Date: Wed, 23 Jul 1997 13:46:44 -0700 (PDT)
From: David Lowe <dlowe@sirius.com>
To: "Darrin R. Woods" <dwoods@netgazer.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: problems with sendmail security hacks
Message-ID: <Pine.NXT.3.95q.970723133424.1385B-100000@ds9>
In-Reply-To: <v03102801affbfa8df778@[208.12.177.224]>

Darrin -

The relay denial rule at www.sendmail.org is not as "nice" as it could be,
and can be terribly inconvenient if you host a lot of domains. If you do
use it, sendmail.cR should be a file containing domain names which *are*
allowed to relay through your mail server, but are not in the $=w class
(domains which are considered local), i.e.:

foo.com
bar.net

I personally use a different approach, basing my relay allowing on the IP
address of the connecting machine (since we host many, many domain names
and only have a couple dozen class Cs, it's easier to keep track of. This
also means that a temporary dns error won't cause relay denial for one of
our clients.)

This would be done via (roughly):

# Netblocks we consider local for relaying purposes
F{LocalIP} /etc/sendmail/LocalIP
...
Scheck_rcpt
# get the client's IP address
R$+		$: $(dequote "" $&{client_addr} $) $| $1
# if it's directly invoked (i.e. alias or .forward - IP is 0) it's ok
R0 $| $*	$@ ok
# if it's one of the class Cs in the LocalIP macro, it's ok
R$={LocalIP}$* $| $*	$@ ok
# we want to check the recipient address next...
R$* $| $*	$: $>3 $2
# if it's in sendmail.cw, it's a local delivery so it's ok
R$*<@$=w.>$*	$@ ok
# Otherwise, we're not responsible
R$*		$#error $@ 5.7.1 $: 571 Relaying Denied

Where the LocalIP file contains either complete or partial network
addresses:

127.0.0.1
10.10
10.11.159

Thanks,
David Lowe

On Wed, 23 Jul 1997, Darrin R. Woods wrote:
> Due to someone at juno.com using our mailserver as a relay we have added
> the sendmail hacks located at sendmail.org to our server.
>
> Question is concerning the 'sendmail.cR' file that checks to see if a user
> is authorized to use the server for outbound mail. There aren't really any
> instructions on what can be in this file so we've had to do it by trial and
> error. It seems as though this file will handle host.domains only. Is
> there any way that we can set it up to use wildcards or better yet, can we
> set it up to handle IP addresses (with possible wildcards here as well).
>
> Does anyone have any experience with this file and what it will take and
> what it won't, or can you point me to a reference.
>
> Thanks in advance.
>
>
> Darrin R. Woods | "I'm so happy that I, can't stop crying."
> Director Operations | --- Sting
> Netgazer Solutions, Inc. |
> Dallas, Texas 972.702.9119 | work: http://www.netgazer.net
>
> My employer most whole-heartedly denies everything I say
>
>
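
The decision order of the check_rcpt rules in the message above, modelled in Python as an added example (not part of the original message and not sendmail code). It assumes class entries are compared as whole dot-separated tokens, so `10.10` covers 10.10.x.x but not 10.100.x.x, which a plain string-prefix test would wrongly accept; the function names and the `example.org` local domain are constructed for illustration.

```python
import re

# Entries copied from the LocalIP example in the message above.
LOCAL_IP = ["127.0.0.1", "10.10", "10.11.159"]
# Constructed stand-in for class $=w (domains delivered locally).
CLASS_W = {"example.org"}

def tokens(text):
    """Split on dots, keeping each dot as its own token."""
    return re.findall(r"[^.]+|\.", text)

def in_local_ip(client_addr, entries=LOCAL_IP):
    """Model of $={LocalIP}$*: an entry must equal the leading tokens."""
    addr = tokens(client_addr)
    # Blank entries are skipped so an empty line can never match everything.
    return any(addr[:len(tokens(e))] == tokens(e)
               for e in entries if e.strip())

def check_rcpt(client_addr, rcpt, local_domains=CLASS_W):
    """Return 'ok' or the rejection text, in the same order as the rules."""
    if client_addr == "0":            # R0 $| $*: alias or .forward
        return "ok"
    if in_local_ip(client_addr):      # R$={LocalIP}$* $| $*
        return "ok"
    # Simplified stand-in for ruleset 3 plus R$*<@$=w.>$*: compare the domain.
    _user, at, domain = rcpt.rpartition("@")
    if at and domain.rstrip(".").lower() in local_domains:
        return "ok"
    return "571 Relaying Denied"      # final catch-all rule

if __name__ == "__main__":
    # Constructed sample connections: (client address, RCPT TO address)
    samples = [("0", "list@elsewhere.example"),
               ("10.10.5.3", "a@elsewhere.example"),
               ("10.100.5.3", "a@elsewhere.example"),
               ("192.0.2.7", "user@example.org"),
               ("192.0.2.7", "a@elsewhere.example")]
    for addr, rcpt in samples:
        print(f"{addr:12} {rcpt:24} -> {check_rcpt(addr, rcpt)}")
```
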
