Mailing List CGatePro@mail.stalker.com Message #102445
From: Paul Chauvet <chauvetp@newpaltz.edu>
Subject: Re: Device incapable of SMTP Auth (again)
Date: Fri, 09 Sep 2011 10:49:38 -0400 (EDT)
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Zimbra 7.1.1_GA_3213 (ZimbraWebClient - SAF3 (Mac)/7.1.1_GA_3196)
Hi Tom,

What you're planning is how we've had things set up for about seven years on CGP here.  The only systems that end up in the Client IP list are a few systems which are incapable of SMTP Auth, and our other mail servers (including our inbound antispam/antivirus servers).

The only difference we have here is that connections from outside for our users pass through the spam filtering servers which are external to the CGP box.  


Paul Chauvet
UNIX & Linux Systems Administrator
Computer Services
State University of New York at New Paltz

Phone: (845) 257-3828
chauvetp@newpaltz.edu



Ok,

So I asked this question a while back and am now coming back to it. I
need to allow a device that is not capable of SMTP AUTH to send mail via
our CGP Server. One suggestion is to set up a second CGP server that
only accepts mail from that device, but I would rather avoid that added
complexity.

Currently, we have:

1.) "Force SMTP AUTH" set to "Everybody".
2.) "Delay Prompt" set to 23s for non-client senders.
3.) LAN addresses defined and set to be treated as clients.
4.) WAN Addresses for other locations set as clients.

If I were to change the "Force SMTP AUTH" to "Non-clients", the device
in question should be able to send mail. My concern is that any
compromised client or bad-actor who has access to the LAN could then
send SPAM via our server.

So, my plan was to:

1.) Remove all defined Client IP addresses.
2.) No longer treat all LAN Addresses as Clients.
3.) Set "Force SMTP AUTH" to "Non-Clients".
4.) Add the device's IP address to the Client IP list.

This should effectively mean that everyone/thing other than the device
in question will be required to use SMTP AUTH. Of course, I quickly
realized that this would result in all of our users (except that one
device) being subject to the SMTP prompt delay, but I think that I can
work around that by making certain that all users connect to port 587 or
465.

So, I have a few questions:

1.) Does anyone have a better suggestion here?
2.) I see that the "Relay: To Any IP Address" setting has been set to
"clients" for some reason. Unless I am mistaken, this means that any
device with a client IP can use our host as an open relay if I change
"Force SMTP AUTH" to "Non-Clients".
3.) However, if I change "Force SMTP AUTH" to "Non-Clients" and change
"Relay: To Any IP Address" to "Nobody",
compromised-machines/malware/bad-actors on the LAN will not be able to
use the host as an open relay, but then the device I am trying to use
will not be able to send to non-local addresses, correct?

Another suggestion was to create another domain that only has the
device's IP Address listed as a client, does not accept incoming mail,
relays only for clients, and does not require AUTH. Perhaps this is
simpler? Can this be done without creating a user in that domain?

My apologies for the long post, but I keep stumbling over the various
moving parts here and I was hoping someone out there might be able to
slice through it for me.

Tom
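The interaction Tom is working through (Client IP list, "Force SMTP AUTH" and "Relay: To Any IP Address") is easier to reason about when the decision is written down as a small policy model. The following is an added example, not CommuniGate Pro's own logic and not code from either poster; it models the three settings with the semantics the post describes and evaluates which of a few constructed hosts (device, another LAN machine, an outside address in documentation ranges) could send to a non-local recipient without authenticating under the current setup, the tempting shortcut of just switching "Force SMTP AUTH" to "Non-clients", Tom's plan, and the plan with relaying set to "Nobody". That an authenticated user may always relay is an assumption of the model.

```python
"""Simplified model of the SMTP submission/relay decision discussed in the
thread. Three knobs, with the semantics described in the post:
  * a Client IP list (connections from those networks are "clients"),
  * "Force SMTP AUTH"          = everybody | non-clients | nobody,
  * "Relay: To Any IP Address" = clients | nobody | everybody.
This is an added, illustrative model, not CommuniGate Pro's own code.
"""
from dataclasses import dataclass
from typing import List, Tuple
import ipaddress


@dataclass(frozen=True)
class SmtpPolicy:
    client_networks: tuple   # ipaddress networks whose hosts count as "clients"
    force_auth: str          # "everybody" | "non-clients" | "nobody"
    relay_any: str           # "clients" | "nobody" | "everybody"

    def is_client(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.client_networks)

    def auth_required(self, ip: str) -> bool:
        if self.force_auth == "everybody":
            return True
        if self.force_auth == "non-clients":
            return not self.is_client(ip)
        return False  # "nobody"

    def decide(self, ip: str, authenticated: bool,
               local_recipient: bool) -> Tuple[bool, str]:
        """Return (accepted, reason) for one message from ip."""
        if self.auth_required(ip) and not authenticated:
            return False, "530 SMTP AUTH required"
        if local_recipient:
            return True, "accepted: local recipient"
        # Non-local recipient, i.e. relaying.
        # Model assumption: an authenticated sender may always relay.
        if authenticated:
            return True, "accepted: authenticated relay"
        if self.relay_any == "everybody":
            return True, "accepted: open relay for everybody"
        if self.relay_any == "clients" and self.is_client(ip):
            return True, "accepted: relay for client IP"
        return False, "550 relaying denied"


# Constructed sample addresses (documentation ranges, not real hosts).
LAN = ipaddress.ip_network("192.0.2.0/24")   # the office LAN
DEVICE = "192.0.2.10"                        # the device that cannot do SMTP AUTH
LAN_HOST = "192.0.2.20"                      # any other machine on the LAN
INTERNET_HOST = "198.51.100.5"               # a host outside the LAN
DEVICE_ONLY = (ipaddress.ip_network(DEVICE + "/32"),)

# Current setup: whole LAN treated as clients, everybody must authenticate.
current = SmtpPolicy((LAN,), "everybody", "clients")
# Shortcut Tom rejects: keep LAN as clients, stop forcing AUTH for clients.
shortcut = SmtpPolicy((LAN,), "non-clients", "clients")
# Tom's plan: only the device is a client, AUTH forced for non-clients.
planned = SmtpPolicy(DEVICE_ONLY, "non-clients", "clients")
# The plan with "Relay: To Any IP Address" set to "Nobody".
planned_no_relay = SmtpPolicy(DEVICE_ONLY, "non-clients", "nobody")


def who_can_relay_unauthenticated(policy: SmtpPolicy) -> List[str]:
    """Hosts that can send to a non-local recipient without SMTP AUTH."""
    return [ip for ip in (DEVICE, LAN_HOST, INTERNET_HOST)
            if policy.decide(ip, authenticated=False, local_recipient=False)[0]]


if __name__ == "__main__":
    for name, policy in (("current", current), ("shortcut", shortcut),
                         ("planned", planned), ("planned_no_relay", planned_no_relay)):
        print(f"{name:17s} unauthenticated relay allowed from: "
              f"{who_can_relay_unauthenticated(policy) or 'nobody'}")
    print("planned_no_relay, device to local user:",
          planned_no_relay.decide(DEVICE, False, True))
```

Under this model the shortcut configuration lets every LAN host relay without credentials, which is the risk raised in question 2; Tom's plan limits unauthenticated relaying to the single device IP; and the "Nobody" relay setting closes that too, but then the device can only reach local recipients, as question 3 anticipates.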
