Providing SMTP relay access to roaming laptop without creating an open relay...

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Providing SMTP relay access to roaming laptop without creating an open relay...

blue_cowdawg
Hi folks,

In pseudo code here's how I want my outside mail exchange system to
behave:

        if  mail_sent_by_outside_host_to_inside_user
        then
                relay_to_inside_user
        elsif
            mail_sent_by_inside_host_to_inside_user
        then
                relay_to_inside_user
        elsif
            mail_sent_by_inside_host_to_outside_destination
        then
                relay_to_outside_destination
        elsif mail_being_sent_by_roaming_laptop    <-- need this!!!
                relay_where_it_needs_to_go
        else
                reject

The part that seems broken (and that is probably a good thing) right now
is the roaming laptop part.  Since I travel a lot with my laptop both
for business and personal purposes and would like my laptop to relay
mail through my server when "outside the cloud" so to speak, what is the
best approach to this without breaking the MX functionality for my
domain?

I've read "The Book" on this subject about SASL authentication and my
fear is if I implement that I'll not be able to receive un-authenticated
hosts (such as the fine server that serves this list) and that would be
a bad thing.

Can somebody point me in the right direction and hopefully not screw
this up?


               
--
Peter L. Berghold, Australian Cattle Dog Owner, Agility Fan, Foodie,
Salty Old Dog and Old School Unix Hacker.
Skype:  cowdawg
"Those who fail to learn from history are condemned to repeat it"

Reply | Threaded
Open this post in threaded view
|

Re: Providing SMTP relay access to roaming laptop without creating an open relay...

Magnus Bäck
On Sunday, August 01, 2010 at 19:15 CEST,
     "Peter L. Berghold" <[hidden email]> wrote:

> In pseudo code here's how I want my outside mail exchange system to
> behave:
>
> if  mail_sent_by_outside_host_to_inside_user
> then
> relay_to_inside_user
> elsif
>    mail_sent_by_inside_host_to_inside_user
> then
> relay_to_inside_user
> elsif
>    mail_sent_by_inside_host_to_outside_destination
> then
> relay_to_outside_destination
> elsif mail_being_sent_by_roaming_laptop    <-- need this!!!
> relay_where_it_needs_to_go
> else
> reject

This is a standard setup. Except for the roaming laptop part, it's the
default configuration. Adding authentication for laptops we get this:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

This means:

   * Permit local clients to send email anywhere.
   * Permit authenticated clients to send email anywhere.
   * Permit other clients to send email to hosted domains.

> The part that seems broken (and that is probably a good thing) right
> now is the roaming laptop part.  Since I travel a lot with my laptop
> both for business and personal purposes and would like my laptop to
> relay mail through my server when "outside the cloud" so to speak,
> what is the best approach to this without breaking the MX
> functionality for my domain?
>
> I've read "The Book" on this subject about SASL authentication and my
> fear is if I implement that I'll not be able to receive
> un-authenticated hosts (such as the fine server that serves this list)
> and that would be a bad thing.

No. While you can configure Postfix to always require SASL
authentication, with the configuration above authentication
is only required for relay access which is exactly what you want.

http://www.postfix.org/SASL_README.html#server_sasl

--
Magnus Bäck
[hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Providing SMTP relay access to roaming laptop without creating an open relay...

Wietse Venema
In reply to this post by blue_cowdawg
Peter L. Berghold:
> Hi folks,
>
> In pseudo code here's how I want my outside mail exchange system to
> behave:
>

On the Postfix server:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated <- for the roaming laptop
        ...
        reject_unauth_destination
        ...

Then configure the Postfix server for SASL (to authenticate the
roaming laptop) and perhaps TLS encryption (to protect the login
sequence).

http://www.postfix.org/SASL_README.html#server_sasl
http://www.postfix.org/TLS_README.html#server_tls

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Providing SMTP relay access to roaming laptop without creating an open relay...

jonnytabpni

On 01/08/10 18:56, Wietse Venema wrote:
> and perhaps TLS encryption (to protect the login
>    
Do not underestimate the importance of enabling TLS :)