Anti Relaying delivery rules

Status
Not open for further replies.

platon

Technical User
Jan 2, 2003
Hello together,
I am trying to set up the Netscape Antirelay Plugin.
I was successful in installing it and even running it.
But the problem is I am able to send only to those people whose domain I have added in delivery rules
--------------------------------------------------------------
installed version nms 4.15 sp 7
--------------------------------------------------------------
please help me !!!

thanks
 
How do you want it configured? I have 4.15 set up on a RedHat machine, and it will relay mail if you match a listed IP address, are sending to a local domain, or successfully authenticate. (That last part was a little tricky to set up, since the setting in Netscape Console is really backward from what I'd expect.)

Here's what my antirelay.conf file looks like (with a few obvious changes to protect the innocent, plus comments to help understand):

Code:
# Anti-relay configuration file for server whatever.localdomain.com
resolvehostnames:1
# Not sure you need that one, but it's there ...
useauthinfo:1
# Allows the use of SMTP AUTH
advertiseauthinfo:0
# Prevents the server from saying something like "Why don't you try AUTHing?" if you're prevented from relaying

# We accept mail addressed to these recipients:
delivery:*@localdomain.com
# Just list your local domains

# We relay messages coming from these hosts:
submission:*.localdomain.com
# would allow anyone who reverse lookups to *.localdomain.com
submission:127.0.0.1
# to allow the server to send mail itself
submission:1.2.3.*
# allows relaying from IP addresses in 1.2.3.*
submission:4.5.6.7
# allows relaying only from IP 4.5.6.7
# add more IPs as you need

That's it. Pretty simple. You may need to stop and start SMTP if you make changes to the configuration of the SMTP service itself. (If you make changes to antirelay.conf, you don't need to restart SMTP.)

Hope this helps!
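
Added example, not part of the thread and not the plugin's own code: a small Python model of the three relay rules described in the post above (local recipient, listed client, or successful AUTH), run against a constructed antirelay.conf. The function names, the shell-style reading of `*`, and the rule that hostnames only count when `resolvehostnames` is 1 are assumptions made for illustration.

```python
import fnmatch

# Constructed sample in the format of the post above (not a real server's file).
SAMPLE_CONF = """\
resolvehostnames:1
useauthinfo:1
advertiseauthinfo:0
delivery:*@localdomain.com
submission:*.localdomain.com
submission:127.0.0.1
submission:1.2.3.*
submission:4.5.6.7
"""

def parse_antirelay(text):
    """Parse key:value lines; '#' lines are comments, repeated keys accumulate."""
    conf = {"delivery": [], "submission": [], "flags": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key in ("delivery", "submission"):
            conf[key].append(value.lower())
        else:
            conf["flags"][key] = value
    return conf

def _matches(patterns, candidate):
    # Assumption: '*' is a shell-style wildcard and matching ignores case.
    return any(fnmatch.fnmatchcase(candidate.lower(), p) for p in patterns)

def relay_decision(conf, client_ip, client_host, rcpt, authenticated=False):
    """Return (accepted, reason) for one RCPT TO, per the three rules in the post."""
    if _matches(conf["delivery"], rcpt):
        return True, "recipient matches a delivery rule"
    names = [client_ip]
    if client_host and conf["flags"].get("resolvehostnames") == "1":
        names.append(client_host)  # assumption: hostnames count only when resolved
    if any(_matches(conf["submission"], n) for n in names):
        return True, "client matches a submission rule"
    if authenticated and conf["flags"].get("useauthinfo") == "1":
        return True, "authenticated sender"
    return False, "relay denied"

def audit(conf):
    """List rules broad enough to make the server an open relay."""
    wide = {"*", "*@*", "*.*", "*.*.*.*"}
    return [f"{k}:{p}" for k in ("delivery", "submission") for p in conf[k] if p in wide]
```

An unlisted client sending to an outside domain is denied unless it authenticates, which is the behaviour the original question describes; `audit` is a quick check that no catch-all rule has crept into the file.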
 
Hello pixboy,
How did you get SMTP working with user authentication? (I have 4.15 set up on a RedHat machine, and it will relay mail if you match a listed IP address, are sending to a local domain, or successfully authenticate. (That last part was a little tricky to set up, since the setting in Netscape Console is really backward from what I'd expect.))

Could you tell me about it?

greetings guenter
 
Probably the best source of information for NMS 4.1 is the administrator's guide. You can download the PDF version here:


Or view the HTML version online at:


Just look for "auth". It takes some fiddling to get it to work, but it does work. The biggest thing I had problems with was the backward nature of the encryption length. In my mind, it made sense to require an encrypted password. So in Netscape Console, I told it to require a 40-bit encrypted password. Then it'd never work. After I told it to require a zero-bit encrypted password (yes, that doesn't really make sense, but you get the idea), then it worked. Otherwise, it never did any AUTH at all.

Let me know if you need some more pointers. The administrator's guide is pretty good. Just remember that after you make config changes, you probably have to bounce the service itself.
 
Hello pixboy,
Thanks for the links. I tried a lot of the possibilities, but it doesn't work at all. I also tried your solution with the zero-bit encrypted password, starting and stopping the services after the different changes, without any success. So that you understand my situation, we have installed the server as follows:
Our single mail server, NMS 4.15, has just a few clients (8) with the client domains.
The server works with the UBE plugin and the antirelay plugin.
The antirelay plugin works fine, but the problem is I am able to send only to the domains which I have added in the delivery rules. So if a client sends mail for the domain @xyz.com and we didn't "register" that domain in the delivery rules, the client couldn't send the mail.
So my idea was to force client authentication for the SMTP service.
I did it once via the messaging server >> smtp services (checkbox allow password login); I also tried to do this via the console.
I just have one group which is allowed to send to certain people, and the checkbox .. only allow senders with smtp authentication is active.
At the moment I have no idea for blocking unauthorised access to our SMTP service at the protocol level. The UBE filter works fine; no person (just those which are listed in the UBE configuration) could send through our server.
Maybe you understand me a bit better now.
Thanks for any suggestion

guenter

 
Hmm ... Do you have any sort of packet sniffing software (such as Ethereal or tcpdump on a Linux/Unix box)? The way I was finally able to pin down that the AUTH features weren't working was to capture a transaction between me and the server.

The e-mail client that's making the connection to the server needs to send an EHLO, not HELO as the first command. If it doesn't, it can't AUTH. If the server gets a HELO first, it doesn't do the ESMTP stuff like AUTH.

That's probably a place to start.

Where are you getting rejected? Is it after the message is accepted by the SMTP server? If that's the case, it may be something with the UBE filters. You _may_ need to list the domains in the UBE filter. The older (3.6) version of NMS we use in production has to have every domain we handle mail for listed in a filter. Otherwise, it'll reject the message. The messages are (unfortunately) accepted first, then rejected -- post-SMTP accept. NMS 4.15 can do that at the protocol level, so if you're trying to relay illegally, it'll reject before you even send the data.

In NMS 3.6, here's two sample filter lines for the domains:

Code:
:ChkRcpt Channel-To:envonly "[.@] (domain1|domain2|domain3|domain4)\.com>" !JUMP "Bounce2"
Host-From:envonly       ".*"    JUMP    "someotherplace"
:Bounce1        Host-From:envonly       ".*"    REJECT  "1 - no relaying, only mail destined for MyCompany and its email users is accepted by this mail server"
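
Added example, not part of the thread: the capture-and-read check described in the post above, written as a Python function that takes an SMTP session already extracted from a packet capture and reports whether the client sent EHLO, whether AUTH was advertised and completed, and where the RCPT was rejected. The two sessions, their host names and reply texts are constructed, and the `C:`/`S:` line prefixes are an assumed transcript format.

```python
# Constructed sessions ("C:" client, "S:" server), as read out of a packet capture.
HELO_SESSION = """\
S: 220 mail.localdomain.com ESMTP
C: HELO client.example.net
S: 250 mail.localdomain.com
C: MAIL FROM:<user@localdomain.com>
S: 250 ok
C: RCPT TO:<someone@xyz.com>
S: 550 relaying denied
"""
EHLO_SESSION = """\
S: 220 mail.localdomain.com ESMTP
C: EHLO client.example.net
S: 250-mail.localdomain.com
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN (credentials removed)
S: 235 authenticated
C: MAIL FROM:<user@localdomain.com>
S: 250 ok
C: RCPT TO:<someone@xyz.com>
S: 250 ok
"""

def diagnose(capture):
    """Return (finding, rcpt_reply_codes) for one captured SMTP session."""
    greeting, offered, attempted, authed, rcpt = None, False, False, False, []
    last_cmd = ""
    for line in capture.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            last_cmd = text.split(" ", 1)[0].upper()
            if greeting is None and last_cmd in ("HELO", "EHLO"):
                greeting = last_cmd
            attempted = attempted or last_cmd == "AUTH"
        elif side == "S":
            if last_cmd == "EHLO" and text.upper().startswith(("250-AUTH", "250 AUTH")):
                offered = True
            elif text.startswith("235"):
                authed = True  # 235: authentication succeeded
            elif last_cmd == "RCPT":
                rcpt.append(text[:3])
    if greeting != "EHLO":
        return "no EHLO: AUTH was never negotiated", rcpt
    if authed:
        return "client authenticated", rcpt
    if attempted:
        return "AUTH attempted but not accepted", rcpt
    if not offered:
        return "EHLO sent, but server did not advertise AUTH", rcpt
    return "AUTH offered, but client never tried it", rcpt
```

A 5xx code in the second element shows the rejection happened at RCPT, at the protocol level, rather than after the message was accepted.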

 
If you are using Outlook or Outlook Express for your mail you also have to tell the mail client to "use authentication" when sending mail. Netscape does this automatically. In Outlook Express the setting is under account, then click the advanced tab (if I remember correctly).

Good luck....
 