SUMMARY Preventing relay - sendmail 8.8.8

From: Paul N. Youngblood <youngbp_at_email.uah.edu>
Date: Fri, 24 Apr 1998 18:39:22 -0500 (CDT)

Hello managers,

Thanks VERY MUCH to the following for taking the time to
send helpful replies with lots of good information !!!
I found your instructions to be extremely useful.

   Richard L Jackson Jr <rjackson_at_portal.gmu.edu>
   Steven Johnson (BUS) <johnson_at_bayflash.stpt.usf.edu>
   Richard Sharpe <sharpe_at_ns.aus.com>
   Jorge Granjal <jgranjal_at_dei.uc.pt>
   Steve VanDevender <stevev_at_hexadecimal.uoregon.edu>

Additionally, thanks to these for helpful hints:
   Anthony Talltree <aad_at_nwnet.net>
   Martin Mokrejs <mmokrejs_at_prfdec.natur.cuni.cz>

My original question is at the very end of this SUMMARY.

The following is what worked for my particular Digital UNIX
box (our campus mail server). Please note that this system
is an AlphaServer 2100 running DU 4.0B, Enhanced Security,
and sendmail 8.8.8. It is not part of any kind of cluster and
doesn't run NFS or NIS, if that makes any difference.

We ended up using three separate
HACKs in our .mc file, all written by Claus Assmann: HACK(use_ip),
HACK(use_relayto), and HACK(check_rcpt4). (Thank you, Claus !!)
I know that there are plenty of HACKs offered by Claus to allow
you to tailor your sendmail and protect against SPAM in many
ways. And as I learn more, I plan to use more of these. But
for now, these three have done what we need.

These three HACKs enabled us to: (1) stop all relaying THROUGH
our domain (uah.edu) from the outside world, (2) allow relaying
WITHIN our domain, and (3) keep most of our POP users happy.

Please see below my descriptions of each of the three HACKs,
plus how I obtained and installed them. I wish I could have
done more than guess as to the specific function of each of
these HACKs. I do know that all three, when used together,
function as I describe. I searched the www.sendmail.org web
page and its links to other pages, Claus's web page, the
sendmail "bat" book, etc., but could find no clear explanation
of EXACTLY what each allows and does not allow. This is
especially true for the check_rcpt4 hack. I guess I'll just
have to learn how to read sendmail.cf "lingo" myself in order
to discover what the rules in these hacks actually do.
<<< If any of you can enlighten me on the specifics of >>>
<<< these three hacks (exactly what each does allow, >>>
<<< what each prevents) I'll be glad to post a SUMMARY-2.>>>

**WARNING** The following information is bound to be very
elementary and boring to all sendmail/network gurus.
(Since I am a novice at sendmail, I personally would have
found the following summary to be extremely valuable in
helping me understand how to configure anti-relaying and
anti-SPAM measures. So, I hope it helps some of you.)

Here's an additional note about how our POP users were
affected by the way I configured (see below) these HACKs
in our sendmail: (1) Those POP client users attached to our
campus network (i.e. physically within our domain) were
unaffected -- that is, those who had their POP client software
pointing to this email server as both their "incoming (POP/IMAP)
mail server" and their "outgoing (SMTP) mail server" BEFORE I
configured these HACKs into sendmail, noticed no difference
AFTER the change. (2) Also, those POP client users located off
campus (i.e. physically outside our domain) were likewise
unaffected *IF* they had previously been using this email server
as the "incoming server" and a DIFFERENT server for "outgoing"
mail. (3) However, those off-campus POP client users who had
been using this server for both incoming and outgoing mail are
now unable to send mail to anyone that doesn't have a username
on this server. (That is good because we do not want to allow
anyone outside our domain to relay thru this server.)

 ------------------------------------------------------
 ------- HOW I GOT THE HACKS AND CONFIGURED THEM ------
 ------------------------------------------------------
From Claus Assmann's web page at:
   http://www.informatik.uni-kiel.de/%7Eca/email/check.html
I downloaded this file named "check.tar":
   http://www.informatik.uni-kiel.de/%7Eca/email/rules/check.tar

Restoring the tar file to some temporary location yields a
directory named "hack" containing some "xxxx.m4" files. I copied
all of these .m4 files to the hack subdirectory of my sendmail
v8.8.8 "build" area. For example, if I had parked my original
sendmail v8.8.8 distribution in the directory "/my_build", and
then unfolded and made/installed it there, my sendmail hack
subdirectory would be "/my_build/sendmail-8.8.8/cf/hack".

I added three lines (referencing the HACKs that I decided to use)
to the end of our server's .mc file (paul-osf1.mc). This .mc file
is sitting in the directory /my_build/sendmail-8.8.8/cf/cf with
all the other "generic-xxxx.mc" files that came with the v8.8.8
distribution. Here is a copy of it. Notice that our .mc file is
an exact copy of the file "generic-osf1.mc" except for the three
lines I added at the bottom. (The generic-osf1.mc file worked
just fine for us, both before and after adding the HACKs.)
-----------------------
VERSIONID(`@(#)generic-osf1.mc 8.3 (Berkeley) 3/23/96')
OSTYPE(osf1)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
HACK(use_ip)dnl
HACK(use_relayto)dnl
HACK(check_rcpt4)dnl
----------------------

The use_ip HACK requires the existence of a file named
(by default) /etc/mail/LocalIP. This should contain the
IP addresses or nets of systems which can SEND mail through
your server (to anyplace?). In it I put the single line:
146.229
to accept mail for relaying only from hosts within our
class B IP address. If you want to put the file somewhere
else or use a different name than the default, the entry in
your server's .mc file would look something like this:
HACK(use_ip, /etc/LocalIP.txt)dnl
where /etc/LocalIP.txt is the non-default file name/location.

The use_relayto HACK requires the existence of a file named
(by default) /etc/mail/RelayTo. It should contain domain
names and host names of systems which can RECEIVE mail (from
anyplace?) through your server. In it I put the one line:
uah.edu
to accept mail for relaying to systems in our domain. Again,
you can change the default name/location of the file RelayTo
by changing the .mc entry, similar to the above example.

The check_rcpt4 HACK did not require an additional file (other
than what had already been created for the above hacks). My
impression of this one is that it is required to stop the other
two hacks from being too relay-restrictive EITHER on mail
coming in from the outside world, OR on mail going out to the
world -- I don't know which. Of course, this is just a guess
on my part. (Somebody send me corrections for a SUMMARY-2 if
you know what check_rcpt4 really does.) Anyway, I AM sure
that I need it for our config.

Finally, to build a new sendmail config file with the new
anti-relay rules specified in my .mc file (paul-osf1.mc),
and get sendmail to use it, I did the following:

# cd /my_build/sendmail-8.8.8/cf/cf
# m4 ../m4/cf.m4 paul-osf1.mc > paul-sendmail.cf
# cp /etc/sendmail.cf /etc/sendmail.cf.old
# cp paul-sendmail.cf /etc/sendmail.cf
# /sbin/init.d/sendmail stop
# /sbin/init.d/sendmail start

Then I watched my currently active mail.log file to make sure
the new rule sets were behaving as expected. For example:
# tail /var/adm/syslog.dated/22-Apr-18:04/mail.log
or you could search the log just to see what gets rejected:
# grep reject /var/adm/syslog.dated/22-Apr-18:04/mail.log
If I saw that the new config was not behaving as I expected,
I could just copy the old sendmail.cf back to sendmail.cf
and restart sendmail.

Regards,
Paul Youngblood
email: youngbloodp_at_uah.edu

-----------------------------------------------------
   --- original posting --- original posting ---
-----------------------------------------------------

Subject: Preventing relay - sendmail v8.8.8

Hello system admins,

Currently, I've got sendmail 8.8.8 running on DU 4.0B.
Also, I do not run NIS. I want to prevent anyone from using
my AlphaServer as a mail relay, except for users within my
domain. For example, if my server lives at 123.456.7.899,
and I want to prevent anyone outside of 123.456 from relaying
email thru my server, are the following two hacks in my .mc file
ALL that m4 requires to accomplish this: (I understand that these
lines reference properly created data files, etc, but are these
THE two critical lines required in the .mc file) ???

   HACK(use_ip)
   HACK(check_rcpt4)

I've checked out www.sendmail.org, anti-spam sites, etc, and
I'm still not completely clear about this. I think this will
do the job, but would like some confirmation.
Thanks for helping. I'll summarize.

Paul Youngblood
University of Alabama in Huntsville
email: youngbloodp_at_uah.edu
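The following is an added example, not part of the summary above and not Claus Assmann's actual HACK rules: it models the relay policy the summary describes (a client inside a LocalIP prefix may relay anywhere; any other client is accepted only for recipients in a RelayTo domain; everything else is rejected) so the three POP-user outcomes can be checked against constructed cases. The file contents and client addresses are constructed; the function and file names are assumptions.

```python
"""Model of the anti-relay policy described in the summary (added example).
A connecting host inside a LocalIP prefix may relay to anywhere; any other
host is accepted only for recipients in a RelayTo domain (local delivery),
and every other RCPT TO is rejected as relaying."""

# Constructed file contents, mirroring the single lines the author put in
# /etc/mail/LocalIP and /etc/mail/RelayTo (blank and '#' lines are ignored).
LOCAL_IP_FILE = "146.229\n"
RELAY_TO_FILE = "uah.edu\n"


def parse_list(text):
    """Return the non-empty, non-comment lines of a LocalIP/RelayTo file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def ip_in_prefix(ip, prefix):
    """True if dotted-quad `ip` starts with `prefix` on an octet boundary,
    so '146.229' matches 146.229.1.2 but not 146.22.9.1 or 1146.229.0.1."""
    ip_octets, pre_octets = ip.split("."), prefix.split(".")
    return 0 < len(pre_octets) <= 4 and ip_octets[:len(pre_octets)] == pre_octets


def domain_in_list(domain, allowed):
    """True if `domain` equals an allowed domain or is a subdomain of it
    (label boundary), so 'uah.edu' covers cs.uah.edu but not notuah.edu."""
    d = domain.lower().rstrip(".")
    return any(d == a.lower() or d.endswith("." + a.lower()) for a in allowed)


def relay_decision(client_ip, rcpt, local_ip=LOCAL_IP_FILE, relay_to=RELAY_TO_FILE):
    """Return ('accept', reason) or ('reject', reason) for one RCPT TO."""
    if any(ip_in_prefix(client_ip, p) for p in parse_list(local_ip)):
        return ("accept", "client inside LocalIP; may relay anywhere")
    domain = rcpt.rpartition("@")[2] if "@" in rcpt else ""
    if domain == "" or domain_in_list(domain, parse_list(relay_to)):
        return ("accept", "recipient in RelayTo (local delivery)")
    return ("reject", "Relaying denied: outside client to outside recipient")


if __name__ == "__main__":
    # Constructed cases matching the three POP-user outcomes in the summary.
    for ip, rcpt in [("146.229.10.5", "friend@example.com"),   # on-campus user
                     ("192.0.2.44", "someone@uah.edu"),        # off-campus to local user
                     ("192.0.2.44", "friend@example.com")]:    # off-campus relay attempt
        print(ip, rcpt, *relay_decision(ip, rcpt))
```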
Received on Sat Apr 25 1998 - 01:36:35 NZST
