Hi Osvaldo
Securing email servers, and how to do it, depends on your setup and what you are
using.
The only quick way I can see to allow only local domains to send/relay is to
use a wrapper similar to qmail-scanner.pl.
This script would look in all control files to see if a sender's domain is local
and then pass the connection on to qmail-queue.
A second, more fancy way would be to replicate and modify the VALIDRCPTTO
<http://qmail.jms1.net/patches/validrcptto.cdb.shtml> patch to check the
sender's email address against a cdb file.
And call it the VALIDSENDER patch :) but for obvious reasons, keep the copyright
notices and honour the creators with a tribute.
In addition to this, share the patch with the rest of the world.
First, I would recommend running 3 SMTP services.
Service 1: only incoming emails, no relay, on 1.1.1.1:25, which is in your DNS
MX records.
Service 2: relay on auth only, on 2.2.2.2:25 (if you like to be more fancy,
choose another port and SSL auth).
Service 3: localhost only, listening on 127.0.0.1:25.
POP3 should be on 2.2.2.2:110 so your customers don't get confused about what DNS
name to use.
1. mx.domain.com --> incoming only, tcp.cdb file:
:allow,QMAIL_QUEUE=/var/qmail/bin/qmail-scanner,AUTH=0 (or simscan)
only
2. mail.domain.com --> relay only on auth, tcp.cdb file:
:allow,AUTH=1
and so on
3. localhost --> anything goes for localhost, tcp.cdb:
127.0.0.:allow,RELAYCLIENT=,QMAIL_QUEUE=/var/qmail/bin/qmail-queue
There is a bit more to it, but that should get you started.
regards
Torsten
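Torsten's first suggestion above (a QMAIL_QUEUE wrapper that checks the sender's domain against the control files before handing off to qmail-queue), worked through as an added example; this is not code from the thread or from qmail. It assumes the standard /var/qmail/control and /var/qmail/bin/qmail-queue locations and the qmail-queue convention of message on fd 0 and envelope on fd 1, and it treats a "user@domain:prefix" virtualdomains entry as making the whole domain local.

```python
# Hypothetical QMAIL_QUEUE wrapper (added example, not from the thread): exit 31 when
# the envelope sender's domain is not local, otherwise pass everything to qmail-queue.
import os
import sys

CONTROL = "/var/qmail/control"             # standard qmail control directory
REAL_QUEUE = "/var/qmail/bin/qmail-queue"  # the binary this wrapper fronts

def read_control(path):  # non-empty, non-comment lines; [] if the file is missing
    try:
        with open(path) as f:
            return [l.strip() for l in f if l.strip() and not l.startswith("#")]
    except FileNotFoundError:
        return []

def local_domains(locals_lines, virtual_lines):
    # control/virtualdomains keys look like 'dom:prefix' or 'user@dom:prefix'
    domains = {l.lower() for l in locals_lines}
    for key in (line.split(":", 1)[0].lower() for line in virtual_lines):
        domains.add(key.split("@", 1)[1] if "@" in key else key)
    return domains

def parse_envelope(env):  # b'F<sender>\0' + b'T<rcpt>\0'... + b'\0'
    parts = env.split(b"\0")
    return parts[0][1:].decode(errors="replace"), [p[1:].decode(errors="replace") for p in parts[1:] if p[:1] == b"T"]

def sender_is_local(sender, domains):  # null sender (bounces) is always allowed
    return sender == "" or ("@" in sender and sender.rsplit("@", 1)[1].lower() in domains)

def main():
    message = sys.stdin.buffer.read()                       # fd 0 carries the message
    env = b"".join(iter(lambda: os.read(1, 65536), b""))   # fd 1 carries the envelope
    domains = local_domains(read_control(CONTROL + "/locals"),
                            read_control(CONTROL + "/virtualdomains"))
    if not sender_is_local(parse_envelope(env)[0], domains):
        sys.exit(31)                         # qmail-smtpd turns 31 into a 554 permanent reject
    (m_r, m_w), (e_r, e_w) = os.pipe(), os.pipe()   # pipe fds are close-on-exec
    if os.fork() == 0:                       # child becomes the real qmail-queue
        os.dup2(m_r, 0)
        os.dup2(e_r, 1)
        os.execv(REAL_QUEUE, [REAL_QUEUE])
    with os.fdopen(m_w, "wb") as f:          # qmail-queue reads the whole message
        f.write(message)                     # first, then the envelope
    with os.fdopen(e_w, "wb") as f:
        f.write(env)
    sys.exit(os.WEXITSTATUS(os.wait()[1]))  # relay qmail-queue's own exit code

if __name__ == "__main__":
    main()
```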
From: Shepherd Nhongo [mailto:shepherdzw-***@public.gmane.org]
Sent: 10 February 2011 18:15
To: qmr-iGp6mRlwfsr/sFSC9fAAV0B+***@public.gmane.org
Subject: Re: [qmr] public smtp?
On Thu, Feb 10, 2011 at 7:56 PM, Osvaldo Rivas <spadons-***@public.gmane.org> wrote:
My /etc/tcp.smtp say:
127.:allow,RELAYCLIENT=""
:-)
The above looks good. What is your network setup like? Is this mail server
acting as the gateway? It's better to use tcpdump on your gateway to check
for the culprits talking via port 25. As a safe practice I would advise you
to block all other IPs on your subnet from sending emails to www and only
allow your mail server(s) to do this task. From there you can test the
effectiveness of this task by trying to telnet to an external server's port
25.
I use iptables to achieve this.
On Thu, Feb 10, 2011 at 6:18 PM, Osvaldo Rivas <spadons-***@public.gmane.org> wrote:
Mr. was a victim of an attack. As I saw in the logs, my qmail server was used
to spam. I wonder what I can do to prevent addresses that are not local
accounts from sending mail through my SMTP.
What does your /etc/tcp.smtp say?
I'd like to hear suggestions on safety measures I should take.
Thanks
--
Shepherd Nhongo
Do not Queue mail with SENDMAIL, send mail with QMAIL
Mobile +267 74476040