Printable Version of Topic
Click here to view this topic in its original format
XMail Forum > Documentation and Knowledge Base > Smtp Relay And Spam


Posted by: hschneider Nov 3 2002, 10:50 AM
Scenario:
You want to run a public SMTP with a secured relay.

Solutions:

Generally:
- For your LAN users you CAN (if you want) set smtprelay.tab to the scope of your subnet. Members of that subnet are then able to relay without authentication.
- Domain members outside that scope MUST HAVE a valid user account in the XMail domain.
- Do NOT use mail-auth in your server.tab. This blocks all mails from other SMTPs, because they cannot
authenticate with your system. This authentication scheme is meant for private or complex public infrastructures. So make sure #"SmtpConfig" "mail-auth" remains commented out in your server.tab.

Pop_before_SMTP:
- When your users poll mail, they do a POP_before_SMTP, which authenticates them as valid users.
- XMail then opens the SMTP relay for a short time frame (900 sec by default) and only for that user.
- Make sure that #"EnableAuthSMTP-POP3"[TAB]0 is commented out with a # in your server.tab.

SMTP AUTH:
- Set "SMTP Server requires authentication" on your mail client.
- XMail automatically handles that client request and sends mail only to authenticated users.
- Make sure that "EnableAuthSMTP-POP3"[TAB]0 is NOT commented out with a # in your server.tab.

You can also allow both: Pop_before_SMTP and SMTP Auth for a more loose security policy.
If possible, you should prefer SMTP Auth only, since it is more secure.

Conclusion:
A spammer can only use the server's relay, if he has the username and password of a valid domain account or another backdoor.

To check your relay:
Use the following services:
http://www.mail-abuse.com/support/an_sec3rdparty.html
(just telnet to relay-test.mail-abuse.org from your server)
or if you want to test any other server go to:
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

Posted by: Bhozar Apr 11 2003, 12:05 PM
Useful guide. I just set smtp.ipmap.tab as
"0.0.0.0" "0.0.0.0" "ALLOW" 1

I make all internal network users authenticate to send email. It alows me to make a virus checking gateway on the internal network. If I was to allow relay for the internal network all spammers could send through the Sophos virus gateway.

Posted by: hschneider Apr 11 2003, 12:26 PM
Sorry -- this shot was too quick. Mistake by me.
If you deny this, you forbid access for other SMTPs. Then they might blacklist you.

So please leave
"0.0.0.0" "0.0.0.0" "ALLOW" 1

If smtprelay.tab is cleared and your clients use SMTP auth, everything is OK.
To veryfy, you can use the relay test under "usefule links"


Posted by: vld Apr 30 2003, 04:26 PM
If I leave smtp.ipmap.tab totally blank (empty file) is the same as "0.0.0.0" "0.0.0.0" "ALLOW" 1 ?
Thanks.

Posted by: hschneider Apr 30 2003, 06:33 PM
Yes, and this is OK for a public SMTP server.

If you limit this to e.g. the scope of your LAN, then XMail will deny mails from other SMTP servers and clients (it sends "Server doesn't like your IP" then). Since that point it's only a matter of time until you get blacklisted.

Posted by: vld Apr 30 2003, 10:16 PM
thanks! smile.gif

Posted by: blackz May 29 2003, 02:33 AM
sad.gif I want that who have our mail server account to use the smtp server, and don't want to change their email client setting(maybe there are 1000+ users). So I do with the pop-before-smtp. But I found that everyone can use our mail server to send mail. Do you have some suggest?

THX!!!

Posted by: dfitch May 29 2003, 05:00 AM
Clear the smtprelay.tab

D

Posted by: blackz May 29 2003, 05:08 AM
biggrin.gif ok, it's work.

Thank you!

Posted by: Jordan Dec 6 2003, 01:23 AM
I've got the server set up how it was explained in the first post of this message, however when i try to log-in to send mail it doesnt seem to work. my client just hangs until it gives me an error without and error message. Am i missing something?

Posted by: hschneider Dec 6 2003, 09:14 AM
Do a
telnet client_ip 25
then cut and paste the following:
CODE

helo TBIRD
Mail from: <maildiag@marketmix.com>
Rcpt to: <maildiag2@marketmix.com>
data  
from: <maildiag@marketmix.com>
to: <maildiag2@marketmix.com>
subject: test  


This is a test ...  

.
quit


Just replace sender and recipient, but leave all <> intact.
What does the server reply ?

Powered by Invision Power Board (http://www.invisionboard.com)
© Invision Power Services (http://www.invisionpower.com)