Mailing List Archive

SMTP Relay
To All Members,

I need to set up a mail gateway to accept all outgoing mail for a specific mail domain that uses G-Apps for email services. The mail domain is .auranetix.com

Again, .auranetix.com uses Google Apps for their mail services and instead of having Google Apps send out their mail, my client would prefer all outbound to go thru their own SMTP server.

The issue I am facing right now is what is the best way to open the mail server to Google Apps.
When I asked G-Apps support for all the possible IP addresses the outbound mail would come from, G-Apps gave me a long list of network addresses.

My question is what is the best way to accept the outbound mail from G-Apps w/out becoming an open relay to 1000's of possible IP addresses.

Google Apps spf record = _spf.google.com
List of network addresses supplied by Google Support.
ip4:64.18.0.0/20
ip4:64.233.160.0/19
ip4:66.102.0.0/20
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:74.125.0.0/16
ip4:173.194.0.0/16
ip4:207.126.144.0/20
ip4:209.85.128.0/17
ip4:216.58.192.0/19
ip4:216.239.32.0/19

Thanks for your assistance.
Re: SMTP Relay
Hi Michael,

as you know, the classical way to tell qmail-smtpd to act as relay-client is to use tcpserver and generate a respective cdb where the IP addresses incorporated (or perhaps FQDNs) are flagged as RELAYCLIENT=''.



On 20.08.2015 at 15:20, Michael DiMartino <michael@hudsonstreet.us> wrote:

> To All Members,
>
> I need to set up a mail gateway to accept all outgoing mail for a specific mail domain that uses G-Apps for email services. The mail domain is .auranetix.com
>
> Again, .auranetix.com uses Google Apps for their mail services and instead of having Google Apps send out their mail, my client would prefer all outbound to go thru their own SMTP server.
>
> The issue I am facing right now is what is the best way to open the mail server to Google Apps.
> When I asked G-Apps support for all the possible IP addresses the outbound mail would come from, G-Apps gave me a long list of network addresses.
>
> My question is what is the best way to accept the outbound mail from G-Apps w/out becoming an open relay to 1000's of possible IP addresses.
>
> Google Apps spf record = _spf.google.com
> List of network addresses supplied by Google Support.
> ip4:64.18.0.0/20
> ip4:64.233.160.0/19
> ip4:66.102.0.0/20
> ip4:66.249.80.0/20
> ip4:72.14.192.0/18
> ip4:74.125.0.0/16
> ip4:173.194.0.0/16
> ip4:207.126.144.0/20
> ip4:209.85.128.0/17
> ip4:216.58.192.0/19
> ip4:216.239.32.0/19
>
> Thanks for your assistance.

Part 1:

Your implicit question is how to put CIDR addresses in tcpserver's cdb. With standard ucspi-tcp you can't.

However, I already released ucspi-tcp6 some time ago (http://www.fehcom.de/ipnet.html), which allows you to simply add the very few lines you've shown in the very same way into the cdb and you are done.

Apart from this and IPv6 support, both versions of tcpserver act in the very same way.

Part 2:

Since I don't believe Google uses SMTP Auth, the only way for safe relaying is X.509 client certs to be requested from your server. Using ucspi-ssl (from the above URL) together with my Spamcontrol patch for Qmail or perhaps my qmail successor s/qmail you can do this, if Google supports this of course.

Part 3:

In both cases YOU WILL be acting as open relay for those sending MTAs. What I can offer in addition is 'Mail From: Address Verification', available from the above sources. Thus you can restrict sending addresses to be 'gmail' addresses. However, this will break forwarding, perhaps.



regards.
—eh.

---
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
Re: SMTP Relay
Yes, TCPserver. Ok then does tcpserver accept cidr notation?

Is the following correct? BTW, I am using NetQmail installed the LWQM way.

echo '64.18.0.0/20:allow,RELAYCLIENT=""' >>/etc/tcp.smtp

Mike Di Martino, CEO/Founder
M: +1 631 988 6060
F: +1 206 202 1807
E: michael@hudsonstreet.us
W: www.hudsonstreet.us



On Thu, Aug 20, 2015 at 9:55 AM, Erwin Hoffmann <feh@fehcom.de> wrote:

> Hi Michael,
>
> as you know, the classical way to tell qmail-smtpd to act as relay-client
> is to use tcpserver and generate a respective cdb where the IP addresses
> incorporated (or perhaps FQDNs) are flagged as RELAYCLIENT=''.
Re: SMTP Relay
Hi,

if you use tcpserver out of ucspi-tcp6: Yes.

http://www.fehcom.de/ipnet/ucspi-tcp6.html


ucspi-tcp6 (or ucspi-ssl) work independently of any qmail version.


regards.
—eh.



On 20.08.2015 at 16:06, Michael DiMartino <michael@hudsonstreet.us> wrote:

> Yes, TCPserver. Ok then does tcpserver accept cidr notation?
>
> Is the following correct? BTW, I am using NetQmail installed the LWQM way.
>
>> echo '64.18.0.0/20:allow,RELAYCLIENT=""' >>/etc/tcp.smtp

---
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
RE: SMTP Relay
Erwin,
Can ucspi-tcp6 be installed on a system already running ucspi-tcp 088?
Or should that version be removed first?

Sent from my Windows Phone

-----Original Message-----
From: "Erwin Hoffmann" <feh@fehcom.de>
Sent: 8/20/2015 10:19 AM
To: "Michael DiMartino" <michael@hudsonstreet.us>
Cc: "qmail List" <qmail@list.cr.yp.to>
Subject: Re: SMTP Relay

Hi,

if you use tcpserver out of ucspi-tcp6: Yes.

http://www.fehcom.de/ipnet/ucspi-tcp6.html

ucspi-tcp6 (or ucspi-ssl) work independently of any qmail version.

regards.
—eh.






Re: SMTP Relay
Hi,

you can have both versions installed.

ucspi-tcp6 uses the same (but enhanced) syntax, e.g. for tcpserver.
The cdb is of course more powerful and supports IPv6 addresses as well.

Include the CIDR networks in the way you have demonstrated in /etc/tcp.smtp and use this as input for (my) tcprules.
You will receive an error upon calling tcprules in case you made mistakes.

Using tcpserver, you should be careful about binding to IP addresses.
Probably it is best that you invoke 'tcpserver -4', otherwise tcpserver will perhaps bind to IPv6 addresses as well.

Please read the docs on the ucspi-tcp6 web page and the man pages coming with the programs.

Which tcpserver you use depends on the path. Both versions are typically installed in /usr/local/bin.
Thus, ucspi-tcp6's tcpserver will overwrite the one already in place. The same holds for tcprules.

regards.
—eh.


On 20.08.2015 at 16:36, <michael@hudsonstreet.us> <michael@hudsonstreet.us> wrote:

> Erwin,
> Can ucspi-tcp6 be installed on a system already running ucspi-tcp 088?
> Or should that version be removed first?
>
> Sent from my Windows Phone

---
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
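
Added example (not part of the original thread, and not code from ucspi-tcp or ucspi-tcp6): a generator that turns the "ip4:" list quoted above into /etc/tcp.smtp rules, either in the CIDR form posted in the thread for ucspi-tcp6, or, for stock ucspi-tcp, in the prefix and range shorthand its tcprules documents (e.g. "10.2-3."). The function names, the refusal of networks wider than /8 and the closing ":allow" default rule without RELAYCLIENT are assumptions of this example.

```python
import ipaddress

# "ip4:" networks quoted in the thread (supplied by Google Support in 2015).
THREAD_LIST = """
ip4:64.18.0.0/20 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20
ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:173.194.0.0/16 ip4:207.126.144.0/20
ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19
"""
ENV = 'RELAYCLIENT=""'

def parse_ip4(text):
    """Parse ip4: mechanisms; strict=True rejects entries with host bits set."""
    nets = [ipaddress.IPv4Network(t[4:], strict=True)
            for t in text.split() if t.startswith("ip4:")]
    for net in nets:
        if net.prefixlen < 8:  # assumption: this wide is effectively an open relay
            raise ValueError(f"refusing overly broad network {net}")
    return nets

def cidr_rule(net):
    """Rule in the CIDR form posted in the thread (needs ucspi-tcp6 tcprules)."""
    return f"{net}:allow,{ENV}"

def classic_rule(net):
    """Equivalent rule for stock ucspi-tcp, using prefix/range shorthand."""
    octets = str(net.network_address).split(".")
    fixed, bits = divmod(net.prefixlen, 8)  # whole octets fixed, bits in the next
    if fixed == 4:                          # /32: a single host
        return f"{net.network_address}:allow,{ENV}"
    head = "".join(o + "." for o in octets[:fixed])
    if bits == 0:                           # /8, /16, /24: plain prefix match
        return f"{head}:allow,{ENV}"
    lo = int(octets[fixed])
    hi = lo + (1 << (8 - bits)) - 1
    tail = "" if fixed == 3 else "."        # a range in the last octet has no dot
    return f"{head}{lo}-{hi}{tail}:allow,{ENV}"

def build_rules(text, classic=False):
    """Relay rules for the listed networks, then a default without RELAYCLIENT."""
    rule = classic_rule if classic else cidr_rule
    return [rule(n) for n in parse_ip4(text)] + [":allow"]

def may_relay(ip, text):
    """True if ip falls inside one of the listed networks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in parse_ip4(text))

if __name__ == "__main__":
    print("\n".join(build_rules(THREAD_LIST, classic=True)))
```

The output is the rules file that tcprules compiles into the cdb; as Part 3 of the first reply points out, every sender inside these networks is then allowed to relay, so the list only narrows who can connect as a relay client.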