Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] Directory listing....
On Tue, Feb 05, 2002 at 03:23:07PM -0500, Mike Garabedian wrote:
> okay...when I add the mail domain I am a part of to the rcpthosts file, I
> can no longer send mail to anyone outside of that, for instance, I am at
> john.com, if I edit the file I can no longer send anything to duke.edu. I
> want to be able to send mail anywhere from anywhere as long as I have a
> valid account on the system. How do I do it?
correct me where I am wrong.

a) you can set up some pop-before-relay, think there are some "patches"
around for sendmail, postfix and qmail (or does one of them have native
support?); don't remember the keyword to look up with google right now.

b) you can set up some authentication with the smtp protocol itself.
I did normal smtp, not relaying anything to anybody, and additionally
smtp tls, which _requires_ certificates I created myself; has the
additional effect that users can sign (S/MIME) their mail (ok, almost
nobody knows my CA). both done with postfix, nothing to do with pop.

so everybody on the net can send email to my domain(s). but only users
whom I certified can send/relay.

they have to set this up in their favorite mail agent, which can be
awesome, if they do not know what you are talkin 'bout, but at least the
most common windows clients support it, iirc. and linux boxes do, too,
though I set this up on a "single" user machine only (my home box),
telling postfix to use thisnthat certificate when using tls with that
specific relay, so I cannot say whether end user agents support this
(they have to support direct smtp and tls with certificate).

c) you can do relaying from localhost only, then advise your users to
use ssh to tunnel the ports to your mailserver. then you have to give
them a valid shell, which may be a security risk. you can do it with
key based authentication, no password, and forced command (sleep 600 or
something).

d)
there were at least two more options I cannot remember right now

hope it helps.
lars
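
An added example, not part of the original message: a small audit of `authorized_keys` entries for the tunnel-only accounts described in option c), flagging keys that grant more than a forced command and a forward to local SMTP. The `no-pty`, `no-*-forwarding`, `permitopen` and `restrict` options are standard OpenSSH key options that the mail does not name; the allowed target `127.0.0.1:25` is an assumption and the sample entries are constructed.

```python
import re

FLAGS = {"no-pty", "no-agent-forwarding", "no-x11-forwarding"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
ALLOWED = ("127.0.0.1:25", "localhost:25")   # assumed: SMTP listens on the server itself
QUOTED = r'"(?:\\.|[^"\\])*"'                 # a double-quoted value, escapes allowed

SAMPLE = """\
# constructed entries; key material replaced by a placeholder
ssh-rsa AAAA...placeholder alice@laptop
command="sleep 600",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:25" ssh-rsa AAAA...placeholder bob@home
command="sleep 600",no-pty,permitopen="10.0.0.5:22" ssh-rsa AAAA...placeholder carol@office
"""

def parse_options(line):
    """Return {option: [values]} from the options field of one entry."""
    line = line.strip()
    if line.startswith(KEY_TYPES):            # entry starts with the key type: no options
        return {}
    # The options field ends at the first space that is not inside quotes.
    m = re.match(rf'(?:{QUOTED}|[^" ])+', line)
    opts = {}
    for item in re.findall(rf'(?:{QUOTED}|[^",])+', m.group(0) if m else ""):
        name, _, value = item.partition("=")  # items were split on unquoted commas
        opts.setdefault(name.lower(), []).append(value.strip('"'))
    return opts

def audit(line, allowed=ALLOWED):
    """List the reasons a key entry grants more than a tunnel to local SMTP."""
    opts, problems = parse_options(line), []
    if "command" not in opts:
        problems.append("no forced command (key gets a shell)")
    if "restrict" not in opts:                # 'restrict' already implies the three flags
        problems += [f"missing {f}" for f in sorted(FLAGS - set(opts))]
    targets = opts.get("permitopen", [])
    if not targets:
        problems.append("no permitopen (forwarding to any host:port)")
    problems += [f"permitopen allows {t}" for t in targets if t not in allowed]
    return problems

def audit_text(text):
    """Map line number -> problems for every key entry in the text."""
    return {n: audit(l) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.lstrip().startswith("#")}

if __name__ == "__main__":
    for n, problems in audit_text(SAMPLE).items():
        print(n, "OK" if not problems else "; ".join(problems))
```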
