From owner-freebsd-config Thu Jun 20 18:58:30 2002
Message-ID: <3D128817.13F28B4F@mindspring.com>
Date: Thu, 20 Jun 2002 18:57:43 -0700
From: Terry Lambert
To: Adrian
Cc: freebsd-config@freebsd.org, jgatsby@charter.net
Subject: Re: Allowing sendmail to relay
References: <001501c21863$13fef4a0$8d96c518@charter.net>

Adrian wrote:
> I can't seem to send mail without being on the machine. How do I set the
> config to let my users check their mail in the same domain. I have a mobile
> sales force.

Checking their mail is no problem. Sendmail is not even involved.

I suppose that what you really want is not actually checking, but to allow your mobile users to send their outbound email when they check their POP3 email, from an outside system.

The canonically correct thing to do is to have the outbound mail relay depend on the mobile salesforce's connection to the Internet, so that when they are local, they relay through your mail server, and when they are on the road, they relay mail through the ISP mail server for the ISP from which they are obtaining their dialup service.
Unfortunately, this is not supported by most mail clients, because the people who write email clients live in buildings with T3 lines, and never have to worry about this sort of problem themselves.

The most common solution is to take advantage of the fact that most (70%) of mail clients will pull email down before attempting to send it, and therefore, if you establish a relationship between your SMTP server and POP3 server called "Relay after POP", then what you will do is permit the IP address of a client that has successfully authenticated to your POP3 server to relay mail through the SMTP server, for a period of, say, 10 minutes.

If the attempt to send mail fails after that, they just click their "Get Msg" or "Check Mail" or "Exchange Mail" (or whatever) button, and they are reauthorized to the SMTP server for relay for another 10 minutes.

This is not the best solution, since you will have to modify your POP3 server (or, if you are lucky, just the PAM module for the connection accounting, assuming that the POP3 server uses PAM; since APOP requires knowledge of the unencrypted password to generate the MD5 hash of the password and the date stamp, this is unlikely).

The POP3 server will have to modify the contents of the relay allow by IP file for whatever mail server software you are using, and, potentially, kick that software in the head to tell it to acknowledge the change to the file. Because hash files can't delete entries, this will have to be a plain text file, so it won't scale to a huge number of users.

Another alternative is to support SMTP AUTH. This assumes that your mail client is capable of authenticating to your SMTP server (e.g. Netscape supports this), and it assumes that your SMTP server supports SMTP AUTH (Sendmail supports this). If you are using sendmail, you will have to recompile it from ports to make it work, even though all the components are shipped by default as part of FreeBSD.
The reason for the recompile being needed is [No good technical reason; perhaps to promote Microsoft over BSD]. In any case, then your mobile users can indicate their identity to the SMTP server, which will permit them to relay.

You DO *NOT* want to support relaying for your entire domain, or for just anyone. If you do it by domain name, all a SPAM'mer has to do is claim to be a user at your domain name to be able to relay outbound SPAM. If this happens, then you are really in trouble: your IP will get blacklisted, and you will get all sorts of angry mail from people who are too dumb to read headers properly, or who will blame you anyway because you permitted the relay to occur.

In preference order:

1) Relay through the ISP that you are connected through - not really an option, because most people who write email clients are outside their own target market
2) SMTP AUTH
3) SMTP Relay after POP

There are scripts and patches for #3 around the net, which will show up if you do a search for "relay after pop". I don't have any (sorry) because I think it's an incredibly bad idea to open race windows intentionally.

-- Terry
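
Added example, not part of the message above and not code from sendmail or any POP3 server: a small Python model of the three relay decisions the message compares (relay by claimed sender domain, relay after POP with a 10-minute window, and SMTP AUTH). The domain example.com, the IP addresses, the user name and every function and class name are constructed for illustration.

```python
"""Added illustration of the three relay policies discussed in the message.
All addresses, names and times are constructed sample values."""

RELAY_WINDOW = 10 * 60          # "say, 10 minutes", in seconds
LOCAL_DOMAIN = "example.com"    # assumed local mail domain


def relay_by_sender_domain(mail_from: str) -> bool:
    """Policy the message warns against: trust the claimed MAIL FROM domain.
    The envelope sender is supplied by the client and is never verified."""
    return mail_from.rpartition("@")[2].lower() == LOCAL_DOMAIN


class RelayAfterPop:
    """Relay after POP: a successful POP3 login authorises the client's IP."""

    def __init__(self):
        self.last_pop_login = {}    # client IP -> time of last POP3 success

    def pop_login_ok(self, ip: str, now: float) -> None:
        self.last_pop_login[ip] = now

    def may_relay(self, ip: str, now: float) -> bool:
        seen = self.last_pop_login.get(ip)
        return seen is not None and now - seen <= RELAY_WINDOW


def relay_with_smtp_auth(session_user) -> bool:
    """SMTP AUTH: relay only for a session that authenticated as a user."""
    return session_user is not None


def demo() -> dict:
    rap = RelayAfterPop()
    rap.pop_login_ok("192.0.2.10", now=0)    # salesperson checks mail
    return {
        # An outsider only has to claim a local sender address.
        "domain_outsider": relay_by_sender_domain("anyone@example.com"),
        # Same IP, inside the window: allowed, whoever is now using it.
        "rap_same_ip_in_window": rap.may_relay("192.0.2.10", now=300),
        # Window expired: the user must check mail again.
        "rap_after_window": rap.may_relay("192.0.2.10", now=601),
        "rap_other_ip": rap.may_relay("198.51.100.7", now=300),
        # SMTP AUTH ties the decision to the session, not the address.
        "auth_unauthenticated": relay_with_smtp_auth(None),
        "auth_user": relay_with_smtp_auth("sales1"),
    }
```

The relay-after-POP check never sees a user name, only an address and a timestamp, which is why the permission outlives the POP3 session that granted it.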