Hi Stefan & All:
The nice ppl @ sendmail.org pointed me to the right URL:
http://www.sendmail.org/~ca/email/roaming.html
The response is: RELAY_MAIL_FROM :-)
However, this feature isn't available in version 8.9.3 of sendmail.
The same goes for other solutions (like the AUTH command).
I'll have to download the latest sendmail src and compile it myself. I
think SuSE should launch new .rpm's in the updates section since version
8.9.3 is old and you lose security features like the AUTH command.
The other solution is the hack provided by Martin Hermanowski.
On Sun, 19 Nov 2000, RoMaN SoFt / LLFB!! wrote:
:-? /me doesn't understand :) Then... what is the /etc/mail/access file intended for? The above statement isn't true: you canNOT "always" send mail to any user at any domain. This is what the relay check is intended for. If you're not connecting to sendmail (I'm assuming a remote user connecting to the mta's port 25) from an ip address "which is relayed" (e.g. listed in /etc/mail/access as RELAY) or you try to send mail to a domain which isn't relayed, sendmail denies/rejects this send-attempt. However your statement is true for old sendmails, where the default behaviour is RELAY all (spammer's paradise ;-)).
From the SuSE default access file:
# With this file you can control the access
# to your mail server.
If you are sending from inside your own domain (which is what I understood from your first mail) and have got sendmail set up right, then unless you specifically block connections elsewhere you CAN send mail anywhere. But I guess what you meant to say was that ccc.com is now a domain your mailserver accepts mail for, i.e. anyone can send mail through your server for a user in the ccc.com domain. So I guess we misunderstood each other. What you mean is that the mailserver doesn't relay to any user by default, which is of course trivially true if you set it up right.
Yes. I knew that. SuSE 6.4 doesn't have the /etc/mail/relay-domains file created (btw, you could create it; sendmail would use it since it's pointed in /etc/sendmail.cf). Perhaps they prefer to use the access file with RELAY "command"... I think you get the same behaviour. Hope I'm not wrong here.
No, you're not. I don't know if SuSE uses it, since I don't use SuSE's default configuration. In general I use relay-domains when I want to relay an entire domain, access can be used for more detailed tuning if necessary.
That's the problem. This is NOT what I want to achieve. The above behaviour would imply my clients connect ALWAYS from an IP or IP range belonging to ccc.com domain, which is NOT my intention.
I summarize: I want my clients connecting from *ANY* IP. At first sight, this implies an open relay mta and perhaps my site included in a spam black-list, which is not my desire ;-) I need some way of "authentication", and the one I'm trying to perform is mail's header checking: more precisely, "From:" checking.
From checking is not an option here, since as you already said spoofing it is trivial. If you want to enable relaying from anywhere and stay out of ORBS, you need authentication.
I know this isn't very secure, as I said in a former post, because then anyone could send mail through my server, talking to the mta and saying "I'm xxxx@ccc.com and want to send spam". Anyway (and this is in response to Holger's post) the real approach is that I'm not going to relay all of the ccc.com domain but particular_user@ccc.com. This is also trivially exploitable, but at least somewhat more restrictive. Moreover, I usually have a look at the logs; if a spammer tries to abuse my server, I'll notice it.
As will the postmaster receiving the thousands of spam mails your server would have let through by then. I really hope you don't believe checking your logs is sufficient.
There are other auth methods, I think any (if not all) of them are implemented in newer sendmail versions, though. For instance, a kind of password ("auth" command, I think, but don't trust me), smtp after pop (you have to pop into your account [user xxx, pass yyy -> ok], then you can do smtp inside a time interval), etc. I also want to try them, but 1st I want to succeed in the header checking attempt.
See SMTP auth in the mentioned README.
Thanks for your answers. But I still need more help. My problem remains unresolved.
Again, see the README.
Kind regards, Román.
good luck,
Stefan
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ** RoMaN SoFt / LLFB ** roman@madrid.com http://pagina.de/romansoft ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
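
Added example (not part of the original thread, and not sendmail's own code): a simplified Python model of the relay decision discussed above, showing why a RELAY_MAIL_FROM-style sender check admits any client that merely claims a listed sender address. The access entries, IP addresses and function names are constructed for illustration.

```python
# Simplified model of an access-map relay decision (an assumption-laden
# sketch, not sendmail's implementation). All entries are constructed samples.
ACCESS = {
    "192.168.1": "RELAY",                # client network (octet-boundary prefix)
    "ccc.com": "RELAY",                  # domain the server accepts mail for
    "particular_user@ccc.com": "RELAY",  # sender entry, used only with relay_mail_from
}

def _client_is_relayed(ip):
    # Try the full address, then progressively shorter octet prefixes.
    parts = ip.split(".")
    return any(ACCESS.get(".".join(parts[:n])) == "RELAY" for n in range(4, 0, -1))

def _rcpt_domain_is_relayed(addr):
    # Match the recipient's domain or any parent domain.
    labels = addr.rsplit("@", 1)[-1].lower().split(".")
    return any(ACCESS.get(".".join(labels[i:])) == "RELAY" for i in range(len(labels)))

def _sender_is_relayed(addr):
    # The envelope sender is whatever the client typed after MAIL FROM:
    # nothing in plain SMTP proves the client owns that address.
    return ACCESS.get(addr.lower()) == "RELAY"

def relay_decision(client_ip, mail_from, rcpt_to, relay_mail_from=False):
    if _client_is_relayed(client_ip):
        return "relay: client address"
    if _rcpt_domain_is_relayed(rcpt_to):
        return "relay: recipient domain"
    if relay_mail_from and _sender_is_relayed(mail_from):
        return "relay: envelope sender (unauthenticated claim)"
    return "reject: relaying denied"

if __name__ == "__main__":
    cases = [
        ("192.168.1.7", "a@x.example", "b@y.example", False),
        ("203.0.113.9", "a@x.example", "bob@ccc.com", False),
        ("203.0.113.9", "particular_user@ccc.com", "b@y.example", False),
        ("203.0.113.9", "particular_user@ccc.com", "b@y.example", True),
    ]
    for ip, frm, to, rmf in cases:
        print(ip, frm, to, "relay_mail_from=%s" % rmf, "->",
              relay_decision(ip, frm, to, relay_mail_from=rmf))
```

The last two cases differ only in the `relay_mail_from` switch: the same outside client is rejected without it and relayed with it, which is why the thread points to SMTP AUTH instead.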