All versions of sendmail 8.8.x have anti-relaying capability, but the configurations supplied with it don't enable it. However, you can enable anti-relaying by following these 4 steps.
Upgrade your sendmail-cf (not sendmail!) package to the one in RH5.0 (which you can do without upgrading your whole system to RH5.0, because it only contains text files). Red Hat 5.0's sendmail-cf package has anti-relaying available; 4.2 does not.
Download ftp://ftp.redhat.com/pub/redhat/redhat-5.0/i386/RedHat/RPMS/sendmail-cf-8.8.7-12.i386.rpm
rpm -Uvh sendmail-cf-8.8.7-12.i386.rpm
Download check.tar and untar it into /usr/lib/sendmail-cf
    cd /usr/lib/sendmail-cf
    tar -xvf /tmp/check.tar
Either just copy /usr/lib/sendmail-cf/cf/redhat.cf to /etc/sendmail.cf, or edit your m4 config file and add the following lines at the end:
    HACK(check_mail3,`hash -a@JUNK /etc/mail/deny')
    HACK(use_ip,`/etc/mail/ip_allow')
    HACK(use_names,`/etc/mail/name_allow')
    HACK(use_relayto,`/etc/mail/relay_allow')
    HACK(check_rcpt4)
    HACK(check_relay3)
Careful with the back-quotation marks - if you are using 'joe' they need to be typed twice. Then rebuild and install a new /etc/sendmail.cf. For example:
    cd /usr/lib/sendmail-cf/cf
    joe ucb.mc        <---- (or vi) to add the 'HACK' lines in
    rm obj/ucb.cf
    pmake ucb.cf
    mv /etc/sendmail.cf /etc/sendmail.cf.orig
    cp obj/ucb.cf /etc/sendmail.cf
Follow the instructions at http://www.informatik.uni-kiel.de/~ca/email/check.html to create the /etc/mail/* files. They all need to be present, even if they are empty:
    mkdir /etc/mail
    touch /etc/mail/ip_allow
    touch /etc/mail/name_allow
    touch /etc/mail/relay_allow
    touch /etc/mail/deny
    makemap hash /etc/mail/deny </etc/mail/deny
Put the IP addresses of machines or networks which you will allow to use your machine as a relay in /etc/mail/ip_allow, for example:
    200.10.194
will allow all machines in 200.10.194.0/24 to relay.
(In fact this may not be necessary. The default rules allow relaying from any name which your host recognises as itself and all subdomains. So in the case of a machine which has 'ucb.edu.bz' in /etc/sendmail.cw, all machines which have reverse DNS lookups of *.ucb.edu.bz will be allowed to relay)
    /etc/rc.d/init.d/sendmail.init stop
    /etc/rc.d/init.d/sendmail.init start
and check that you get no errors displayed. (Whenever you change the /etc/mail/* files you also need to restart sendmail)
Full, but rather cryptic, info on these anti-relaying add-ons is in /usr/lib/sendmail-cf/README.check. Basically, the default is that the machine will only accept mail for local users. But then there are four ways you can relax this:
ip_allow
    gives the IP addresses of hosts which can relay mail through us to any destination (i.e. use us as 'smarthost')
name_allow
    gives the names of hosts which can use us as smarthost (although it is usually better to specify by IP address)
relay_allow
    gives the names of hosts which are allowable relay destinations, i.e. hosts which we will allow any host to relay to (hosts for which we have agreed to act as backup MX)
deny
    allows you to specify E-mail addresses or domains of spammers which we refuse if seen in the MAIL FROM:<> line. This file could get big so it is a hash file; you need to use makemap to generate it. Example:
    cyberpromo.com        "571 Sorry, Spamford, no e-mail from your place."
    honey@sweeties.com    "571 Honey, you're a spammer, go away."
then:
    makemap hash /etc/mail/deny </etc/mail/deny
Beware: you need to put domains in relay_allow for which you are doing mail routing with a mailertable (look at /etc/mailertable); for example if you are routing like this:
    ccc.edu.bz    uucp-dom:ccc
then you will need to put 'ccc.edu.bz' in relay_allow, otherwise mail for this domain will be bounced.
    RCPT TO:<nobody@demon.net>
    551 <nobody@demon.net>... we do not relay
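To make the policy described above concrete, here is an added Python model of how the four /etc/mail files combine for one SMTP transaction (this is an illustration written for this page, not sendmail's ruleset or the check.tar rules themselves): the deny map is checked against MAIL FROM, mail for our own names or relay_allow destinations is always accepted, and any other destination is a relay that the client must be trusted for by IP, by name, or by being under a local name. The file contents are constructed samples, and matching is deliberately simplified (a dotted IP prefix covers its network, a domain entry also covers its subdomains).

```python
# Added model of the relay policy described above; constructed sample
# contents stand in for the /etc/mail/* files and /etc/sendmail.cw.
IP_ALLOW = {"200.10.194", "10.1.2.3"}          # /etc/mail/ip_allow (prefix or full IP)
NAME_ALLOW = {"mail.partner.example"}          # /etc/mail/name_allow
RELAY_ALLOW = {"ccc.edu.bz"}                   # /etc/mail/relay_allow (backup MX, mailertable)
LOCAL_NAMES = {"ucb.edu.bz"}                   # /etc/sendmail.cw
DENY = {                                       # /etc/mail/deny (key -> reply text)
    "cyberpromo.com": "571 Sorry, Spamford, no e-mail from your place.",
    "honey@sweeties.com": "571 Honey, you're a spammer, go away.",
}

def ip_allowed(client_ip):
    """True if client_ip is listed, or falls under a listed dotted prefix
    (an entry '200.10.194' covers 200.10.194.0/24)."""
    octets = client_ip.split(".")
    return any(".".join(octets[:len(p.split("."))]) == p for p in IP_ALLOW)

def in_domain(name, domains):
    """True if name equals a listed domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def addr_domain(addr):
    """Strip <> from an SMTP address and return its domain part."""
    return addr.strip("<>").lower().rpartition("@")[2]

def deny_reason(mail_from):
    """Reply text if the sender address or its domain is in deny, else None."""
    addr = mail_from.strip("<>").lower()
    if addr in DENY:
        return DENY[addr]
    domains = [d for d in DENY if "@" not in d]
    return next((DENY[d] for d in domains if in_domain(addr_domain(addr), [d])), None)

def decide(client_ip, client_name, mail_from, rcpt_to):
    """Return the SMTP reply this policy gives for one MAIL FROM / RCPT TO pair."""
    reason = deny_reason(mail_from)
    if reason:
        return reason
    # Mail for our own names (and subdomains) or for relay_allow hosts is always accepted.
    if in_domain(addr_domain(rcpt_to), LOCAL_NAMES | RELAY_ALLOW):
        return "250 ok"
    # Anything else is a relay: the client must be trusted by IP or by name.
    if ip_allowed(client_ip) or in_domain(client_name, NAME_ALLOW | LOCAL_NAMES):
        return "250 ok"
    return "551 <%s>... we do not relay" % rcpt_to.strip("<>")

if __name__ == "__main__":
    print(decide("1.2.3.4", "host.else.net", "<a@b.c>", "<nobody@demon.net>"))
```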
There is a page which allows you to check whether your system is immune to relaying at http://maps.vix.com/tsi/ar-test.html