Allowing e-mails to be relayed from a dynamic IP
in [Postfix]
|
Prev: Stopping spam from a specifig subnet (relayed through afreemail provider)
Next: Stopping spam from a specifig subnet (relayed through a freemailprovider)
From: "Mike A. Leonetti" on 5 May 2010 13:03 I want to relay messages coming through a server with a dynamic IP (Exchange) through my postfix. My postfix my smtpd_recipient_restrictions already has a "hash:/etc/postfix/allowed_relays" option on it, and I've tried adding the Dynamic DNS name that resolves to that IP address and put it in the list but it still gave me an "relay access denied" error. Is there another way to do it? Thanks.
From: Nataraj on 5 May 2010 13:31 Mike A. Leonetti wrote: > I want to relay messages coming through a server with a dynamic IP > (Exchange) through my postfix. > > My postfix > my smtpd_recipient_restrictions already has a > "hash:/etc/postfix/allowed_relays" option on it, and I've tried adding > the Dynamic DNS name that resolves to that IP address and put it in the > list but it still gave me an "relay access denied" error. Is there > another way to do it? > > Thanks. > Commonly this is done us using SASL authentication, ideally with TLS for added security. See the relevant documentation in http://www.postfix.org/docs.html The first round I used Cyrus SASL, but I went to dovecot with my last upgrade and it was much less work to get running and has performed reliably. With dovecot, you also install it with the dovecot pop/imap server since they are integrated, but the SASL functionality is available for other purposes. Nataraj
From: "Mike A. Leonetti" on 5 May 2010 13:39 On 05/05/10 13:31, Nataraj wrote: > Mike A. Leonetti wrote: >> I want to relay messages coming through a server with a dynamic IP >> (Exchange) through my postfix. >> >> My postfix >> my smtpd_recipient_restrictions already has a >> "hash:/etc/postfix/allowed_relays" option on it, and I've tried adding >> the Dynamic DNS name that resolves to that IP address and put it in the >> list but it still gave me an "relay access denied" error. Is there >> another way to do it? >> >> Thanks. >> > Commonly this is done us using SASL authentication, ideally with TLS > for added security. See the relevant documentation in > http://www.postfix.org/docs.html > The first round I used Cyrus SASL, but I went to dovecot with my last > upgrade and it was much less work to get running and has performed > reliably. With dovecot, you also install it with the dovecot pop/imap > server since they are integrated, but the SASL functionality is > available for other purposes. > > > Nataraj > Thanks for the reply, Nataraj. I did see that online and the server does have SASL Auth working, but we are having a difficult time getting it to try and provide a username/password on the Exchange server so I was wondering if there was a way to get around that.
From: Nataraj on 5 May 2010 14:06 Mike A. Leonetti wrote: > >> > Thanks for the reply, Nataraj. > > I did see that online and the server does have SASL Auth working, but we > are having a difficult time getting it to try and provide a > username/password on the Exchange server so I was wondering if there was > a way to get around that. > Personally, I have more experience with replacing exchange servers than with making them work, however I would think that recent versions of exchange would support SASL authentication. If you really can't implement authentication, I can think of a few other ideas. I'm guessing that this situation might be internal to your organization. If you DNS is fairly secure and the exchange server updates dynamic DNS reliably, you could check that somehow. Alternatively you could run an SMTP submission server on another port and protect it with a dynamically updated firewall list, or something like fwknop, but you would probably be challenged with getting the client to authenticate with FWKNOP. These later approaches could have tiny holes in them, depending in the freqency with which your dynamic ip address changes and how quickly you verify on the new ip address, but if this is within your corporate network it might not be too bad. Nataraj
From: Noel Jones on 5 May 2010 14:11
On 5/5/2010 1:06 PM, Nataraj wrote: > Mike A. Leonetti wrote: >> >> Thanks for the reply, Nataraj. >> >> I did see that online and the server does have SASL Auth working, but we >> are having a difficult time getting it to try and provide a >> username/password on the Exchange server so I was wondering if there was >> a way to get around that. > Personally, I have more experience with replacing exchange servers than > with making them work, however I would think that recent versions of > exchange would support SASL authentication. If you really can't > implement authentication, I can think of a few other ideas. > > I'm guessing that this situation might be internal to your organization. > If you DNS is fairly secure and the exchange server updates dynamic DNS > reliably, you could check that somehow. Alternatively you could run an > SMTP submission server on another port and protect it with a dynamically > updated firewall list, or something like fwknop, but you would probably > be challenged with getting the client to authenticate with FWKNOP. These > later approaches could have tiny holes in them, depending in the > freqency with which your dynamic ip address changes and how quickly you > verify on the new ip address, but if this is within your corporate > network it might not be too bad. > > Nataraj > Also, if the exchange server is a box under your control you can use a VPN. OpenVPN is pretty easy to set up and works under Windows and virtually every flavor of *nix. http://openvpn.net/index.php/open-source.html |