From: "Mike A. Leonetti" on
I want to relay messages coming through a server with a dynamic IP
(Exchange) through my postfix.

My postfix smtpd_recipient_restrictions already has a
"hash:/etc/postfix/allowed_relays" option on it, and I've tried adding
the Dynamic DNS name that resolves to that IP address and put it in the
list but it still gave me a "relay access denied" error. Is there
another way to do it?

Thanks.

From: Nataraj on
Mike A. Leonetti wrote:
> I want to relay messages coming through a server with a dynamic IP
> (Exchange) through my postfix.
>
> My postfix smtpd_recipient_restrictions already has a
> "hash:/etc/postfix/allowed_relays" option on it, and I've tried adding
> the Dynamic DNS name that resolves to that IP address and put it in the
> list but it still gave me a "relay access denied" error. Is there
> another way to do it?
>
> Thanks.
>
Commonly this is done using SASL authentication, ideally with TLS for
added security. See the relevant documentation in
http://www.postfix.org/docs.html
The first round I used Cyrus SASL, but I went to dovecot with my last
upgrade and it was much less work to get running and has performed
reliably. With dovecot, you also install it with the dovecot pop/imap
server since they are integrated, but the SASL functionality is
available for other purposes.


Nataraj

From: "Mike A. Leonetti" on
On 05/05/10 13:31, Nataraj wrote:
> Mike A. Leonetti wrote:
>> I want to relay messages coming through a server with a dynamic IP
>> (Exchange) through my postfix.
>>
>> My postfix smtpd_recipient_restrictions already has a
>> "hash:/etc/postfix/allowed_relays" option on it, and I've tried adding
>> the Dynamic DNS name that resolves to that IP address and put it in the
>> list but it still gave me a "relay access denied" error. Is there
>> another way to do it?
>>
>> Thanks.
>>
> Commonly this is done using SASL authentication, ideally with TLS
> for added security. See the relevant documentation in
> http://www.postfix.org/docs.html
> The first round I used Cyrus SASL, but I went to dovecot with my last
> upgrade and it was much less work to get running and has performed
> reliably. With dovecot, you also install it with the dovecot pop/imap
> server since they are integrated, but the SASL functionality is
> available for other purposes.
>
>
> Nataraj
>
Thanks for the reply, Nataraj.

I did see that online and the server does have SASL Auth working, but we
are having a difficult time getting it to try and provide a
username/password on the Exchange server so I was wondering if there was
a way to get around that.

From: Nataraj on
Mike A. Leonetti wrote:
>
>>
> Thanks for the reply, Nataraj.
>
> I did see that online and the server does have SASL Auth working, but we
> are having a difficult time getting it to try and provide a
> username/password on the Exchange server so I was wondering if there was
> a way to get around that.
>
Personally, I have more experience with replacing Exchange servers than
with making them work, however I would think that recent versions of
Exchange would support SASL authentication. If you really can't
implement authentication, I can think of a few other ideas.

I'm guessing that this situation might be internal to your
organization. If your DNS is fairly secure and the Exchange server
updates dynamic DNS reliably, you could check that somehow.
Alternatively you could run an SMTP submission server on another port
and protect it with a dynamically updated firewall list, or something
like fwknop, but you would probably be challenged with getting the
client to authenticate with FWKNOP. These latter approaches could have
tiny holes in them, depending on the frequency with which your dynamic IP
address changes and how quickly you verify on the new IP address, but if
this is within your corporate network it might not be too bad.

Nataraj
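
Added example, not part of the thread or of Postfix: one way to do the "check that somehow" step is to resolve the dynamic DNS name on a schedule and regenerate an access table keyed by the current address, since Postfix matches access tables against the client's IP address and reverse-DNS name and does not forward-resolve names listed in them. The hostname, the map path and the helper names are hypothetical, and it assumes the map is consulted with check_client_access ahead of reject_unauth_destination.

```python
import ipaddress
import os
import socket
import sys


def resolve_ipv4(name):
    """Return the sorted, de-duplicated IPv4 addresses `name` resolves to now."""
    infos = socket.getaddrinfo(name, 25, family=socket.AF_INET,
                               proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def build_access_map(name, resolver=resolve_ipv4):
    """Render access(5) lines ("address OK") for the current addresses."""
    lines = []
    for addr in resolver(name):
        ip = ipaddress.ip_address(addr)  # ValueError on a malformed answer
        # A broken or spoofed answer must never whitelist these ranges.
        if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
            raise ValueError(f"refusing to permit {ip} for {name}")
        lines.append(f"{ip}\tOK")
    if not lines:
        raise ValueError(f"{name} resolved to no addresses")
    return "\n".join(lines) + "\n"


def refresh(name, path, resolver=resolve_ipv4):
    """Rewrite `path` only when the address set changed; True if rewritten."""
    new = build_access_map(name, resolver)
    try:
        with open(path) as fh:
            if fh.read() == new:
                return False
    except FileNotFoundError:
        pass
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(new)
    os.replace(tmp, path)  # atomic swap: readers never see a partial file
    return True


if __name__ == "__main__":
    # Hypothetical usage: refresh.py exchange.dyn.example /etc/postfix/dyn_relays
    # Exit status 0 means the file changed, so a wrapper can chain postmap.
    sys.exit(0 if refresh(sys.argv[1], sys.argv[2]) else 1)
```

After a rewrite, run `postmap` on the file so the hash table is rebuilt. The time between an address change and the next refresh is the window the reply above describes.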

From: Noel Jones on
On 5/5/2010 1:06 PM, Nataraj wrote:
> Mike A. Leonetti wrote:
>>
>> Thanks for the reply, Nataraj.
>>
>> I did see that online and the server does have SASL Auth working, but we
>> are having a difficult time getting it to try and provide a
>> username/password on the Exchange server so I was wondering if there was
>> a way to get around that.
> Personally, I have more experience with replacing Exchange servers than
> with making them work, however I would think that recent versions of
> Exchange would support SASL authentication. If you really can't
> implement authentication, I can think of a few other ideas.
>
> I'm guessing that this situation might be internal to your organization.
> If your DNS is fairly secure and the Exchange server updates dynamic DNS
> reliably, you could check that somehow. Alternatively you could run an
> SMTP submission server on another port and protect it with a dynamically
> updated firewall list, or something like fwknop, but you would probably
> be challenged with getting the client to authenticate with FWKNOP. These
> latter approaches could have tiny holes in them, depending on the
> frequency with which your dynamic IP address changes and how quickly you
> verify on the new IP address, but if this is within your corporate
> network it might not be too bad.
>
> Nataraj
>


Also, if the exchange server is a box under your control you
can use a VPN. OpenVPN is pretty easy to set up and works
under Windows and virtually every flavor of *nix.
http://openvpn.net/index.php/open-source.html