Koozali.org: home of the SME Server

Want open relay in v7pre3

cozmos9

Want open relay in v7pre3
« on: March 02, 2006, 08:59:25 PM »
Anyone have suggestions on how to run an open relay in v7?  I have 2 closed gateway servers which feed the main internal server.  The main server is an open relay in server-only mode and behind a firewall, i.e., other than the local users and remote VPN users, the server is inaccessible.  So, being an open relay for spammers is not a concern.

From forum postings, it appears tcprules no longer govern smtp connections.  I would hate to plug all possible external connection points into the local networks setting.  There's got to be an easier way.

Any suggestions would be appreciated.

Jean

gordonr

Re: Open relay in v7pre3
« Reply #1 on: March 04, 2006, 10:14:16 PM »
Quote from: "cozmos9"

I would hate to plug all possible external connection points into the local networks setting.  There's got to be an easier way.

You could create a custom template for /var/service/qpsmtpd/config/relayclients, or you could simply use a very wide netmask on the Local Networks panel. The latter would also allow access to other services which may not be desired.

Of course, only do either of these if you are certain that you cannot be used as a relay from external networks! (I know that you stated you were o.k.)

P.S. could you edit your post to say that you *want* to allow relaying from non-local, protected networks. We do not *have* an open relay - you want to create one.

cozmos9

Want open relay in v7pre3
« Reply #2 on: March 05, 2006, 04:05:46 AM »
Thanks for the suggestion, Gordon.  I am going to do a 0.0.0.0/0.0.0.0 entry in the local networks panel.  It is less than optimal since the fine-grained control over the various types of connections is gone.

When tcprules were in effect in prior versions, I would do a complete allow preceded by denies where appropriate.  This way, I was able to give SMTP relay to individual VPN users, then block out other subnets on the company WAN whose security implementations I didn't trust.

Sorry about the title.  I don't want to give the wrong impression either!

Jean
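
Added example, not part of any post in this thread and not SME Server code: a small audit that converts relay allowlist entries, such as those in a relayclients file or the 0.0.0.0/0.0.0.0 Local Networks entry discussed above, to networks and marks each one that reaches outside private address space. The function names, the sample entries, the choice of "internal" ranges and the trailing-dot prefix syntax for relayclients are assumptions.

```python
import ipaddress

# Assumption: only RFC 1918 space and loopback count as internal here.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def to_network(entry):
    """Turn one allowlist entry into an IPv4Network.

    Accepts network/netmask ("0.0.0.0/0.0.0.0"), CIDR, a full address,
    or a dotted prefix with a trailing dot ("192.168."). The prefix
    form is an assumption about relayclients syntax.
    """
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    octets = [o for o in entry.split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"unparseable entry: {entry!r}")
    if len(octets) < 4 and not entry.endswith("."):
        raise ValueError(f"partial address needs a trailing dot: {entry!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def audit(text):
    """Return (entry, network, verdict) for each non-comment line."""
    findings = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        net = to_network(entry)
        inside = any(net.subnet_of(i) for i in INTERNAL)
        findings.append((entry, str(net), "internal" if inside else "public"))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """\
127.0.0.1
192.168.10.
10.
203.0.113.        # constructed entry from a documentation range
0.0.0.0/0.0.0.0   # the Local Networks entry proposed in the thread
"""

if __name__ == "__main__":
    for entry, net, verdict in audit(SAMPLE):
        print(f"{verdict:8}  {entry:18} -> {net}")
```

Any entry reported as "public" means relaying is gated only by whatever firewall sits in front of the server, not by the mail server itself.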

CharlieBrady

Re: Want open relay in v7pre3
« Reply #3 on: March 05, 2006, 05:47:50 AM »
Quote from: "cozmos9"
Anyone have suggestions on how to run an open relay in v7?  I have 2 closed gateway servers which feed the main internal server.  The main server is an open relay in server-only mode and behind a firewall, i.e., other than the local users and remote VPN users, the server is inaccessible.


I can't imagine any legitimate circumstance when you would want an open relay. From what you've described you don't need an open relay - you just need relaying from local networks (your VPN users will have local network addresses).

cozmos9

Want open relay in v7pre3
« Reply #4 on: March 05, 2006, 08:26:29 AM »
Quote
(your VPN users will have local network addresses).


Actually, no.  I have an older Sonicwall appliance which does not assign NATed addresses to VPN traffic.  So, my remote users will register whatever address their hotel wifi assigns, for instance.

I know open relays are frowned upon as a rule.  However, if the relay is not exposed to the external network, what's the harm?  My open relay server has been in operation for 5-6 years (various versions of SME) and not once had a problem.  For the last year or so, I've been transitioning users to SSMTP.  Now that v7 has that built in, I may just make it mandatory for all field users.