Re: Confusion in getting relay prevention to work

Top Page
Delete this message
Reply to this message
Author: F. Jacot Guillarmod
Date:  
To: John Henders
CC: exim-users
Subject: Re: Confusion in getting relay prevention to work
John Henders writes:
>
> On Thu, Sep 25/97, "F. Jacot Guillarmod" <Jacot@???> wrote:
> >
> > So, to simplify the description of the setup, we have:
> >
> >     exim.ru.ac.za as the MX target and outgoing SMTP gateway for

> >
> >         novella.ru.ac.za and
> >         novellb.school.za

> >
> > which means we want exim.ru.ac.za to accept relaying from anywhere
> > destined for either novella or novellb (because it is an MX target for
> > these systems), but to prevent relaying to anywhere else.


Extract from the relevant configuration file:

=====
relay_domains = "*.ru.ac.za:*.aau.org:aau.org:*.ls:griff.saprep.ecape.school.za:*.issi.co.za:*.ac.ng:*.catpe.alt.za:*.vghs.ecape.school.za:bberry.alt.za:chobe.bw"
relay_domains_include_local_mx

sender_host_accept_relay = "*.ru.ac.za:*.aau.org:aau.org:*.ls:griff.saprep.ecape.school.za:*.issi.co.za:*.ac.ng:*.catpe.alt.za:*.vghs.ecape.school.za:bberry.alt.za:chobe.bw"
=====

And here's the result of a test - a forgery from within the "ru.ac.za" zone:

=====
Script started on Thu Sep 25 22:22:41 1997

[hippo[22:22]~> telnet quagga smtp
Trying 146.231.128.2 ...
Connected to quagga.ru.ac.za.
Escape character is '^]'.
220 quagga.ru.ac.za ESMTP Exim 1.71 #4 Thu, 25 Sep 1997 22:22:57 +0200
helo junk.com
250 quagga.ru.ac.za: Hello ccfj at junk.com [146.231.128.1]
mail from: joe@???
250 <joe@???> is syntactically correct
rcpt to: ccfj@???
250 <ccfj@???> is syntactically correct
rcpt to: ccfj@???
250 <ccfj@???> is syntactically correct
rcpt to: randy@???
250 <randy@???> is syntactically correct
quit
=====

This had me going for a while with a sense of deja vu, until I thought
about it and tried a second test from a system in a different zone:

=====
Script started on Thu Sep 25 22:44:21 1997
pineapple:~>telnet quagga.ru.ac.za smtp
Trying 146.231.128.2...
Connected to quagga.ru.ac.za.
Escape character is '^]'.
220 quagga.ru.ac.za ESMTP Exim 1.71 #4 Thu, 25 Sep 1997 22:44:47 +0200
helo pineapple.uni.net.za
250 quagga.ru.ac.za: Hello pineapple.uni.net.za [155.232.248.15]
mail from: ccfj@???
250 <ccfj@???> is syntactically correct
rcpt to: ccfj@???
250 <ccfj@???> is syntactically correct
rcpt to: randy@???
550 relaying to <randy@???> prohibited by administrator
quit
221 quagga.ru.ac.za closing connection
Connection closed by foreign host.
pineapple:~>exit
Script done on Thu Sep 25 22:46:19 1997
=====

which is a bit more like it. I'll leave aside the problem of why the forgery
is unquestioningly accepted during the first test, other than to mention pop :-(

I have the horrible feeling that some of my previous configs might have been OK
after all, but then inadequately or misleadingly tested.

Many thanks for the helpful responses...

-- 
F.F. Jacot Guillarmod - Information Technology - Rhodes University - Grahamstown
      Internet: Jacot@???  Phone: +27 461 318284 Fax: +27 461 27764
   The views expressed above are not necessarily those of Rhodes University


--
* This is sent by the exim-users mailing list.  To unsubscribe send a
    mail with subject "unsubscribe" to exim-users-request@???
* Exim information can be found at http://www.exim.org/