From: David Lowe
Date: Wed, 23 Jul 1997 13:46:44 -0700 (PDT)
To: "Darrin R. Woods"
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: problems with sendmail security hacks

Darrin -

The relay denial rule at www.sendmail.org is not as "nice" as it could be, and can be terribly inconvenient if you host a lot of domains. If you do use it, sendmail.cR should be a file containing domain names which *are* allowed to relay through your mail server, but are not in the $=w class (domains which are considered local), i.e.:

foo.com
bar.net

I personally use a different approach, basing my relay allowing on the IP address of the connecting machine (since we host many, many domain names and only have a couple dozen class Cs, it's easier to keep track of. This also means that a temporary DNS error won't cause relay denial for one of our clients.) This would be done via (roughly):

# Netblocks we consider local for relaying purposes
F{LocalIP} /etc/sendmail/LocalIP

...

Scheck_rcpt
# get the client's IP address
R$+			$: $(dequote "" $&{client_addr} $) $| $1
# if it's directly invoked (i.e. alias or .forward - IP is 0) it's ok
R0 $| $*		$@ ok
# if it's one of the class Cs in the LocalIP macro, it's ok
R$={LocalIP}$* $| $*	$@ ok
# we want to check the recipient address next...
R$* $| $*		$: $>3 $2
# if it's in sendmail.cw, it's a local delivery so it's ok
R$*<@$=w.>$*		$@ ok
# Otherwise, we're not responsible
R$*			$#error $@ 5.7.1 $: 571 Relaying Denied

Where the LocalIP file contains either complete or partial network addresses:

127.0.0.1
10.10
10.11.159

Thanks,
David Lowe

On Wed, 23 Jul 1997, Darrin R. Woods wrote:

> Due to someone at juno.com using our mailserver as a relay we have added
> the sendmail hacks located at sendmail.org to our server.
>
> Question is concerning the 'sendmail.cR' file that checks to see if a user
> is authorized to use the server for outbound mail. There aren't really any
> instructions on what can be in this file so we've had to do it by trial and
> error. It seems as though this file will handle host.domains only. Is
> there any way that we can set it up to use wildcards or better yet, can we
> set it up to handle IP addresses (with possible wildcards here as well).
>
> Does anyone have any experience with this file and what it will take and
> what it won't, or can you point me to a reference.
>
> Thanks in advance.
>
>
> Darrin R. Woods            | "I'm so happy that I, can't stop crying."
> Director Operations        |                      --- Sting
> Netgazer Solutions, Inc.   |
> Dallas, Texas 972.702.9119 | work: http://www.netgazer.net
>
> My employer most whole-heartedly denies everything I say
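The decision order of the check_rcpt rules in the reply above, modelled in Python as an added example that is not part of the original message or of sendmail itself. The function names, the example.com stand-in for $=w and the test addresses are constructed; the recipient parsing is a simplified stand-in for ruleset 3. It also shows why partial addresses must be compared on whole dotted components, the way sendmail's token-based class matching does, rather than as raw string prefixes.

```python
# Added illustration: models the order of checks in the check_rcpt rules above.
# All names and sample values are constructed for this example.

def parse_class_file(text):
    """Return the non-empty entries of a class file, one entry per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def ip_in_netblocks(client_ip, netblocks):
    """Match complete or partial addresses on whole dotted components.

    '10.10' covers 10.10.x.x but not 10.100.x.x, which a plain
    str.startswith() comparison would wrongly accept as local.
    """
    octets = client_ip.split(".")
    for block in netblocks:
        prefix = block.rstrip(".").split(".")
        if octets[:len(prefix)] == prefix:
            return True
    return False


def check_rcpt(client_ip, rcpt, netblocks, local_domains):
    """Return 'ok' or the rejection text, testing in the same order as the rules."""
    # Directly invoked (alias or .forward): the client address is 0
    if client_ip == "0":
        return "ok"
    # Connecting machine is inside one of the local netblocks
    if ip_in_netblocks(client_ip, netblocks):
        return "ok"
    # Simplified stand-in for ruleset 3: domain is whatever follows the last '@'
    if "@" in rcpt:
        domain = rcpt.rsplit("@", 1)[1].strip("<>. ").lower()
        if domain in local_domains:
            return "ok"
    # Neither a local client nor a local recipient
    return "571 Relaying Denied"


LOCAL_IP = parse_class_file("127.0.0.1\n10.10\n10.11.159\n")  # from the message
LOCAL_DOMAINS = {"example.com"}  # constructed stand-in for the $=w class

if __name__ == "__main__":
    samples = [("10.10.4.7", "a@elsewhere.test"),
               ("10.100.4.7", "a@elsewhere.test"),
               ("192.0.2.9", "<user@example.com>"),
               ("0", "a@elsewhere.test")]
    for ip, rcpt in samples:
        print(ip, rcpt, "->", check_rcpt(ip, rcpt, LOCAL_IP, LOCAL_DOMAINS))
```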