2008-08-21 09:44:58

Selective relaying with tcpserver and qmail-smtpd

What we'd like to do is allow mail relaying from a selected group of IP addresses only. If you've just been reading the , you know that we do this by setting the environment variable RELAYCLIENT in qmail-smtpd's environment only when the connection is coming from one of our IP addresses. Here's how to do it.

First, list in control/rcpthosts all of the domains that your server is hosting (i.e. those listed in control/locals and control/virtualdomains). Also list any domains for which your server is acting as secondary mail exchanger. The domains in control/rcpthosts are the domains for which your server will always accept incoming mail, no matter where it's coming from. You must have a rcpthosts file; otherwise your server will relay mail for anyone.

Then, you'll need to download and install a copy of Dan Bernstein's ucspi-tcp package. The current version is available from .

You can read about all of the programs in the package at . The particular program we'll be using here is tcpserver, which accepts incoming network connections, sets various environment variables, and then runs a program of your choice.

Now we'll set up the rules file that tcpserver will use to determine whether to set RELAYCLIENT. In our fictional network, we have a single /24 block of addresses, 192.168.10.0/24. Create a file in /etc (or /usr/local/etc, or wherever else you prefer) called tcp.smtp. The file should read as follows:

192.168.10.:allow,RELAYCLIENT=""
:allow

These rules say: "If the connection is from 192.168.10.*, allow it and set RELAYCLIENT; otherwise allow the connection (but don't set RELAYCLIENT)." Note that the last ":allow" line is redundant, since the default is to allow any connection. But it helps illustrate what we're doing: we want to allow anyone to connect to our server, but set RELAYCLIENT (and thus allow unrestricted relaying) only if the connection is from 192.168.10.*.

Now we'll compile this rules file into a cdb file (do this in the directory in which you created the tcp.smtp file):

# tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp

To accept SMTP connections with tcpserver, using these access control rules, run tcpserver like so:

# tcpserver -x/etc/tcp.smtp.cdb -u102 -g101 0 smtp /var/qmail/bin/qmail-smtpd &

Replace 102 with your qmaild user ID and 101 with your nofiles group ID, and make sure the path to your tcp.smtp.cdb file is correct.

NOTE: If you're already starting your qmail-smtpd service in a script that runs as part of your boot process, don't start it again with the above tcpserver line; just make sure that your script includes the -x/etc/tcp.smtp.cdb option.

That's it! Just replace the IP addresses in the example with your real IP addresses. Note that you can have more than one line in your rules file, to allow relaying from various addresses:

192.168.10.:allow,RELAYCLIENT=""
172.16.:allow,RELAYCLIENT=""
10.0.10.100:allow,RELAYCLIENT=""
:allow
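
The following Python example is added here; it is not from the original article or the ucspi-tcp package. It models only the IP-address part of tcpserver's rule lookup (exact address, then shorter dotted prefixes, then the empty address) to show which clients a rules file gives RELAYCLIENT, and it flags a catch-all rule that would make the server an open relay. The function names are hypothetical, and hostname rules, address ranges and quoted values containing commas are assumed absent.

```python
import re

# Constructed sample: the multi-network rules file shown above.
SAMPLE_RULES = '''192.168.10.:allow,RELAYCLIENT=""
172.16.:allow,RELAYCLIENT=""
10.0.10.100:allow,RELAYCLIENT=""
:allow
'''

def parse_rules(text):
    """Return {address: (action, set of environment variable names)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instructions = line.partition(":")
        action = instructions.split(",", 1)[0]
        if action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {line!r}")
        env = set(re.findall(r",([A-Za-z_][A-Za-z0-9_]*)=", instructions))
        rules[address] = (action, env)
    return rules

def lookup(rules, ip):
    """First match wins: exact IP, then shorter prefixes ending in a dot, then ''."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for address in candidates:
        if address in rules:
            return address, rules[address]
    return "", ("allow", set())  # no rule at all: connections are allowed by default

def may_relay(rules, ip):
    """True if the matching rule allows the connection and sets RELAYCLIENT."""
    _, (action, env) = lookup(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env

def catch_all_relays(rules):
    """True if the empty-address rule sets RELAYCLIENT, i.e. anyone may relay."""
    action, env = rules.get("", ("allow", set()))
    return action == "allow" and "RELAYCLIENT" in env

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("192.168.10.7", "192.168.100.7", "10.0.10.101", "203.0.113.5"):
        print(ip, "matched", repr(lookup(rules, ip)[0]), "relay:", may_relay(rules, ip))
    print("open relay via catch-all:", catch_all_relays(rules))
```

Note that 192.168.100.7 falls through to the final ":allow" rule: the trailing dot in "192.168.10." makes the prefix match whole octets only.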