How to set MTA to accept mails from hosts on INTERNAL_IP only?
Hello,
I would like to configure a messaging server so that:
- this mail server will accept incoming mails from hosts on the INTERNAL_IP list only, without authentication.
- this mail server will accept mail for sending from clients using SASL and TLS only, which means any incoming SMTP connection will be restricted to SASL and TLS except for hosts on the INTERNAL_IP list.
/opt/SUNWmsgsr/@msg# imsimta version
Sun Java(tm) System Messaging Server 6.2-7.05 (built Sep 5 2006)
libimta.so 6.2-7.05 (built 12:08:11, Sep 5 2006)
I would appreciate it if you could help me with this; thanks in advance.
Best regards,
Robert
# 1
Hi,
Sending hosts tend to go to one of three channels by default:
tcp_intranet (hosts defined in INTERNAL_IP)
tcp_submit (if sending emails to port 587)
tcp_local (everything else)
If you want to force SASL/TLS you can modify the tcp_local channel definition in the imta.cnf file from "maytlsserver maysaslserver" to "musttlsserver mustsaslserver".
Then run:
./imsimta cnbuild; ./imsimta restart
Regards,
Shane.
# 2
Hello Shane,
Thanks for your reply.
From the log below, it seems incoming mails go to the tcp_local channel first and then switch to tcp_intranet for sending hosts on the INTERNAL_IP list.
INTERNAL_IP
$(10.1.255.222/32) $Y
$(10.1.255.202/32) $Y <-- sending host
127.0.0.1 $Y
* $N
25-Jun-2007 11:29:18.25 46f1.39c.2830 tcp_local+O TCP|10.1.255.222|25|10.1.255.202|6442 SMTP
25-Jun-2007 11:29:18.27 46f1.39c.2831 tcp_intranet ims-msE 3 lisakuan@abc.com rfc822;jimlin@msg.abc.com 0694037@ims-ms-daemon /opt/SUNWmsgsr/data/queue/ims-ms/007/ZZf0B4WiQpxLd.00 <A0D8A3EC90EE42E799706627282BF74C@ibm336> mailsrv msmail.abc.com ([10.1.255.202])
25-Jun-2007 11:29:18.27 4c9c.0e48.3788 ims-msD 3 lisakuan@abc.com rfc822;jimlin@msg.abc.com 0694037@ims-ms-daemon /opt/SUNWmsgsr/data/queue/ims-ms/007/ZZf0B4WiQpxLd.00 <A0D8A3EC90EE42E799706627282BF74C@ibm336> mailsrv
My question is: if I modify the tcp_local channel definition to "mustsaslserver" and "musttlsserver", will sending hosts listed in INTERNAL_IP also be blocked?
Thanks for your response. ^^
# 3
> Hello Shane,
>
> Thanks for your reply.
>
> From the log below, it seems incoming mails will go
> to the tcp_local channel first then switch to
> tcp_intranet later for sending hosts on INTERNAL_IP
> list.
>
> INTERNAL_IP
>
> $(10.1.255.222/32) $Y
> $(10.1.255.202/32) $Y <-- sending host
> 127.0.0.1 $Y
> * $N
>
> 25-Jun-2007 11:29:18.25 46f1.39c.2830 tcp_local+
> O TCP|10.1.255.222|25|10.1.255.202|6442
> SMTP
> 5-Jun-2007 11:29:18.27 46f1.39c.2831 tcp_intranet
> ims-msE 3 lisakuan@abc.com
> rfc822;jimlin@msg.abc.com 0694037@ims-ms-daemon
> /opt/SUNWmsgsr/data/queue/ims-ms/007/ZZf0B4WiQpxLd.00
> <A0D8A3EC90EE42E799706627282BF74C@ibm336> mailsrv
> msmail.abc.com ([10.1.255.202])
> 25-Jun-2007 11:29:18.27 4c9c.0e48.3788 ims-ms
> D 3 lisakuan@abc.com
> rfc822;jimlin@msg.abc.com 0694037@ims-ms-daemon
> /opt/SUNWmsgsr/data/queue/ims-ms/007/ZZf0B4WiQpxLd.00
> <A0D8A3EC90EE42E799706627282BF74C@ibm336> mailsrv
>
> My question is, if I modify the tcp_local channel
> definition to "mustsaslserver" and "musttlsserver",
> will sending hosts listed on INTERNAL_IP also be
> blocked?
>
> Thanks for your response. ^^
No. All emails to port 25 'hit' the tcp_local channel - there is a rewrite rule to switch messages from a certain IP range (INTERNAL_IP) across to the tcp_intranet channel, at which point the tcp_intranet restrictions apply.
Regards,
Shane.
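The channel-switching behaviour Shane describes (every port-25 connection lands on tcp_local, INTERNAL_IP sources are switched to tcp_intranet, and only then do that channel's keywords apply) can be modelled to check what a given connection will be subject to. The following is an added example written for this thread, not code from the Messaging Server itself; the INTERNAL_IP table and the channel keyword sets are constructed to mirror the post, and the log line is the one Robert pasted.

```python
import ipaddress
import re

# Constructed INTERNAL_IP mapping, same shape as the one in the post:
# entries are tried in order, the first match wins, "*" is the catch-all.
INTERNAL_IP = [
    ("$(10.1.255.222/32)", "$Y"),
    ("$(10.1.255.202/32)", "$Y"),
    ("127.0.0.1", "$Y"),
    ("*", "$N"),
]

# Assumed channel keywords after applying Shane's change to tcp_local.
CHANNELS = {
    "tcp_local": {"musttlsserver", "mustsaslserver"},
    "tcp_intranet": {"maytlsserver", "maysaslserver"},
}

def is_internal(ip, table=INTERNAL_IP):
    """Evaluate the INTERNAL_IP mapping for a source address."""
    addr = ipaddress.ip_address(ip)
    for pattern, result in table:
        if pattern == "*":
            return result == "$Y"
        m = re.fullmatch(r"\$\((.+)\)", pattern)   # $(a.b.c.d/nn) form
        net = ipaddress.ip_network(m.group(1) if m else pattern, strict=False)
        if addr in net:
            return result == "$Y"
    return False

def effective_channel(ip):
    """Connections hit tcp_local first; INTERNAL_IP sources are switched."""
    return "tcp_intranet" if is_internal(ip) else "tcp_local"

def requires_sasl_tls(ip):
    """True when the channel the source ends up on mandates SASL and TLS."""
    kw = CHANNELS[effective_channel(ip)]
    return "mustsaslserver" in kw and "musttlsserver" in kw

# Connection line from the post: TCP|local_ip|local_port|remote_ip|remote_port
LOG_LINE = ("25-Jun-2007 11:29:18.25 46f1.39c.2830 tcp_local+O "
            "TCP|10.1.255.222|25|10.1.255.202|6442 SMTP")

def remote_ip_from_log(line):
    """Extract the sending host's address from a tcp_local connection line."""
    m = re.search(r"TCP\|[\d.]+\|\d+\|([\d.]+)\|\d+", line)
    return m.group(1) if m else None
```

Running `requires_sasl_tls(remote_ip_from_log(LOG_LINE))` shows the internal sender is not affected by the tcp_local change, while any address outside the table is.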