
Re: Sendmail & access restrictions



Stephen Gran wrote:
> I think I'm being dense, but I can't figure out how to do something
> like the following in /etc/mail/access:
> 
> xxx.xxx.xxx.xxx: OK # front-end machine 1
> xxx.xxx.xxx.xxy: OK # front-end machine 2

OK.  You'll want to add localhost and 127.0.0.1:

localhost.localdomain	RELAY
localhost		RELAY
127.0.0.1		RELAY

otherwise locally-generated mail will fail.  Unless you've got a good
reason NOT to trust localhost, any sendmail access map should include
these or similar lines - the last one is probably all that's required.

> AUTH: OK
> *: REJECT

But these aren't really valid.

By default (at least with recent versions of sendmail), relaying is
denied UNLESS you have told sendmail otherwise.

To allow SMTP-AUTH users to relay mail, add the following to your
sendmail.mc:

TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

You may want to trust additional mechanisms (CRAM-MD5, DIGEST-MD5, there
may be others).

You'll *probably* also want TLS support, so that roaming users relaying
through your server don't send password-ish information in the clear. 
If you go this route, you can also issue certificates to individual
users and include that information in the access map.

I set this up on my personal server, but not the ISP servers I admin. 
User information is too scattered to practically implement SMTP AUTH
right now.  :/

The complete set of changes for allowing SMTP AUTH to relay is in the
sendmail.mc file.  Mine includes the following:

dnl --- STARTTLS/SMTP-AUTH options ---
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A,p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-deepnet.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/smtp.deepnet.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/rock.key.insecure')dnl

This specifies, in respective order:
- Trust LOGIN or PLAIN SMTP AUTH mechanisms for relay
- Allow LOGIN and PLAIN authentication
- Only allow easily-sniffed/bypassed/cracked AUTH mechanisms after
successful STARTTLS or similar security layer
- Where to find server/client certs
- What to use as the CA cert
- What to use as the TLS cert for this host
- Which key to use for the TLS cert

Unfortunately I seem to have lost the original reference I used to put
this together, and that system is still running RedHat 7.3.  :( 
Checking for Debian shows there are useful sections in
/usr/share/doc/cf.README  (from sendmail-doc).

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml should be useful
in getting TLS going.

If you're going to be doing much sendmail administration, you should
probably pick up a copy of the current (3rd) edition of the Bat Book.

Many references assume that you're installing sendmail from source;  you
should just be able to skip the first few steps relating to compile
options as most packaged sendmail installs include at least *potential*
support for all of its options.

-kgd
-- 
"Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
   - Unknown
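As an added check (not part of this post, and not sendmail's own tooling), a small Python linter that applies the points made above to the text form of an access file and to sendmail.mc: it flags `AUTH:` and `*:` style lines, a missing `127.0.0.1 RELAY` entry, and a trusted LOGIN/PLAIN without the `p` flag in confAUTH_OPTIONS. The sample inputs are constructed; the accepted right-hand sides and the rule that makemap skips only blank lines and lines beginning with `#` are assumptions taken from sendmail's documented access-map format.

```python
import re

# Accepted right-hand sides and key tags (assumed from sendmail's documented access-map format).
_RHS = re.compile(r"^(OK|RELAY|REJECT|DISCARD|SKIP|ERROR:.+|\d{3} .+)$")
_TAG = re.compile(r"^(Connect|From|To):")

def lint_access(text):
    """Return [(lineno, message)] findings for the text form of /etc/mail/access."""
    problems, keys = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.startswith("#"):  # the only lines makemap skips
            continue
        if "#" in line:
            problems.append((n, "inline '#' is not a comment; it becomes part of the value"))
            line = line.split("#", 1)[0].rstrip()
        parts = line.split(None, 1)
        key, rhs = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if not _RHS.match(rhs):
            problems.append((n, f"unknown right-hand side {rhs!r}"))
        if "*" in key:
            problems.append((n, "wildcards are not supported; relay is denied by default anyway"))
        elif key.endswith(":") and not _TAG.match(key):
            problems.append((n, f"{key!r}: trailing ':' is not key syntax (tags are Connect:/From:/To: prefixes)"))
        keys[_TAG.sub("", key)] = rhs
    if keys.get("127.0.0.1") != "RELAY":
        problems.append((0, "no '127.0.0.1 RELAY' entry: locally generated mail may fail"))
    return problems

def check_auth_options(mc):
    """Warn when LOGIN/PLAIN are trusted for relay but confAUTH_OPTIONS lacks 'p'."""
    mech = re.search(r"TRUST_AUTH_MECH\(`([^']*)'\)", mc)
    opts = re.search(r"confAUTH_OPTIONS',\s*`([^']*)'", mc)
    mechs = set(mech.group(1).split()) if mech else set()
    flags = set(opts.group(1).split(",")) if opts else set()
    if mechs & {"LOGIN", "PLAIN"} and "p" not in flags:
        return ["LOGIN/PLAIN trusted but confAUTH_OPTIONS lacks 'p': passwords may cross the wire unencrypted"]
    return []

# Constructed sample inputs (192.0.2.10 is a documentation address).
ACCESS = """\
# front-end hosts and local delivery
localhost.localdomain\tRELAY
localhost\t\tRELAY
127.0.0.1\t\tRELAY
192.0.2.10: OK # front-end machine 1
AUTH: OK
*: REJECT
"""
MC = "TRUST_AUTH_MECH(`LOGIN PLAIN')dnl\ndefine(`confAUTH_OPTIONS', `A')dnl\n"
```

Run `lint_access(ACCESS)` and `check_auth_options(MC)` to see the findings; line 0 in the output means a file-wide finding rather than a particular line.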


