[ Date Index ][
Thread Index ]
[ <= Previous by date /
thread ]
[ Next by date /
thread => ]
mike said:
> On 08/07/04 17:47:14, alan wrote:
>> On 2004.07.08 09:41 mike wrote:
>>> G'day all,
>>>
>>> I have the following...
>>>
>>> inet
>>> |
>>> |
>>> firewall--dmz
>>> |
>>> |
>>> smtp
>>>
>>>
>>> email comes in and is routed to my dmz sendmail which does spam
>>> blocking etc, once it gets through there it's forwarded to my
>>> on smtp (which does a load of stuff other than email).
>>>
>>> The issue is that if someone sends an email to either a user that
>>> does not exist on smtp or trys the relay mail it bounces.
>>>
>>> The smtp in the dmz just forwards everything using the smarthost
>>> feature in sendmail to smtp.
>>> smtp bounces it back to dmz with either user known or relaying
>>> denied.
>>> I then have to go and delete the stuff from dmz every so often. I
>>> suppose I could just .forward the email to /dev/null, but there
must
>>> be a better solution.
>>>
>>
>> Hi Mike,
>>
>> I would have the non-existant users go to /dev/null but there isn't
>> much you can do about the relay bounces. In my experience
(currently
>> 4 web/mail servers ) most mail thats trying for relay is spam with
a
>> spoofed header, so you end up with exactly the same amount of
>> Postmaster Notify messages as you are getting bad relays.
>>
>> Can't you block port 25 for every one except your required ip(s) ?
>>
>> Cheers
>
>
> Hmm... try that again...
>
> Ah!
>
> I have just discovered something....
>
> Same setup above...
>
> Mail comes into mik@xxxxxxxxxxxxx, this address does not exist, so
it
> try to
> reply to the user that it does not exist, but the smtp server behind
> the firewall
> thinks this is relaying because the mail came from the smtp server
in
> the DMZ.
>
> Does this mean that if I allow 10.whatever.it.is to relay then the
> message will go back out, but if do this will I become an open
relay?
>
> --
> 'ooroo
>
> Mike...(:)-)
I think that having 2 smtp servers doing the same job is both confusing and unnecessary. You would be better using the dmz/firewall to pass requests for port 25 through to the main server for handling there. I think sendmail (for example) needs a username and pass by default, in order to relay, at least in any version within the last year or so. Also, in that scenario, all the bad bounces would be contained on one machine, and you could filter them with procmail per user.
alan
-- 'ooroo
Mike...(:)-) --------------------------------------------------- Email: mike@xxxxxxxxxxxxx o You need only two tools. o ///// A hammer and duct tape. If it /@ `\ /) ~ doesn't move and it should use > (O) X< ~ Fish!! the hammer. If it moves and `\___/' \) ~ shouldn't, use the tape. \\\ ---------------------------------------------------
-- The Mailing List for the Devon & Cornwall LUG Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.