Smtp Relay And Spam, How to secure your SMTP server

Scenario:
You want to run a public SMTP with a secured relay.

Solutions:

Generally:
- For your LAN users you CAN (if you want) set smtprelay.tab to the scope of your subnet. Members of that subnet are then able to relay without authentication.
- Domain members outside that scope MUST HAVE a valid user account in the XMail domain.
- Do NOT use mail-auth in your server.tab. This blocks all mails from other SMTPs, because they cannot
authenticate with your system. This authentication scheme is meant for private or complex public infrastructures. So make sure #"SmtpConfig" "mail-auth" remains commented out in your server.tab.

Pop_before_SMTP:
- When your users poll mail, they do a POP_before_SMTP, which authenticates them as valid users.
- XMail then opens the SMTP relay for a short time frame (900 sec by default) and only for that user.
- Make sure that #"EnableAuthSMTP-POP3"[TAB]0 is commented out with a # in your server.tab.

SMTP AUTH:
- Set "SMTP Server requires authentication" on your mail client.
- XMail automatically handles that client request and sends mail only to authenticated users.
- Make sure that "EnableAuthSMTP-POP3"[TAB]0 is NOT commented out with a # in your server.tab.

You can also allow both: Pop_before_SMTP and SMTP Auth for a more loose security policy.
If possible, you should prefer SMTP Auth only, since it is more secure.

Conclusion:
A spammer can only use the server's relay, if he has the username and password of a valid domain account or another backdoor.

To check your relay:
Use the following services:
http://mail-abuse.org/tsi/ar-test.html
(just telnet to relay-test.mail-abuse.org from your server)
or if you want to test any other server go to:
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

Useful guide. I just set smtp.ipmap.tab as
"0.0.0.0" "0.0.0.0" "ALLOW" 1

I make all internal network users authenticate to send email. It alows me to make a virus checking gateway on the internal network. If I was to allow relay for the internal network all spammers could send through the Sophos virus gateway.

Sorry -- this shot was too quick. Mistake by me.
If you deny this, you forbid access for other SMTPs. Then they might blacklist you.

So please leave
"0.0.0.0" "0.0.0.0" "ALLOW" 1

If smtprelay.tab is cleared and your clients use SMTP auth, everything is OK.
To veryfy, you can use the relay test under "usefule links"

If I leave smtp.ipmap.tab totally blank (empty file) is the same as "0.0.0.0" "0.0.0.0" "ALLOW" 1 ?
Thanks.

Yes, and this is OK for a public SMTP server.

If you limit this to e.g. the scope of your LAN, then XMail will deny mails from other SMTP servers and clients (it sends "Server doesn't like your IP" then). Since that point it's only a matter of time until you get blacklisted.

thanks!

I want that who have our mail server account to use the smtp server, and don't want to change their email client setting(maybe there are 1000+ users). So I do with the pop-before-smtp. But I found that everyone can use our mail server to send mail. Do you have some suggest?

THX!!!

Clear the smtprelay.tab

D

ok, it's work.

Thank you!

I've got the server set up how it was explained in the first post of this message, however when i try to log-in to send mail it doesnt seem to work. my client just hangs until it gives me an error without and error message. Am i missing something?

Do a
telnet client_ip 25
then cut and paste the following:

Just replace sender and recipient, but leave all <> intact.
What does the server reply ?