SUMMARY: Sendmail and Relay Restrictions from Burch Seymour RTPS on 1999-02-12 (tru64-unix-managers)

From: Burch Seymour RTPS <bseymour_at_ns.encore.com>
Date: Thu, 11 Feb 1999 14:59:00 -0500 (EST)

Sorry for the long delay in summarizing, but I wanted to be reasonably
certain I had tested this - and that took longer than I thought...

My problem was a large security hole in sendmail due to having field
users pointing their SMTP service at the home office server for
outgoing mail, rather than going through their ISP's mail server. Due
to limits in what you can configure with Sendmail (8.9.0 in my case) I
had to allow relaying from an entire domain - like wcom.net - in order
to get that one user's mail to relay. This opened us up for relay spam
attacks.

Most people rightly suggested that I should just tell them to use their
local ISP. It turned out that the reasons they offered for NOT doing
that were easily resolved.

First - mail from in-house users came to them with no domain so
replying using the local ISP did not work. To fix this I added
FEATURE(always_add_domain) to my config file.

Another user was worried that his return address would show the ISP and
not encore.com. That was fixed by properly configuring his mail program
preferences to reflect the desired 'from' address.

As far as the original question, thanks to Darin Spivey who put me on
the right track to at least reduce the size of the hole for those users
who have not yet moved to their ISP's SMTP service.

If you go to the web page at:

http://www.sendmail.org/~ca/email/chk89-opt.html

You can pick up a set of sendmail rule extensions that allow you
to add

_RELAY_ACCESS_FROM_
Allow relaying based on the envelope FROM address.
This address must be in the access map with a RHS of RELAY.

So by adding the from address and RELAY to my /etc/mail/access.data
file, I can now limit the relaying to a single user. This still leaves
a hole since it's easy for spammers to fake a from address, but it's at
least a much smaller hole until I can get everyone where they should
be.

Again, thanks to all of you who replied with suggestions.

-- 
This message from,		Encore Real Time Computing, Inc.
Burch Seymour                   1700 NW 66th Ave. Suite 103
Senior Software Engineer	Fort Lauderdale, Fl 33313 
email: bseymour_at_encore.com      Vox: (954)377-1128   Fax: (954)377-1140
----------------------------------------------------------------------------

Received on Thu Feb 11 1999 - 19:56:33 NZDT

This archive was generated by hypermail 2.4.0 : Wed Nov 08 2023 - 11:53:39 NZDT