Relay control in sendmail for roaming users

Last Update 2001-06-02


Relay control is based on either the recipient address or the origin of an e-mail. The first is very simple to control, but the second can be a problem: what is the origin of an e-mail? This can either be based on something simple like the connecting host (IP address/name) or it can use SMTP STARTTLS / AUTH as implemented in sendmail 8.11 / 8.10, which allows users to authenticate themselves to enable relaying without requiring any of the "hacks" listed below.

In this document some hacks are described to provide less sophisticated forms of authentication which do not use SMTP AUTH. The best of these methodes is called POP-before-SMTP.

Authorize relaying based on authentification provided by a modified POP daemon

POP-before-SMTP requires a modification to a POP daemon, some utilities, and a simple addition to the sendmail configuration. This is an idea from John Levine, described by Scott Hazen Mueller. It has been implemented by Neil Harkins and John Levine .


Some utitilities are necessary to create a map for the rules in the file. Here are some of those:


Since there are several broken rulesets available which cause the volunteers at additional work, here is a ruleset for sendmail 8.9 and beyond which is very simple:
Notice If you use sendmail 8.10 (or beyond), the default for this hack is to require a tag (POP:) for each entry in the map. To turn this off, you need to use:
define(`POP_B4_SMTP_TAG', `')

The old HACKs for 8.8 have an option _POPAUTH_

Other Solutions for POP-before-SMTP

Dynamic Relay Authorization Control written by Gary Mills and POP3-Authenticated Relaying written by Curt Sampson are other proposals.

Authorize relaying based on the sender address

This is a Bad Idea as cf/README points out:
		Allows relaying if the domain portion of the mail sender
		is a local host.  This should only be used if absolutely
		necessary as it opens a window for spammers.  Specifically,
		they can send mail to your mail server that claims to be
		from your domain (either directly or via a routed address),
		and you will go ahead and relay it out to arbitrary hosts
		on the Internet.
However, sendmail 8.10 and later versions provide a slightly better feature:
		Allows relaying if the mail sender is listed as RELAY in
		the access map.  If an optional argument `domain' is given,
		the domain portion of the mail sender is checked too.
		This should only be used if absolutely necessary as the
		sender address can be easily forged.  Use of this feature
		requires the "From:" tag be prepended to the key in the
		access map; see the discussion of tags and
		FEATURE(`relay_mail_from') in the section on ANTI-SPAM

Use the mailserver of the ISP

There is yet another, very simple solution: roaming users can also try to use the mailserver of the ISP through which they connect to the internet. In this case they usually are authenticated by dialing into the ISP.
[(links)] [Hints] [Avoiding UBE] [cf/README] [New]
Copyright © Claus Aßmann Please send comments to: <ca at>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.