From: Wietse Venema (wietse@porcupine.org)
Date: Fri Apr 13 2001 - 07:53:39 CDT
If your clients do not authenticate to your MTA, then it is a very
bad idea to send mail to the client's IP address. It is a great
opportunity to steal other people's mail.
> Yes I agree with what you are saying, and would love to give the static IP,
> but it's not our dial service. The thing is that some of those Windows
> programs detect the requesting IP and then send it to that IP number, and I
> just wanted to see if we have that ability. This of course opens up ALL
> KINDS of security nightmares. I like the way postfix works now, but was just
> trying to patch the clients' wound from the loss of their service....
> Thanks !
> Wietse Venema wrote:
> > Jack Sasportas:
> > > In a backup mx environment I understand that under normal circumstances
> > > Postfix will send the deferred mail to the primary mx address at
> > > whatever intervals, or when it gets triggered from the primary to send
> > > the mail.
> > >
> > > Under certain programs ( MDaemon / Windows environment ) they have the
> > > ability to when they receive the ETRN command look at the IP number
> > > issuing the command, and then send the mail to that IP number, and not
> > > look at the primary mx information. Obviously this is in a *non
> > > static* IP number environment. Is there something we can do to match
> > > this behavior ?
> > This sounds like a candidate for UUCP. Barring that, one would have
> > to use ATRN (authenticated TURN), which is not implemented in
> > Postfix. ATRN requires that all queued mail be sent over one and
> > the same connection. Postfix likes to make multiple connections
> > if it can.
> > What you ask for could be kludged together, but it is not pretty.
> > You'd have to create transport map entries on the fly that
> > route mail for "domain.name" to the client's IP address:
> >     domain.name: smtp:[client.ip.address]
> > These entries would have to be created when the client authenticates
> > to your dialup access infrastructure, and would have to be destroyed
> > immediately when the client hangs up, or else their mail would be
> > sent to the wrong machine.
> > However, this scheme is fragile, because mail will be misdelivered
> > when for some reason a "disconnect" event is lost and a transport
> > entry is not removed.
> > Whatever code you use would have to lock the maps in the same way
> > that postmap locks them. It would be safer to just run "postmap -i"
> > or "postmap -d" as appropriate.
> > > This is only temporary as you know Northpoint shut down a lot of
> > > clients, and it takes time for Frame circuits to be installed so we are
> > > trying to help our clients as we can.
> > >
> > > I appreciate your help!
> > It would be more robust if you could give those customers a static
> > IP address for the duration of their problems.
> > Wietse
> > -
> > To unsubscribe, send mail to majordomo@postfix.org with content
> > (not subject): unsubscribe postfix-users
> Jack Sasportas
> Innovative Internet Solutions
> Phone 305.665.2500
> Fax 305.665.2551
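Added example, not part of the original thread and not Postfix's own code: one way to script the on-the-fly transport entries described above with `postmap -i` and `postmap -d`, including cleanup of entries left behind by a lost disconnect event. The map path and function names are assumptions, as are a `postmap` that supports `-s` to list the map and a dial-up infrastructure that calls the hooks only after the client has authenticated.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed: the map path, the function
# names, and that the dial-up infrastructure calls these hooks one at a time.
TRANSPORT_MAP="${TRANSPORT_MAP:-hash:/etc/postfix/dialup_transport}"

# Print the domains currently routed to IP $1 (map value is "smtp:[ip]").
routes_for_ip() {
    postmap -s "$TRANSPORT_MAP" | awk -v v="smtp:[$1]" '$2 == v { print $1 }'
}

# Disconnect hook: route_del domain
# postmap -d exits non-zero when the key is already gone; that is not an error.
route_del() {
    postmap -d "$1" "$TRANSPORT_MAP" </dev/null || true
}

# Connect hook, to be run only after the client has authenticated:
# route_add domain ip
route_add() {
    # An address has one holder at a time, so any other domain still pointing
    # at it is left over from a lost disconnect event. Remove it first.
    for stale in $(routes_for_ip "$2"); do
        [ "$stale" = "$1" ] || route_del "$stale"
    done
    route_del "$1"
    printf '%s\tsmtp:[%s]\n' "$1" "$2" | postmap -i "$TRANSPORT_MAP"
}

# Periodic sweep: stdin lists the IPs of live sessions, one per line. Routes to
# any other address are deleted and the affected domains are printed.
route_sweep() {
    live=$(cat)
    # Read the whole map before deleting, so that no postmap -s is still
    # holding the map open while postmap -d waits to update it.
    entries=$(postmap -s "$TRANSPORT_MAP")
    printf '%s\n' "$entries" | while read -r domain dest; do
        [ -n "$domain" ] || continue
        ip=${dest#smtp:\[}
        ip=${ip%\]}
        if ! printf '%s\n' "$live" | grep -qxF -- "$ip"; then
            route_del "$domain"
            echo "$domain"
        fi
    done
}
```

If a sweep races with a new connection it can delete a fresh route, which fails safe: that mail stays queued instead of going to the wrong machine.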