Date:  Fri, 29 Sep 2006 08:24:48 -0600
From:  "tranton (at mark) gmail.com" <tranton (at mark) gmail.com>
Subject:  [coba-e:07300] Re: Mail relay
To:  coba-e (at mark) bluequartz.org
Message-Id:  <1159539889.5251.186.camel (at mark) localhost.localdomain>
In-Reply-To:  <451BEF6B.27492.10B1402@localhost>
References:  <01c401c6e2d5$911ff560$3701a8c0 (at mark) lapxp>	 <451BEF6B.27492.10B1402 (at mark) localhost>
X-Mail-Count: 07300

The following are made-up domain names to clarify your question.

Let's say the domain space your IP address belongs to is origin.net.

Upon trying to deliver mail to validuser (at mark) destination.net the box
accepts it and happily delivers to validuser (at mark) destination.net, even
though you are on a foreign network.

If I have stated your question correctly, then guess what.  That is the
way it is supposed to work.  If not, general mail delivery wouldn't
work.  An MTA like sendmail must be able to connect to a receiving MTA
without authentication for general mail delivery to work.  You don't
even need to set your email client up to look like
validuser (at mark) destination.net to deliver to othervaliduser (at mark) destination.net.
The MTA at destination.net must accept any connection from other MTAs or
mail doesn't flow.  Of course there is spamassassin and blacklists and
the like to manage bad and questionable MTAs from connecting to your
MTA.

Here is a simple test.  Look up smtp and telnet in Google.  You will find
a walk through showing the commands to send mail.  Connect to the mail
server of an address you know is valid.  telnet mail.destination.net 25.

You will be able to send mail to anyvaliduser (at mark) destination.net.  If the
server is set up correctly, you will not be able to send to
anyvaliduser (at mark) someotherdestination.net, unless of course that MTA is the
mail server for it as well.  If you can, you are connected to an open
relay MTA and the server administrators should be informed.

Hope that helps clear things up.

Ivan



On Thu, 2006-09-28 at 15:51 +0100, Connexions Web Solutions wrote:
> Hi Blues,
> 
> Still cannot get my head around the SMTP relay on CentOS/BQ.
> 
> I am on a completely different external network.
> 
> If I call myself validuser (at mark) domain.com, I can use the SMTP server 
> at mail.domain.com to send to any other valid user on the same 
> server mail.domain.com. I do not get called for SMTP authenticate, 
> despite having it ticked in the GUI. This is using Pegasus on port 25.
> 
> Surely I should not be able to relay via the BQ box using the SMTP 
> server on a totally external network?
> 
> Any clarification appreciated.
> 
> Rgds.
> 
> Date sent:      	Thu, 28 Sep 2006 07:45:58 -0500
> From:           	Larry Smith <lesmith (at mark) ecsis.net>
> Send reply to:  	coba-e (at mark) bluequartz.org
> Subject:        	[coba-e:07260] Re: Mail relay
> To:             	coba-e (at mark) bluequartz.org
> 
> On Thursday 28 September 2006 03:10, Arthur Sherman wrote:
> > > Believe there are three (3) different "smtp" types, smtp on
> > > port 25, smtps on
> > > port 465, and smtp-auth on port 587.  If you are "changing"
> > > the server to use
> > > smtp-auth, your clients _must_ change and use the appropriate
> > > connection type (read that port number and protocol) for it to be
> > > effective.
> > >
> > > Generally on a server using only smtp-auth is not an option
> > > since most of the
> > > world does not have an account and password on your box to be able
> > > to send you mail - so one usually runs smtp-auth for clients, and
> > > smtp for outside world connections.
> > >
> > > --
> > > Larry Smith
> > > SysAd ECSIS.NET
> > > sysad (at mark) ecsis.net
> >
> > Hi Larry,
> >
> > If I enable smtp-auth, but not submission port, what will happen?
> > Will it work over regular tcp/25, or it just won't?
> >
> 
> Arthur,
> 
>   Do not believe it will since the smtp-auth (from the submit.cf file)
> is configured to "ask" for a username and password pretty much like pop3
> (port 110) does when the user/client connects.   Even if you
> configured that on port 25, it would then ask every connection for
> username and password.
> 
> Outlook and most other mail clients now support smtp-auth (server
> requires authentication) on port 587, so it is really the "best" way
> to go for clients since you can then turn off poprelayd as it is not
> needed when the clients can authenticate to send mail from just about
> anywhere and also the port 587 is not blocked by any ISP that I am
> aware of so you don't have problems with cable, dsl, etc people
> blocking port 25.
>
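
The telnet test described in the reply at the top of this message, as an added example that is not part of the original thread: it reads a recorded SMTP session and reports any recipient domain the server accepted that it does not host, which is the open-relay condition. The `C:`/`S:` transcript format, the sample sessions and the function names are assumptions made for the illustration; the domain names are the made-up ones from the message.

```python
import re

# Constructed sample sessions (not captured from a real server).
CLOSED = """\
S: 220 mail.destination.net ESMTP
C: HELO client.origin.net
S: 250 mail.destination.net
C: MAIL FROM:<someone@origin.net>
S: 250 2.1.0 Sender ok
C: RCPT TO:<validuser@destination.net>
S: 250 2.1.5 Recipient ok
C: RCPT TO:<anyvaliduser@someotherdestination.net>
S: 550 5.7.1 Relaying denied
C: QUIT
S: 221 2.0.0 closing connection
"""
# Same session, but the server accepts the foreign recipient.
OPEN = CLOSED.replace("550 5.7.1 Relaying denied", "250 2.1.5 Recipient ok")

RCPT = re.compile(r"RCPT TO:\s*<[^>]*@([^>]+)>", re.I)

def rcpt_results(transcript):
    """Return [(recipient_domain, final_reply_code)] for each RCPT TO."""
    results, pending = [], None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            m = RCPT.match(text)
            pending = m.group(1).lower() if m else None
        elif side == "S" and pending is not None:
            # "250-..." is a continuation line; only "250 ..." ends the reply.
            if len(text) >= 4 and text[3] == "-":
                continue
            results.append((pending, int(text[:3])))
            pending = None
    return results

def relayed_domains(transcript, local_domains):
    """Domains accepted at RCPT TO that the server is not the mail host for."""
    local = {d.lower() for d in local_domains}
    return [d for d, code in rcpt_results(transcript)
            if 200 <= code < 300 and d not in local]

if __name__ == "__main__":
    for name, session in (("closed", CLOSED), ("open", OPEN)):
        print(name, relayed_domains(session, ["destination.net"]))
```

A 2xx reply to RCPT TO is only the first signal: a server can still reject the message after DATA, so an accepted foreign recipient should be confirmed before the administrators are informed.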