Re: preventing relaying from outside?
On Thu, 2 Oct 1997, torben fjerdingstad wrote:
> allow relaying
> from our nets to our nets.
> from our nets to all outside nets.
> from all outside nets to our nets.
> deny relaying
> from all outside nets to all outside nets
>
> Netmasks are necessary, because we have some subnets of a class B net
> and some subnets of a class C net.
>
> I don't see how that can be achieved with qmail.

another case of not reading the docs through. Qmail was built to do JUST
THAT. rcpthosts doesn't default to allow but to block. you put only the
hosts for which you want to RECEIVE for (for instance your main mail
server), that will block all mail coming from uunet with an envelope
recipient for, say, AOL, since aol is not in your rcpthosts. so far so
good?

second part is getting your internal network to be able to send mail to
the world through that gateway, your user wants to mail that AOL server,
but aol is not in your RCPTHOSTS (naturally), that's when the FAQ comes
and explains how to set RELAYCLIENTS in your tcp wrapper (either tcpd or
tcpcontrol), and allow that user to send mail out.

if you are an ISP you might consider the following though: your users may
be spammers themselves, and use OTHER ISPs' RELAYS! block outgoing
sessions to port 25 of remote machines except for your mail gateway, they
will have to send through you, you'll have the logs if needed. if you want
to be REALLY fascistic, I'd make sure outgoing mail has a from as well as
return addresses of your local domain(s) only, other messages will either
bounce or get the header rewritten to the local domain...

good luck :)
-------------------------------------------------------------------------
Ira Abramov <ira(a)scso.com> (mail ira-pgp(a)scso.com for the PGP key)
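
The relay policy discussed in this message, as an added example that is not part of the original post and is a model rather than qmail's own code. The networks, domains and addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread):
# one subnet of a class B net and one subnet of a class C net.
OUR_NETS = [ipaddress.ip_network(n) for n in ("172.16.8.0/22", "192.0.2.64/26")]
# Domains we accept mail FOR; a leading dot is a wildcard for subdomains.
RCPTHOSTS = ["example.org", ".example.org"]


def is_relay_client(client_ip):
    """Model of the TCP wrapper step: trusted client networks are the ones
    for which the relay exemption would be set."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in OUR_NETS)


def rcpt_host_allowed(rcpt):
    """Model of the rcpthosts lookup on the envelope recipient."""
    if "@" not in rcpt:
        return True  # no domain part, treated as local
    domain = rcpt.rsplit("@", 1)[1].lower()
    for entry in RCPTHOSTS:
        if entry.startswith("."):
            if domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def accept_rcpt(client_ip, rcpt):
    """Trusted clients may send anywhere; everyone else may only send to
    recipients in domains we host."""
    return is_relay_client(client_ip) or rcpt_host_allowed(rcpt)


def policy_matrix():
    """The four cases from the quoted question, as (description, accepted)."""
    inside, outside = "172.16.9.5", "203.0.113.7"
    ours, theirs = "user@example.org", "user@aol.example"
    return [
        ("our nets -> our nets", accept_rcpt(inside, ours)),
        ("our nets -> outside nets", accept_rcpt(inside, theirs)),
        ("outside nets -> our nets", accept_rcpt(outside, ours)),
        ("outside nets -> outside nets", accept_rcpt(outside, theirs)),
    ]


if __name__ == "__main__":
    for case, accepted in policy_matrix():
        print(f"{case:32s} {'allow' if accepted else 'deny'}")
```
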