A lot of documents talk about mail relaying, specifying rules about mail relaying and getting converted in cdb file but what they lack is a nice explanation about relaying, specifying relaying rules. This inspired me to write this document.
What is mail relaying anyway? And what is an open relay?
In a literal sense the word relay means- act or instance of conveying or trasnmitting by or as by relays. In mail servers’ relation it may be explained as: accepting email on behalf of someone for someone.
In older days when there were few mail servers on the internet, it was common for MTAs to act as SMTP server and as SMTP client. They typically accepted mails from the hosts on the internet for local users, acting as server. In the opposite role they accepted messages from local users and deliver it to remote users. These were the days when mail servers acted as open relays. Meaning, they used to accept mails from anyone and for anyone. This left the possibility open for illegitimate, unscrupulous junk mailers use these open relays to send bulk mails and commercial mails rather than sending mails from their own servers. This kind of mailing served two purposes for unsolicited mailers. First, they releaved their own servers from the load of sending these bulk emails. Second, they hid the origin of mails.
This forced the adminstrators not to let their MTAs act as open relays. Alas, gone are the days of innocence. In todays synical world if your server acts as an open relay be sure to see it blacklisted on serveral mail servers. Which means, mail messages from your server will be rejected by several servers attributing it as junk since it is originated from a blacklisted server (unfortunately, its yours in this case).
What happens actually in mail relaying?
Consider you have mail server running. You are currently hosting a few domains on this server. You have qmail-smtp listening on port 25 to receive emails for your domains from other hosts. Consider a situation. Some host on the internet connects to your server on port 25. This host might be another mail server running qmail, sendmail, exim or some other MTA or this can be an end user’s mail client. The host initiates SMTP conversation with your server by identifying itself. The SMTP conversation in its simplest form looks as follows:
When an MTA at somedomain.com initiates an SMTP conversation, your server responds..
220 mydomain.com ESMTP
The server for somedomain responds..
ehlo somedoamin.com
On this response your server declares its capabilities..
250-mydomain.com
250-PIPELINING
250-DATAZ
250-STARTTLS
250 8BITMIME
The server for somedomain.com sends the FROM part of envelop..
MAIL FROM:sam@somedomain.com
Your server responds to continue conversation..
250 ok
The server at somedomain.com now sends one or more receipient’s addresses using RCPT TO command.
RCPT TO:alec@imaginary.com
Now at this point server has two options. First is, it can accept the message to relay it to imaginary.com. Second, it can reject with proper error message. It would have answerd ok, had the first case been true.
250 ok
But in second case the server would answer in one of the following way.
553 sorry, relaying denied from your location [10.15.20.25] (#5.7.1)
553 sorry, that domain isn’t in my list of allowed rcpthosts (#5.7.1) Note that your server (mydomain.com) won’t reply with any decisive answer till it sees the recipients address part of envelop. The reason is this mail can be from one of the domains your server is serving (MAIL FROM). If your server finds that it is not responsible for delivering mails from somedomain.com it will wait till it see the recipient’s address. On seeing the recipients address if your server discovers that neither it is responsible to relay the messages from somedomain.com nor it is reponsible for receiving messages for domain in recepients address, it will reject the message with one of the above messages.
Ok, I don’t want an open relay. But how the hell do I fix it?
To prevent your server act as open relay you define rcpthosts file in qmail (in default installation) usually found at /var/qmail/control/. This file contains the list of domains for which your server is responsible to accept mails via SMTP. It accepts mails for domains identified by SMTP RCPT TO command, hence the control file name rcpthosts. This file generally contains all hosts listed in locals and virtualdomains.
If rcpthosts is not present in your qmail setup, your server will immediately become an open relay.
All above is true if you are not using control patch for qmail-ldap.
But now my users are getting messages saying sorry, that domain isn’t in my list of allowed rcpthosts and that I want my users to be able to relay messages from my server. And you know I can’t possibly list every domain in my rcpthosts file that my users may want to send mail to. So what do I do?
Well, certainly you should not add those domains in rcpthosts file! There is nothing called authentication as such in SMTP protocol. So you have to identify whether a particular connection is from one of your users. The esiest way to identify is IP from which the SMTP connection is initiated. Using IPs you can distinguish your users and foreign users. This way you know that the user is connecting from one of the hosts on your network.
