Linux SMTP Security Manual: Qmail Security

Source: Internet
Author: User
Tags: mx record, qmail
Qmail has a configuration file named rcpthosts (the name derives from the SMTP RCPT TO command) which determines whether an email is accepted. A message is accepted only when the domain name of the recipient address given in the RCPT TO command appears in the rcpthosts file; otherwise the recipient is rejected. If the file does not exist, all mail is accepted. When a mail server forwards (relays) every message regardless of sender and recipient, it is called an open relay. A qmail server without an rcpthosts file is therefore an open relay.
The simplest way to make your own server a non-open relay is to list in rcpthosts every domain name of your mail server (if a DNS MX record points to this machine, that domain name must be included as well). For example, if your machine is known as region and mail1.linuxaid.com.cn, and the MX record of linuxaid.com.cn points to region, then qmail's rcpthosts should contain region, mail1.linuxaid.com.cn and linuxaid.com.cn.
However, this also denies your own local clients the use of your server for relaying mail. To let clients send mail with an MUA, they must be allowed to relay through the server. Qmail-smtpd supports a way to selectively ignore the rcpthosts file: if the environment variable RELAYCLIENT is set when qmail-smtpd runs, rcpthosts is ignored and relaying is allowed. But how do we identify whether a sender is a local client? Qmail does not use password authentication here; instead it decides by the source IP address of the connection: if the address belongs to the local network, the sender is treated as a client.
The ucspi-tcp package is used here, specifically its tcpserver program. tcpserver works much like inetd: it listens for connection requests, sets various environment variables for the service to be started, and then starts the specified service.
The configuration file of tcpserver is /etc/tcp.smtp, which defines for which networks the RELAYCLIENT environment variable is set. For example, if the local network is the Class C network 192.168.10.0/24, the content of tcp.smtp should be:

    127.0.0.1:allow,RELAYCLIENT=""
    192.168.10.:allow,RELAYCLIENT=""
    :allow
These rules mean that a connection from 127.0.0.1 or from any 192.168.10.x address is allowed and gets the environment variable RELAYCLIENT set; every other connection is allowed too, but without RELAYCLIENT. In this way connections to port 25 from elsewhere are still accepted by tcpserver, but relay attempts over them are rejected by qmail-smtpd because the variable is not set.
However, tcpserver does not read the /etc/tcp.smtp file directly; the file must first be compiled into a cdb file (tcprules reads the rules from standard input):

    [Lix@mail /etc]# tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
Then look back at the run file in the /service/qmail-smtpd directory; the relevant part reads:

    /usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb
As you can see, tcpserver uses the /etc/tcp.smtp.cdb file. If there are several local networks, all of them must appear in /etc/tcp.smtp, and the cdb file must be rebuilt with tcprules afterwards.
In this way local clients are allowed to relay mail, while abuse of the relay by outsiders is prevented.
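The two-stage decision described above (tcpserver choosing a tcp.smtp rule by client IP, then qmail-smtpd applying rcpthosts unless RELAYCLIENT is set) as an added model in Python; this is example code written for this page, not part of qmail or ucspi-tcp, and the rules, hostnames and client addresses in it are constructed sample data.

```python
# Added example, not from the original article: a model of the decision it
# describes. tcpserver picks the tcp.smtp rule for the client IP (exact
# address, then shorter dotted prefixes, then the empty default) and exports
# that rule's variables; qmail-smtpd then consults rcpthosts unless RELAYCLIENT
# is set.  All rules, hostnames and addresses below are constructed samples.
TCP_SMTP = '''\
127.0.0.1:allow,RELAYCLIENT=""
192.168.10.:allow,RELAYCLIENT=""
:allow
'''
RCPTHOSTS = ["mail1.linuxaid.com.cn", "linuxaid.com.cn"]  # one name per line

def parse_rules(text):
    """tcp.smtp text -> {address_or_prefix: (action, {VAR: value})}."""
    rules = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            addr, _, rest = line.partition(":")
            action, *items = rest.split(",")   # values assumed comma-free
            rules[addr] = (action, {k: v.strip('"') for k, _, v
                                    in (i.partition("=") for i in items)})
    return rules

def tcpserver_lookup(rules, ip):
    """Mimic tcprules match order: '1.2.3.4', '1.2.3.', '1.2.', '1.', ''."""
    p = ip.split(".")
    for cand in [ip] + [".".join(p[:n]) + "." for n in (3, 2, 1)] + [""]:
        if cand in rules:
            return rules[cand]
    return ("allow", {})  # no matching rule: connection allowed, no variables

def smtpd_accepts_rcpt(env, rcpthosts, recipient):
    """qmail-smtpd: RELAYCLIENT bypasses rcpthosts; a missing file (None)
    accepts everything (open relay); a '.dom' line matches subdomains only."""
    if "RELAYCLIENT" in env or rcpthosts is None:
        return True
    domain = recipient.rpartition("@")[2].lower()
    return any(domain == h or (h.startswith(".") and domain.endswith(h))
               for h in map(str.lower, rcpthosts))

def decide(ip, recipient, tcp_smtp=TCP_SMTP, rcpthosts=RCPTHOSTS):
    action, env = tcpserver_lookup(parse_rules(tcp_smtp), ip)
    if action != "allow":
        return "connection refused by tcpserver"
    if "RELAYCLIENT" in env:
        return "accepted: RELAYCLIENT set, rcpthosts ignored"
    if rcpthosts is None:
        return "accepted: no rcpthosts file (open relay)"
    if smtpd_accepts_rcpt(env, rcpthosts, recipient):
        return "accepted: domain in rcpthosts"
    return "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
```

Calling decide("10.0.0.5", "someone@example.net") shows the outsider case: tcpserver allows the connection, but qmail-smtpd rejects the foreign recipient because RELAYCLIENT is absent.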