Re: Sendmail & access restrictions
Stephen Gran wrote:
> I think I'm being dense, but I can't figure out how to do something
> like the following in /etc/mail/access:
>
> xxx.xxx.xxx.xxx: OK # front-end machine 1
> xxx.xxx.xxx.xxy: OK # front-end machine 2
OK. You'll want to add localhost and 127.0.0.1:
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
otherwise locally-generated mail will fail. Unless you've got a good
reason NOT to trust localhost, any sendmail access map should include
these or similar lines; the last one is probably all that's required.
> AUTH: OK
> *: REJECT
But these aren't really valid.
By default (at least with recent versions of sendmail), relaying is
denied UNLESS you have told sendmail otherwise.
To allow SMTP-AUTH users to relay mail, add the following to your
sendmail.mc:
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
You may want to trust additional mechanisms (CRAM-MD5, DIGEST-MD5, there
may be others).
You'll *probably* also want TLS support, so that roaming users relaying
through your server don't send password-ish information in the clear.
If you go this route, you can also issue certificates to individual
users and include that information in the access map.
I set this up on my personal server, but not the ISP servers I admin.
User information is too scattered to practically implement SMTP AUTH
right now. :/
The complete set of changes for allowing SMTP AUTH to relay is in the
sendmail.mc file. Mine includes the following:
dnl --- STARTTLS/SMTP-AUTH options ---
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A,p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-deepnet.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/smtp.deepnet.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/rock.key.insecure')dnl
This specifies, in respective order:
- Trust LOGIN or PLAIN SMTP AUTH mechanisms for relay
- Allow LOGIN and PLAIN authentication
- Only allow easily-sniffed/bypassed/cracked AUTH mechanisms after
successful STARTTLS or similar security layer
- Where to find server/client certs
- What to use as the CA cert
- What to use as the TLS cert for this host
- Which key to use for the TLS cert
Unfortunately I seem to have lost the original reference I used to put
this together, and that system is still running RedHat 7.3. :(
Checking for Debian shows there are useful sections in
/usr/share/doc/cf.README (from sendmail-doc).
http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml should be useful
in getting TLS going.
If you're going to be doing much sendmail administration, you should
probably pick up a copy of the current (3rd) edition of the Bat Book.
Many references assume that you're installing sendmail from source; you
should just be able to skip the first few steps relating to compile
options as most packaged sendmail installs include at least *potential*
support for all of its options.
-kgd
--
"Sendmail administration is not black magic. There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
- Unknown
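A small audit of the two configuration pieces discussed in this reply (the STARTTLS/SMTP-AUTH defines in sendmail.mc and the localhost entries in the access map), added here as an example and not part of the original message. The fragments it checks are constructed: `192.0.2.10`, the `smtp.example.*` certificate paths and the missing `p' flag are stand-ins chosen so the audit has something to report.

```python
import re

# Constructed sendmail.mc fragment modelled on the one in the post; the `p'
# flag has been left out of confAUTH_OPTIONS so the audit reports it.
MC_SAMPLE = """dnl --- STARTTLS/SMTP-AUTH options ---
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confSERVER_CERT', `/etc/mail/certs/smtp.example.crt')dnl
"""
# Constructed access map: a front-end host allowed, but no 127.0.0.1 RELAY line.
ACCESS_SAMPLE = """# front-end machine 1 (constructed address)
192.0.2.10\tOK
localhost\tRELAY
"""
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}   # readable by a passive sniffer without TLS
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
TRUST_RE = re.compile(r"TRUST_AUTH_MECH\(`([^']*)'\)")

def parse_mc(text):
    """Return {setting: value} for define(...) and TRUST_AUTH_MECH lines."""
    settings = {}
    for line in text.splitlines():
        if m := TRUST_RE.search(line):
            settings["TRUST_AUTH_MECH"] = m.group(1).split()
        elif m := DEFINE_RE.search(line):
            settings[m.group(1)] = m.group(2)
    return settings

def audit_mc(text):
    """Findings for the AUTH/TLS settings the post describes."""
    s = parse_mc(text)
    mechs = set(s.get("TRUST_AUTH_MECH", [])) | set(s.get("confAUTH_MECHANISMS", "").split())
    opts = set(s.get("confAUTH_OPTIONS", "").split(","))
    findings = []
    if mechs & PLAINTEXT_MECHS and "p" not in opts:
        findings.append("LOGIN/PLAIN enabled without confAUTH_OPTIONS p: passwords may cross the wire in the clear")
    if not ("confSERVER_CERT" in s and "confSERVER_KEY" in s):
        findings.append("confSERVER_CERT and confSERVER_KEY not both set: STARTTLS cannot be offered")
    return findings

def audit_access(text):
    """Findings for an access map: locally generated mail needs 127.0.0.1 RELAY."""
    relay = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # makemap treats '#' lines as comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip().upper() == "RELAY":
            relay.add(parts[0])
    return [] if "127.0.0.1" in relay else ["127.0.0.1 RELAY missing: locally generated mail will fail"]
```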