Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: [suse-security] Problems with sendmail & relay
From: Martin Hermanowski (mhtechsection.com)
Date: Sun Nov 19 2000 - 10:40:30 CST

RoMaN SoFt / LLFB!! wrote:

> Hi.
> I'm running SuSE 6.4 and need to run sendmail (host permanently
> connected to Internet). By default, SM 8.9.3 comes with relay denied
> for all. I want to set an acceptable secure sendmail. The scenario is
> as follows:

> The problem is that my users can connect to the smtp machine
> from *ANY* ip. So the rely-filters only could trust in the "From:"
> line in header's mail. I know this isn't too much secure, since
> spammers could send mail spoofing the From: field (which is trivial).
> But it's more secure than a sendmail running with "promiscuos relay"
> feature turned on.

> What I want is that usercccc.com
> can send (not be sent to) to any other recipient (at whatever domain)
> using my mta.

I had the same situation, in my sendmail.cf I added the following
lines at the end of SBasic_check_rcpt:

# check IP address
R$* $: $&{client_addr}
R$ $ OK originated locally
R0 $ OK originated locally
R$=R $* $ OK relayable IP address
R$* $: $>LookUpAddress <$1> <?> <$1>
R<RELAY> $* $ RELAY relayable IP address
R<$*> <$*> $: $2
R$* $: [ $1 ] put brackets around it...
R$=w $ OK ... and see if it is local



# now get and canonify the FROM address
R$* $: $(dequote "" $&f $)
R$+$={roamingdomains} $ RELAY

##/ADDED by MH

# anything else is bogus
R$* $#error $ 5.7.1 $: "550 Relaying denied"

/etc/mail/roaming-domains contains the list of sender-domains
that are allowed. It works well, and I think it's reasonable


To unsubscribe, e-mail: suse-security-unsubscribesuse.com
For additional commands, e-mail: suse-security-helpsuse.com