
Brief note from jfesler:
  the smtpd.ok file belongs (for most people) in c:\tcpip\etc\smtpd.ok - 
  smtpd looks at your "ETC" config.sys variable, and looks for the
  file in that directory..



 Area: GIGO 
  Msg#: 43                                           Date: 24 Mar 96  14:56:57
  From: davidn@unique.blaze.net.au                   Read: Yes    Replied: No 
    To: All                                          Mark:                     
  Subj: Re: Problems with mailinglist [nomime]


On 24 Mar 1996, Jason Fesler wrote:

> da> it seemed to think that it was addressing
> da> firstname.lastname@csource.blaze.net.au (which is the
> da> gateway address). GIGO did *something* to the address, but
> da> unless I can capture another instance of this happening,
> da> I've no clear idea what happened.
>
> Weird..

Lota help YOU are.  :-)

Standard reply: well, gee, I'm only the author. What would
*I* know??!?


> da> BTW - if you read this, Jason, are the current smtpd sources
> da> available (if so, what filename and where)? I want to hack
> da> in the RFC821 empty "MAIL FROM:<>" support - will send diffs
> da> when done.
>
> I believe it handles it

Sure does. Fixed my bounces now from 3 messages to 1, which
is a little more manageable. :-)

> I've just emailed you the current sources.  The smtpd.ok file seems
> to be working fine at my site - perhaps (grin) if you can make
> comprehensible notes that others will understand, we can post them
> here and let people start using it..

Errm, sure.  This is based on my understanding and 5 minutes
tapping at the keyboard. If I'm wrong in any way, let me
know. However, it seems to be working ok here too.


                         SMTPD.OK
                         --------

*> What IS this file and why does SMTPD.EXE want it?

SMTPD.OK is an *optional* filter facility that allows you to
selectively reject incoming smtp sessions with a remote system based
on any one or combination of:

a) the (remote) hostname which initiates the connection,

b) the sender of the mail (the real *envelope* sender relating to
   an email item, which is not necessarily the same as the From:
   header),

c) the recipient of the mail.

If you do not wish to filter smtp sessions, then do not create
SMTPD.OK. Smtpd will warn you that it cannot read the file, but
this warning may be safely ignored.

The idea behind using SMTPD.OK is that it allows you some form of
protection from internet "spamming" - so that you can selectively
reject sessions from machines sending annoying mail, or items which
transgress your gateway's policies.  Because the smtp session is
rejected before any data is sent, this will avoid entirely the
transfer of mail to your system (an exception to this is when you
have blocked mail by recipient, and an item of mail has more than
one recipient - it will still be transmitted to any unblocked
destinations).

A secondary use of SMTPD.OK would be to provide a basic form of
destination address validation for a gateway.  Rather than gate
any/all mail received and then have other software bounce that mail
if it is not addressed to a valid FidoNet node, you could instead
list all valid destination addresses your gateway handles in
SMTPD.OK (updated regularly from the FidoNet nodelist or DNS of
course), and reject invalidly addressed mail without having to
receive it at all!

WARNING:  Do not make the mistake of assuming that this filtering
makes your system in any way "secure".  IT DOES NOT.  Someone
determined enough to harass will still be able to do so simply by
calling from a different system or by only slightly modifying the
sender or recipient addresses.  For most uses, however, malicious
and purposeful harassment aren't usually the cause.


*> Where should I put SMTPD.OK?

Put it in your system's "ETC" directory, normally x:\TCPIP\ETC,
where 'x' is the drive on which you have installed OS/2 TCP/IP 3.x,
the TCP/IP components of OS/2 Warp Connect, or OS/2 Warp's
Internet Access Kit.  SMTPD.EXE dated prior to 24-Mar-96 requires this
be the \TCPIP\ETC directory on the drive on which SMTPD.EXE is run;
later versions look at the ETC environment variable (used by OS/2
TCP/IP, and set in your CONFIG.SYS).


*> What is SMTPD.OK's format?

The file is line-based; each line represents a filter, which either
explicitly allows or disallows a session.  The default action (when
the file does not exist or is empty) is to allow any session.  This
can be changed by adding a global "reject" as the last item in the
list.

Comments may be placed in SMTPD.OK by starting a line with the
character '#' as the first non-space character in the line.  Blank
lines are ignored.

Those already familiar with GIGO's MAPPING.CFG (which specifies the
newsgroup<->echotag mapping for gated news) will notice a similarity
to SMTPD.OK's formula.  The format of a filter is as follows:

    action hostname sender recipient errorcode errormsg

Each of these fields may be separated by one or more spaces or tabs.
The 'errormsg' field starts at the word in that position and
continues until the end of the line.

action     This is one of '+', '-' or '=' (without the single
           quotes).

           +  Explicitly allows the session, unless any subsequent
              matching lines disallow it.

           -  Explicitly disallows the session, unless any
              subsequent matching lines allow it.

           =  Explicitly disallows any session matching this line
              (no further matching is done).

hostname   This is the host name of the remote system. This is a
           WILDCARD field, where the asterisk character matches
           none, one or more characters.

sender     This is the sender's email address, again a WILDCARD
           field.

recipient  This is the recipient's email address, also a WILDCARD
           field.

errorcode  This is the SMTPD error number.  Unless you are familiar
           with the SMTP standard, you should use "550" or "551".

errormsg   This is a text string that is sent to the remote system
           when the errorcode rejects the session.

Note that a line 'matches' on a particular host, sender, recipient
combination if it matches ALL of the fields, not just one. A single
asterisk (*) in a field matches any entry for that field.

The errorcode and errormsg fields are only required (and used) in
a "reject" match; that is, any line commencing with either '=' or
'-'.


*> SMTPD.OK by Example

1/ An internet system starts delivering a mailing list to your
system that nobody subscribed to, addressed to multiple FidoNet
recipients.  Let's take the easy way out and ban any and all mail
from the site's domain ("lotsamail.goofey.com"):

= *goofey.com * * 550 Unsolicited mailing lists rejected!
- ----------- - - --- -----------------------------------
^    host     ^ ^  ^  Text displayed to remote smtp agent
|             | |  +- SMTP error code
+ Match/quit  | +---- Match any recipient
              +------ Match any sender

Once this line matches with the incoming sessions, any remaining
lines after this in SMTPD.OK are ignored.


2/ A similar case, but here we want to reject mail from the host in
question only if it is sent by a specific user:

= *goofey.com spammer@*goofey.com * 550 Unsolicited... (etc)


3/ Also a similar case, but here we will reject all mail from the
host unless it is sent by one of a couple of specific users:

- *goofey.com * * 550 Unsolicited.... (etc)
+ *goofey.com root@* *
+ *goofey.com egbert@* *


4/ Here is a simple node checker; we are the MX target for a
mythical 4 node network in zone 8, so we reject all mail by
default, then accept mail for nodes (and their points) only:

- * * * 551 Unknown host or mailbox; mail root@mysite.com for info.
+ * * *@*mysite.com
+ * * *@*f503.n442.z8.fidonet.org
+ * * *@*f502.n442.z8.fidonet.org
+ * * *@*f501.n442.z8.fidonet.org

If you wished to be more pedantic, you could instead do:

- * * * 551 Unknown host or mailbox; mail root@mysite.com for info.
+ * * *mysite.com
+ * * *@f503.n442.z8.fidonet.org
+ * * *@p*.f503.n442.z8.fidonet.org
+ * * *@*f502.n442.z8.fidonet.org
+ * * *@p*.f502.n442.z8.fidonet.org
+ * * *@*f501.n442.z8.fidonet.org
+ * * *@p*.f501.n442.z8.fidonet.org
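
The matching rules described above, as an added Python example (not part
of the original post and not SMTPD's own code). It reads '-' as a reject
that later matching '+' lines can override, as example 3 uses it; the
sample rules, the function names and the case-insensitive comparison are
assumptions made for illustration.

```python
import re

# Constructed sample in the SMTPD.OK format described above (not from a real site).
SAMPLE = """\
# reject the whole domain, then re-admit two senders
- *goofey.com * * 550 Unsolicited mailing lists rejected!
+ *goofey.com root@* *
+ *goofey.com egbert@* *
= * * *@closed.mysite.com 551 Mailbox closed
"""

def wildcard(pattern, value):
    """'*' matches zero or more characters; every other character is literal."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    # Case-insensitive comparison is an assumption; the page does not say.
    return re.fullmatch(rx, value, re.IGNORECASE) is not None

def parse(text):
    """Return a list of [action, host, sender, rcpt, code, msg] rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        fields = line.split(None, 5)      # errormsg runs to end of line
        need = 4 if fields[0] == "+" else 6
        if fields[0] not in ("+", "-", "=") or len(fields) < need:
            raise ValueError(f"malformed SMTPD.OK line: {raw!r}")
        rules.append((fields + ["", ""])[:6])
    return rules

def decide(rules, host, sender, rcpt):
    """Return (True, None) to accept or (False, 'code msg') to reject."""
    verdict = (True, None)                # default when nothing matches
    for action, h, s, r, code, msg in rules:
        if not (wildcard(h, host) and wildcard(s, sender) and wildcard(r, rcpt)):
            continue                      # ALL three fields must match
        if action == "+":
            verdict = (True, None)
        else:
            verdict = (False, f"{code} {msg}")
            if action == "=":
                break                     # match/quit: stop scanning
    return verdict

RULES = parse(SAMPLE)
```

Running decide() once per recipient mirrors the per-recipient blocking
noted earlier. A pattern such as "*goofey.com" also matches an unrelated
host like "mail.notgoofey.com", so a "*.goofey.com" line beside a plain
"goofey.com" line avoids blocking more than intended.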



-!- News headers follow ---
From: David Nugent <davidn@unique.blaze.net.au>
Date: Mon, 25 Mar 1996 08:56:57 +1000 (EST)
X-To: Multiple recipients of GIGO Support <gigo@gigo.com>
Subject: Re: Problems with mailinglist [nomime]
Message-Id: <Pine.OS2.3.91.999.960325084750.38G-100000@sdev.blaze.net.au>
X-Listname: GIGO Support
To: gigo@gigo.com (Multiple recipients of GIGO Support)
Reply-To: gigo@gigo.com
Errors-To: gigo-owner@gigo.com
Sender: gigo-owner@gigo.com
Precedence: bulk


