Old 03-31-2004, 06:16 AM   #1
svartrev
LQ Newbie
 
Registered: Mar 2004
Location: Cape Town, South Africa
Posts: 21

Rep: Reputation: 15
qmail open relay client problem


I have a slight problem. I have a qmail server on the local network. In /etc/tcp.smtp I have allowed relaying from localhost and the martian addresses on the LAN. However, some of the people at the office need to be able to use their accounts from home.

They can receive mail fine, as they log into the pop server using their username/password pair. But they can't send email, getting an error stating that they aren't in the rcpthosts file. Now, /etc/tcp.smtp overrides the rcpthosts file, but only allows localhost and LAN relaying. As the people at home are on dialup accounts, they don't have permanent IP addresses, so the only way to allow them would be by allowing everyone to relay through my server.

Wouldn't that be a dumb idea? How can I let only the people I want relay from the wild, while stopping everyone else?

Any ideas? What really little thing am I missing?
 
Old 03-31-2004, 09:22 AM   #2
mako747
Member
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware
Posts: 92

Rep: Reputation: 15
Are they connecting from home through webmail? i.e. Horde, Squirrel?

And if not, why not?
 
Old 04-01-2004, 02:29 AM   #3
svartrev
LQ Newbie
 
Registered: Mar 2004
Location: Cape Town, South Africa
Posts: 21

Original Poster
Rep: Reputation: 15
No, actually, they are using Outlook both from the office and from home. I just haven't had time to set up SquirrelMail yet (plus my boss doesn't want it, he wants to use Outlook). I know SquirrelMail would be an ideal solution, but surely there must be one for the Outlook situation?
 
Old 04-01-2004, 09:48 AM   #4
mako747
Member
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware
Posts: 92

Rep: Reputation: 15
I think that the boss will have to make a choice between convenience and security.

http://www.palomine.net/qmail/relaying.html
 
Old 04-02-2004, 01:31 AM   #5
svartrev
LQ Newbie
 
Registered: Mar 2004
Location: Cape Town, South Africa
Posts: 21

Original Poster
Rep: Reputation: 15
Yar, I think I'll have to go with Squirrelmail, but it just puzzles me, how do commercial ISPs offer email to all their clients? Are they perhaps open relay clients?

I mean, you have to log on to pop servers, isn't there some way to require logon to smtp servers?

Perhaps a mangling rule on the firewall that might check the from line of the email? --Ok, ok, I'm reaching...

Thanks for the advice, mako747
 
Old 04-02-2004, 11:01 AM   #6
mako747
Member
 
Registered: Mar 2004
Location: Canada
Distribution: Slackware
Posts: 92

Rep: Reputation: 15
I suspect that when you connect to an ISP to get your mail you are on their netblock, that is, you dial in and are assigned an IP.
Most ISPs provide webmail services as well for other situations.
 
Old 04-02-2004, 11:21 AM   #7
fariz83
LQ Newbie
 
Registered: Mar 2004
Posts: 10

Rep: Reputation: 0
Hi:

I have done this with vpopmail, it comes with an smtp after pop authentication, so first you check your mail (pop) using your username and password, and then you are able to send mail (smtp) because it puts your current IP address inside the valid relaying table for a predefined period of time.

Also you do not need to set up real users and it has a lot of other features that you can play with. http://www.inter7.com/vpopmail.html

Federico
 
Old 04-06-2004, 02:38 AM   #8
svartrev
LQ Newbie
 
Registered: Mar 2004
Location: Cape Town, South Africa
Posts: 21

Original Poster
Rep: Reputation: 15
Well, after some discussion with my brother, who KNOWS THESE THINGS, I have come to realise the error of my ways.

Sorry if much of what I say is obvious, but I repeat it purely for clarification to both myself, and anyone reading this who is confuzzed like I was.

Firstly, when you dial in to an ISP you are essentially on their local network, even if you have a relatively slow (i.e. modem) connection instead of a nice UTP cable connection, just like mako747 said. That is why you are allowed to forward smtp, because you are on the LAN using one of their IP addresses.

When qmail receives an email, it can only do one of two things with it. One, deliver it to the destination if that is on the system, or two, forward it to another smtp server if the destination is not on the system. It will only do the first one if the domain of the address is in the rcpthosts file, and it will only do two if the RELAYCLIENT environment variable is set when it is run, which gets set by tcpserver based on source IP address. Unlike pop, there is no username/password authentication, so the only way to allow using the server to send mail onwards is by using an IP address that is allowed to relay. This means either being on the LAN, or allowing EVERYONE to relay, which is generally considered a VERY BAD THING, with good reason.

I know so far this is all very obvious, but here come the solutions. Number one, use SquirrelMail. This is my brother's preferred option. It is the most secure, and allows you to have one copy of the mail accessible from anywhere, at any time, no hassles. Secondly, use smtp-auth, which is an extension to the smtp protocol that allows using a username/password pair to authenticate before connecting to the smtp server. Thirdly, like fariz83 is doing, use pop first to authenticate, and have a mechanism that sets RELAYCLIENT for that IP address, allowing smtp relay, and expire it on a set interval.

Well, the third option is the least secure, and a bit of a kludge, but hey, it works, and vpopmail comes with this ability almost built in, just compile with the --enable-roaming-users=y option.

Option two seems like an ideal solution, and simple to implement in theory. You simply patch the qmail smtpd, and supply a password check program. The smtpd program runs the password checker, which gets the username/password, validates it, and returns either success or failure, and smtpd only accepts relaying if the password checker returns success. However, I have been having a little trouble with this option. I'll need to hack away a bit more, but I'll post any results I get.

Option one is still the best, but at this stage requires the most work. I need to install an IMAP server, as I currently only have a POP3 server running. Also, https is required, which is not correctly configured at our site yet. Oh, well, at least I like a challenge...
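
The relay decision described in post #8 (tcpserver sets RELAYCLIENT from the source IP using /etc/tcp.smtp, and qmail-smtpd otherwise checks rcpthosts), modeled as an added example that is not part of any poster's message and is not qmail's own code. The rule file, domains and addresses are constructed samples, and only IP and IP-prefix rules are modeled (no ranges, hostnames or user@ rules).

```python
# Constructed sample of /etc/tcp.smtp in tcprules source format.
TCP_SMTP = '127.:allow,RELAYCLIENT=""\n192.168.1.:allow,RELAYCLIENT=""\n:allow\n'
# Constructed weak variant: the default rule lets every address relay.
OPEN_RELAY = '127.:allow,RELAYCLIENT=""\n:allow,RELAYCLIENT=""\n'
# Constructed sample of control/rcpthosts; a leading dot matches subdomains.
RCPTHOSTS = "example.org\n.example.org\n"

def parse_tcprules(text):
    """Map each rule address to (action, environment variables)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, instr = line.partition(":")
        action, *env = instr.split(",")
        rules[addr] = (action, dict(e.split("=", 1) for e in env))
    return rules

def lookup(rules, ip):
    """Most specific match first: full IP, shorter dotted prefixes, default."""
    parts = ip.split(".")
    for key in [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]:
        if key in rules:
            return rules[key]
    return ("allow", {})  # no rule matched: modeled as allow, no variables set

def in_rcpthosts(domain, rcpthosts):
    entries = {l.strip().lower() for l in rcpthosts.splitlines() if l.strip()}
    labels = domain.lower().split(".")
    suffixes = ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return ".".join(labels) in entries or any(s in entries for s in suffixes)

def rcpt_decision(client_ip, rcpt, tcp_smtp=TCP_SMTP, rcpthosts=RCPTHOSTS):
    """What the server does with one RCPT TO from one client address."""
    action, env = lookup(parse_tcprules(tcp_smtp), client_ip)
    if action == "deny":
        return "connection refused"
    if "RELAYCLIENT" in env:          # rcpthosts is not consulted at all
        return "accept (relay)"
    if "@" not in rcpt or in_rcpthosts(rcpt.rpartition("@")[2], rcpthosts):
        return "accept (local)"
    return "reject (not in rcpthosts)"

def relays_for_everyone(tcp_smtp):
    """Audit check: does the default rule set RELAYCLIENT (open relay)?"""
    return "RELAYCLIENT" in parse_tcprules(tcp_smtp).get("", ("allow", {}))[1]
```

With the sample rules, a dial-up user on 203.0.113.7 can deliver to example.org but is refused when sending onwards, which is the behaviour reported in post #1; `relays_for_everyone` flags the "allow everyone" configuration the thread warns against.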
 
  

