Reindl Harald <h.reindl(a)thelounge.net> wrote:
> On 25.12.2013 18:26, Andreas Meyer wrote:
> > Reindl Harald <h.reindl(a)thelounge.net> wrote:
> >
> >> On 25.12.2013 15:29, Andreas Meyer wrote:
> >>> If I define $rcmail_config['smtp_server'] = '78.47.3.18'; instead of
> >>> $rcmail_config['smtp_server'] = ''; the users get a Relay access denied.
> >>>
> >>> Whereby Roundcube takes the first IP of the subnet 78.47.3.17 and I
> >>> assume, this is the reason for the denied access.
> >>
> >> roundcube does take nothing
> >> 78.47.3.17 is the IP from which roundcube connects to the mailserver
why? 78.47.3.17 is not known by any mailservice at the host. Just because
it is not blocked at the firewall?
# netstat -pantu |grep master
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.18:587 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.19:587 0.0.0.0:* LISTEN 2246/master
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN 2246/master
tcp 0 0 213.239.207.165:587 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.18:465 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.19:465 0.0.0.0:* LISTEN 2246/master
tcp 0 0 127.0.0.1:465 0.0.0.0:* LISTEN 2246/master
tcp 0 0 213.239.207.165:465 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.22:25 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.21:25 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.18:25 0.0.0.0:* LISTEN 2246/master
tcp 0 0 78.47.3.19:25 0.0.0.0:* LISTEN 2246/master
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2246/master
tcp 0 0 213.239.207.165:25 0.0.0.0:* LISTEN 2246/master
> > The Relay access denied only happens when I set
> > $rcmail_config['smtp_server'] = '78.47.3.18';
> >
> > This is necessary so that Roundcube connects to the smtpd running
> > in the same host instead of connecting directly to the pickup of
> > postfix. The reason is the smtpd_restriction_classes restriction
> > of postfix to work.
>
> *SMTP authentication*
>
> nobody should ever send any single message to be relayed without user/password
> why? because you have no clue which client's account was hacked in case of spam
> and you can do *nothing* to stop it without killing the whole service
>
> // SMTP server host (for sending mails)
> $rcmail_config['smtp_server'] = 'tls://your-mailserver';
$rcmail_config['smtp_server'] = '78.47.3.18';
> // SMTP port (default is 25; 465 for SSL)
> $rcmail_config['smtp_port'] = 587;
the clients submit on port 25. Why do I get a Relay access denied? The
clients are authenticated per login with username and password and
are allowed to relay per SASL. It works as soon as Roundcube connects
with $rcmail_config['smtp_server'] = '';
> // SMTP username (if required) if you use %u as the username Roundcube will use the current username for login
> $rcmail_config['smtp_user'] = '%u';
>
> // SMTP password (if required) if you use %p as the password Roundcube will use the current user's password for login
> $rcmail_config['smtp_pass'] = '%p';
>
> // SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use best server supported one)
> $rcmail_config['smtp_auth_type'] = 'PLAIN';
>
> >>> Dec 25 15:14:47 delta anup/smtpd[32664]: connect from sites.anup.de[78.47.3.17]
> >>> Dec 25 15:14:47 delta anup/smtpd[32664]: NOQUEUE: reject: RCPT from sites.anup.de[78.47.3.17]: 554 5.7.1 <anmeyer(a)gmx.net>: Relay access denied; from=<anmeyer(a)anup.de> to=<anmeyer(a)gmx.net
> >>> Dec 25 15:14:47 delta anup/smtpd[32664]: disconnect from sites.anup.de[78.47.3.17]
> >>>
> >>> How do I prevent this?
> >>
> >> whitelist the roundcube IP on the mailserver or configure SMTP authentication properly
> >> roundcube is a mail-client like any other (Outlook, Thunderbird..)
> >> so handle it the same way
> >
> > Connections of other MUAs are no problem.
>
> hopefully not with authentication
Everybody who wants to relay has to authenticate. I thought with Roundcube
this is done as soon as someone can log in.
In every MUA I can specify what outgoing SMTP-Server and incoming IMAP-Server
to use. Where can this be done in Roundcube?
> > How do I tell Roundcube
> > to connect to the MTA with 78.47.3.18 instead of 78.47.3.17, which
> > is no IP known to the MTA or known in virtual_mailbox_domains?
>
> please learn about networking - the outgoing IP is nothing you tell roundcube
> it is your TCP stack!
You tell me if I specify $rcmail_config['smtp_server'] = '78.47.3.18';
users are not allowed to send, but they are authenticated. Why does
the problem not occur if I set $rcmail_config['smtp_server'] = ''; ?
78.47.3.18 is known to the mailserver as a virtual_mailbox_domains.
I do not understand what is happening.
Andreas
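
Added example, not part of the original messages: a small Python pass over Postfix smtpd `client=` log lines that illustrates the attribution point made in the quoted reply. Mail accepted from an authenticated session carries `sasl_username`, while mail relayed through an IP whitelist does not. The log lines, addresses, account names and the function name `attribute_submissions` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in Postfix smtpd log format (not taken from the thread).
SAMPLE_LOG = """\
Dec 25 16:00:01 delta anup/smtpd[40001]: 3F2A1B0C9D: client=webmail.example.org[192.0.2.17], sasl_method=PLAIN, sasl_username=alice@example.org
Dec 25 16:00:05 delta anup/smtpd[40001]: 3F2A1B0C9E: client=webmail.example.org[192.0.2.17], sasl_method=PLAIN, sasl_username=alice@example.org
Dec 25 16:00:09 delta anup/smtpd[40002]: 3F2A1B0CA0: client=dsl.example.net[198.51.100.8], sasl_method=LOGIN, sasl_username=bob@example.org
Dec 25 16:01:12 delta anup/smtpd[40003]: 3F2A1B0CA1: client=webmail.example.org[192.0.2.17]
Dec 25 16:01:13 delta anup/smtpd[40003]: 3F2A1B0CA2: client=webmail.example.org[192.0.2.17]
Dec 25 16:01:14 delta anup/smtpd[40001]: 3F2A1B0CA3: client=webmail.example.org[192.0.2.17], sasl_method=PLAIN, sasl_username=alice@example.org
Dec 25 16:02:00 delta anup/smtpd[40004]: NOQUEUE: reject: RCPT from webmail.example.org[192.0.2.17]: 554 5.7.1 <x@example.com>: Relay access denied; from=<a@example.org> to=<x@example.com> proto=ESMTP helo=<webmail>
"""

# Matches the "QUEUEID: client=host[ip]" line smtpd writes when it accepts a
# message; the sasl_* fields are present only if the session authenticated.
CLIENT_RE = re.compile(
    r"/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=[^\[]*\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+))?"
    r"(?:, sasl_username=(?P<user>\S+))?"
)


def attribute_submissions(log_text):
    """Return (per_user, unattributed): accepted messages counted per SASL
    account, and accepted messages with no account, counted per client IP."""
    per_user, unattributed = Counter(), Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # rejects, connects and disconnects are not submissions
        if m.group("user"):
            per_user[m.group("user")] += 1
        else:
            # Relayed on the strength of the client IP alone: the log cannot
            # say which account behind that IP sent the message.
            unattributed[m.group("ip")] += 1
    return per_user, unattributed


if __name__ == "__main__":
    users, anonymous = attribute_submissions(SAMPLE_LOG)
    for user, count in users.most_common():
        print(f"{count:4d}  {user}")
    for ip, count in anonymous.most_common():
        print(f"{count:4d}  (no sasl_username) from {ip}")
```
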