Configuring sendmail for anti-relaying

All versions of sendmail 8.8.x have anti-relaying capability, but the configurations supplied with it don't enable it. However, you can enable anti-relaying by following these 4 steps.

(1a) If you are running Red Hat Linux 4.1 or 4.2:

Upgrade your sendmail-cf (not sendmail!) package to the one in RH5.0 (which you can do without upgrading your whole system to RH5.0, because it only contains text files). Red Hat 5.0's sendmail-cf package has anti-relaying available; 4.2 does not.


  rpm -Uvh sendmail-cf-8.8.7-12.i386.rpm

(1b) For other versions of Unix:

Download check.tar and untar it into /usr/lib/sendmail-cf:

  cd /usr/lib/sendmail-cf
  tar -xvf /tmp/check.tar

(2a) If you are using the standard, unmodified which came with Red Hat:

Just copy /usr/lib/sendmail-cf/cf/ to /etc/

(2b) If you are using m4 configuration:

Edit your m4 config file and add the following lines at the end:

HACK(check_mail3,`hash -a@JUNK /etc/mail/deny')

Careful with the back-quotation marks - if you are using 'joe' they need to be typed twice. Then rebuild and install a new /etc/ For example:

  cd /usr/lib/sendmail-cf/cf
  joe                 <---- (or vi) to add the 'HACK' lines in
  rm obj/
  mv /etc/ /etc/
  cp obj/ /etc/

(2c) If you are running a manually-tweaked

Follow the instructions at

(3) Create the new config files

They all need to be present, even if they are empty.

  mkdir /etc/mail
  touch /etc/mail/ip_allow
  touch /etc/mail/name_allow
  touch /etc/mail/relay_allow
  touch /etc/mail/deny
  makemap hash /etc/mail/deny </etc/mail/deny

Put the IP addresses of machines or networks which you will allow to use your machine as a relay in /etc/mail/ip_allow, for example:


will allow all machines in to relay.

(In fact this may not be necessary. The default rules allow relaying from any name which your host recognises as itself and all subdomains. So in the case of a machine which has '' in /etc/, all machines which have reverse DNS lookups of * will be allowed to relay)

(4) Restart sendmail:

  /etc/rc.d/init.d/sendmail.init stop
  /etc/rc.d/init.d/sendmail.init start

and check that no errors are displayed. (Whenever you change the /etc/mail/* files, you also need to restart sendmail.)
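
An added example (not part of the original page or of check.tar): a shell function to run before the restart in step (4), confirming that the files from step (3) exist and that the deny map has been rebuilt. The name check_relay_files is hypothetical, deny.db is the file that makemap hash writes for /etc/mail/deny, and the world-writable test is an extra check added here.

```shell
#!/bin/sh
# Added example: preflight check for the files created in step (3).
# Usage: check_relay_files /etc/mail   (returns the number of problems found)
check_relay_files() {
    dir=${1:-/etc/mail}
    problems=0

    # All four files must exist, even if they are empty.
    for f in ip_allow name_allow relay_allow deny; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f (touch it, even if it stays empty)"
            problems=$((problems + 1))
        fi
    done

    # 'deny' is read through a hash map, so makemap must have produced
    # deny.db, and it must not be older than the text file it was built from.
    if [ -f "$dir/deny" ]; then
        if [ ! -f "$dir/deny.db" ]; then
            echo "missing: $dir/deny.db (run: makemap hash $dir/deny <$dir/deny)"
            problems=$((problems + 1))
        elif [ -n "$(find "$dir/deny" -newer "$dir/deny.db")" ]; then
            echo "stale: $dir/deny.db is older than $dir/deny (re-run makemap)"
            problems=$((problems + 1))
        fi
    fi

    # Assumption added here, not from the page: these files decide who may
    # relay, so none of them should be writable by every local user.
    for f in ip_allow name_allow relay_allow deny deny.db; do
        if [ -f "$dir/$f" ] && [ -n "$(find "$dir/$f" -prune -perm -002)" ]; then
            echo "world-writable: $dir/$f (chmod o-w)"
            problems=$((problems + 1))
        fi
    done

    return "$problems"
}
```

A return value of 0 means all files are in place; any other value is the number of problems printed.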

Full, but rather cryptic, info on these anti-relaying add-ons is in /usr/lib/sendmail-cf/README.check. Basically, the default is that the machine will only accept mail for local users. But then there are four ways you can relax this:

Beware: you need to put in relay_allow any domains for which you are routing mail with a mailertable (look at /etc/mailertable); for example, if you are routing like this:      uucp-dom:ccc

then you will need to put '' in relay_allow, otherwise mail for this domain will be bounced.

The final result after all that effort:

551 <>... we do not relay

There is a page which allows you to check whether your system is immune to relaying at

Last updated: 22-02-1998