
Re: Sendmail & access restrictions

Stephen Gran wrote:
> I think I'm being dense, but I can't figure out how to do something
> like the following in /etc/mail/access:
> xxx.xxx.xxx.xxx: OK # front-end machine 1
> xxx.xxx.xxx.xxy: OK # front-end machine 2

OK.  You'll want to add localhost and

localhost.localdomain	RELAY
localhost		RELAY

otherwise locally-generated mail will fail.  Unless you've got a good
reason NOT to trust localhost, any sendmail access map should include
these or similar lines; the last one is probably all that's required.


But these aren't really valid.

By default (at least with recent versions of sendmail), relaying is
denied UNLESS you have told sendmail otherwise.

To allow SMTP-AUTH users to relay mail, add the following to your


You may want to trust additional mechanisms (CRAM-MD5, DIGEST-MD5, there
may be others).

You'll *probably* also want TLS support, so that roaming users relaying
through your server don't send password-ish information in the clear. 
If you go this route, you can also issue certificates to individual
users and include that information in the access map.

I set this up on my personal server, but not the ISP servers I admin. 
User information is too scattered to practically implement SMTP AUTH
right now.  :/

The complete set of changes for allowing SMTP AUTH to relay is in the
sendmail.mc file.  Mine includes the following:

dnl --- STARTTLS/SMTP-AUTH options ---
define(`confAUTH_OPTIONS', `A,p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-deepnet.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/smtp.deepnet.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/rock.key.insecure')dnl

This specifies, in respective order:
- Trust LOGIN or PLAIN SMTP AUTH mechanisms for relay
- Allow LOGIN and PLAIN authentication
- Only allow easily-sniffed/bypassed/cracked AUTH mechanisms after
successful STARTTLS or similar security layer
- Where to find server/client certs
- What to use as the CA cert
- What to use as the TLS cert for this host
- Which key to use for the TLS cert

Unfortunately I seem to have lost the original reference I used to put
this together, and that system is still running RedHat 7.3.  :( 
Checking for Debian shows there are useful sections in
/usr/share/doc/cf.README  (from sendmail-doc).

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml should be useful
in getting TLS going.

If you're going to be doing much sendmail administration, you should
probably pick up a copy of the current (3rd) edition of the Bat Book.

Many references assume that you're installing sendmail from source; you
should just be able to skip the first few steps relating to compile
options as most packaged sendmail installs include at least *potential*
support for all of its options.

"Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
   - Unknown
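One way to put the pieces discussed above together, as an added example that is not code from the original message or from the sendmail project: the sendmail.mc fragment including the two mechanism lines the numbered list refers to (TRUST_AUTH_MECH and confAUTH_MECHANISMS), an access map that trusts localhost and two front-end machines and carries a client-certificate entry of the kind mentioned for roaming users, and a small format check to run before makemap. All host names, addresses, certificate paths and the CertSubject DN are placeholders assumed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. The relay-related pieces
# of a sendmail.mc and a matching /etc/mail/access, plus a format check to
# run before makemap. Host names, addresses, certificate paths and the
# CertSubject DN are placeholders.

# sendmail.mc fragment. TRUST_AUTH_MECH lists the mechanisms whose users may
# relay; confAUTH_MECHANISMS lists the mechanisms offered at all. In
# confAUTH_OPTIONS, "A" passes AUTH= on MAIL FROM only after a successful
# authentication and "p" refuses mechanisms open to passive sniffing
# (LOGIN, PLAIN) until a security layer such as STARTTLS is active.
mc_fragment() {
    cat <<'EOF'
dnl --- STARTTLS/SMTP-AUTH options ---
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A,p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/smtp.example.org.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/smtp.example.org.key')dnl
FEATURE(`access_db', `hash -o /etc/mail/access.db')dnl
EOF
}

# /etc/mail/access. makemap takes the first field as the key and the whole
# rest of the line as the value, so comments go on their own lines, never
# after the value. The Connect: tag limits an entry to the connecting host;
# the CertSubject: entry lets a client presenting a verified TLS certificate
# with that subject relay without a password (non-alphanumerics in the DN
# are written as +XX hex, as cf.README describes).
access_map() {
    cat <<'EOF'
# locally generated mail
Connect:localhost.localdomain	RELAY
Connect:localhost		RELAY
Connect:127.0.0.1		RELAY
# front-end machine 1 (placeholder address)
Connect:192.0.2.10		RELAY
# front-end machine 2 (placeholder address)
Connect:192.0.2.11		RELAY
# roaming user identified by client certificate instead of SMTP AUTH
CertSubject:/C=XX/O=Example+20Org/CN=alice	RELAY
EOF
}

# Reject malformed access-map lines before they reach makemap. A value must
# be a single OK/RELAY/REJECT/DISCARD/SKIP token or an ERROR:... entry, so
# "localhost RELAY RELAY" or "1.2.3.4 OK # comment" are reported here.
# Returns 0 when the file is clean, 1 otherwise.
check_access_map() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 2 { printf "line %d: missing value: %s\n", NR, $0; bad = 1; next }
        $2 ~ /^(OK|RELAY|REJECT|DISCARD|SKIP)$/ {
            if (NF > 2) { printf "line %d: extra text after %s: %s\n", NR, $2, $0; bad = 1 }
            next
        }
        $2 ~ /^ERROR:/ { next }
        { printf "line %d: unknown value %s: %s\n", NR, $2, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

case "${1:-show}" in
    show)
        mc_fragment
        echo
        access_map
        ;;
    install)
        # Write the map, validate it, then build access.db for sendmail.
        access_map > /etc/mail/access
        check_access_map /etc/mail/access || exit 1
        makemap hash /etc/mail/access < /etc/mail/access
        ;;
esac
```

The CertSubject: (and CertIssuer:) entries only take effect when sendmail has verified the presented certificate against confCACERT; an unverified certificate falls through to the ordinary relay rules. The check deliberately refuses anything after a plain OK/RELAY/REJECT value because makemap would otherwise store the extra text as part of the value, which is exactly how a trailing comment or a doubled RELAY turns into an entry sendmail does not recognise.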
