Date: Wed, 23 Jul 1997 13:46:44 -0700 (PDT)
From: David Lowe <dlowe@sirius.com>
To: "Darrin R. Woods" <dwoods@netgazer.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: problems with sendmail security hacks
Message-ID: <Pine.NXT.3.95q.970723133424.1385B-100000@ds9>
In-Reply-To: <v03102801affbfa8df778@[208.12.177.224]>

Darrin -

The relay denial rule at www.sendmail.org is not as "nice" as it could
be, and can be terribly inconvenient if you host a lot of domains.  If you
do use it, sendmail.cR should be a file containing domain names which
*are* allowed to relay through your mail server, but are not in the $=w
class (domains which are considered local), i.e.:

foo.com
bar.net

I personally use a different approach, basing my relay allowing on the IP
address of the connecting machine (since we host many, many domain names
and only have a couple dozen class Cs, it's easier to keep track of.  This
also means that a temporary DNS error won't cause relay denial for one of
our clients.)  This would be done via (roughly):

# Netblocks we consider local for relaying purposes
F{LocalIP} /etc/sendmail/LocalIP

...

Scheck_rcpt
# get the client's IP address
R$+			$: $(dequote "" $&{client_addr} $) $| $1
# if it's directly invoked (i.e. alias or .forward - IP is 0) it's ok
R0 $| $*		$@ ok
# if it's one of the class Cs in the LocalIP macro, it's ok
R$={LocalIP}$* $| $*	$@ ok
# we want to check the recipient address next...
R$* $| $*		$: $>3 $2
# if it's in sendmail.cw, it's a local delivery so it's ok
R$*<@$=w.>$*		$@ ok
# Otherwise, we're not responsible
R$*			$#error $@ 5.7.1 $: 571 Relaying Denied

Where the LocalIP file contains either complete or partial network
addresses:

127.0.0.1
10.10
10.11.159

Thanks,

David Lowe

On Wed, 23 Jul 1997, Darrin R. Woods wrote:

> Due to someone at juno.com using our mailserver as a relay we have added
> the sendmail hacks located at sendmail.org to our server.
>
> Question is concerning the 'sendmail.cR' file that checks to see if a user
> is authorized to use the server for outbound mail.  There aren't really any
> instructions on what can be in this file so we've had to do it by trial and
> error.  It seems as though this file will handle host.domains only.  Is
> there any way that we can set it up to use wildcards or better yet, can we
> set it up to handle IP addresses (with possible wildcards here as well).
>
> Does anyone have any experience with this file and what it will take and
> what it won't, or can you point me to a reference.
>
> Thanks in advance.
>
>
> Darrin R. Woods            | "I'm so happy that I, can't stop crying."
> Director Operations        |                        --- Sting
> Netgazer Solutions, Inc.   |
> Dallas, Texas 972.702.9119 | work: http://www.netgazer.net
>
> My employer most whole-heartedly denies everything I say
>
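
The decision order of the check_rcpt rules in the message above, modelled in Python as an added example (not code from the original e-mail or from sendmail). The local domains and test addresses are constructed, and it assumes LocalIP entries match on whole dotted components of the client address.

```python
# Added illustration: a Python model of the check_rcpt decision order.
# Sample domains and addresses below are constructed for the example.

LOCAL_IP = ["127.0.0.1", "10.10", "10.11.159"]     # LocalIP file from the message
LOCAL_DOMAINS = {"example.com", "example.net"}     # constructed stand-in for $=w


def in_local_ip(client_addr, entries=LOCAL_IP):
    """True if a LocalIP entry matches the leading dotted components.

    Assumption: the class match works on whole components, so "10.10"
    covers 10.10.x.x but not 10.100.x.x (a string-prefix test would).
    """
    octets = client_addr.split(".")
    for entry in entries:
        parts = entry.split(".")
        if octets[:len(parts)] == parts:
            return True
    return False


def check_rcpt(client_addr, rcpt, local_domains=LOCAL_DOMAINS):
    """Return "ok" or the 571 rejection, testing in the ruleset's order."""
    # Directly invoked (alias or .forward): client address is 0
    if client_addr == "0":
        return "ok"
    # Connecting machine is inside one of our netblocks
    if in_local_ip(client_addr):
        return "ok"
    # Recipient domain is local, so this is delivery rather than relay
    domain = rcpt.strip("<>").rpartition("@")[2].rstrip(".").lower()
    if "@" in rcpt and domain in local_domains:
        return "ok"
    return "571 Relaying Denied"


if __name__ == "__main__":
    for addr, rcpt in [
        ("10.10.4.7", "someone@example.org"),     # customer relaying out
        ("10.100.4.7", "someone@example.org"),    # similar digits, not ours
        ("192.0.2.25", "user@example.com"),       # inbound to a local domain
        ("192.0.2.25", "someone@example.org"),    # third-party relay attempt
    ]:
        print(addr, rcpt, "->", check_rcpt(addr, rcpt))
```
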