Allow IP Block to send mail through my SMTP server

keefe007

Is there a way I can allow a specific IP block to always be able to send mail through a DirectAdmin mail server?

I am working with an ISP that would like this setup.
 
You'd need to modify your exim configuration to allow relaying. grep for relay in your /etc/exim.conf where you'll find all you need. Hosts can be specified using CIDR notation, i.e. 1.2.3.4/24 etc.
 
A bit simplistic, squirrelhost.

Sure you can add another IP# or IP#s to the line:
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
with this format:
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1 : 12.34.56.78
but that's not going to open up all relaying; if you read the default exim.conf file carefully you'll see there are still certain tests before relaying is allowed; failing those tests results in relaying not being allowed.

Of course you could specify auth_relay_hosts similarly, but even that will result in relaying being denied under certain conditions.

So a bit of rewriting of the ACL logic is required...

but ...


keefe007,

I'm not going to ask why an ISP would prefer this setup; do they require everyone in the world to make changes affecting the security of their mailserver? Or just you? Doesn't make much sense unless you explain exactly what you and the ISP are trying to do.

Sooner or later if you open up an IP block to relaying you're going to have a problem. And it's not the ISP that's going to be held responsible; it's you.

Jeff
 
This ISP currently uses a third-party service for their email hosting. The third-party hosting service will only relay email for domains it hosts, whether the sending users are authenticated or not.

The ISP has customers who have webhosted and/or client exchange servers which need to send mail out via an SMTP server. They would like a mail server that these users can use to send mail out without being authenticated (because not all clients/applications support authentication).
 
Sounds like the excuse Verizon used to give before they saw the light and realized they were losing all their business clients.

They say this to force their clients into buying webhosting from them.

If they're not allowing anyone access to your server on port 587, they don't deserve to be an ISP. I'd bet they are allowing it, since if they're not they're going to find themselves being blocked from a big piece of the Internet as "RFC-ignorant".

So install SpamBlocker 2, and let your clients use authenticated SMTP on port 587.

If any of your clients are using mail programs that are so RFC-ignorant as to not know how to do authentication I'd find them highly suspect, and dangerous, since their RFC-ignorant mail programs are going to be hacked and you're going to be blamed for the traffic.

What you're saying is that your ISP doesn't want to be responsible for possible spam originating on their network; instead they want you to be responsible for it.

Oh well.

Do what makes your customers happy. Be aware of the dangers.

Jeff
 
How do I accomplish setting up the mail server to allow this block to be relayed without authentication?

There are *many* devices in the world that don't support smtp auth. Things like Raid Cards, DVR servers, APC Masterswitches, etc, and many other devices that only let you give it an SMTP server to send out alerts. Additionally, exchange doesn't support relaying through a mail server which requires auth and in-house Exchange servers are popular here.

I agree with you that people should make these clients/devices support auth, but they don't and we have to work around this. This is the reason most ISPs still run mail servers that will relay for anything within their IP space. Even SBC still has one.
 
You can modify exim.conf; as I said, it isn't simplistic at all.

One of the changes would need to specify the IP block, but there's of course a little more to do; no-one says there isn't.

Look for all instances of relaying control in the exim.conf and you can figure out what to do.

Authentication can be switched off for relaying hosts; it can be switched off for all hosts, or some hosts.

Exim is a really simple MTA with a quite simple configuration, which probably explains its popularity.
 
keefe007 said:
> How do I accomplish setting up the mail server to allow this block to be relayed without authentication?
I shall leave that for someone else to respond.
> There are *many* devices in the world that don't support smtp auth. Things like Raid Cards, DVR servers, APC Masterswitches, etc, and many other devices that only let you give it an SMTP server to send out alerts.
And these devices can either be configured to use an MTA (mail server) on their own system, or to use a mailserver on the system hosting the email address they're trying to send to; either of which will work in your scenario.
> Additionally, exchange doesn't support relaying through a mail server which requires auth and in-house Exchange servers are popular here.
In-house MS Exchange servers are popular everywhere. That doesn't mean they aren't severely broken. Knowledgeable Exchange admins know how to resolve the difficulty by having a smarthost on the same system.
> I agree with you that people should make these clients/devices support auth, but they don't and we have to work around this. This is the reason most ISP's still run mail servers that will relay for anything within their IP space. Even SBC still has one.
Sure. You're making my point. What an ISP needs to do is relay for its own users no matter their return address.

ISPs that don't have to learn the hard way that they lose users that way.

I still don't understand the specific scenario you have that requires you do what you do.

Are you the ISP? If so you probably need something a lot more customized than DA provides you with.

We're in the business of server administration and customization; we'd be happy to write you a custom exim.conf file. You can probably find someone on the exim-users list to help you.

Jeff
 
Listen, I'm just trying to get this ISP get this done. It doesn't matter if you, I, or anyone else thinks it's the right/wrong way - they want it done.

> And these devices can either be configured to use an MTA (mail server) on their own system, or to use a mailserver on the system hosting the email address they're trying to send to; either of which will work in your scenario.

Firstly, none of these devices have MTAs available on their own system, which is why we are trying to create one. Secondly, how exactly are devices that don't support smtp-auth and don't support pop (therefore don't support pop-before-smtp) going to authenticate to be able to send mail through the system hosting the email address?

> Sure. You're making my point. What an ISP needs to do is relay for it's own users no matter their return address.

This is exactly what they are trying to accomplish. How can this be done with DA?

The ISP currently has NO mail server setup on their network because they are hosting @ispdomain.com email with Godaddy. (Obviously against my advisement)

This is the reason why they are needing something to do the relaying for all other mail coming from within their network.
 
> Firstly, none of these devices have MTA's available on their own system, which is why we are trying to create one. Secondly, how exactly are devices that don't support smtp-auth and don't support pop(therefore don't support pop-before-smtp) going to authenticate to be able to send mail through the system hosting the email address?
You don't need to be authorized to send email to an address on the server that hosts that address. You just connect via port 25 and send the email. If the address exists on that server it will be accepted and delivered. If this didn't work then no mailserver would be able to accept email for its own addresses.
> This is exactly what they are trying accomplish. How can this be done with DA?
I think I'm beginning to understand. The ISP is using DA and needs to configure the exim mail server on DA to act as its mailserver.

Are you the ISP? Or working on a DA server for the ISP?

If you read the last two paragraphs of my last post again you'll see I've already written that in this situation you need a customized exim.conf file designed for an ISP.

That's very different from what DA does.

Yes, you can have a custom exim.conf file written that will work for both.

Teaching you how to do it is well beyond the scope of the DA forum.

You can hire someone, get someone to do it at no charge, or learn how to do it yourself. A good place to start is probably with the Exim book from AITCambridge (I think that's the publisher's name; I don't have my notes handy). Definitely NOT the exim book from O'Reilly; it's for an older version of Exim.

You can even attend Exim classes; I know they hold them regularly in the UK, and I believe they've held one in the U.S.

And of course you can write the exim-users mailing list; they were very helpful to me when I was using exim; hopefully they can be helpful to you as well.

I already wrote that we're in the business of doing custom exim configurations (among other things) so it's likely we're not going to at no charge either write a customized exim.conf file for you, or teach you on this forum (which would be the wrong place for it) how to do it yourself.

Perhaps someone else will respond and help you.

Just don't forget that you have to accomplish this without breaking the DA-required functionality.

Jeff
 
I'm not the ISP, I'm just trying to get them out with a few things.

What would squirrel's first suggestion do for us?
 
The exim docs list which controls are available:

The options described in this chapter control three stages of checking that are applied to an incoming SMTP message:

1. At the start of an SMTP connection, a check on the remote host is made, leading to one of the following conclusions:
1. No mail whatsoever is acceptable from the remote host.
2. The remote host is permitted to send messages to local recipients only, but is not permitted to use the local host as a relay.
3. The remote host is permitted to send messages to local recipients, and can also use the local host as a relay to certain specified domains only.
4. The remote host is permitted to send mail to any recipient.

Each of these is described in detail, and in your case you'd want number 3.

all the docs are online at www.exim.org

(there are printed handbooks too )
 
If you're not the ISP then I'm confused.

Is the ISP using DA?

If not, are you using your server for their email?

You can see how it's done by looking at the code in exim.conf that handles the POP before SMTP authentication; it would work the same way but the IP#s wouldn't expire.

I'll probably never put the code into SpamBlocker, but I may add it and an interface to the upcoming commercial MailBlocker Pro.

Jeff
 
My mailserver is behind a firewall, and I relay through a netbsd server running sendmail.

I've no interest in the MTA people sending me are using - my yahoo mail (they've customised qmail on their servers), they can happily get through to my mailserver.

Anyone using webmail on the mailserver can mail the world if they like.

This is quite normal.
 
The ISP currently has NO in-network mail server so they are looking for something easy to setup and administrate.

What is your Mailblocker Pro going to all include?
 
MailBlocker pro will include:

SpamBlocker totally configurable by domain
VirusBlocker totally configurable by domain
Plugin based interface

But I don't see it as a good solution for an ISP unless they also need DA for webhosting.

Personally, for a mailserver configurable for an ISP, I'd start with Virtual Exim (Vexim).

Jeff
 
Thanks for the suggestions.

When are you planning to release mailblocker pro?
 
>>Is there a way I can allow a specific IP block to always
>>be able to send mail through a DirectAdmin mail server?

>>I am working with an ISP that would like this setup.

We are an ISP and do the exact thing you request with DA and exim.

First modify exim.conf like so:

# define local lists

domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
# hosts matched here (pophosts, the new relay_ips file, or localhost) may relay
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : /etc/virtual/relay_ips : 127.0.0.1
hostlist auth_relay_hosts = *

Then create a file called:
/etc/virtual/relay_ips

12.0.0.0/24
12.0.1.0/24
12.0.2.0/24

Make sure the owner of this new file is mail. Restart exim. Should allow all IPs in "relay_ips" to relay without authentication. Make sure you only put trusted IPs in there! No guarantee given or implied but it has worked just fine for us.

Matthew
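An offline check of the relay_ips list described in Matthew's post, as an added example (not code from the thread, DirectAdmin or Exim): it parses the file contents the way Exim's net-lsearch host list treats them, reports whether a given client IP would be allowed to relay without SMTP AUTH, and flags suspiciously broad prefixes before the file goes live. The sample file contents and the /16 "too broad" threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample of /etc/virtual/relay_ips, one network per line (not a real ISP's file)
SAMPLE_RELAY_IPS = """\
# customer blocks (constructed sample)
12.0.0.0/24
12.0.1.0/24
12.0.2.0/24
"""

# Assumption: anything shorter than a /16 is too broad to hand out unauthenticated relay
MAX_BROAD_PREFIX = 16


def parse_relay_ips(text):
    """Parse relay_ips contents. Blank lines and '#' comments are skipped; a bare
    address counts as a single host (/32). Host bits are masked off, so 12.0.1.9/24
    is treated as 12.0.1.0/24. A malformed entry raises ValueError with its line
    number instead of silently matching nothing."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"relay_ips line {lineno}: {entry!r} is not a valid network") from exc
    return nets


def may_relay(client_ip, nets):
    """True if client_ip falls inside any listed network, i.e. the posted exim.conf
    change would accept it as a relay host without SMTP AUTH."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def too_broad(nets, max_prefix=MAX_BROAD_PREFIX):
    """Networks whose prefix is shorter than max_prefix (e.g. a whole /8 or 0.0.0.0/0)."""
    return [net for net in nets if net.prefixlen < max_prefix]


if __name__ == "__main__":
    relay_nets = parse_relay_ips(SAMPLE_RELAY_IPS)
    for ip in ("12.0.1.77", "12.0.3.1", "203.0.113.5"):
        print(f"{ip}: {'relay allowed' if may_relay(ip, relay_nets) else 'must authenticate'}")
    print("too-broad entries:", [str(n) for n in too_broad(relay_nets)])
```

Run it against the real file (`parse_relay_ips(open("/etc/virtual/relay_ips").read())`) before restarting exim; an empty too_broad() result and the expected may_relay() answers for a few known addresses are the checks worth keeping.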
 