Re: [courier-users] RE: SMTP authentication on a per hosted domain basis
From: Tim H. <ti...@br...> - 2004-08-12 03:28:03
Can't you just set up an IP address that only accepts connections from the Barracuda on port 25, rejects all others and doesn't require auth?

---- Original Message ----
From: Keith Willis
To: cou...@li...
Sent: Wednesday, August 11, 2004 10:12 PM
Subject: [courier-users] RE: SMTP authentication on a per hosted domain basis

> Thanks for the answer, and I understand your point, but I think I
> wasn't clear on what I was looking for.
>
> Let me provide an example.
>
> I currently host about 30 domains. Most of the domains use SMTP
> authentication for relaying, and some have IPs in the smtpaccess
> file.
>
> What I would like to do is that if someone tries to send email to
> domain xyz.com courier rejects the email unless they use
> authentication. However, domain ABC.com does not require
> authentication so any email directed to it could come in normally.
>
> The reason for this is somewhat complex. We have a Barracuda
> SPAM/virus firewall appliance (we are resellers for those of you
> reading this - shameless plug). In essence, it is our only MX record
> for many of the domains. For these domains, I want to require the
> email to originate from the Barracuda firewall (it does support SMTP
> authentication for delivery). For the domains that do not use the
> Barracuda, they need to accept email normally. Also, users that are
> sending mail from the Internet with dynamic IP addresses need to be
> able to relay to courier with SMTP authentication so I cannot simply
> block port 25 on the mail server IP. Some SPAMMERS bypass the
> Barracuda and send directly to the mail server nullifying the value
> of the Barracuda in many cases.
>
> My thinking is that if I could require SMTP authentication for
> domains, only users that are authenticated could send email to
> certain domains.
>
> For example, if user ge...@xy... attempts to relay, he would be
> authenticated. If email from the Internet is destined for xyz.com,
> it would have to hit the Barracuda and be filtered before arriving at
> xyz.com (still delivered with SMTP authentication). Mail to xyz.com
> that is not authenticated will not deliver.
>
> However, if abc.com does not pay for the Barracuda service, I want
> mail to deliver normally to them whether we use SMTP authentication
> for relaying or not.
>
> Does this make sense? Perhaps there is a way to do this with
> maildrop or some other scripting means???
>
> -----------------------------
> Keith Willis, President
> Talon Computer Consulting, Inc.
> http://www.taloncc.com
>
> *Developers of phpCourier: http://phpcourier.sourceforge.net
> Open-Source (free) Fully functional account administration system for
> courier-MTA
>
> -----Original Message-----
> From: cou...@li...
> [mailto:cou...@li...] On Behalf Of Sam Varshavchik
> Sent: Wednesday, August 11, 2004 7:37 PM
> To: cou...@li...
> Subject: [courier-users] Re: SMTP Authentication by Domain
>
> Keith Willis writes:
>
>> « HTML content follows »
>>
>> Greetings!
>>
>> Does anyone have any idea how to set up SMTP authentication on a per
>> hosted domain basis?
>>
>> For example, I want certain domains to require SMTP authentication
>> while others do not. Is there a way to do this in courier??
>
> There is no telepathic way for a server to determine with 100% certainty
> what "domain" the connecting client belongs to. On the Internet, nobody
> knows that you're a dog. Anyone can try connecting to any server, and
> pretend to be anyone else.
>
> Thus, taking it for granted that something like this could be done, all
> that someone has to do is to pretend that he belongs to one of the
> special domains that do not require authentication, and that's it.
>
> Authenticated SMTP is used only for granting mail relaying privileges. In
> this context, the actual domain is irrelevant. Either the connecting IP
> address is defined in your smtpaccess file as one that has relaying
> privileges, or the connecting client must provide a valid userid and
> password, in order to receive relaying privileges.