Date: Fri, 18 May 2001 15:01:47 -0400 (EDT)
From: Rob Simmons
To: Olivier Nicole
Cc: huacheng@public.guangzhou.gd.cn, freebsd-security@FreeBSD.ORG
Subject: Re: AUTH and sendmail
In-Reply-To: <200105181518.WAA12362@bazooka.cs.ait.ac.th>

If you have a firewall, it should be set up to block internal IPs coming
in through the external interface. If you also only allow port 25 on
your mx servers, it is safe to put all your internal IPs in
/etc/mail/access as open relays. Spammers wouldn't be able to spoof one
of your internal IPs since the firewall would drop it.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 18 May 2001, Olivier Nicole wrote:

> Hi,
>
> Funny enough I worked on that last week and finished building a web
> page for my users today (http://www.cs.ait.ac.th/laboratory/email/)
>
> I use poprelayd, from http://poprelay.sourceforge.net (with some
> little modif) that is a Perl script that reads /var/log/maillog (it
> goes fine with the newsyslog) and extracts pop/imap authentication
> information.
>
> Then it adds a temporary open relay for the client IP in a table, for
> 15 minutes, as mail programs typically check email every 10 minutes,
> relay is open as long as the mail program is running. There could be a
> 15-minute window where someone else could connect using the same IP
> and could use your email server as an open relay... risk is very
> unlikely.
>
> Advantage: it works with plain pop or imap, so basically any client.
>
> Olivier
>
> > We found that using the 4.3 FreeBSD sendmail default setup is a safer
> > choice for our mailserver. But we have many staff outside who want to
> > access our mailserver by dialup, but with the default sendmail conf they
> > can't relay the mail they send when they stay outside (using pop3 to
> > receive mail is not a problem). Now we advise staff outside to use our
> > mailserver to receive mail but use the local ISP's mailserver to send mail.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
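
The POP-before-SMTP scheme described in the quoted message, as an added example that is not part of the original thread and is not poprelayd's own code. The log line format, the daemon names in it, and the function names are assumptions made for illustration; only the 15-minute window comes from the post.

```python
import re
from datetime import datetime, timedelta

RELAY_WINDOW = timedelta(minutes=15)  # window stated in the thread

# Constructed log lines in a hypothetical format (not real popper/imapd output).
SAMPLE_LOG = """\
May 18 14:00:05 mail popd[311]: login ok user=alice ip=192.0.2.10
May 18 14:03:40 mail popd[315]: login failed user=bob ip=198.51.100.7
May 18 14:10:05 mail popd[320]: login ok user=alice ip=192.0.2.10
May 18 14:12:00 mail imapd[322]: login ok user=carol ip=203.0.113.9
"""

# Assumed pattern for a successful POP/IMAP login; failures never match.
LOGIN_OK = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:popd|imapd)\[\d+\]: "
    r"login ok user=\S+ ip=(?P<ip>\d+\.\d+\.\d+\.\d+)$"
)

def parse_ts(text, year=2001):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def build_relay_table(log_text, year=2001):
    """Map client IP -> expiry time; each successful login renews the entry."""
    table = {}
    for line in log_text.splitlines():
        m = LOGIN_OK.match(line)
        if m:
            table[m["ip"]] = parse_ts(m["ts"], year) + RELAY_WINDOW
    return table

def may_relay(table, ip, now):
    """Allow relaying only while the entry is unexpired; purge stale entries."""
    expiry = table.get(ip)
    if expiry is None:
        return False
    if now >= expiry:
        del table[ip]  # expired entries must not linger in the table
        return False
    return True
```

The table is keyed on the client address alone, so any host that appears from 192.0.2.10 before the expiry passes `may_relay`, which is the window the quoted message describes.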