
Re: Exim relaying and DNS questions (for small mail server)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Saturday 19 January 2002 4:07 pm, Rory Campbell-Lange wrote:
> I've set up a machine in a little office to allow people in the office to
> send each other email, and to download and parcel out incoming mail from
> the isp using fetchmail, exim and procmail. This all works fine.
> The clients, all running macs, all can pick up pop3 mail served via
> ipopd.
>
> I'd like to be able to allow clients to send mail to other people on our
> internal network, or to the isp, via the mail server. Clients presently
> get a "relaying is denied" message from exim.
>
> What I would like to do:
>
> 1.  Set up bind so that they can pick up and send mail via
>     myname@mail.local.domain.com. I don't know the first thing about
>     setting this up in a small network. Pointers gratefully received.

Can you be more specific here?  Is some variant of domain.com actually yours?
What do people external to the office mail you on?

I am going to give you how I do it for my house.  I "own" 
chandlerfamily.org.uk and an external company sets up the DNS records to 
point mail requests (in DNS speak the MX record) at its own mail server which 
then forwards mail to my ISP.  It also sets up a dns records for 
www.chandlerfamily.org.uk to its own web server which then creates a frame 
and forwards the frame to my web space at the ISP.  Since my ISP does not 
allow me to set up services on my end of the line, I didn't want to use 
chandlerfamily.org.uk for the internal network of machines.  So after some 
thought I created an "internal domain" for the home called .home

Here is some of my named.conf.  I have created an internal network with 
winnie the pooh machine names on the .home domain (I sometimes have the two 
forwarders lines in, sometimes I leave them out - they are the IP addresses 
of my ISP's DNS service - I find it can be unreliable and so I just avoid 
him).  Also, my main gateway (roo.home) has a number of other IP addresses 
and names (mail.home www.home news.home etc).
============================named.conf
...
options {
	directory "/var/cache/bind";

	// only answer on the loopback and the internal 10.0.10.0/24 network
	listen-on { 127.0.0.1; 10.0.10/24; };
	query-source address * port 53;

	notify no;

	// the closing brace must be commented out along with the rest of the
	// forwarders block, otherwise it terminates the options block early
	//forwarders {
	//	62.30.112.121;
	//	62.30.112.122;
	//};
};
...  (standard stuff for db.root db.localhost db.127 and db.0 set up by 
debian)


zone "home" {
	type master;
	file "/etc/bind/db.home";
};

zone "10.0.10.in-addr.arpa" {
	type master;
	file "/etc/bind/db.10.0.10";

};

========================db.home 
;
; BIND data file for local loopback interface
;
$TTL	604800
@	IN	SOA	home. root.home. (
			      8		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	roo.home.
@	IN	MX 10	mail.home.
kanger	IN	A	10.0.10.1
pooh	IN	A	10.0.10.2
tigger	IN	A	10.0.10.3
eeyore	IN	A	10.0.10.4
;
;
piglet	IN	A	10.0.10.20
rabbit  IN	A	10.0.10.30
;
;
;  50-99 allocated to dhcpd clients
;
;  Default gateway
;
roo	IN	A	10.0.10.100
www	IN	A	10.0.10.101
home	IN	CNAME	www
mail	IN	A	10.0.10.102
fetchmail IN	CNAME	mail
news	IN	CNAME	mail
cvs	IN	CNAME	roo
apps	IN	A	10.0.10.103
============================ db.10.0.10
;
; BIND reverse data file for local loopback interface
;
$TTL	604800
@	IN	SOA	home. root.home. (
			      8		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	roo.home.
1	IN	PTR	kanger.home.
2	IN	PTR	pooh.home.
3	IN	PTR	tigger.home.
4	IN	PTR	eeyore.home.
;
;  From this point on we allocate IP addresses for visiting devices which require a fixed IP
;
20	IN	PTR	piglet.home.
30	IN	PTR	rabbit.home.
;
;  Note the range 50-99 is reserved for dhcpd to dynamically allocate
;
;  Default Gateway has several names and addresses
;
100	IN	PTR	roo.home.
101	IN	PTR	www.home.
102	IN	PTR	mail.home.
103	IN	PTR	apps.home.
============================

>
> 2.  Fix the relaying issue
>     I've read the "Control of Relaying" section in the exim docs.
>     It appears that I need to:
>     a)  set host_accept_relay to accept mail on
>         192.168.181.0/255.255.255.0:localhost

Exactly (I actually use the other notation and resolve localhost - i.e. 
10.0.10.0/24:127.0.0.1)

>     b)  set the local_domain so that local mail is put into local email
>         boxes
>         is localdomains = localhost:mail:192.168.181.0 ok here?

I think your middle entry could be *.mail.local.domain.com (from what you 
said about the domain you want to use - what names are you going to give your 
other local machines)

In my example above I put localhost:*.home:chandlerfamily.org.uk 

You don't need the IP address.  I originally did that so that fetchmail would 
work (by default it puts the mail over as localuser@localhost).  I now put 
"smtpaddress fetchmail.home" at the end of each "user" line in my fetchmailrc 
file so that the headers tell me more specifically how the mail is delivered.

>     c)  set a smarthost (the isp) who gets all the other mail
>         authentication settings for _server side authentication_ (is
>         this right, to allow clients to attach to this mail server).

Not sure I understand what you are saying here.  My users send outgoing mail 
via my mailserver at mail.home; this means exim can tell whether it's internal 
mail or external - for outgoing mail I have a router

smarthost:
  driver = domainlist
  transport = remote_smtp
  route_list = "* smtp.blueyonder.co.uk bydns_a"

which sends everything via my isp (blueyonder.co.uk)

and a transport

remote_smtp:
  driver = smtp
  headers_rewrite = *@*home $1@chandlerfamily.org.uk
  return_path = ${lc:${sender_address_local_part}}@chandlerfamily.org.uk
# authenticate_hosts = smarthost.isp.com

The authenticate_hosts option is for exim to authenticate itself to your ISP's 
mail server when it sends the outgoing mail.  I think this depends on what 
your ISP needs (mine doesn't as it knows who I am from the IP address being 
in its block).  You can see I am rewriting all home addresses into 
chandlerfamily.org.uk ones as they go out.

>         I can use the plaintext drivers to auth against /etc/exim/passwd.

Again I am confused about what you mean here.  Mail destined for your users 
will be put into a mail file (probably /var/spool/mail/$user) using the 
appendfile transport.  The director that sends via this transport may need to 
check which users are local (to your office).  In my case I do not use 
/etc/passwd but list the users who are allowed to receive mail in a file 
(this is because I have more accounts than mail users, and I want to do 
catchall addresses and not send them to the spool file) - you do this via a 
line in the director

local_parts = /etc/exim/localusers

HOWEVER, when users come to get their mail they are going to use POP3 or IMAP 
to connect to your machine.  The software that is acting as the POP3 or IMAP 
server will need to validate the connection and one way of doing that is to 
look it up in /etc/passwd (there are other ways too)

>     Have I left anything out?

There are lots of other things you could do - like filtering for spam - 
allowing people to send out-of-the-office messages - mailing lists for 
specific topics in the office (I use mailman for this - but exim can be set 
up to do simple versions of it).

Get the basics up and then worry about the rest later.

Feel free to ask any more questions 
- -- 

  Alan - alan@chandlerfamily.org.uk
http://www.chandlerfamily.org.uk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8Sa081mf3M5ZDr2kRAv9QAKCC082HuObk5t3DbA47T6+59yGoOgCeP3jE
YBxyrq5XBGQMr7le+IBU2Hk=
=6m2s
-----END PGP SIGNATURE-----
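Added example, not code from Alan's message or his configuration: a small Python checker for the kind of forward/reverse zone pair shown above (db.home and db.10.0.10). It parses the simple tab-separated zone syntax used in the post and reports the mistakes that quietly break internal mail delivery and log attribution: an A record with no matching PTR, a PTR with no matching A record, and an MX or NS whose target is a CNAME. The sample zone text is constructed from the layout in the post with deliberate mistakes added; owl.home and the second MX record are hypothetical and not from the original.

```python
"""Forward/reverse consistency check for a small BIND zone pair.

Added example, not code from the original post: it parses the simple
'owner IN TYPE [pref] target' syntax of db.home / db.10.0.10 and reports
A records without a PTR, PTRs without an A, and MX/NS records whose
target is a CNAME (forbidden by RFC 2181 section 10.3).
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (absolute owner, type, target)

# Constructed sample modelled on the post's db.home, with two deliberate
# mistakes: piglet has no PTR, and the second MX points at the CNAME 'news'.
DB_HOME = """\
$TTL    604800
@       IN      SOA     home. root.home. ( 8 604800 86400 2419200 604800 )
@       IN      NS      roo.home.
@       IN      MX 10   mail.home.
@       IN      MX 20   news.home.      ; mistake: target is a CNAME
kanger  IN      A       10.0.10.1
pooh    IN      A       10.0.10.2
piglet  IN      A       10.0.10.20      ; mistake: no PTR in DB_REVERSE
roo     IN      A       10.0.10.100
www     IN      A       10.0.10.101
home    IN      CNAME   www
mail    IN      A       10.0.10.102
news    IN      CNAME   mail
"""

# Constructed reverse zone; 'owl' is a hypothetical host with a PTR but no A.
DB_REVERSE = """\
$TTL    604800
@       IN      SOA     home. root.home. ( 8 604800 86400 2419200 604800 )
@       IN      NS      roo.home.
1       IN      PTR     kanger.home.
2       IN      PTR     pooh.home.
31      IN      PTR     owl.home.       ; mistake: no A record in DB_HOME
100     IN      PTR     roo.home.
101     IN      PTR     www.home.
102     IN      PTR     mail.home.
"""


def _fqdn(name: str, origin: str) -> str:
    """Expand a zone-file name to an absolute name ending in '.'."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."


def parse_zone(text: str, origin: str) -> List[Record]:
    """Return (owner, type, target) triples; $TTL, SOA and comments are skipped."""
    records: List[Record] = []
    in_paren = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ';' comments
        if not line or line.startswith("$"):
            continue
        if in_paren:                             # still inside a multi-line SOA
            in_paren = ")" not in line
            continue
        if "(" in line and ")" not in line:      # multi-line SOA opened here
            in_paren = True
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].upper() != "IN" or fields[2].upper() == "SOA":
            continue
        owner, rtype, target = _fqdn(fields[0], origin), fields[2].upper(), fields[-1]
        if rtype != "A":                         # A targets are addresses, not names
            target = _fqdn(target, origin)
        records.append((owner, rtype, target))
    return records


def _reverse_prefix(rev_origin: str) -> str:
    """'1.168.192.in-addr.arpa' -> '192.168.1'."""
    labels = rev_origin.split(".")
    return ".".join(reversed(labels[:-2]))


def check_zones(fwd_text: str, fwd_origin: str, rev_text: str, rev_origin: str) -> List[str]:
    """Cross-check a forward zone against its reverse zone; return problem strings."""
    a_by_name: Dict[str, str] = {}
    cnames: Dict[str, str] = {}
    mx_ns: List[Tuple[str, str]] = []
    for owner, rtype, target in parse_zone(fwd_text, fwd_origin):
        if rtype == "A":
            a_by_name[owner] = target
        elif rtype == "CNAME":
            cnames[owner] = target
        elif rtype in ("MX", "NS"):
            mx_ns.append((rtype, target))

    prefix = _reverse_prefix(rev_origin)
    ptr_by_ip: Dict[str, str] = {}
    for owner, rtype, target in parse_zone(rev_text, rev_origin):
        if rtype == "PTR":                       # owner is '<octet>.<rev_origin>.'
            octet = owner[: -(len(rev_origin) + 2)]
            ptr_by_ip[f"{prefix}.{octet}"] = target

    problems: List[str] = []
    for name, ip in sorted(a_by_name.items()):
        if ip not in ptr_by_ip:
            problems.append(f"A {name} -> {ip} has no PTR in {rev_origin}")
        elif ptr_by_ip[ip] != name:
            problems.append(f"A {name} -> {ip} but PTR says {ptr_by_ip[ip]}")
    for ip, name in sorted(ptr_by_ip.items()):
        if name not in a_by_name:
            problems.append(f"PTR {ip} -> {name} has no A record in {fwd_origin}")
    for rtype, target in mx_ns:
        if target in cnames:
            problems.append(f"{rtype} target {target} is a CNAME, not allowed (RFC 2181)")
        elif target not in a_by_name:
            problems.append(f"{rtype} target {target} has no A record")
    return problems


if __name__ == "__main__":
    for problem in check_zones(DB_HOME, "home", DB_REVERSE, "10.0.10.in-addr.arpa"):
        print(problem)
```

Run it against the real files by reading them in place of the constructed strings; a clean pair returns an empty list. The MX/NS check matters for the post's setup specifically because roo.home carries several names, and it is tempting to make mail.home a CNAME of roo, which the MX record above must not point at.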


