Hi all,
I've been trying to hit on the right configuration combo to allow relaying from specific users and/or domains to an internal box running Sendmail.
Reading the docs at http://www.sendmail.org/m4/anti_spam.html#relay and http://www.sendmail.org/m4/anti_spam.html#access_db_fine
It would appear that I should be able to allow per-address relaying in /etc/mail/access by enabling
FEATURE(`relay_mail_from')dnl
in sendmail.mc and restarting Sendmail. Then adding test@testdomain.com to /etc/access as:
From:test@testdomain.com RELAY
Should allow relaying FROM this address, yet it doesn't seem to work for me on a CentOS 4.4 system and I can't quite hit on why.
My full sendmail.mc is...
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
dnl # $Id: sendmail.mc,v 1.3 2006/05/09 10:48:40 root Exp $
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`SMART_HOST',`mailscanner.testdomain.com')
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`relay_mail_from')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.24.112,Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`willspc')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
In my maillog I just see...
Dec 20 12:10:48 willspc sendmail[24558]: kBKCAlG2024558: ruleset=check_rcpt, arg1=wmcdonald@gmail.com, relay=nectarine [192.168.24.111], reject=550 5.7.1 wmcdonald@gmail.com... Relaying denied
Dec 20 12:10:48 willspc sendmail[24558]: kBKCAlG2024558: from=test@testdomain.com, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=nectarine [192.168.24.111]
Am I missing something obvious/stupid? I would have thought Sendmail would've accepted and relayed it to its smart host. Switching to "FEATURE(`relay_entire_domain')" works but seems a bit extreme.
Will.
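Added example (not part of the original post): a small Python parser that joins each check_rcpt rejection to the from= line with the same queue ID, so every "Relaying denied" is reported with its envelope sender and connecting host. The sample reuses the two maillog lines quoted above plus one constructed line; the function name is an assumption.

```python
import re
from collections import defaultdict

# First two lines are the maillog lines quoted in the post; the third is constructed.
SAMPLE_LOG = """\
Dec 20 12:10:48 willspc sendmail[24558]: kBKCAlG2024558: ruleset=check_rcpt, arg1=wmcdonald@gmail.com, relay=nectarine [192.168.24.111], reject=550 5.7.1 wmcdonald@gmail.com... Relaying denied
Dec 20 12:10:48 willspc sendmail[24558]: kBKCAlG2024558: from=test@testdomain.com, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=nectarine [192.168.24.111]
Dec 20 12:11:02 willspc sendmail[24560]: kBKCB2G2024560: from=user@example.org, size=512, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=nectarine [192.168.24.111]
"""

# "sendmail[pid]: <queue id>: <key=value fields>"
LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
REJECT = re.compile(
    r"ruleset=check_rcpt, arg1=(?P<rcpt>[^,]+), relay=(?P<relay>.*?), "
    r"reject=.*Relaying denied"
)
FROM = re.compile(r"from=(?P<sender>[^,]+),")


def relay_denials(log_text):
    """Return one dict per denied recipient, joined to its sender by queue ID."""
    rejects = defaultdict(list)   # qid -> [(rcpt, relay), ...]
    senders = {}                  # qid -> envelope sender
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        rej = REJECT.match(rest)
        if rej:
            rejects[qid].append((rej.group("rcpt"), rej.group("relay")))
        frm = FROM.match(rest)
        if frm:
            senders[qid] = frm.group("sender")
    return [
        {"qid": qid, "sender": senders.get(qid, "?"), "rcpt": rcpt, "relay": relay}
        for qid, items in rejects.items()
        for rcpt, relay in items
    ]


if __name__ == "__main__":
    for row in relay_denials(SAMPLE_LOG):
        print(row)
```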
Quoting Will McDonald wmcdonald@gmail.com:
> Hi all,
> I've been trying to hit on the right configuration combo to allow relaying from specific users and/or domains to an internal box running Sendmail.
> Reading the docs at http://www.sendmail.org/m4/anti_spam.html#relay and http://www.sendmail.org/m4/anti_spam.html#access_db_fine
> It would appear that I should be able to allow per-address relaying in /etc/mail/access by enabling
> FEATURE(`relay_mail_from')dnl
> in sendmail.mc and restarting Sendmail. Then adding test@testdomain.com to /etc/access as:
> From:test@testdomain.com RELAY
> Should allow relaying FROM this address, yet it doesn't seem to work for me on a CentOS 4.4 system and I can't quite hit on why.
Have you rebuilt access.db? (makemap hash access.db < access)
BTW, if the system in question is accessible from the Internet, what you are doing is a bad idea. You are allowing anybody to send spam through your system by simply using a specific return address.
A better way to do it would be to enable authentication in Sendmail.
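Added example (not from the thread or from Sendmail): an audit of the access map for the risk described above. It lists the entries that grant RELAY on the envelope sender alone, and only when relay_mail_from is active in sendmail.mc. The sample map, the .mc snippet and all function names are constructed for illustration.

```python
import re

# Constructed inputs: the thread's access entries plus made-up ones for contrast.
SAMPLE_MC = """\
dnl FEATURE(`relay_entire_domain')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`relay_mail_from')dnl
"""
SAMPLE_ACCESS = """\
# constructed sample
localhost               RELAY
127.0.0.1               RELAY
From:test@testdom.com   RELAY
From:example.org        RELAY
Connect:192.168.24      RELAY
To:abuse@example.net    REJECT
"""
TAGS = ("From:", "To:", "Connect:")


def feature_enabled(mc_text, name):
    """True if FEATURE(`name'...) starts a line, i.e. is not commented out with dnl."""
    pat = re.compile(r"\s*FEATURE\(`?" + re.escape(name) + r"'?\s*[,)]")
    return any(pat.match(line) for line in mc_text.splitlines())


def parse_access(text):
    """Yield (tag, key, value) per entry; tag is '' for untagged keys."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # key without a value: skip
        lhs, value = parts
        tag = next((t for t in TAGS if lhs.startswith(t)), "")
        yield tag, lhs[len(tag):], value.strip()


def sender_relay_entries(mc_text, access_text):
    """Entries that let any client relay by claiming a listed envelope sender."""
    if not feature_enabled(mc_text, "relay_mail_from"):
        return []
    return [
        {"key": key, "scope": "address" if "@" in key else "domain"}
        for tag, key, value in parse_access(access_text)
        if tag == "From:" and value.upper() == "RELAY"
    ]
```

Each entry returned is a sender that any connecting client can claim, so the list should stay short and the listener should stay off Internet-facing interfaces.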
On 20/12/06, Aleksandar Milivojevic alex@milivojevic.org wrote:
>> I've been trying to hit on the right configuration combo to allow relaying from specific users and/or domains to an internal box running Sendmail.
>> FEATURE(`relay_mail_from')dnl
>> in sendmail.mc and restarting Sendmail. Then adding test@testdomain.com to /etc/access as:
>> From:test@testdomain.com RELAY
>> Should allow relaying FROM this address, yet it doesn't seem to work for me on a CentOS 4.4 system and I can't quite hit on why.
Hi Alex.
> Have you rebuilt access.db? (makemap hash access.db < access)
I have, yes. There's the default Makefile in /etc/mail and I just run make after changing the plain-text file.
> BTW, if the system in question is accessible from the Internet, what you are doing is a bad idea. You are allowing anybody to send spam through your system by simply using a specific return address.
It's OK, it's not. This is strictly for relaying for internal customers.
> A better way to do it would be to enable authentication in Sendmail.
I know, unfortunately I have a couple of thousand non-technical users already set up and I can't disrupt those.
Will.
Quoting Will McDonald wmcdonald@gmail.com:
> On 20/12/06, Aleksandar Milivojevic alex@milivojevic.org wrote:
>>> I've been trying to hit on the right configuration combo to allow relaying from specific users and/or domains to an internal box running Sendmail.
>>> FEATURE(`relay_mail_from')dnl
>>> in sendmail.mc and restarting Sendmail. Then adding test@testdomain.com to /etc/access as:
>>> From:test@testdomain.com RELAY
>>> Should allow relaying FROM this address, yet it doesn't seem to work for me on a CentOS 4.4 system and I can't quite hit on why.
> Hi Alex.
>> Have you rebuilt access.db? (makemap hash access.db < access)
> I have, yes. There's the default Makefile in /etc/mail and I just run make after changing the plain-text file.
That's strange. I've just tested it on one of my boxes, and the relay_mail_from feature worked as advertised. Have you rebuilt sendmail.cf after editing sendmail.mc and before restarting Sendmail? (m4 sendmail.mc > sendmail.cf)
> I know, unfortunately I have a couple of thousand non-technical users already set up and I can't disrupt those.
Hm, if the same system is their IMAP/POP3 server too, you could configure Sendmail to use the same password source. It should not prompt them for passwords when sending mails (since it's the same server, same account name, same password, and they already entered it when accessing IMAP or POP3). Then you just tell those that need to send email with outside domains in "from" to make sure "use username and password" is checked in their mail client (if not already checked, some clients default to authenticating to the SMTP server). Hopefully it wouldn't be too much of a disruption.
On Wednesday 20 December 2006 08:30, Aleksandar Milivojevic wrote:
>> I know, unfortunately I have a couple of thousand non-technical users already set up and I can't disrupt those.
> Hm, if the same system is their IMAP/POP3 server too, you could configure Sendmail to use the same password source. It should not prompt them for passwords when sending mails (since it's the same server, same account name, same password, and they already entered it when accessing IMAP or POP3). Then you just tell those that need to send email with outside domains in "from" to make sure "use username and password" is checked in their mail client (if not already checked, some clients default to authenticating to the SMTP server). Hopefully it wouldn't be too much of a disruption.
I can relate to Mr. McDonald, telling a few non-technical users to make sure "use username and password" is checked is nowhere near as you make it sound. Many most likely don't even know how to get into their mail settings.
Pop-before-smtp might save you a lot of trouble. It's a small program to auto-populate and remove (after a set time) IPs from a separate sendmail access DB that are pulled from the pop authentication logfile. That way, as long as a user has popped mail within 15 minutes or so, they are OK to send through the server.
Karan's repo (http://centos.karan.org/) has a package built from Fedora Extras.
On 20/12/06, Kevan Benson kbenson@a-1networks.com wrote:
> On Wednesday 20 December 2006 08:30, Aleksandar Milivojevic wrote:
>>> I know, unfortunately I have a couple of thousand non-technical users already set up and I can't disrupt those.
With a few pointers from Aleksandar I got this sorted. I started today with a clean slate and it's working, to be honest I'm not 100% sure what's changed this time round, possibly just that I'm a bit more clear headed in the light of day. :)
<------------------sendmail.mc------------------------->
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
dnl # $Id: sendmail.mc,v 1.3 2006/05/09 10:48:40 root Exp $
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`SMART_HOST',`mailscanner.somedomain.com')
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`relay_mail_from')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.24.112,Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`willspc')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
<------------------sendmail.mc------------------------->
And
<------------------access------------------------->
#
# $Id: access,v 1.2 2006/12/21 11:02:53 root Exp $
#
localhost RELAY
127.0.0.1 RELAY
From:test@testdom.com RELAY
<------------------access------------------------->
Will.