I'm looking for a way to disable Qmail relaying for everyone, but allow one certain group of hosts to do so. These hosts all use the same identifying rDNS entry.

In Exchange 2003, Postfix, Exim and cPanel this can be achieved pretty easily. However, the only way to do this with Qmail is to do it based on IPs.

The IPs, however, tend to change. These changes can occur at any time, and it is impossible to keep all the servers up to date with the new IPs.

Running a script that resolves the hostname and whitelists them accordingly is my last-resort option, but this is not fool-proof.

Does anyone know whether this is possible and if so, how?

Thanks!

  • Why don't you just use SMTP authentication? Then it doesn't matter if the sender IP is changing. – moo Jun 11 '10 at 14:03

2 Answers
If you're running qmail in the Life With qmail way using tcpserver to spawn the qmail-smtp process, you can add a rule to your /etc/tcp.smtp file telling it to accept connections based on the rDNS of the connecting host:

=rdns.of.host:allow,RELAYCLIENT=""

The '=' tells tcpserver you want to check against the name of the server instead of the usual IP address. If your clients resolve with a unique host name, but the domain is the same, you can specify just the domain portion and tcpserver will successively compare the suffixes of the resolved name with rules you've defined.

For example, if the client resolves to client1.example.com and you have a rule '=example.com:allow,RELAYCLIENT=""' then tcpserver will first check client1.example.com which will not match, but then it will try example.com which will match and allow the relay.

Here's the documentation for tcprules and how they are interpreted.

http://cr.yp.to/ucspi-tcp/tcprules.html

David Smith
You should accept the answer of David Smith because it's totally correct. However, I'd like to point out some additions.

First: You wrote that "These hosts all use the same identifying rDNS entry". That is really bad practice as your reverse lookups are not consistent in that case: The reverse lookup of an IP address will not necessarily resolve back to the IP in question, rendering the reverse lookup nearly useless, both in its sense and in practice.

Second: I really wonder about the described scenario where IP addresses of users being allowed to relay change often, but every new IP is getting a reverse lookup matching your relay rule. If there is "some" technique automatically setting PTR records for the IPs in question, the same technique should be usable to automatically add them to the list of allowed relayers.

In any case, you had better use IP-based relaying instead of relying on the hostname. The reason for that is that anybody who controls PTR records for some IP address space can easily invent hostnames matching your relay rule with a faked record. This means that anybody pretending to be allowed to relay will be allowed to relay.

If you're running qmail under tcpserver you can work around this by setting the -P option (paranoid mode). It automatically ignores the reverse lookup of an IP address if the hostname resulting from the lookup does not resolve back to the connecting IP. Beware that this option ("paranoid mode") is off by default - and it will not work with your "all IP addresses have the same reverse lookup". As I said, it's bad practice anyway, and breaking tcpserver's paranoid mode is a good example.

Jonas
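To make the two answers concrete, here is an added example (not code from either answer or from ucspi-tcp) that models how tcpserver walks a tcp.smtp rule set for a connecting IP, including the "=" host rules and their dotted-suffix form from the linked tcprules documentation, and then applies the paranoid forward-confirmed rDNS check so that a forged PTR record no longer earns RELAYCLIENT. DNS is replaced by constructed PTR/A tables, and all hostnames and addresses are invented.

```python
# Constructed PTR and A records standing in for DNS (not real hosts).
PTR = {
    "203.0.113.10": "client1.example.com",  # legitimate: A record points back
    "198.51.100.7": "fake.example.com",     # forged PTR: A record does not point back
}
A = {
    "client1.example.com": {"203.0.113.10"},
    "fake.example.com": {"192.0.2.99"},
}

# tcp.smtp-style rules in Life With qmail layout, plus a suffix rule
# in the "=.domain" form documented for tcprules.
RULES = """\
127.:allow,RELAYCLIENT=""
=.example.com:allow,RELAYCLIENT=""
:allow
"""

def parse_rules(text):
    """Map each rule address to (verdict, environment assignments)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        verdict, *assigns = rest.split(",")
        env = dict(a.split("=", 1) for a in assigns if "=" in a)
        rules[addr] = (verdict, {k: v.strip('"') for k, v in env.items()})
    return rules

def remote_host(ip, paranoid):
    """Reverse-look up ip; in paranoid mode discard a name that does not resolve back."""
    name = PTR.get(ip)
    if name and paranoid and ip not in A.get(name, set()):
        return None
    return name

def lookup_order(ip, host):
    """Candidate rule addresses in the order tcprules(1) documents."""
    keys = [ip] + (["=" + host] if host else [])
    octets = ip.split(".")
    keys += [".".join(octets[:n]) + "." for n in range(len(octets) - 1, 0, -1)]
    if host:
        labels = host.split(".")
        keys += ["=." + ".".join(labels[n:]) for n in range(1, len(labels))]
    return keys + ["=", ""]

def decide(ip, paranoid=False, rules=parse_rules(RULES)):
    """Return (verdict, relay_allowed, host_seen) for a connecting ip."""
    host = remote_host(ip, paranoid)
    for key in lookup_order(ip, host):
        if key in rules:
            verdict, env = rules[key]
            return verdict, "RELAYCLIENT" in env, host
    return "allow", False, host  # nothing denied the connection, so it proceeds
```

Run `decide("198.51.100.7")` with and without `paranoid=True` to see the forged PTR relay in one case and fall through to the plain `:allow` rule in the other.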