Howdy all,

I just wanted to follow up and say that I implemented my idea tonight from 
an IP that does not have a dns entry, and it appeared to work properly. 
Now, all I have to do is monitor my logs closely to see if I broke anything.

Basically, what I did was to move the dracd rules for dialup users from the 
recommended place to just above the dns checks. In effect, the check_relay 
ruleset now looks like so:

<snip>
# anything originating locally is ok
# check IP address
R$*                     $: $&{client_addr}
R$@                     $@ RELAYFROM            originated locally
R0                      $@ RELAYFROM            originated locally
R$=R $*                 $@ RELAYFROM            relayable IP address
R$*                     $: $>LookUpAddress <$1> <?> <$1> <+Connect>
R<RELAY> $*             $@ RELAYFROM            relayable IP address
R<$*> <$*>              $: $2
R$*                     $: [ $1 ]               put brackets around it...
R$=w                    $@ RELAYFROM            ... and see if it is local



# allow recent POP/IMAP mail clients to relay
R$*                     $: $&{client_addr}
R$+                     $: $(drac $1 $: ? $)
R?                      $:
R$+                     $@ RELAYFROM

# check client name: first: did it resolve?
R$*                     $: < $&{client_resolve} >
R<TEMP>                 $#error $@ 4.7.1 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr}
R<FORGED>               $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
R<FAIL>                 $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}
R$*                     $: <?> $&{client_name}
<snip>

Just wanted to let people know in case anyone else runs into this problem.

Will

---------- Forwarded Message ----------
Date: Friday, 06 July, 2001 08:26 -0400
From: "William K. Hardeman" <[EMAIL PROTECTED]>
To: Cyrus-Imap Mailing List <[EMAIL PROTECTED]>
Subject: (OT) check_relay DNS rules and dracd with cyrus & sendmail

Howdy all,

I have a more or less off topic question about a situation my boss ran into
the other day when he was travelling. He accessed our mailserver from a
dialup account or from the company he was visiting (I'm not sure), which
worked fine, of course. The problems arose when he tried to send an email
to someone outside the company.

We're using Gary Mills' DRACD for pop-before-smtp relay authentication,
which he expected (and I, quite honestly) would allow him to send emails.
Normally it does, but when he tried the other day, he got a message about
the DNS address associated with the IP address he was assigned being
possibly forged, and not allowing the email through.

I was wondering if anyone has any thoughts they'd care to share on whether
it is safe to move the DRACD rules to a point in the check_relay ruleset
above where it does the DNS checks. My thinking on this is that, since the
user has already authenticated themselves as being a valid user, they
should be allowed to send, even though their DNS entries would not normally
allow them to do so. We have several people who travel, and we're concerned
this situation might arise again, and we need to have something in place
where these users won't be blocked from sending emails.

Does anyone have any suggestions on what we could do?

Thanks in advance,
Will

----------------------------------------------------------------------------
William K. Hardeman
[EMAIL PROTECTED]
http://www.wkh.org

Always listen to experts. They'll tell you what can't be done and why. Then
do it.
--Robert A. Heinlein

---------- End Forwarded Message ----------



----------------------------------------------------------------------------
William K. Hardeman
[EMAIL PROTECTED]
http://www.wkh.org

Always listen to experts. They'll tell you what can't be done and why. Then
do it.
--Robert A. Heinlein
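To make the effect of Will's reordering concrete, here is an added simulation of the check_relay decision order (example code, not from the post and not sendmail itself). It uses Python stand-ins for ${client_addr}, ${client_resolve}, the drac map and the $=R / $=w classes, with constructed map contents.

```python
"""Simulate sendmail's check_relay ruleset in the stock order (DNS checks
before the DRAC lookup) and in the reordered form (DRAC lookup first).
Map contents below are constructed for the example."""

RELAY_NETS = ("192.0.2.",)       # stand-in for $=R, matched by prefix
LOCAL_ADDRS = {"127.0.0.1"}      # stand-in for $=w (the "[addr]" check)
DRAC_DB = {"203.0.113.45"}       # IPs that recently authenticated via POP/IMAP


def drac_check(addr, resolve, name):
    # "allow recent POP/IMAP mail clients to relay": $(drac $1 $: ? $)
    return "RELAYFROM" if addr in DRAC_DB else None


def dns_check(addr, resolve, name):
    # "check client name: first: did it resolve?" on ${client_resolve}
    if resolve == "TEMP":
        return "450 Relaying temporarily denied. Cannot resolve PTR record for " + addr
    if resolve == "FORGED":
        return "550 Relaying denied. IP name possibly forged " + name
    if resolve == "FAIL":
        return "550 Relaying denied. IP name lookup failed " + name
    return None  # OK: fall through to the rest of the ruleset


def check_relay(addr, resolve, name, drac_first):
    """Return 'RELAYFROM', an SMTP error string, or None (fall through)."""
    # "anything originating locally is ok" / relayable IP address
    if addr in ("", "0") or addr in LOCAL_ADDRS or addr.startswith(RELAY_NETS):
        return "RELAYFROM"
    # The only thing Will changed is which of these two stages runs first.
    stages = [drac_check, dns_check] if drac_first else [dns_check, drac_check]
    for stage in stages:
        verdict = stage(addr, resolve, name)
        if verdict is not None:
            return verdict
    return None


if __name__ == "__main__":
    # A travelling user on a dialup IP whose PTR sendmail flags as FORGED.
    for order in (False, True):
        print("drac_first=%s -> %s" % (
            order, check_relay("203.0.113.45", "FORGED", "dialup.example", order)))
```

Note that with the DRAC stage first, any address present in the drac map relays regardless of its PTR status until its entry expires, which is why the log monitoring Will mentions is the right follow-up.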
