Re: [Exim] Smtp authentication.

Top Page
Delete this message
Reply to this message
Author: Guillermo Llenas
Date:  
To: Andreas Metzler, exim-users
CC: Odhiambo Washington
Subject: Re: [Exim] Smtp authentication.
> > I formed exim with smtp authentication,
> > and works well. Although I have noticed that if any remote host
> > establishes connection with my smtp and try to send messages to any
> > of my local domains can freely send without to be necessary the
> > authentication. I will have forgotten something in the
> > configuration?.
>
> No, that is just the normal szenario, otherwise how would you recieve
> mail for you domains? Neither Hotmail nor AOL have an user/password
> pair for your system.
>                 cu andreas


Andreas, thanks for the answer, perhaps I did not explain myself very well.
    Is correct that users of yahoo or hotmail or whatever, does deliverys
towards accounts@mydomains. But using smtps of yahoo or hotmail like
transport of those mails. What I am saying is that if anyone of those users
instead of using smtp.hotmail.com or smtp.yahoo.com uses smtp.mydomain.com
sending mails to accounts@mydomain it can do it.


An example:

my server : 200.70.xx.xx , Some mine domain: compras.com.ar

If any of my users:
From: exim@??? delivers to papa@??? through 200.70.xx.xx
(my server) must use smtp authentication Perfect !!

2003-10-17 10:46:26 H=pix.com (200.70.xx.xx) [200.70.xx.xx]
F=<exim@???> rejected RCPT <papa@???>: relay not permitted


Now if the same user delivers to another account of my domain: it doesn 't
need authentication. Ok I don't mind

2003-10-17 10:50:14 1AAUze-0004Nu-0V <= exim@??? H=pix.com
(200.70.xx.xx) [200.70.xx.xx] P=smtp S=379
2003-10-17 10:50:14 1AAUze-0004Nu-0V => postmaster
<postmaster@???> R=mysqluser T=local_delivery
2003-10-17 10:50:14 1AAUze-0004Nu-0V Completed

But then anyone can do delivery to accounts@??? using like
transport my smtp(200.70.xx.xx), and not the one that each Isp assigns to
its users, and anyone who knows accounts@mydomain can bomb the same ones,
and above without squandering its resources since it uses my own smtp, for
example:
2003-10-17 11:03:43 1AAVCg-0004QI-RA <= cerberof@???
H=law12-f97.law12.hotmail.com (hotmail.com) [64.4.19.97] P=esmtp S=1009
id=Law12-F978HGmCvoXM700029fd2@???
2003-10-17 11:03:43 1AAVCg-0004QI-RA => postmaster
<postmaster@???> R=mysqluser T=local_delivery
2003-10-17 11:03:43 1AAVCg-0004QI-RA Completed

    That 's fine, but using cerberof@??? using my smtp without
authentification(since is not outgoing relay) I can do the same without
using smtps of hotmail :


2003-10-17 11:07:35 1AAVGR-0004Qi-2R <= cerberof@??? H=pix.com
(200.70.xx.xx) [200.70.xx.xx] P=smtp S=380
2003-10-17 11:07:35 1AAVGR-0004Qi-2R => postmaster
<postmaster@???> R=mysqluser T=local_delivery
2003-10-17 11:07:35 1AAVGR-0004Qi-2R Completed
2003-10-17 11:07:35 1AAVGR-0004Qi-78 <= cerberof@???
H=internal.lc-2.la.inter.net (203.176.88.24) [203.176.88.64] P=smtp S=380

    In this case, I think that if somebody wants to use the service of my
smtp(200.70.xx.xx) like transport, even to send mails to accounts@mydomains
would have to do using smtp.authentication.