How do I allow selective relay for off-site users? |
Robert
Guest Group |
Posted: 25 June 2003 at 8:24pm |
I host a web site and email for a local charity. They have a fixed-ip dsl service at their office, but their domain name resolves to one of my ip addresses. Their domain name is in my local domains list, and they can receive email just fine. When they send email from their office to someone outside of their domain, however, SpamFilter detects this as a relay, blocks it, and issues the expected error message. I would like to create the equivalent of a trust relationship, or essentially add their ip address to a white list that lets them relay - otherwise it appears that they cannot send email to outside persons/organizations now that I've installed SpamFilter. Is there a way to accomplish this, and I've possibly just not figured it out yet? Could I put their fully qualified domain name with the ip address in reverse order in the white list to do this? Thus far my experimentation hasn't yielded a solution, so any advice would be appreciated very much! Tx, Robert |
|
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
Technically, they should set their outbound SMTP server to be that of their DSL ISP. SpamFilter ISP was not actually intended to be your client's outbound SMTP server. Having said that, if you add their IP to the "Excluded Domains / IP's" white list, they can relay through you.
Dan S.
|
|
Robert
Guest Group |
Thanks Dan. I'd already tried that, but SpamFilter still rejects Kathleen's email with the relay error message. I actually changed the word "send" to "relay" to prompt me when I saw it, so I can confirm that's where the error message is being generated from. I am using the outside ip address from their dsl router, which I know is passed through our firewall. I see it in the Raptor logs. So I presume that the same ip is getting passed thru to SpamFilter. Thoughts? Anything else that I should look at? Tx, Robert |
|
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
Robert,
Let's back up a step. Is there a reason that they can't use their ISP as their OUTBOUND SMTP server? Also, are you trying to use SpamFilter to DIRECTLY email outbound? Or is it forwarding to your "Normal" SMTP Server for delivery? Can you lay out your architecture for me?
Dan S.
|
|
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
Robert, I am wondering if this is related to your previous post. Do you, in fact, have DNS set up? Dan
|
|
Robert
Guest Group |
Dan, SBC uses authenticated smtp, but they cannot authenticate when users are behind firewalls. Their solution is to turn off the firewall (really!). I may be able to solve this at the charity's site b/c their network is simpler than mine, but I need to pursue both solutions in parallel so that I'll end up with at least one that works. My network architecture is as follows for inbound smtp traffic:
dsl router --> Raptor firewall --> SpamFilter --> MS Exchange Server
Outbound is:
MS Exchange --> Raptor firewall ...
The address space between router and Raptor is routable. The address space inside the firewall is non-routable. SpamFilter and Exchange are on the same w2k server, and the same internal ip address, but different ports. So to answer your specific questions, Exchange handles all outbound smtp, and anything that SpamFilter forwards goes directly and only to Exchange. Robert
|
Robert
Guest Group |
Dan, I have DNS set up, and pop/smtp/web/etc. have been running. I just did some additional testing, and I think I'm seeing what you're connecting about my posts. Exchange wasn't using the ip information that it was getting from the firewall - or maybe it was, and that's why it was always an uncontrollable open relay. SpamFilter is looking at that non-routable address that it's getting passed, and is saying (1) country n/a and (2) you can't relay because your address doesn't match any approved domains and (3) you can't relay because your ip is not on the exception list. This explains why putting Kathleen's ip in the whitelist didn't work. Of course, if I put the internal address in the white list... no, we won't go there. Most folks must run SpamFilter behind a firewall, so I am guessing that their firewalls pass the IP address of the source rather than the internal ip of the firewall? If I recall correctly, ours has always passed the internal interface address. I am thinking that I have a configuration problem because SpamFilter is seeing the non-routable address for *every* transaction, but clearly is only passing traffic that is directed to internal domains. That latter part works, as I'm getting your emails. I need to do more investigation here. Thanks for seeing that! Robert
|
|
Robert
Guest Group |
Dan, I wanted to post a huge THANKYOU for picking up on the relationship between my selective relay problem and my other post about the country N/A message. We have been running with a configuration error on our firewall since it was set up, and have experienced a variety of specific things that didn't work right. Because the major services worked, I kept looking at the individual applications for solutions. What we needed was an appropriate set of Address Transforms defined on our firewall so that internal hosts would see the actual external client's ip address. Now the SpamFilter features work as they should, and it's clear already that several other inbound access-related issues will be solved as well. Again, THANK YOU!!!! Robert |
|
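Added example, not part of the thread and not SpamFilter's own code: a small Python model of the relay checks Robert lists (local domain, then IP exception list) and of the symptom he found, showing why an IP exception list only works when the firewall preserves the client's source address. All addresses, domains and function names here are constructed for illustration.

```python
import ipaddress
from collections import Counter

LOCAL_DOMAINS = {"charity.example"}                       # constructed
OFFICE_ALLOW = [ipaddress.ip_network("203.0.113.25/32")]  # constructed fixed office IP
FIREWALL_INSIDE = "192.168.1.1"                           # constructed inside interface
# The tempting but unsafe fix: put the firewall's inside address on the exception list.
WIDE_ALLOW = OFFICE_ALLOW + [ipaddress.ip_network(FIREWALL_INSIDE + "/32")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sessions: (real client IP, recipient)
SESSIONS = [
    ("203.0.113.25", "friend@elsewhere.example"),  # office user sending off-domain
    ("198.51.100.7", "kathleen@charity.example"),  # inbound mail for a local domain
    ("192.0.2.99", "someone@elsewhere.example"),   # unknown host asking to relay
]

def relay_decision(peer_ip, rcpt, allow=OFFICE_ALLOW):
    """Mirror the checks described in the thread: local domain, then IP exception list."""
    if rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
        return "accept-local"
    ip = ipaddress.ip_address(peer_ip)
    if any(ip in net for net in allow):
        return "accept-relay"
    return "reject-relay"

def masked_source(peer_ips, threshold=0.9):
    """Return the RFC 1918 address that nearly every session arrives from, else None."""
    if not peer_ips:
        return None
    top, count = Counter(peer_ips).most_common(1)[0]
    private = any(ipaddress.ip_address(top) in net for net in RFC1918)
    return top if private and count / len(peer_ips) >= threshold else None

def run(preserve_source, allow=OFFICE_ALLOW):
    """Replay SESSIONS as the filter sees them, with or without the firewall hiding the source."""
    seen = [(ip if preserve_source else FIREWALL_INSIDE, rcpt) for ip, rcpt in SESSIONS]
    decisions = [relay_decision(ip, rcpt, allow) for ip, rcpt in seen]
    return decisions, masked_source([ip for ip, _ in seen])

if __name__ == "__main__":
    print("source hidden:   ", run(False))
    print("source preserved:", run(True))
    print("inside IP listed:", run(False, WIDE_ALLOW))
```

With the source hidden, the office user is rejected even though the office IP is listed; listing the inside address instead accepts the unknown host as well, which is the open relay the thread warns about.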
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143 |
Robert, No problem ... I take it you are off and running now? Dan
|
|
Robert
Guest Group |
Dan, Yes I am. Spam attacks are down to next to nothing, and none are getting thru. I'll test the selective relay further over the weekend, but my local external ip tests were spot on. Thanks!! Robert |
|