the rblsmtpd?  For instance, is there a way to pass a
variable to tcpserver if the connection is authenticated via smtp-auth?



Trey Nolen



Re: [vchkpw] smtp-auth and rblsmtpd

2007-08-17 Thread Rick Widmer



Trey Nolen wrote:
We have been using smtp-after-pop for a long time, but are also using 
smtp-auth for some purposes.  When users authenticate via POP, a line 
like the following gets added to open-smtp:

ww.xx.yy.zz:allow,RELAYCLIENT="",RBLSMTPD="",WHITELIST="" 1187395788

This keeps the users from being affected by rblsmtpd.

We added sorbs to our rblsmtpd to block "dynamic IP pools", but it seems
to be blocking our users that use smtp-auth.  Our smtp-after-pop users
work fine using the same dynamic IPs.  We have some users that need to
be able to send via our servers but that do not have a POP account to
authenticate against.  Is there a way to get smtp-auth excluded from the
rblsmtpd blocks?


I would suggest starting another instance of qmail-smtpd on port 587 
that does not use the rbls, and has its own tcp.submpt.cdb that allows 
anyone to connect, but does not ever set RELAYCLIENT.  This allows all 
addresses, but will only allow relay for authenticated users.


Port 587, is the default port for this kind of operation.




My run file for the submission port is:




#!/bin/sh
# submission service: rblsmtpd is not in this chain, and tcp.submission.cdb
# never sets RELAYCLIENT, so only a successful AUTH can relay
QMAILUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1000 \
 /usr/local/bin/tcpserver -v -H -R -l 0 \
 -x /mail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
 -u "$QMAILUID" -g "$NOFILESGID" 0 587 \
 /var/qmail/bin/qmail-smtpd \
 /mail/bin/vchkpw /bin/true 2>&1


/mail/bin/ is my ~vpopmail/bin, in absolute terms.
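The following is an added example, not code from this thread and not from qmail, ucspi-tcp or any of the patches mentioned in it. It models, in plain Python, the decision order that Jeremy Kister's "user -> tcpserver -> rblsmtpd -> qmail-smtpd" chain and Rick Widmer's separate port-587 service imply, plus the two features John Simpson describes for his patch (no MAIL before AUTH, no AUTH before the connection is encrypted). Assumptions not taken from the thread: rules are written in tcprules text form rather than a compiled .cdb, DNSBL listings are a constructed set rather than live DNS lookups, and the addresses, user name, password and reply texts are made up.

```python
"""Offline model of the two qmail-smtpd service chains discussed in this thread.

Added example, not code from the thread, qmail, ucspi-tcp or any patch:
    port 25:  tcpserver -x tcp.smtp.cdb -> rblsmtpd -> qmail-smtpd
    port 587: tcpserver -x tcp.submission.cdb       -> qmail-smtpd
Assumed: tcprules text instead of .cdb, a constructed DNSBL listing set,
the 587 features as two flags, and made-up addresses and credentials.
"""
import re

_RULE = re.compile(r'^([^:]*):(allow|deny)(?:,(.*))?$')
_VAR = re.compile(r'(\w+)(?:="([^"]*)")?')


def parse_rules(text):
    """tcprules text -> {prefix: (allowed, {VAR: value})}.
    Only the forms seen in the thread ('a.b.c.d:allow,VAR=""', 'a.b.:allow',
    ':allow') are handled; =host rules and address ranges are not modelled."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError('bad tcprules line: %r' % line)
        prefix, verb, env = m.groups()
        rules[prefix] = (verb == 'allow', dict(_VAR.findall(env or '')))
    return rules


def lookup(rules, ip):
    """Mimic tcpserver -x: exact address, then longest dotted prefix, then ':'."""
    if ip in rules:
        return rules[ip]
    octets = ip.split('.')
    for n in range(len(octets) - 1, 0, -1):
        prefix = '.'.join(octets[:n]) + '.'
        if prefix in rules:
            return rules[prefix]
    return rules.get('', (False, {}))


def rblsmtpd(env, ip, listings, zones=('dnsbl.sorbs.net',)):
    """Decide as rblsmtpd(1) does, before qmail-smtpd is ever exec'd.
    RBLSMTPD set and non-empty: reject with that text, no lookups.
    RBLSMTPD set and empty:     no lookups, exec qmail-smtpd (this is what the
                                open-smtp entry RBLSMTPD="" buys a client).
    RBLSMTPD unset:             look the client address up in each zone.
    Returns None to pass the connection on, otherwise the rejection text."""
    if 'RBLSMTPD' in env:
        return env['RBLSMTPD'] or None
    for zone in zones:
        if (ip, zone) in listings:
            return 'blocked by ' + zone
    return None


def smtp_session(env, commands, users, auth_before_mail=False, tls_before_auth=False):
    """Answer ('STARTTLS',), ('AUTH', user, pw), ('MAIL', addr), ('RCPT', addr)
    tuples.  Every RCPT is taken to be a remote domain, i.e. a relay request,
    which needs RELAYCLIENT from tcprules or a successful AUTH."""
    relay, authed, tls, replies = 'RELAYCLIENT' in env, False, False, []
    for cmd in commands:
        if cmd[0] == 'STARTTLS':
            tls = True
            replies.append('220 ready to start TLS')
        elif cmd[0] == 'AUTH':
            if tls_before_auth and not tls:
                replies.append('538 encryption required for requested authentication mechanism')
            elif users.get(cmd[1]) == cmd[2]:
                authed = True
                replies.append('235 ok, go ahead')
            else:
                replies.append('535 authentication failed')
        elif cmd[0] == 'MAIL':
            replies.append('530 authentication required'
                           if auth_before_mail and not authed else '250 ok')
        elif cmd[0] == 'RCPT':
            replies.append('250 ok' if relay or authed else
                           "553 sorry, that domain isn't in my list of allowed rcpthosts")
    return replies


def connect(service, ip, commands, listings, users):
    """Run one client through a service description (see PORT25 / PORT587)."""
    allowed, env = lookup(service['rules'], ip)
    if not allowed:
        return ['tcpserver: connection refused']
    if service['rblsmtpd']:
        reason = rblsmtpd(env, ip, listings)
        if reason:
            # rblsmtpd answers 451 itself and never execs qmail-smtpd, so an
            # AUTH in `commands` is never seen by anything.
            return ['451 ' + reason]
    return smtp_session(env, commands, users,
                        service['auth_before_mail'], service['tls_before_auth'])


# Constructed rules: the 203.0.113.7 line has the shape open-smtp gets after a
# POP login (first message in the thread); 203.0.113.8 is an smtp-auth-only
# user on the same dynamic pool who has no POP account.
PORT25 = dict(rules=parse_rules('''
127.:allow,RELAYCLIENT=""
203.0.113.7:allow,RELAYCLIENT="",RBLSMTPD="",WHITELIST=""
:allow
'''), rblsmtpd=True, auth_before_mail=False, tls_before_auth=False)
PORT587 = dict(rules=parse_rules(':allow\n'),  # anyone connects, nobody relays unauthenticated
               rblsmtpd=False, auth_before_mail=True, tls_before_auth=True)
LISTINGS = {('203.0.113.7', 'dnsbl.sorbs.net'), ('203.0.113.8', 'dnsbl.sorbs.net')}
USERS = {'trey@example.com': 'hunter2'}  # constructed credential
AUTH_RELAY = [('STARTTLS',), ('AUTH', 'trey@example.com', 'hunter2'),
              ('MAIL', 'trey@example.com'), ('RCPT', 'friend@example.net')]

if __name__ == '__main__':
    for name, svc, ip in (('port 25 ', PORT25, '203.0.113.8'),
                          ('port 25 ', PORT25, '203.0.113.7'),
                          ('port 587', PORT587, '203.0.113.8')):
        print(name, ip, connect(svc, ip, AUTH_RELAY, LISTINGS, USERS))
```

Running it shows the three cases from the thread side by side: the listed smtp-auth user on port 25 gets a single 451 from rblsmtpd and his AUTH is never read; the same address with an open-smtp entry (RBLSMTPD="") sails past because rblsmtpd skips its lookups when that variable is set, even to an empty value; and on the port-587 service, which has no rblsmtpd in front of it and hands out no RELAYCLIENT, the same user relays after STARTTLS and AUTH while an unauthenticated MAIL is refused.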