Date:      Tue, 9 Jun 1998 01:23:26 +0000 (GMT)
From:      Terry Lambert <tlambert@primenet.com>
To:        mauri@krabi.mbp.ee (Lauri Laupmaa)
Cc:        current@FreeBSD.ORG
Subject:   Re: (NOT) relaying mail with current
Message-ID:  <199806090123.SAA23641@usr07.primenet.com>
In-Reply-To: <Pine.BSF.3.96.980608204536.226A-100000@krabi.mbp.ee> from "Lauri Laupmaa" at Jun 8, 98 08:47:36 pm

> Is -current relaying mail by default ? What are the simple steps to take
> to stop relaying (apart from reading sendmail book) ?

You could compile sendmail 8.9 for your machine.  This will turn off
relaying by default.  I believe it is a port.


I prefer www.obtuse.com's "smtpd/smtpfwdd" from Obtuse Systems, Inc.'s
"free code" area.  You can turn on RBL, etc., from it.  You run smtpd
in place of the sendmail in daemon mode.  It runs in a chroot jail,
and protects against sendmail exploits, as well.



To turn off relaying, you define an smtpd.rules file (that lives in
/etc in the chroot jail).

If you are using a FreeBSD box as a router/firewall (i.e., it has your
network on one side, and the Internet on the other), the simplest way
to accomplish this is to install my patches to ifconfig to allow the
designation of the internal network as "trusted":

	http://www.freebsd.org/~terry/

This is exactly the model supported by the Juniper firewall code itself,
so (obviously) it works well with their "smtpd" program.

Then you edit their "address_check.c" and replace their:

	connection_trusted()

function to getsockopt() on the socket to see if packets sent on it
would go to a "trusted" interface or not.  If they will, the machine's
inside, and the relay is allowed.

The rules file for no external relay is:

allow:TRUSTED:ALL:ALL
noto:ALL:ALL:ALL:551 Sorry %H(%I), I don't allow unauthorized relaying. Please use another SMTP host to mail from %F to %T


...the only catch is you need to replace the "#if defined(JUNIPER_SUPPORT)"
with "#if defined(CHECK_ADDRESS)", and define it separately for FreeBSD;
this makes it so it's a recompile if you later buy Juniper (or replace
your Juniper box with a FreeBSD box).


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
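The two-line rules file above is the whole anti-relay policy, so it is worth seeing how it behaves for an inside and an outside connection, and why the order of the two lines matters. The following is an added example that simulates the evaluation of such an smtpd.rules file; it is not code from the obtuse smtpd distribution or from the poster. It assumes the rule format is `action:host:from:to[:message]`, that rules are tried top to bottom with the first match deciding, that an unmatched connection is denied, that `TRUSTED` matches only connections the (patched) `connection_trusted()` check flagged as inside (modelled here as a boolean on the connection), that `ALL` matches anything, and that `%H`, `%I`, `%F` and `%T` expand to the peer hostname, peer IP, envelope sender and envelope recipient. The hostnames and addresses are constructed sample values.

```python
"""Simulated evaluation of an obtuse-style smtpd.rules file (added example).

Assumptions (not verified against the real smtpd source): rules are
'action:host:from:to[:message]', first matching rule wins, no match means
deny, TRUSTED matches only connections that connection_trusted() accepted,
ALL matches anything, and %H/%I/%F/%T are the peer host, peer IP, sender
and recipient.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the two-rule "no external relay" policy from the message.
RULES_TEXT = """\
allow:TRUSTED:ALL:ALL
noto:ALL:ALL:ALL:551 Sorry %H(%I), I don't allow unauthorized relaying. Please use another SMTP host to mail from %F to %T
"""


@dataclass
class Rule:
    action: str
    host: str
    sender: str
    recipient: str
    message: Optional[str] = None


@dataclass
class Connection:
    hostname: str
    ip: str
    trusted: bool  # result of the (patched) connection_trusted() check


def parse_rules(text: str) -> List[Rule]:
    """Parse rules file text; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)  # the trailing message may itself contain ':'
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need at least action:host:from:to")
        rules.append(Rule(*fields))
    return rules


def _host_matches(pattern: str, conn: Connection) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "TRUSTED":
        return conn.trusted
    return pattern.lower() == conn.hostname.lower()  # assumption: literal match only


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "ALL":
        return True
    return pattern.lower() == addr.lower()  # assumption: literal match only


def expand(template: str, conn: Connection, sender: str, recipient: str) -> str:
    """Fill in the %H, %I, %F and %T placeholders of a rejection message."""
    return (template.replace("%H", conn.hostname).replace("%I", conn.ip)
            .replace("%F", sender).replace("%T", recipient))


def decide(rules: List[Rule], conn: Connection, sender: str,
           recipient: str) -> Tuple[bool, Optional[str]]:
    """Return (accepted, smtp_reply_or_None) for one RCPT TO on a connection."""
    for rule in rules:
        if (_host_matches(rule.host, conn) and _addr_matches(rule.sender, sender)
                and _addr_matches(rule.recipient, recipient)):
            if rule.action == "allow":
                return True, None
            if rule.action == "noto":
                return False, expand(rule.message or "551 Relaying denied",
                                     conn, sender, recipient)
            raise ValueError(f"unsupported action {rule.action!r}")
    return False, "551 Relaying denied"  # assumption: default is deny


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    inside = Connection("ws1.example.internal", "10.0.0.5", trusted=True)
    outside = Connection("relay-probe.example.net", "192.0.2.7", trusted=False)
    print(decide(rules, inside, "alice@example.internal", "bob@example.org"))
    print(decide(rules, outside, "x@example.net", "bob@example.org"))
    # With the lines swapped, the catch-all 'noto' shadows the 'allow' rule.
    print(decide(list(reversed(rules)), inside, "alice@example.internal", "bob@example.org"))
```

Running it shows the trusted connection relaying to an outside domain, the untrusted one receiving the expanded 551 text, and, with the two lines swapped, even the inside host being refused: the `allow:TRUSTED` line has to come before the catch-all `noto` line.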
