Hi,
> 1. Is it correct to say that qmail will be using
> /var/spool/pop3/etc/tcp.smtp.cdb to decide who
> can and who cannot connect to send e-mail,
> thus ignoring rcpthosts?
To clear things up:
tcp.smtp.cdb decides who will be able to send e-mail without any checks
on what the DESTINATION domain is.
E.g. my IP address 212.55.198.205 is not listed in C so I could only
send a mail to somebody in one of the domains listed in your rcpthosts
file. But somebody with IP-Address 194.72.80.162 could send an email to
whatever destination address (s)he wants to, because RELAYCLIENT=""
tells qmail-smtpd to ignore rcpthosts for this connection.
> 2. Does vpopmail accept POP3 connections from
> anywhere, as there is no -x option?
Yes!
> 3. Does the lack of :deny in C: mean that the
> machine is an open relay? (If I add :deny and
No. A simple allow or deny just tells tcpserver to accept or reject a
connection, even before qmail-smtpd gets a chance to find out
where I want to send an e-mail to.
> rebuild the CDB, then nothing can make SMTP
> connections except the hosts in the file, which
As you experienced yourself, :deny will block any connection attempt.
:allow tells tcpserver to accept the connection. But then qmail-smtpd
will accept or reject the mail depending on whether the destination is
contained in rcpthosts or whether RELAYCLIENT is set, as I have
explained before.
> The thing is, I believe that qmail should be using
> rcpthosts to decide who can relay (rcpthosts contains
> a list of the virtual domains hosted there). Also, the
No. You cannot decide who is able to relay based on hostnames, but only
on the IP Address of who connects to the SMTP port.
> file /var/spool/pop3/etc/tcp.smtp.cdb is supposed to
> contain those IPs that are allowed to initiate POP3
> connections.
No. If you really need to restrict who can connect to your POP3 server, then
you need another cdb (e.g. tcp.pop3.cdb) where you would list the IPs who
are allowed to connect as 1.2.3.4:allow (there is no need for the RELAYCLIENT
thing) and a final :deny line, to disallow access to the POP3 server for
everybody else.
> 4. So am I right to assume I should take the -x option
> from A: and put it into B: instead? That way qmail will
No. Removing -x from A would mean that the RELAYCLIENT variable would
never be set, and thus qmail-smtpd would only accept mail for your
domains, and nobody would be allowed to relay.
Adding the -x to B wouldn't change anything, because it allows
connection to everybody, and only sets RELAYCLIENT for some IPs, but the
POP3 daemon doesn't behave any different whether RELAYCLIENT is present
or not.
claudio
--
Claudio Nieder, Kanalweg 1, CH-8610 Uster, Tel +41 79 357 6743
yahoo messenger: claudionieder aim: claudionieder icq:42315212
mailto:[EMAIL PROTECTED] http://www.claudio.ch
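
Added example, not part of the message above and not qmail or tcpserver code: a small Python model of the two-stage decision the reply describes (tcpserver's allow/deny rule first, then qmail-smtpd's RELAYCLIENT and rcpthosts check). The rules file contents, the rcpthosts entries and all function names are assumptions made for illustration; only the two IP addresses come from the message, and only exact-IP, dotted-prefix and default rules are modelled.

```python
# Simplified model of the two checks described in the message above.
# Assumption: only exact-IP, dotted-prefix and default (empty) rules are handled.

# Constructed rules in tcprules source syntax; not the poster's actual file.
TCP_SMTP = '''
194.72.80.162:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow
'''
RCPTHOSTS = {"example.com", ".example.org"}  # constructed; leading dot = subdomains

def parse_rules(text):
    """Return {address pattern: (action, env)} from tcprules source lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, instr = line.split(":", 1)
        action, *assigns = instr.split(",")
        # VAR="value": the character after '=' is the delimiter, so strip it
        env = {k: v[1:-1] for k, v in (a.split("=", 1) for a in assigns)}
        rules[addr] = (action, env)
    return rules

def tcpserver_lookup(rules, ip):
    """First match wins: full IP, then shorter dotted prefixes, then ''."""
    parts = ip.split(".")
    for cand in [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]:
        if cand in rules:
            return rules[cand]
    return ("allow", {})  # no rule at all: connection accepted, nothing set

def rcpt_allowed(domain):
    d = domain.lower()
    return d in RCPTHOSTS or any(
        d.endswith(e) for e in RCPTHOSTS if e.startswith("."))

def smtp_decision(ip, rcpt_domain, rules):
    action, env = tcpserver_lookup(rules, ip)
    if action == "deny":          # stage 1: tcpserver, before qmail-smtpd runs
        return "connection rejected by tcpserver"
    if "RELAYCLIENT" in env:      # stage 2a: rcpthosts is not consulted
        return "accepted: RELAYCLIENT set, any destination"
    if rcpt_allowed(rcpt_domain): # stage 2b: destination must be hosted here
        return "accepted: destination in rcpthosts"
    return "rejected by qmail-smtpd: destination not in rcpthosts"

RULES = parse_rules(TCP_SMTP)
```

Swapping the final `:allow` for `:deny` in the sample rules shows the effect discussed under question 3: unlisted hosts are refused at connect time, so they can no longer deliver mail even to hosted domains.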