1 Reply Latest reply on May 11, 2006 11:04 AM by Andrew Oliver

    Relaying --> Security

    sriram Newbie

      I am using the M4 release.

      Deployment Detail:
      I have a PC with 2 NICs. One is an external NIC connected to the internet, the other one is a private NIC connected to the LAN. The mail server running in this machine will receive mails from both these NICs. Mails coming from the local domain will be received through the local NIC and mails received from external world will be received through the external NIC.

      Requirement: The people in the LAN should be able to use this mail server as an open relay. They should be able to send mails to say yahoo.com, gmail.com, anything.com and everything.com. Employees of a company can send mails to any domain.

      The people NOT in the local network should NOT be allowed to use it as an open relay. I don't want any stranger to use my mail server to send a mail to some domain. I should reject all mails which are not destined to the local domains (configured in DomainGroupMBean).

      Probable solution
      Current implementation does not check if the mail is from a trusted IP. Relaying should be allowed only if the IP address of the client is trusted (local).

      What do you feel? Any workarounds? Any better ideas?

        • 1. Re: Relaying --> Security
          Andrew Oliver Master

          Let's be clear on what is an OPEN relay and what is not. OPEN relay means that a client can send email ANYWHERE without authenticating. JBMS cannot be configured in this manner. However, authenticated users can of course (by default) send mail anywhere to any domain.

          You can configure one SMTPServer/Protocol instance that does NOT allow sending email externally (only receiving mail addressed to local users) and DOES NOT allow authentication, and bind that to one NIC.

          Another could be configured to allow authentication and relaying mail.

          "Trusted IP" as authentication is not secure and is an anti-pattern. We do not support it as a design decision. Assign your users accounts and passwords :-)
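The two-listener split described in the reply, modelled as an added example in Python (this is not JBMS code and not part of the thread; the listener names, local domains and SMTP reply strings are constructed). The relay decision depends only on the recipient domain and on whether the session authenticated, never on the client's source address:

```python
from dataclasses import dataclass

# Constructed sample of the domains the server delivers locally.
LOCAL_DOMAINS = {"example.com", "corp.example.com"}


@dataclass(frozen=True)
class ListenerPolicy:
    """Policy for one SMTP listener (one per NIC)."""
    name: str
    offer_auth: bool        # advertise AUTH in the EHLO response
    relay_for_authed: bool  # let authenticated sessions relay off-site


# Internet-facing NIC: inbound mail for local users only, no AUTH, no relay.
EXTERNAL = ListenerPolicy("external", offer_auth=False, relay_for_authed=False)
# LAN-facing NIC: AUTH offered, authenticated users may relay anywhere.
INTERNAL = ListenerPolicy("internal", offer_auth=True, relay_for_authed=True)


@dataclass
class Session:
    listener: ListenerPolicy
    authenticated: bool = False


def ehlo_extensions(listener):
    """Extensions advertised at EHLO; AUTH is only offered on the LAN listener."""
    exts = ["SIZE", "8BITMIME"]
    if listener.offer_auth:
        exts.append("AUTH PLAIN LOGIN")
    return exts


def authenticate(session, credentials_ok):
    """Handle AUTH; a listener that does not offer it rejects the command."""
    if not session.listener.offer_auth:
        return "502 5.5.1 AUTH not supported on this listener"
    if not credentials_ok:
        return "535 5.7.8 Authentication credentials invalid"
    session.authenticated = True
    return "235 2.7.0 Authentication successful"


def rcpt_to(session, recipient):
    """Decide one RCPT TO; returns (accepted, smtp_reply)."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True, "250 2.1.5 OK"          # local delivery always accepted
    if session.authenticated and session.listener.relay_for_authed:
        return True, "250 2.1.5 OK"          # relay only after authentication
    return False, "554 5.7.1 Relay access denied"
```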