March 3rd, 2005, 09:15 PM
Network configurations for a mailserver
I've searched on Google and the forums of AO for mailservers and network configurations but still can't find what I'm looking for.
If I want to run a mailserver at my own domain name, behind a firewall / NAT router, I probably have to add some port-mapping configs to my firewall / router. My question is: isn't this an open relay server? Because if there's one thing that I don't want, it's an open relay. What configurations do I have to make in my network to run a "non open relay" mailserver, and is this possible?
March 3rd, 2005, 09:31 PM
I guess that all depends on what mailserver you are running and what services you are offering... and to whom...the internet, your lan, the everyone group
to reduce your risk...only accept connections from authenticated users, and have a strong password policy...
How people treat you is their karma- how you react is yours-Wayne Dyer
March 3rd, 2005, 09:41 PM
As long as it requires authentication before sending it's not an open relay. Authentication is usually the same as your pop account.
You can use Sam Spade or even telnet to check and see if it’s open.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
March 3rd, 2005, 09:45 PM
99% of all available mail servers out there, even the free ones, offer the ability to prevent relay completely and/or authorized relay from certain subnets.
The whole relay issue is very simple. A mail server should only accept mail for transfer to its own domain(s) from the public internet. Thus, if your domain is mydomain.net and I try to send mail to yahoo.com from my home address I should receive a "500 relaying denied". However if I send an email to firstname.lastname@example.org I should receive a "250 recipient ok" message.
The _only_ port you require to have forwarded on your firewall is port 25, which needs to be forwarded to the mailserver's internal IP. Nothing else is required to be opened. Outgoing mail will go anyway. You need to test it first if this is a home connection because some ISPs are blocking port 25 inbound to their customers (Comcast doesn't).
If you want to provide yourself webmail, (assuming your mail server provides it), you can usually select a port of your own for the web server to operate on. You would then also need to forward that port through the firewall too.
At home I use this. It has stacks of features including spam filtering and relay prevention. I like it and it seems to be fairly free of vulnerabilities/attacks which is nice too.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
March 4th, 2005, 02:17 AM
Concretely, in postfix for example, it would mean making sure the following variables are defined:
mydomain = yourdomain.net
mynetworks = 192.168.0.0/24
so only hosts in the 192.168.0.0/24 subnet can relay mails through your server to addresses other than @yourdomain.net.
Now as was also said, it's possible to make use of authentication mechanisms like POP before SMTP or SMTP AUTH (check out cyrus sasl), but they require more configuration and are generally not needed unless you need to use your smtp as a relay from the internet or don't trust your internal users....
Credit travels up, blame travels down -- The Boss
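The Postfix settings from the post above, written out as a complete main.cf relay fragment. This is an added example, not configuration from the thread or from any poster; it goes beyond the two variables named in the post by adding the `smtpd_recipient_restrictions` and SASL parameters that actually enforce the relay policy. Domain and subnet values are placeholders.

```ini
# --- WEAK: this turns the server into an open relay. Do NOT use. ---
# Every client on the internet would be treated as a trusted local host,
# so permit_mynetworks would let anyone relay to any destination.
#mynetworks = 0.0.0.0/0
# Trusting the whole subnet of the public interface is the same mistake on a
# shared ISP segment; prefer an explicit list instead of mynetworks_style.
#mynetworks_style = subnet

# --- CORRECTED ---
# Identity of this server; mydomain is what the post sets to yourdomain.net.
myhostname    = mail.yourdomain.net
mydomain      = yourdomain.net
# Domains this host accepts mail FOR from anyone on the internet.
mydestination = $myhostname, $mydomain, localhost
# Hosts allowed to relay THROUGH this server to other domains: loopback
# plus the internal LAN only (192.168.0.0/24 as in the post).
mynetworks    = 127.0.0.0/8, 192.168.0.0/24
# Listen on all interfaces (the NAT router forwards port 25 here).
inet_interfaces = all

# Relay policy evaluated at RCPT TO, in order:
#   permit_mynetworks         - LAN clients may relay anywhere
#   permit_sasl_authenticated - SMTP AUTH users (e.g. roaming laptops) may relay
#   reject_unauth_destination - everyone else only for $mydestination
#                               (and $relay_domains); this is the line that
#                               produces "relaying denied" for yahoo.com tests
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Optional SMTP AUTH via Cyrus SASL, as mentioned in the post. Leave
# smtpd_sasl_auth_enable = no if you do not need relaying from the internet.
smtpd_sasl_auth_enable       = yes
smtpd_sasl_type              = cyrus
# Refuse anonymous and plaintext-only mechanisms over unencrypted sessions.
smtpd_sasl_security_options  = noanonymous
smtpd_tls_auth_only          = yes
```

After `postfix reload`, `postconf mynetworks smtpd_recipient_restrictions` shows the effective values, and a manual telnet session from outside the LAN doing MAIL FROM / RCPT TO a foreign domain should be refused while RCPT TO a @yourdomain.net address is accepted, which is the test described earlier in the thread.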