Sanford Whiteman 2007-06-19, 1:18 am
> I changed the FQDN at smart host setting from the local computer
> name to the FQDN of the mail server. Even though the mail server is
> on another machine, this seems to work fine. I thought you had to set
> the FQDN of the machine with the Virtual SMTP Server you send mail
> from, but at least in this case it works.
I think you're confusing two different settings.
The smart host should point to the IP address (in square brackets,
e.g. [1.2.3.4]) or the hostname of an upstream server that will be
performing remote delivery for you. You would _only_ fill in this box
if a smart host is in use. Typically, you would use a smart host if
(a) the local server is not shown properly on the public Net, i.e. it
doesn't have a PTR entry and can't pass a PTR-A-IP roundtrip test; (b)
the local server is not allowed to communicate to the outside world on
TCP port 25 due to local or ISP firewall rules; (c) the local server
is too busy with other tasks, such as web serving, to double as a
direct-delivery SMTP box; (d) the smart host is more powerful and
capable of servicing a larger queue and daily traffic load; (e) to
offload a lengthy retry cycle to a secondary server, with "attempt
direct delivery first" checked; or (f) to consolidate logs on a
restricted set of outbound servers.
The FQDN is the full hostname of the local server's "most public" IP
address as seen by the next SMTP hop. If the local server is
performing direct delivery, the FQDN must be publicly resolvable back
to the machine's public IP, and should also match the PTR for that IP.
Even if the local server is not performing direct delivery -- using a
smart host instead -- the FQDN must be the hostname of the local
server as seen from the smart host's perspective.
Obviously, if you are performing direct delivery, you must have a
public FQDN that's under a registered and published DNS domain. If you
are using a smart host, it is possible to have an FQDN that is only
privately resolvable, perhaps using a TLD like .lan or .local, as long
as the smart host can still resolve names within that domain.
> Regarding the authentication error, do you know if it's possible to
> send user name and password to the mail server by using the Outbound
> Security setting in Virtual SMTP Server?
Of course, if your web application supports authentication. It is
possible that CDONTS doesn't (I haven't used it in so long, since it
was superseded by CDOSYS). However, as long as your machine doesn't
allow _relaying_ to any server that connects to it, it's okay to allow
relay by a short list of specific source IPs in addition to allowing
relay once a user authenticates.
The issues with relay-by-IP are in security auditing (you can have
multiple applications running on the same source IP, as in hosting
environments, and you won't know which one submitted a piece of mail
unless you dole out usernames/passwords to each), in management
(manually inputting and maintaining a huge list of IPs is painful), and
in supporting roaming users (where you cannot know the source IP).
--Sandy
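Added here as an illustration of the PTR-A-IP roundtrip test Sandy refers to (this is not code from the post or from any Microsoft tool): the check resolves the server's public IP to its PTR name, resolves that name forward again, and requires both to agree with the configured FQDN. The resolver functions are injectable so it runs offline against a constructed sample zone (RFC 5737 documentation addresses); the `system_*` defaults use the OS resolver for a real host.

```python
import socket

def system_ptr(ip):
    """Reverse lookup: the PTR name(s) for an IP via the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []

def system_a(host):
    """Forward lookup: the IPv4 address(es) a hostname resolves to."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def roundtrip_check(ip, fqdn, ptr=system_ptr, a=system_a):
    """PTR-A-IP roundtrip; returns (ok, reasons), reasons empty when ok."""
    reasons = []
    want = fqdn.rstrip(".").lower()
    ptr_names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not ptr_names:
        reasons.append(f"no PTR record for {ip}")
    elif want not in ptr_names:
        reasons.append(f"PTR for {ip} is {ptr_names}, not {want}")
    a_ips = a(want)
    if not a_ips:
        reasons.append(f"{want} has no A record")
    elif ip not in a_ips:
        reasons.append(f"{want} resolves to {a_ips}, not {ip}")
    return (not reasons, reasons)

# Constructed sample zone (RFC 5737 documentation addresses, not real hosts)
# so the check runs offline; pass system_ptr/system_a to test a real server.
SAMPLE_PTR = {"192.0.2.10": ["mail.example.net."]}
SAMPLE_A = {"mail.example.net": ["192.0.2.10"], "web.example.net": ["192.0.2.20"]}

def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def sample_a(host):
    return SAMPLE_A.get(host, [])

if __name__ == "__main__":
    for ip, fqdn in [("192.0.2.10", "mail.example.net"),
                     ("192.0.2.20", "web.example.net")]:
        ok, reasons = roundtrip_check(ip, fqdn, sample_ptr, sample_a)
        print(ip, fqdn, "PASS" if ok else "FAIL: " + "; ".join(reasons))
```

A server that fails this check is a candidate for the smart-host setup described above, since many receiving MTAs will reject or penalise mail from an IP whose PTR does not round-trip.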