
Block all but 1 host and still allow authenticated users?

Jul 27, 2004
I am using SMTP authentication for my users which are all external.
What I want to do is block all mail hosts from sending incoming except another external gateway mail server I have.
Can this be done without blocking my users also?
I guess what I need to do is deny everyone and allow that host mail.domain.com.
Will my users still be able to connect?
I guess what I am wondering is can SMTP authentication override whatever white or blacklist I need?
 
Hmm,
The proposed ruleset is
"Allow relay for a specific IP"
"Allow 127.0.0.1"
"Allow everybody who can authenticate on any IP"
"Deny everybody who cannot authenticate on any IP"

You could try building it this way

# allow trusted IP to relay
10.1.1.1:allow,RELAYCLIENT=""
# allow localhost to relay
127.0.0.:allow,RELAYCLIENT=""

The problem now is that the last two rules conflict. You cannot say "allow everyone to connect but I don't want everyone to connect who cannot authenticate". Remember that the issue here is that you are telling "tcpserver" what it is allowing to connect to qmail-smtpd. qmail-smtpd is the service that does the password checking. Thus you either allow every IP to reach you or you don't - irrespective of authentication.

My recommendation is that you do NOT define a public MX (DNS) record for this particular server. This will allow you to add the third line to tcp.smtp
:allow

This will require authenticated connections but will not be selective about the IP they originate from.

The "private" mail server will now accept mail from your trusted IP, localhost, and any clients/hosts that know the server IP to be an SMTPD server for your domains.

The only material downside to this is if you are sending outbound mail directly from this machine. Many Internet MTAs will complain that they do not like mail being sent to them from hosts with no MX record - this is synonymous with zombie cable/dsl hosts spewing spam.

You would fix this by having your outgoing mail relayed through a trusted ISP's SMTPd or through an SMTPd that you run that does have an MX record.
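To make the rule ordering concrete, here is an added example (not from the original thread) that simulates how tcpserver looks up a client IP in the proposed tcp.smtp rules and what that means for relaying. It is a simplified model: hostname-based rule forms are ignored, and a successful SMTP AUTH is modelled as granting RELAYCLIENT, so a client that is denied at the tcpserver level never gets the chance to authenticate.

```python
"""Simulate tcpserver's tcp.smtp lookup for the rule sets in this thread."""
import re

# Constructed rule sets: the ":allow" default recommended in the thread,
# and the ":deny" default that conflicts with SMTP authentication.
TCP_SMTP_OPEN = """
# allow trusted IP to relay
10.1.1.1:allow,RELAYCLIENT=""
# allow localhost to relay
127.0.0.:allow,RELAYCLIENT=""
:allow
"""
TCP_SMTP_CLOSED = TCP_SMTP_OPEN.replace("\n:allow", "\n:deny")

RULE_RE = re.compile(r'^([^:]*):(allow|deny)((?:,[A-Z_]+="[^"]*")*)$')

def parse_rules(text):
    """Return {prefix: (action, env)}; '#' comment lines and blanks are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("bad tcprules line: %r" % line)
        env = dict(re.findall(r'([A-Z_]+)="([^"]*)"', m.group(3)))
        rules[m.group(1)] = (m.group(2), env)
    return rules

def match_rule(rules, ip):
    """Lookup order: exact IP, then shorter dotted prefixes, then the '' default."""
    parts = ip.split(".")
    candidates = [ip] + [".".join(parts[:n]) + "." for n in range(len(parts) - 1, 0, -1)]
    candidates.append("")
    for key in candidates:
        if key in rules:
            return rules[key]
    return ("allow", {})  # assumption: with no matching rule tcpserver proceeds as usual

def smtp_outcome(rules, ip, authenticated=False):
    """Return (connected, may_relay) for a client at ip.

    tcpserver decides allow/deny before qmail-smtpd starts, so a denied
    client cannot authenticate.  Relaying needs RELAYCLIENT from the rule
    or (modelled here) a successful SMTP AUTH inside qmail-smtpd.
    """
    action, env = match_rule(rules, ip)
    if action == "deny":
        return (False, False)
    return (True, "RELAYCLIENT" in env or authenticated)
```

With the ":allow" default, an unlisted IP can connect but only relays after authenticating; with ":deny", that same authenticated user is refused before qmail-smtpd ever sees the password.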