You can allow your users to relay messages from your server. This can be achieved by specifying the rules in tcpserver environment. If this explaination is gibberish, here is a more verbose explanation. You specify IPs from which your users will connect to your server in the file called tcp.smtp or tcp in /service/smtpd, depending on your installation. If you have been following my qmail-ldap step-by-step installation document, you will have to edit /var/qmail/control/qmail-smtpd.rules file.
From now on I consider that you have been following my qmail-ldap step-by-step installation document to avoide confusion.
By specifying these IPs in qmail-smtpd.rules you tell qmail to specifically allow SMTP connections from these IPs and relay mails from your server. Suppose some of your users operate from IPs 10.22.13.55; 140.114.27.99; and 115.11.11.1. So in this case we will specify these IPs in /var/qmail/control/qmail-smtpd.rules as follows.
127.:allow,RELAYCLIENT=””
10.22.13.55:allow,RELAYCLIENT=””
140.114.27.99:allow,RELAYCLIENT=””
115.11.11.1:allow,RELAYCLIENT=””
:allow The first line tells qmail to relay any mail from localhost. Next three lines tell qmail to relay mails from specified IPs. The last line saying :allow is redudent. Which tells qmail server to allow anyone to connect to SMTP server but since it does not have RELAYCLIENT=”” qmail won’t allow anyone to relay mails but the IPs specified with RELAYCLIENT=””. For Example 10.22.13.55:allow,RELAYCLIENT=”” tells to allow mail relaying from IP 10.22.13.55.
Once you are done with that you need to create the cdb file from this /var/qmail/control/qmail-smtpd.rules file. To create cdb file you have to change directory to /var/qmail/control/ then run the command as follows.
tcprules qmail-smtpd.cdb rules.tmp < qmail-smtpd.rules The command tcprules is installed with ucspi-tcp package
Not all of my users have static IP. Many of them have dynamic IP assigned by various ISPs they use. So can I not relay mails if the mails is from one of my domains?
I would interpret the scentence mail from one of my domains as mail with sender’s address as one of my domains. Meaning that I would not believe the sender’s address on envelop to be true sender. This is because one can easily spoof sender’s address on the mail envelop. If you go by the senders address on the email, you have to rely on the senders word and beleave that he is what he claims he is. This is clearly a security issue.
So how my legit users are supposed to relay mails with my domain in senders address field?
In such a case these users can use their ISPs mail servers to relay their mails. Else they can use any server that agrees to relay their mails. Besides its ISPs duty to provide mail relaying service to their users. My personal experience is that some ISPs won’t relay your messages with some other sender’s address. They require not only that the sending host be connected to the ISP’s network, but also that the sender use the address provided by his ISP as his envelope sender address. If your customer wants to relay mail through his ISP’s SMTP server and he has one of these envelope-checking ISPs, he won’t be able to show in his “From” header, the address that you’ve provided him–all his mail will have to appear to come from his ISP address.
So if your user have one of these idiot ISP and wants to show his mail address provided by you, he has only one way that is ideal for him. That would be SMTP_AUTH. Before relaying a mail through your server the user have to authenticate to your mail server. Then the IP from which this user has authenticated will be allowed to relay mails for a short period of time.
If you have been following qmail-ldap step-by-step installation document you would have it already. If you was not, then you may want to refer to the documentation. If you are going to install plain qmail, you need a seperate patch for SMTP_AUTH.
Another way to circumvent the problem. That is to use POP-before-SMTP (PBS). In this mechanism you are allowed to relay messages for a short period of time after a host at that IP address is authenticated via POP. The only problem with this approach is that some M$ windows based email clients are hard wired to send any queued mails before they authenticate and receive. So that leaves your users with an additional responsibility of checking mails before they queue any mails (in their outboxes) for sending.
Other approaches may include running a seperate qmail-smtpd on different IP and on a non-standard port and use it as open relay (which is NOT RECOMENDED at all). For this you have to tell your users to keep this IP and port secret (tell them to keep secret??). You also have to tell your users to configure their mail clients to use this IP & port for smtp. Again there lies the same problem as in PBS (POP-before-SMTP). Some M$ windows based mail clients won’t allow you to change SMTP port.
In approach described, all we get is security through obscurity which is nothing but a feel secure state of mind. In reality, tools like nmap or scanrand (paketto keiretsu) will easily discover these ports (even entire IP range for that matter) in just a minute. Once thay are known …. do I need to tell again what might happen..?
This documentation is distributed in hope that it will be useful but WITHOUT ANY WARRANTY. Without even the implied warranty of FITNESS FOR A PARTICULAR PURPOSE. This documentation is COPYLEFTED.
Devenix's Weblog 