Re: master.cf question with SASL

  • mouss
    Message 1 of 3, Sep 1, 2008
      Jake Vickers wrote:
      > I currently have all my users using the submission port for outgoing
      > mail.

      good.

      > They cannot send on port 25 at this time, and according to all of
      > the online tests I have tried I am not an open relay or backscatter
      > sprayer.
      > My master.cf currently shows:
      >
      > smtp      inet  n       -       -       -       -       smtpd
      >   -o smtpd_use_tls=no
      >   -o smtpd_sasl_auth_enable=no
      >   -o content_filter=smtp-amavis:[127.0.0.1]:10024
      >
      > If I change smtpd_sasl_auth_enable to yes, it allows some devices
      > (handhelds, Treo, etc.) to send on port 25 if authenticated, but I want
      > to make sure that this does not turn me into a relay or anything before
      > doing so. I have attempted to relay through it while it's enabled, and
      > they were denied. I decided to err on the side of caution and check
      > with the experts here before "just doing it" in case there were any
      > pitfalls or gotchas I do not know about.
      >


      open relay is when you relay mail for "strangers". if you relay mail for
      your users, that's not open relay.

      relay control is done in smtpd_recipient_restrictions. a common
      sasl-enabled setup looks like this:

      smtpd_recipient_restrictions =
          permit_mynetworks
          permit_sasl_authenticated
          reject_unauth_destination
          ...

      so relay is allowed from mynetworks and for authenticated senders. if
      all your users must authenticate, then configure mynetworks to only
      include those servers that need to relay without authentication. For
      example:

      mynetworks = 127.0.0.1

      if you have internal machines that need to relay via port 25 and can't
      (or shouldn't) authenticate, then add them to mynetworks.
    • Jorey Bump
      Message 2 of 3, Sep 1, 2008
        Jake Vickers wrote, at 09/01/2008 10:08 AM:
        > I currently have all my users using the submission port for outgoing
        > mail. They cannot send on port 25 at this time, and according to all of
        > the online tests I have tried I am not an open relay or backscatter sprayer.
        > My master.cf currently shows:
        >
        > smtp      inet  n       -       -       -       -       smtpd
        >   -o smtpd_use_tls=no
        >   -o smtpd_sasl_auth_enable=no
        >   -o content_filter=smtp-amavis:[127.0.0.1]:10024
        >
        > If I change smtpd_sasl_auth_enable to yes, it allows some devices
        > (handhelds, Treo, etc.) to send on port 25 if authenticated, but I want
        > to make sure that this does not turn me into a relay or anything before
        > doing so. I have attempted to relay through it while it's enabled, and
        > they were denied. I decided to err on the side of caution and check
        > with the experts here before "just doing it" in case there were any
        > pitfalls or gotchas I do not know about.

        In addition to what mouss said, be sure to allow only secure
        authentication mechanisms, so that passwords aren't sent in the clear.
        You indicate this is for road warriors, who may not always be on a
        secure network. Ideally, you'll want to encrypt the entire
        communication, if the target devices support it.
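The following is an added example, not code from this thread or from Postfix itself. It models the two points made above: mouss's explanation that relay control lives in the ordered `smtpd_recipient_restrictions` list (so enabling SASL on port 25 only adds a way for *authenticated* clients to relay), and Jorey's advice to allow only secure mechanisms. `evaluate()` walks a restriction list the way Postfix does for one RCPT TO, and `audit_auth()` reports whether the `smtpd_sasl_security_options` / `smtpd_tls_auth_only` / `smtpd_tls_security_level` settings would let PLAIN or LOGIN credentials travel unencrypted. The two `main.cf` fragments, the client addresses, and the user name `jake` are all constructed for the demonstration; only the three restrictions named in the thread are modeled.

```python
"""Added example, not code from the thread or from Postfix. It models the
two controls discussed above: evaluate() walks smtpd_recipient_restrictions
in order, as mouss describes, and audit_auth() checks the main.cf settings
that Jorey's advice about secure mechanisms maps onto. Every config fragment
and session value here is constructed for the demonstration."""
import ipaddress

# Constructed main.cf fragment in the order mouss recommends, plus the
# SASL/TLS settings that keep passwords off unencrypted sessions.
GOOD_CF = """
mydestination = example.com, localhost
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
"""

# Constructed counter-example: restriction order swapped, and PLAIN/LOGIN
# offered with no TLS at all.
WEAK_CF = """
mydestination = example.com, localhost
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = none
smtpd_sasl_security_options = noanonymous
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues
    the previous parameter (main.cf convention). Values become token lists."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            params[key].extend(raw.replace(",", " ").split())
        else:
            key, _, value = raw.partition("=")
            key = key.strip()
            params[key] = value.replace(",", " ").split()
    return params

def evaluate(params, client_ip, sasl_user, recipient):
    """Return (verdict, deciding restriction) for one RCPT TO, walking the
    list in order. Only the three restrictions from the thread are modeled;
    on a port with smtpd_sasl_auth_enable=no, sasl_user is always None."""
    nets = [ipaddress.ip_network(n) for n in params["mynetworks"]]
    local = {d.lower() for d in params["mydestination"]}
    ip = ipaddress.ip_address(client_ip)
    rcpt_domain = recipient.rpartition("@")[2].lower()
    for r in params["smtpd_recipient_restrictions"]:
        if r == "permit_mynetworks" and any(ip in n for n in nets):
            return "PERMIT", r
        if r == "permit_sasl_authenticated" and sasl_user:
            return "PERMIT", r
        if r == "reject_unauth_destination" and rcpt_domain not in local:
            return "REJECT", r
    return "PERMIT", "end-of-list"   # Postfix's implicit default at the end

def is_open_relay(params):
    """True if an unauthenticated stranger can relay to a foreign domain."""
    verdict, _ = evaluate(params, "203.0.113.9", None, "someone@other.example")
    return verdict == "PERMIT"

def audit_auth(params):
    """Findings about SASL credentials on the wire. Postfix defaults assumed
    for parameters absent from the fragment (tls_auth_only=no, level=none)."""
    get = lambda k, d: " ".join(params.get(k, d.split()))
    findings = []
    if get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings
    tls_level = get("smtpd_tls_security_level", "none")
    tls_only = get("smtpd_tls_auth_only", "no") == "yes"
    opts = params.get("smtpd_sasl_security_options", ["noanonymous"])
    if tls_level == "none":
        findings.append("no TLS offered: neither credentials nor mail can be encrypted")
        if tls_only:
            findings.append("smtpd_tls_auth_only=yes with no TLS: AUTH can never succeed")
    if "noplaintext" not in opts and not (tls_only and tls_level != "none"):
        findings.append("PLAIN/LOGIN offered on unencrypted sessions: passwords in the clear")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD_CF", GOOD_CF), ("WEAK_CF", WEAK_CF)):
        p = parse_main_cf(text)
        print(name, "open relay:", is_open_relay(p))
        print(name, "authenticated road warrior:",
              evaluate(p, "203.0.113.9", "jake", "someone@other.example"))
        print(name, "audit:", audit_auth(p) or "ok")
```

Running it shows why the thread's answers fit together: neither fragment is an open relay (a stranger sending to a foreign domain hits `reject_unauth_destination` in both), but in `WEAK_CF` the authenticated road warrior is rejected too, because `reject_unauth_destination` is evaluated before `permit_sasl_authenticated`; order in the list is the whole mechanism. The audit of `WEAK_CF` flags that PLAIN/LOGIN are offered with no TLS, which is exactly the password-in-the-clear situation Jorey warns about, while `GOOD_CF` passes because plaintext mechanisms are withheld until the session is encrypted.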