Mailing List CGatePro@mail.stalker.com Message #102444
From: Tom Rymes <trymes@rymes.com>
Subject: Device incapable of SMTP Auth (again)
Date: Fri, 09 Sep 2011 10:17:35 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Ok,

So I asked this question a while back and am now coming back to it. I need to allow a device that is not capable of SMTP AUTH to send mail via our CGP Server. One suggestion is to set up a second CGP server that only accepts mail from that device, but I would rather avoid that added complexity.

Currently, we have:

1.) "Force SMTP AUTH" set to "Everybody".
2.) "Delay Prompt" set to 23s for non-client senders.
3.) LAN addresses defined and set to be treated as clients.
4.) WAN Addresses for other locations set as clients.

If I were to change the "Force SMTP AUTH" to "Non-clients", the device in question should be able to send mail. My concern is that any compromised client or bad actor who has access to the LAN could then send SPAM via our server.

So, my plan was to:

1.) Remove all defined Client IP addresses.
2.) No longer treat all LAN Addresses as Clients.
3.) Set "Force SMTP AUTH" to "Non-Clients".
4.) Add the device's IP address to the Client IP list.

This should effectively mean that everyone/thing other than the device in question will be required to use SMTP AUTH. Of course, I quickly realized that this would result in all of our users (except that one device) being subject to the SMTP prompt delay, but I think that I can work around that by making certain that all users connect to port 587 or 465.

So, I have a few questions:

1.) Does anyone have a better suggestion here?
2.) I see that the "Relay: To Any IP Address" setting has been set to "clients" for some reason. Unless I am mistaken, this means that any device with a client IP can use our host as an open relay if I change "Force SMTP AUTH" to "Non-Clients".
3.) However, if I change "Force SMTP AUTH" to "Non-Clients" and change "Relay: To Any IP Address" to "Nobody", compromised-machines/malware/bad-actors on the LAN will not be able to use the host as an open relay, but then the device I am trying to use will not be able to send to non-local addresses, correct?

Another suggestion was to create another domain that only has the device's IP Address listed as a client, does not accept incoming mail, relays only for clients, and does not require AUTH. Perhaps this is simpler? Can this be done without creating a user in that domain?

My apologies for the long post, but I keep stumbling over the various moving parts here and I was hoping someone out there might be able to slice through it for me.

Tom
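To see how the three settings interact, here is an added model (not CommuniGate Pro code, and not from the original post) that treats the Client IP list, "Force SMTP AUTH" and "Relay: To Any IP Address" as inputs and decides whether a given sender is accepted. The semantics are assumptions based on how the post describes them, including that an authenticated user may always relay; the IP addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RelayPolicy:
    """Simplified model of the CGP settings discussed in the post (assumed semantics)."""
    client_ips: frozenset   # the "Client IP" list (LAN ranges omitted for brevity)
    force_auth: str         # "Everybody" or "Non-Clients"
    relay_to_any: str       # "Clients" or "Nobody"

def can_send(policy: RelayPolicy, ip: str, authenticated: bool, local_recipient: bool) -> bool:
    """Return True if a sender at `ip` may deliver in this model.

    A non-authenticated sender is refused outright when AUTH is forced for it.
    Delivery to a local mailbox then needs nothing more; relaying to an
    outside address needs either AUTH (assumed to grant relay rights) or a
    client IP when "Relay: To Any IP Address" is set to "Clients".
    """
    client = ip in policy.client_ips
    auth_required = policy.force_auth == "Everybody" or not client
    if auth_required and not authenticated:
        return False
    if local_recipient:
        return True
    if authenticated:
        return True
    return policy.relay_to_any == "Clients" and client

# Constructed sample addresses (placeholders, not real hosts).
DEVICE = "192.0.2.10"     # the device that cannot do SMTP AUTH
LAN_HOST = "192.0.2.50"   # some other machine on the LAN

# Today's layout once "Force SMTP AUTH" is simply switched to "Non-Clients":
# the whole LAN is still a client, so LAN_HOST can relay without AUTH.
LAN_AS_CLIENTS = RelayPolicy(frozenset({DEVICE, LAN_HOST}), "Non-Clients", "Clients")

# Tom's plan: only the device is a client; everyone else must AUTH.
PLAN = RelayPolicy(frozenset({DEVICE}), "Non-Clients", "Clients")

# Plan plus "Relay: To Any IP Address" = "Nobody": the device loses outbound relay.
PLAN_NO_RELAY = RelayPolicy(frozenset({DEVICE}), "Non-Clients", "Nobody")
```

The assertions in the test below walk through questions 2 and 3 of the post: the LAN host relays freely under LAN_AS_CLIENTS, only the device relays under PLAN, and under PLAN_NO_RELAY the device can still reach local mailboxes but not outside addresses.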