Howdy all,

I just wanted to follow up and say that I implemented my idea tonight from an IP that does not have a dns entry, and it appeared to work properly. Now, all I have to do is monitor my logs closely to see if I broke anything.

Basically, what I did was to move the dracd rules for dialup users from the recommended place to just above the dns checks. In effect, the check_relay ruleset now looks like so:

<snip>
# anything originating locally is ok
# check IP address
R$*			$: $&{client_addr}
R$@			$@ RELAYFROM		originated locally
R0			$@ RELAYFROM		originated locally
R$=R $*			$@ RELAYFROM		relayable IP address
R$*			$: $>LookUpAddress <$1> <?> <$1> <+Connect>
R<RELAY> $*		$@ RELAYFROM		relayable IP address
R<$*> <$*>		$: $2
R$*			$: [ $1 ]		put brackets around it...
R$=w			$@ RELAYFROM		... and see if it is local

# allow recent POP/IMAP mail clients to relay
R$*			$: $&{client_addr}
R$+			$: $(drac $1 $: ? $)
R?			$:
R$+			$@ RELAYFROM

# check client name: first: did it resolve?
R$*			$: < $&{client_resolve} >
R<TEMP>			$#error $@ 4.7.1 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr}
R<FORGED>		$#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
R<FAIL>			$#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}
R$*			$: <?> $&{client_name}
<snip>

Just wanted to let people know in case anyone else runs into this problem.

Will

---------- Forwarded Message ----------
Date: Friday, 06 July, 2001 08:26 -0400
From: "William K. Hardeman" <[EMAIL PROTECTED]>
To: Cyrus-Imap Mailing List <[EMAIL PROTECTED]>
Subject: (OT) check_relay DNS rules and dracd with cyrus & sendmail

Howdy all,

I have a more or less off topic question about a situation my boss ran into the other day when he was travelling. He accessed our mailserver from a dialup account or from the company he was visiting (I'm not sure), which worked fine, of course. The problems arose when he tried to send an email to someone outside the company.

We're using Gary Mills' DRACD for pop-before-smtp relay authentication, which he expected (and I, quite honestly) would allow him to send emails. Normally it does, but when he tried the other day, he got a message about the DNS address associated with the IP address he was assigned being possibly forged, and not allowing the email through.

I was wondering if anyone has any thoughts they'd care to share on whether it is safe to move the DRACD rules to a point in the check_relay ruleset above where it does the DNS checks. My thinking on this is that, since the user has already authenticated themselves as being a valid user, they should be allowed to send, even though their DNS entries would not normally allow them to do so.

We have several people who travel, and we're concerned this situation might arise again, and we need to have something in place where these users won't be blocked from sending emails. Does anyone have any suggestions on what we could do?

Thanks in advance,
Will

----------------------------------------------------------------------------
William K. Hardeman
[EMAIL PROTECTED]
http://www.wkh.org
Always listen to experts. They'll tell you what can't be done and why. Then do it. --Robert A. Heinlein
---------- End Forwarded Message ----------