The check_rcpt ruleset against unauthorized relaying has a problem with "roaming" users, since it accepts outgoing mail only from local addresses.
This problem can be solved in at least two ways:
Another way will be SMTP AUTH as described in RFC 2554. However, this is not implemented in sendmail 8.9 because it was released before the RFC was available. It is planned for the next version (no release date known).
FROM address is one which seems ok to us.

So list in the class

    F{LocalIP} /etc/mail/LocalIP

the IP addresses of the hosts you will allow to relay through your mail server, for example

    134.245
    127.0.0.1

Next, you need to define a map

    # list of domains and addresses which can send mail through
    # our relay if they appear in MAIL FROM:
    Kallow dbm -a@ALLOWED /etc/mail/allow

containing the names of domains or full e-mail addresses which may use your system. As usual, you can also define a class of addresses for which you act as a relay (for incoming mail):

    F{RelayTo} /etc/mail/RelayTo

The rulesets (available by

    define(`_ALLOW_SOME_')
    HACK(check_rcpt4)

in check.tar) now look like this:

    # check for allowed addresses
    Sallow
    # lookup domain in database
    R$*<@$+>		$:$1<@$(allow $2$)>
    # exists? return
    R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
    # lookup address in database
    R$*<@$+>		$:$1<@$(allow $1@$2 $:$2$)>
    # exists? return
    R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
    # remove one subdomain, try again
    R$*<@$-.$-.$+>		$: $>allow $1<@$3.$4>

    Scheck_rcpt
    # make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
    # first: get client address
    R$+			$: $(dequote "" $&{client_addr} $) $| $1
    R0 $| $*		$@ ok		client_addr is 0 for sendmail -bs
    R$={LocalIP}$* $| $*	$@ ok		from here
    # not local, check rcpt
    R$* $| $*		$: $>3 $2
    # remove local part
    R$+			$:$>remove_local $1
    R$*<@$+>$*		$: <RELAY>
    # now get and canonify the FROM address
    R$*			$: $1 $| $>3 $(dequote "" $&f $)
    # compare it with an "allowed" domain
    R$* $| $*<@$*.>$*	$: $1 $| $>allow $2<@$3>
    # match: ok
    R$* $| $*<@$*@ALLOWED>$*	$@ ok
    # nope, it's a relay attempt
    R<RELAY> $| $*		$#error $@ 5.7.1 $: 550 we do not relay

    Sremove_local
    # remove RelayTo part (maybe repeatedly)
    R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
    R$*<@$=w.>$*		$: $>remove_local $>3 $1 $3
    R$*<@$*>$*		$@ $1<@$2>$3
    # dequote local part
    R$-			$: $>3 $(dequote $1 $)
    R$*<@$*>$*		$: $>remove_local $1<@$2>$3

All explanations (and enhancements) for the original check_rcpt ruleset apply here too.
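
As an added illustration (not part of the original page or of check.tar), the following Python sketch models the decision order of the rulesets above on simple local@domain addresses. The sample domains, the class w entry and the function names are assumptions made for the example; source routes and the canonification done by ruleset 3 are not modelled.

```python
# Simplified model of the check_rcpt / allow / remove_local rulesets.
# All data below is constructed sample data, not from a real site.
LOCAL_IP = ["134.245", "127.0.0.1"]               # /etc/mail/LocalIP
ALLOW = {"example.org", "alice@partner.example"}  # keys of /etc/mail/allow
RELAY_TO = {"example.org"}                        # /etc/mail/RelayTo
LOCAL_NAMES = {"mail.example.org"}                # class w (assumed)


def allowed(local, domain):
    """Sallow: look up the domain, then local@domain, then drop one subdomain."""
    domain = domain.lower().rstrip(".")
    while True:
        if domain in ALLOW or f"{local.lower()}@{domain}" in ALLOW:
            return True
        labels = domain.split(".")
        if len(labels) < 3:       # R$*<@$-.$-.$+> needs three or more labels
            return False
        domain = ".".join(labels[1:])


def is_relay_request(rcpt):
    """Sremove_local: True if the recipient domain is neither local nor RelayTo."""
    _, at, domain = rcpt.strip("<>").rpartition("@")
    if not at:
        return False              # bare local part, delivered here
    domain = domain.lower().rstrip(".")
    ours = domain in LOCAL_NAMES or any(
        domain == d or domain.endswith("." + d) for d in RELAY_TO)
    return not ours


def check_rcpt(client_addr, mail_from, rcpt):
    """Return "ok" or the rejection text used by the ruleset."""
    # client_addr is 0 for sendmail -bs; LocalIP entries match as prefixes
    if client_addr == "0" or any(
            client_addr == p or client_addr.startswith(p + ".")
            for p in LOCAL_IP):
        return "ok"
    if not is_relay_request(rcpt):
        return "ok"               # incoming mail for us or a RelayTo domain
    local, at, domain = mail_from.strip("<>").rpartition("@")
    if at and allowed(local, domain):
        return "ok"               # roaming user: MAIL FROM is in the allow map
    return "550 we do not relay"
```

The third test consults only the MAIL FROM value supplied by the client, so it identifies the sender rather than authenticating it.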
William R. Thomas sent me a single Perl script which does all of the work. Harlan Stenn sent me a modified version of this Perl script, which should be used instead. (Last Update: 1998-04-24)
Dynamic Relay Authorization Control written by Gary Mills and POP3-Authenticated Relaying written by Curt Sampson are other proposals.