Re: [suse-security] Problems with sendmail & relay
From: RoMaN SoFt / LLFB!! <roman@madrid.com>
Date: Sun, 19 Nov 2000 15:52:48 +0100
Message-ID: <9oef1tsadvt8uh36evp9mocntjlul0e9vn@4ax.com>
Subject: Re: [suse-security] Problems with sendmail & relay

On Sat, 18 Nov 2000 18:33:33 +0100 (CET), you wrote:

>> cccc.com RELY
>
> I hope this is a typo, because if it isn't then I would try changing it to RELAY ;-)

Yes, it was a typo when writing the former post :) The /etc/mail/access syntax is OK. It is not the problem.

>> The result is that now I can send to recipients like: user@cccc.com. But this isn't the behaviour I want. What I want is that user@cccc.com can send (not be sent to) to any other recipient (at whatever domain) using my mta.
>
> This doesn't make much sense to me. You can always (providing you've got sendmail running) send mail to any user at any domain. This has nothing to do with the access setting you changed.

:-? /me doesn't understand :) Then... what is the /etc/mail/access file intended for? The above statement isn't true: you canNOT "always" send mail to any user at any domain. This is what the relay check is intended for. If you're not connecting to sendmail (I'm assuming a remote user connecting to the MTA's port 25) from an IP address "which is relayed" (e.g. listed in /etc/mail/access as RELAY) or you try to send mail to a domain which isn't relayed, sendmail denies/rejects this send attempt. However, your statement is true for old sendmail versions, where the default behaviour is to RELAY all (spammer's paradise ;-)).

> If I understand you correctly, what you want to do is be a mailserver for domain bbb.com, as well as relay mail from domain ccc.com. This you can achieve by adding ccc.com to either your access database or (simpler) by adding it to /etc/mail/relay-domains. That will permit any user coming

Yes. I knew that. SuSE 6.4 doesn't have the /etc/mail/relay-domains file created (btw, you could create it; sendmail would use it since it's pointed to in /etc/sendmail.cf). Perhaps they prefer to use the access file with the RELAY "command"... I think you get the same behaviour. Hope I'm not wrong here.

> from the ccc.com domain (i.e. whose client ip number is in the ccc.com domain) to send mail through your mailserver. If you also

That's the problem. This is NOT what I want to achieve. The above behaviour would imply my clients ALWAYS connect from an IP or IP range belonging to the ccc.com domain, which is NOT my intention.

To summarize: I want my clients connecting from *ANY* IP. At first sight, this implies an open relay MTA and perhaps my site included in a spam blacklist, which is not my desire ;-) I need some way of "authentication", and the one I'm trying to perform is mail header checking: more precisely, "From:" checking. My MTA would think: "Oh, yeah, by default I don't relay at all. But somebody (no matter the IP the mail comes from) wants me to send an email whose sender address is user@ccc.com. This means I'm dealing with one of our customers trying to send his/her mail and I must allow it!".

I know this isn't very secure, as I said in the former post, because then anyone could send mail through my server, talking to the MTA and saying "I'm xxxx@ccc.com and want to send spam". Anyway (and this is in response to Holger's post) the real approach is that I'm not going to relay the whole ccc.com domain but particular_user@ccc.com. This is also trivially exploitable, but at least somewhat more restrictive. Moreover, I usually have a look at the logs; if a spammer tries to abuse my server, I'll notice it.

There are other auth methods; I think some (if not all) of them are implemented in newer sendmail versions, though. For instance, a kind of password ("auth" command, I think, but don't trust me), smtp after pop (you have to pop into your account [user xxx, pass yyy -> ok], then you can do smtp inside a time interval), etc. I also want to try them, but 1st I want to succeed in the header-checking attempt.

> want to permit people from external locations to relay through your server (which from your story I think you want to do) you want to look at authenticated relaying. SuSE's default version won't do this I think (if I'm not mistaken the feature was included in sendmail 8.11.0, but I might be wrong). Anyway, if you get the newest source from sendmail.org, it will support this feature. Look at the {install_directory}/cf/README file, it has info on both SMTP authentication and STARTTLS.

Yes, it's perhaps the best solution. I like to try all possibilities and then choose. It's the best way of learning. No way is discarded.

Thanks for your answers. But I still need more help. My problem remains unresolved.

Kind regards,
Román.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
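
The relay decision discussed in this thread, as an added example that is not part of the original message and is a simplified model rather than sendmail's own code: it parses a constructed access table (placeholder addresses and domains) and compares the default check on client IP and recipient domain with the sender-address rule the poster asks for. The function names and the `trust_sender` switch are hypothetical.

```python
# Simplified model of an MTA relay check; not sendmail's implementation.
# Constructed access table in the "key  value" layout of /etc/mail/access.
# All addresses and domains are placeholders (IPv4 only).
ACCESS_TEXT = """
192.0.2             RELAY
ccc.example         RELAY
user@ccc.example    RELAY
"""

def parse_access(text):
    """Return {lowercased key: action}, skipping blank and comment lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table

def ip_relayed(table, client_ip):
    """Client address, or a leading-octet prefix of it, is marked RELAY."""
    octets = client_ip.split(".")
    return any(table.get(".".join(octets[:n])) == "RELAY" for n in (4, 3, 2, 1))

def domain_relayed(table, address):
    """Domain of the address, or a parent domain, is marked RELAY."""
    labels = address.rsplit("@", 1)[-1].lower().split(".")
    return any(table.get(".".join(labels[i:])) == "RELAY" for i in range(len(labels)))

def decide(table, client_ip, mail_from, rcpt_to, trust_sender=False):
    """Default: relay only for a listed client IP or recipient domain.
    trust_sender (hypothetical switch) also accepts a listed sender address,
    which is a value the connecting client supplies itself."""
    if ip_relayed(table, client_ip) or domain_relayed(table, rcpt_to):
        return "relay"
    if trust_sender and table.get(mail_from.lower()) == "RELAY":
        return "relay"
    return "reject"

TABLE = parse_access(ACCESS_TEXT)

if __name__ == "__main__":
    cases = [  # (client IP, sender, recipient), all constructed
        ("192.0.2.10", "a@x.example", "b@other.example"),
        ("203.0.113.7", "a@x.example", "user@ccc.example"),
        ("203.0.113.7", "user@ccc.example", "b@other.example"),
        ("198.51.100.99", "user@ccc.example", "b@other.example"),
    ]
    for ip, frm, rcpt in cases:
        print(ip, frm, rcpt, decide(TABLE, ip, frm, rcpt),
              decide(TABLE, ip, frm, rcpt, trust_sender=True))
```

The last two cases differ only in client IP and give the same result once the sender address is trusted, which is the weakness the message itself points out.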