The original of this article can be found here.
What we'd like to do is allow mail relaying from a selected group of IP addresses only.
If you've just been reading the qmail newbie's guide to relaying, you know that we do this by
setting the environment variable RELAYCLIENT in qmail-smtpd's environment only when the connection
is coming from one of our IP addresses. Here's how to do it.
First, list in control/rcpthosts all of the domains that your server is hosting (i.e. those listed
in control/locals and control/virtualdomains). Also list any domains for which your server is
acting as secondary mail exchanger. The domains in control/rcpthosts are the domains for which your
server will always accept incoming mail, no matter where it's coming from. You must have an
rcpthosts file: if control/rcpthosts is missing, qmail-smtpd accepts mail for any recipient, and
your server is an open relay.
Then, you'll need to download and install a copy of Dan Bernstein's ucspi-tcp package.
The current version is available from http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
You can read about all of the programs in the package at ftp://koobera.math.uic.edu/www/ucspi-tcp.html
The particular program we'll be using here is tcpserver, which accepts incoming network connections,
sets various environment variables, and then runs a program of your choice.
Now we'll set up the rules file that tcpserver will use to determine whether to set RELAYCLIENT.
In our fictional network, we have a single /24 block of addresses, 192.168.10.0/24.
Create a file in /etc (or /usr/local/etc, or wherever else you prefer) called tcp.smtp.
The file should read as follows (each line is an address followed by a colon and the
instructions for connections matching that address):
192.168.10.:allow,RELAYCLIENT=""
:allow
These rules say: "If the connection is from 192.168.10.*, allow it and set RELAYCLIENT (to the
empty string; qmail-smtpd only checks whether the variable exists); otherwise allow the
connection (but don't set RELAYCLIENT)."
Note that the last ":allow" line is redundant, since the default is to allow any connection.
But it helps illustrate what we're doing: we want to allow anyone to connect to our server,
but set RELAYCLIENT (and thus allow unrestricted relaying) only if the connection is
Now we'll compile this rules file into a cdb file (do this in the directory in which you created
the tcp.smtp file):
# tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
tcprules writes the new database to tcp.smtp.temp and then renames it over tcp.smtp.cdb, so a
running tcpserver never reads a half-written file. Rerun this command every time you edit tcp.smtp;
tcpserver consults the cdb, not the text file.
To accept SMTP connections with tcpserver, using these access control rules, run tcpserver like so:
# tcpserver -x/etc/tcp.smtp.cdb -u102 -g101 0 smtp /var/qmail/bin/qmail-smtpd &
Replace 102 with your qmaild user ID and 101 with your nofiles group ID, and make sure the path to
your tcp.smtp.cdb file is correct. The 0 tells tcpserver to listen on all local IP addresses, and
smtp is the port (looked up in /etc/services). tcpserver opens the cdb afresh for each incoming
connection, so a recompiled rules file takes effect immediately without restarting tcpserver.
NOTE: If you're already starting your qmail-smtpd service in a script that runs as part of your
boot process, don't start it again with the above tcpserver line; just make sure that your script
includes the -x/etc/tcp.smtp.cdb option.
That's it! Just replace the IP addresses in the example with your real IP addresses. Note that you
can have more than one line in your rules file, to allow relaying from various addresses:
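The following is an added example, not code from the original article or from the ucspi-tcp package. It models the IP-address part of tcpserver's rule lookup (exact IP first, then shorter and shorter prefixes ending in a dot, then the empty default rule) over a constructed multi-line tcp.smtp, so you can see which rule a connecting address would hit and whether qmail-smtpd would be started with RELAYCLIENT set. The rules file, the addresses and the function names are all made up for the illustration; host-name (=host) and TCPREMOTEINFO rule forms are not modelled.

```python
"""Model of tcpserver's IP-prefix rule lookup for a tcprules text file.

Added example, not part of the original article or of ucspi-tcp. The real
tcpserver reads the compiled .cdb; this script parses the textual rules so
the matching logic can be seen and checked offline.
"""

# Constructed tcp.smtp with several lines (not the article's own file).
# A more specific address always wins over a shorter prefix, regardless of
# the order in which the lines appear.
RULES_TEXT = """\
192.168.10.:allow,RELAYCLIENT=""
10.1.2.3:allow,RELAYCLIENT=""
10.1.2.:deny
10.1.:allow
:allow
"""


def parse_rules(text):
    """Parse tcprules syntax: address:allow|deny[,VAR="value",...]."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instructions = line.partition(":")
        parts = instructions.split(",")
        action = parts[0]
        if action not in ("allow", "deny"):
            raise ValueError("bad action in rule: %r" % line)
        env = {}
        for assignment in parts[1:]:
            name, _, value = assignment.partition("=")
            # tcprules requires the value to be double-quoted: VAR="value"
            if len(value) < 2 or value[0] != '"' or value[-1] != '"':
                raise ValueError("unquoted value in rule: %r" % line)
            env[name] = value[1:-1]
        rules[address] = (action, env)
    return rules


def lookup_keys(ip):
    """Keys tcpserver tries for a dotted-quad TCPREMOTEIP, in order:
    the exact address, then prefixes ending in a dot from longest to
    shortest, then the empty string (the default rule)."""
    keys = [ip]
    labels = ip.split(".")
    for n in range(len(labels) - 1, 0, -1):
        keys.append(".".join(labels[:n]) + ".")
    keys.append("")
    return keys


def decide(rules, ip):
    """Return (matched_key, action, env) for a connection from ip.
    tcpserver uses the first rule it finds; with no rule at all the
    connection is allowed and no variables are set."""
    for key in lookup_keys(ip):
        if key in rules:
            action, env = rules[key]
            return key, action, dict(env)
    return None, "allow", {}


def relay_allowed(rules, ip):
    """True only if the connection is accepted AND RELAYCLIENT is set,
    which is what qmail-smtpd needs before it will relay to foreign domains."""
    _, action, env = decide(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env


if __name__ == "__main__":
    compiled = parse_rules(RULES_TEXT)
    for addr in ("192.168.10.77", "10.1.2.3", "10.1.2.4", "10.1.9.9", "203.0.113.5"):
        key, action, env = decide(compiled, addr)
        print("%-15s -> rule %-14r %-5s relay=%s" %
              (addr, key, action, relay_allowed(compiled, addr)))
```

Note that 10.1.2.3 relays although 10.1.2. is denied, because the exact-address rule is consulted before any prefix; and 203.0.113.5 reaches the ":allow" default, so it may connect and deliver to control/rcpthosts domains but cannot relay.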