From: Matthew Seaman <m.seaman@inpharmatica.co.uk>
Date: Wed, 23 Dec 1998 15:10:23 +0000
To: Dag-Erling Smorgrav
CC: security@FreeBSD.ORG
Subject: Re: Sendmail configuration

Dag-Erling Smorgrav wrote:
>
> I have a box where Sendmail needs to run as a kind of proxy: all mail
> it receives destined to a specific domain should be forwarded to
> another host (which is not listed as MX for that domain), while all
> mail received *from* that host should be relayed to its recipient.
> Other than that, all relaying should be blocked. Do any of you have an
> idea of how to do this with Sendmail 8.8.8 (FreeBSD 2.2.7)?

BTDT.

Assuming this sendmail is also handling mail for other domains, or that
you want it to do spam filtering (otherwise you'd be using the SMTP proxy
from FWTK, eh?), then you need to do these things:

i) Enable MAILERTABLE: e.g. add this to the .mc file

    FEATURE(mailertable, `hash -o /etc/mail/mailertable')dnl

ii) Add entries to the mailertable to relay all of the e-mail for the
domain in question (and any sub-domains thereof):

    domain.com      relay:[mailhost.domain.com]
    .domain.com     relay:[mailhost.domain.com]

Generate the hashed table with makemap:

    makemap hash mailertable < mailertable

Nb. the [square brackets] suppress sendmail's normal MX lookup behaviour
--- you will need some sort of hostname to address translation for
mailhost.domain.com, but that can probably be provided out of /etc/hosts
via the /etc/service.switch mechanism if you can't use DNS.

iii) Set up a standard anti-relay configuration. Personally I use Claus
Assmann's check_* rulesets
(http://www.informatik.uni-kiel.de/~ca/email/check.html) --- the beta
version (http://www.informatik.uni-kiel.de/~ca/email/rules/beta/check.tar)
is quite usable and has a cleaner configuration than the release version
IMHO. Unpack the tarball in /usr/src/usr.sbin/sendmail/cf --- most files
will end up in the `hack' directory --- and edit the .mc file
appropriately.

Here's what I use: this also enables RBL and is set up to send any local
e-mail from the relay onto the mailhost:

    divert(0)dnl
    VERSIONID(`@(#)mailrelay.mc $Revision$')
    OSTYPE(bsd4.4)dnl
    DOMAIN(generic)dnl
    define(`MAIL_HUB', `relay:mailhost.domain.com')dnl
    define(`confPRIVACY_FLAGS', `goaway,restrictmailq,restrictqrun')dnl
    define(`confDEF_USER_ID', `6:6')dnl
    define(`confCW_FILE', `-o /etc/sendmail.cw')dnl
    MAILER(local)dnl
    MAILER(smtp)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(mailertable, `hash -o /etc/mail/mailertable')dnl
    define(`_MAPS_RBL_')dnl
    define(`_CHECK_FROM_')dnl
    define(`_CHECK_FULL_FROM_')dnl
    define(`_DNSVALID_')dnl
    define(`_IP_LOOKUP_')dnl
    define(`_USE_RELAY_MAILERTABLE_', `/etc/mail/mailertable')dnl
    define(`_CHECK_MAP_TYPE_', `hash')dnl
    define(`_MARK_')dnl
    HACK(use_names)dnl
    HACK(use_ip)dnl
    HACK(use_relayto)dnl
    HACK(check_mail3)dnl
    HACK(check_relay3)dnl
    HACK(check_rcpt4)dnl

iv) Set up the various anti-relay and anti-spam tables:

Lists of IP numbers/domains to be considered local and thus allowed to
relay through the mailer:

    /etc/mail/LocalIP
    /etc/mail/LocalNames

List of domains to which anyone can relay via this mailer:

    /etc/RelayTo

Hashed lookup table of banned domains or IP number ranges, possibly with
personalized rejection message...

    /etc/mail/junk.db

e.g.

    CYBERPROMO.COM:dom  "501 Access from this domain is denied because of spamming"
    205.199.2:net       "550 Access for your IP block is denied because of spamming"

And that's basically it...

	Matthew

--
Certe, Toto, sentio nos in Kansate non iam adesse.

Matthew Seaman
Inpharmatica Ltd, 60 Charlotte St, London, W1P 2AX
Tel: +44 171 631 4644 x229   Fax: +44 171 631 4844
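The mailertable lookup order is what makes the two entries in step ii) necessary: sendmail tries the recipient's full domain first, then each shorter suffix with a leading dot, so `.domain.com` matches sub-domains only and `domain.com` itself needs its own line. The following added example (not part of the original mail, and not sendmail code) emulates that lookup and the `[bracket]` MX-suppression syntax over a constructed copy of the table, so the routing can be checked without a running sendmail; the function names are this example's own.

```python
"""Emulate sendmail's mailertable search order (added example, not
from the original post).  Sendmail looks up the recipient's domain
as given, then strips one leading label at a time and looks for the
remainder prefixed with a dot.  A value of the form relay:[host]
means "deliver to host with no MX lookup"."""
from typing import Dict, Optional, Tuple

# Constructed copy of the two mailertable lines shown in the post.
MAILERTABLE_TEXT = """\
# recipient domain     mailer:target
domain.com             relay:[mailhost.domain.com]
.domain.com            relay:[mailhost.domain.com]
"""


def parse_mailertable(text: str) -> Dict[str, str]:
    """Return {lookup key: 'mailer:target'}, skipping blanks and comments."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def lookup_keys(domain: str) -> list:
    """Keys in the order sendmail tries them: a.b.c -> a.b.c, .b.c, .c"""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels)] + [
        "." + ".".join(labels[i:]) for i in range(1, len(labels))
    ]


def resolve(table: Dict[str, str], domain: str) -> Optional[Tuple[str, str, bool]]:
    """Return (mailer, target_host, do_mx_lookup), or None if the
    domain is not covered by the table (sendmail then routes normally)."""
    for key in lookup_keys(domain):
        if key in table:
            mailer, _, target = table[key].partition(":")
            if target.startswith("[") and target.endswith("]"):
                return mailer, target[1:-1], False   # brackets: skip MX
            return mailer, target, True
    return None


if __name__ == "__main__":
    t = parse_mailertable(MAILERTABLE_TEXT)
    for d in ("domain.com", "mail.eu.domain.com", "example.org"):
        print(d, "->", resolve(t, d))
```

Dropping the bare `domain.com` line and resolving `domain.com` again returns None, which is exactly the gap the post's two-line table avoids.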