Mailinglist Archive: opensuse-security (448 mails)

sendmail relays by default
  • From: Jim Osborn <jimo@xxxxxxxxxx>
  • Date: Sun, 19 May 2002 19:10:27 -0700
  • Message-id: <20020520021027.GA12656@xxxxxxxxxx>
Way back on Mon, Apr 15, 2002 at 11:08:28AM -0700, Ben Rosenberg wrote:
> As far as relaying is concerned you should most likely specify in
> /etc/mail/access who can relay and deny all others. I don't believe this
> is configured by default in SuSE.

I've read many, many places that as of v8.9.3, sendmail does not relay
by default. To my surprise, I was informed by a relay testing server
that I was running an open relay, and, sure enough, my sendmail DOES
relay. I had a line "127 RELAY" in /etc/mail/access, so I removed that line,
leaving access empty, but upon retesting, I'm still relaying. It's not
a huge exposure, dynamic IP, brief connections, but it's not right, and
I intend to fix it.

I receive my mail via fetchmail, which hands off to sendmail on port 25,
and I send to my smarthost, via delayed queueing, and flush the queue
when fetchmail is connected anyway. So, with these simple needs, I
should be able to restrict sendmail to relaying only to or from localhost.
I thought that's what the oft-mentioned "by default no relay" remarks meant.

If someone knows offhand, maybe they can reduce my research:
Has SuSE done something to enable relaying by default?
Do I need some stuff in my access database to restrict relaying, even if
I really don't want to relay anything from outside to outside?
If so, what's the access line for "deny all except to/from localhost"?

The docs and faqs I'm reading all go into elaborate detail on the subject
of allowing controlled relaying, whereas I'm more interested in NO relaying.

> I've also bitched for years that they should stop having it start
> with the -bd switch. Taking the -bd switch out of the options for
> when sendmail starts will make it so it doesn't accept
> connections..it just sends mail out. If you have a webserver or
> something else that isn't a mailserver at all..then you don't need
> to accept mail, just send. :)

I tried turning off the sendmail daemon, per the above reasoning.
But then fetchmail began failing, and per the fetchmail FAQ, I needed
to have an SMTP listener for fetchmail to pass the mail to. When I
was first setting up fetchmail, I tried using procmail as the mda,
but for reasons now long forgotten, I went back to sendmail. I think
there were problems parsing mailing lists, and my wife's mail stream,
that made sendmail receive mail better. And in any case, I'd like to
take charge of this important part of my system.

FWIW, I'm still running SuSE 6.3, sendmail 8.9.3, and my settings are as follows:

/etc/mail/{access,mailertable,userdb,virtusertable} are all empty

/etc/mail/service-nodns.switch contains:
hosts files
aliases files

/etc/{rc.config,rc.config.d/sendmail.rc.config} settings:

DHCPD_INTERFACE=""
DHCRELAY_SERVERS="127.0.0.1 127.0.0.2"
FQHOSTNAME="not.a.registered.domain"
FROM_HEADER="eskimo.com"
FW_START="no"
SENDMAIL_ARGS="-bd -om"
SENDMAIL_DIALUP="yes"
SENDMAIL_EXPENSIVE="yes"
SENDMAIL_GENERICS_DOMAIN=""
SENDMAIL_LOCALHOST="localhost"
SENDMAIL_NOCANONIFY="yes"
SENDMAIL_NODNS="yes"
SENDMAIL_RELAY=""
SENDMAIL_SMARTHOST="smtp:mail.eskimo.com"
SENDMAIL_TYPE="yes"
SMTP="yes"
USEPEERDNS=yes

and the resulting .mc file, before m4 renders it into sendmail.cf is:

divert(-1)
include(`/usr/share/sendmail/m4/cf.m4')
divert(0)dnl
VERSIONID(`@(#)Setup for SuSE Linux 8.9.3-0.1 (SuSE Linux) 26/10/1999')
OSTYPE(`suse-linux')dnl
define(`SMART_HOST', `smtp:mail.eskimo.com')dnl
FEATURE(`expensive')dnl
FEATURE(`nocanonify')dnl
HACK(`nodns')dnl
FEATURE(`dialup', `not.a.registered.domain')dnl
MASQUERADE_AS(`eskimo.com')dnl
FEATURE(`masquerade_envelope')dnl
MAILER(`local')dnl
MAILER(`procmail')dnl
MAILER(`smtp')dnl
MAILER(`uucp')dnl
MAILER(`bsmtp')dnl
MAILER(`fido')dnl
LOCAL_CONFIG
Cw localhost

Anyone see an "ENABLE RELAYING" statement in that config?

TIA,

Jim
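
Added example, not part of the original message and not SuSE or sendmail tooling: a small Python check that looks for what the post asks about, namely relay-widening FEATURE() lines in an .mc file and RELAY entries in an access map, and also reports whether FEATURE(`access_db') is declared. The function names and the sample access lines are constructed here, and the check reads only the .mc text itself; it does not expand what OSTYPE() or HACK() pull in.

```python
import re

# FEATURE() names documented in sendmail's cf/README that widen or loosen relaying.
RELAY_FEATURES = {
    "promiscuous_relay", "relay_entire_domain", "relay_hosts_only",
    "relay_based_on_MX", "relay_local_from", "relay_mail_from",
    "loose_relay_check",
}
MACRO = re.compile(r"\b(FEATURE|HACK)\(`([^']+)'")

def audit_mc(mc_text):
    """Summarize relay-relevant macros in an .mc file (OSTYPE/HACK files are not expanded)."""
    found = {"relay_features": [], "hacks": [], "access_db": False}
    for line in mc_text.splitlines():
        active = re.split(r"\bdnl\b", line)[0]   # m4 discards everything after dnl
        for kind, name in MACRO.findall(active):
            if kind == "HACK":
                found["hacks"].append(name)      # site-local m4, review by hand
            elif name == "access_db":
                found["access_db"] = True        # access map is only consulted with this
            elif name in RELAY_FEATURES:
                found["relay_features"].append(name)
    return found

def relay_entries(access_text):
    """Return the keys of access-map lines whose action is RELAY."""
    keys = []
    for line in access_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].upper() == "RELAY":
            keys.append(fields[0])
    return keys

# Macro lines copied from the .mc file in the post.
SAMPLE_MC = """\
OSTYPE(`suse-linux')dnl
define(`SMART_HOST', `smtp:mail.eskimo.com')dnl
FEATURE(`expensive')dnl
FEATURE(`nocanonify')dnl
HACK(`nodns')dnl
FEATURE(`dialup', `not.a.registered.domain')dnl
FEATURE(`masquerade_envelope')dnl
"""
# Constructed access-map sample; the first line is the entry the post says was removed.
SAMPLE_ACCESS = "127 RELAY\n# comment\nexample.org REJECT\n"

if __name__ == "__main__":
    print(audit_mc(SAMPLE_MC))
    print(relay_entries(SAMPLE_ACCESS))
```

On the macro lines from the post it finds no relay-widening FEATURE, no access_db declaration, and one HACK (nodns) whose m4 source would need to be read by hand.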
