Mercury Suggestions
Add a new option "Always authenticate"

Hi all

Many thanks for your support, sorry for my silence during the last days... I see you understand my wish: I want a private relay server and I can't use an IP address filter because some connections will come from the internet and the IP address could be xxx.xxx.xxx.xxx.

Yesterday I found another way:

    - Close all ports on my internet firewall except the incoming port 80

    - Install IMAP support in Mercury

    - Install an Apache-PHP server with SquirrelMail on the Mercury server

So when an (authorised) internet user needs to use my SMTP server to relay a mail, he can do it using the webmail interface.

Francoy 

 

 

 


In the MercuryS SMTP server, it would be very interesting to have a new option "Always authenticate" without considering relaying. So the SMTP client will ALWAYS have to authenticate to send a mail.

In my case I want to have a computer connected to the internet with Mercury/32. Port 25 will be opened to allow incoming connections. I can't restrict IP addresses in Mercury because other computers will have floating addresses (internet). With the current release of Mercury/32, if someone connected to the internet uses my Mercury SMTP server, guesses my Mercury domain, and changes his FROM address to a local address, he can spam other users with massive mails (same domain, so there is no relay).....!!

Thanks for an answer or a solution for closing this problem

Francoy 

 

 


How do you then suggest _valid_ inbound messages are to be recognized? -

or do you mean to demand the following: 1. valid from, 2. from address not part of local domains, then disregard auth but demand for all else?

Also note that there is already a flag in MercuryS that you should uncheck: "accept mail for invalid local addresses"


Thanks for your answer Peter

Yes, for the moment I unchecked the "accept mail for invalid addresses"

A valid incoming message is:

    - a mail with a correct FROM (but a spammer can very easily simulate a valid domain in a mail....)

and

    - a mail destined for my local domain or another domain (not part of my local domain)

So with this setting, if a spammer uses my SMTP server with a valid FROM (domain+user), he can send a message to another user of my local domain and I can't filter on the IP address. The only way, I think, is to use the authenticated SMTP option, but with the existing options available in the current Mercury release, Mercury only requires authentication for relaying (sending a mail from the local domain to an external domain).

Francois

 


Yep, there are many technologies touching this subject. Some are in place and some not. They all aim at lowering the spam ratio. Mercury lacks SPF (Sender Policy Framework), DomainKeys, valid sender domain checks (that a domain exists and has reverse pointers) - but Mercury has graywall from Lucas.

However, I agree with you that the check-boxes are not all that clear in their meaning - and that a setting of the following would be of interest (at least for us here):

1. Validate From address against local domains - if it is local, demand authentication, if not - process according to relay settings.


Yes, this is not very clear in the dialog box, but in the documentation it is clear.

So I suppose there is no way to force all clients to ALWAYS authenticate during the SMTP transaction, disregarding the domain name, the IP address... and so on?

 

 


Ehh no - that would be the same as closing the IP channel - making the server completely local. To do that you have to restrict on IP basis, first deny all, then allow the nets that are most frequent. Even if your users do move around a lot and you want an internal system, I'd connect them to the local net over more secure channels.

Maybe I'm not understanding you fully :-?


What you would be creating would be a private relay server, which could not receive mail from anyone except your "floating" computer. That's a fairly specialized case, so I don't know if it will be added to Mercury/32.

With the existing version, what you can do to reduce the likelihood of abuse is to use a non-standard port. The usual port for what you're trying to do (message submission) is 587. But you could use a non-standard one (e.g. 1587) instead, since only one client will connect and it is under your control. It's not really secure, but much less likely to be abused.

Really, the spam problem here is the same one that everyone faces for servers that *do* wish to accept mail from outside. So some of the same solutions will be helpful -- such as block lists, graylisting and so forth.



[quote user="francoy"]

Yes this is not very clear in the dialog box but in the documentation is clear.

So i supposed there is no way to force all clients to ALWAYS authenticate during the SMTP transaction disregarding the domain name, the IP address... and so on?

 [/quote]

 

The simple answer is you cannot as long as you want external servers to deliver mail to your MercuryS server.  If you are only using your MercuryS to support e-mail clients and not other SMTP mail servers then you can change port 25 to something like port 2500 and tell everyone using a mail client to change to that port.  You can also allow the IP addresses you will accept and then reject all others.

If you are really trying to just reject spammers using a local MAIL FROM: address though it's not going to be all that successful.  All the spammer has to do is use the <> MAIL FROM: address to get past that one.
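
The three policies discussed in this thread, modelled as a small decision function. This is an added example, not Mercury/32 code and not written by any poster; the policy names, `example.org` and the sample addresses are constructed for illustration.

```python
# Added illustration, not Mercury/32 code. Domains and addresses are constructed.
LOCAL_DOMAINS = {"example.org"}

def domain_of(addr):
    """Domain of an envelope address; None for the null sender <>."""
    addr = addr.strip().strip("<>").strip()
    if not addr:
        return None
    return addr.rsplit("@", 1)[-1].lower()

def decide(policy, mail_from, rcpt_to, authenticated):
    """Return 'accept' or a 'reject: ...' reason for one MAIL FROM / RCPT TO pair."""
    if policy not in ("relay_only", "auth_for_local_from", "always_auth"):
        raise ValueError(policy)
    if policy == "always_auth":
        # The requested option: nothing is accepted without AUTH,
        # which also shuts out other mail servers delivering inbound mail.
        return "accept" if authenticated else "reject: authentication required"
    if authenticated:
        return "accept"
    if domain_of(rcpt_to) not in LOCAL_DOMAINS:
        # Behaviour described in the thread: AUTH is only demanded for relaying.
        return "reject: relaying requires authentication"
    if policy == "auth_for_local_from" and domain_of(mail_from) in LOCAL_DOMAINS:
        # The proposed setting: a local MAIL FROM must be authenticated.
        return "reject: local sender must authenticate"
    return "accept"

# Constructed unauthenticated sessions, all addressed to a local mailbox.
SAMPLES = {
    "remote server delivering": "<alice@remote.example>",
    "forged local sender": "<carol@example.org>",
    "null sender": "<>",
}

def compare():
    """Map each sample to {policy: decision} for an unauthenticated client."""
    return {
        name: {p: decide(p, sender, "<bob@example.org>", False)
               for p in ("relay_only", "auth_for_local_from", "always_auth")}
        for name, sender in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

The output shows the trade-off the replies describe: only `always_auth` stops the null-sender case, and it does so by also rejecting legitimate delivery from other servers.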
