On Thu, 17 Aug 2006, Chris Thielen wrote:
> So it seems the root of my problem is that users are connecting to the office smtp server (also our primary MX) without authentication. That seems to be a legitimate hit for the dynamic ip lists. However it is also the only legitimate smtp server for these people to use. I guess the fix is to *require* authentication for users, but then I don't think I could use that same server for MX.
No, you can. You can tell sendmail (assuming it's sendmail) to accept a message if it's authenticated OR if the recipient is local. If I recall correctly, the way this works is that sendmail by default understands the "if it's for a user at a local domain, accept it" part. Then all you have to do is add authentication for users and it understands the other part as well.

If you want local users inside your office LAN to be able to send out messages for other people, then you can add some entries to /etc/mail/access like this:

    192.168.1    RELAY
    192.168.2    RELAY
    192.168.3    RELAY
    192.168.4    RELAY

Then, whenever someone connects from, say, 192.168.2.99, even without authenticating they can send to anybody and the server will relay it. But if someone connects from 10.20.30.40 without authenticating, sendmail will only deliver the message if it's local.

Basically, by default you want to give people access to do nothing but submit messages that will be delivered locally on the server. Then, people connecting from the wide open Internet will be able to do that, but won't be able to relay through your machine. Then anyone who authenticates or anyone who is on a local, trusted network can send messages that are destined for elsewhere and will be relayed by the mail server.

- Logan
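As an added illustration (not part of the original thread and not sendmail's own code), the shell functions below simulate the relay policy described above: local recipients are always accepted, authenticated clients may relay, clients matching a RELAY entry in the access map may relay, and everyone else is refused relaying. The access-map lookup mimics how sendmail matches a client address by trying the full address and then progressively shorter octet prefixes; the map contents are the sample entries from the message, and the makemap line in the comment is how the real file would be compiled.

```shell
# Offline simulation of the relay policy; constructed for illustration,
# runs without sendmail. In a real setup the access file is compiled with:
#   makemap hash /etc/mail/access.db < /etc/mail/access
ACCESS_MAP='192.168.1 RELAY
192.168.2 RELAY
192.168.3 RELAY
192.168.4 RELAY'

# Look up a client IP the way the access map is matched: try the full
# address, then drop trailing octets until a key matches.
# Prints the tag (e.g. RELAY) and returns 0, or returns 1 if no entry matches.
access_lookup() {
    key="$1"
    while [ -n "$key" ]; do
        tag=$(printf '%s\n' "$ACCESS_MAP" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$tag" ]; then
            printf '%s\n' "$tag"
            return 0
        fi
        case "$key" in
            *.*) key="${key%.*}" ;;   # strip the last octet and retry
            *)   key="" ;;
        esac
    done
    return 1
}

# Decide what to do with a submitted message.
#   $1 client IP, $2 "auth" or "noauth", $3 "local" or "remote" recipient
# Prints ACCEPT (deliver locally), RELAY, or REJECT (relaying denied).
relay_decision() {
    client="$1"; auth="$2"; rcpt="$3"
    if [ "$rcpt" = "local" ]; then
        echo ACCEPT; return 0          # mail for a local user is always taken
    fi
    if [ "$auth" = "auth" ]; then
        echo RELAY; return 0           # authenticated users may relay anywhere
    fi
    if [ "$(access_lookup "$client")" = "RELAY" ]; then
        echo RELAY; return 0           # trusted LAN ranges may relay anywhere
    fi
    echo REJECT; return 0              # open Internet, unauthenticated: no relay
}
```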