Configuring sendmail for anti-relaying

All versions of sendmail 8.8.x have anti-relaying capability, but the configurations supplied with it don't enable it. However, you can enable anti-relaying by following these 4 steps.

(1a) If you are running Red Hat Linux 4.1 or 4.2:

Upgrade your sendmail-cf (not sendmail!) package to the one in RH5.0 (which you can do without upgrading your whole system to RH5.0, because it only contains text files). Red Hat 5.0's sendmail-cf package has anti-relaying available; 4.2 does not.

Download ftp://ftp.redhat.com/pub/redhat/redhat-5.0/i386/RedHat/RPMS/sendmail-cf-8.8.7-12.i386.rpm

  rpm -Uvh sendmail-cf-8.8.7-12.i386.rpm

(1b) For other versions of Unix:

Download check.tar and untar it into /usr/lib/sendmail-cf

  cd /usr/lib/sendmail-cf
  tar -xvf /tmp/check.tar

(2a) If you are using the standard, unmodified sendmail.cf which came with Red Hat:

Just copy /usr/lib/sendmail-cf/cf/redhat.cf to /etc/sendmail.cf

(2b) If you are using m4 configuration:

Edit your m4 config file and add the following lines at the end:

HACK(check_mail3,`hash -a@JUNK /etc/mail/deny')
HACK(use_ip,`/etc/mail/ip_allow')
HACK(use_names,`/etc/mail/name_allow')
HACK(use_relayto,`/etc/mail/relay_allow')
HACK(check_rcpt4)
HACK(check_relay3)

Be careful with the back-quotation marks: if you are using 'joe' they need to be typed twice. Then rebuild and install a new /etc/sendmail.cf. For example:

  cd /usr/lib/sendmail-cf/cf
  joe ucb.mc                 <---- (or vi) to add the 'HACK' lines in
  rm obj/ucb.cf
  pmake ucb.cf
  mv /etc/sendmail.cf /etc/sendmail.cf.orig
  cp obj/ucb.cf /etc/sendmail.cf

(2c) If you are running a manually-tweaked sendmail.cf:

Follow the instructions at http://www.informatik.uni-kiel.de/~ca/email/check.html

(3) Create the new config files

They all need to be present, even if they are empty.

  mkdir -p /etc/mail
  touch /etc/mail/ip_allow
  touch /etc/mail/name_allow
  touch /etc/mail/relay_allow
  touch /etc/mail/deny
  makemap hash /etc/mail/deny </etc/mail/deny

Put the IP addresses of machines or networks which you will allow to use your machine as a relay in /etc/mail/ip_allow, for example:

200.10.194

will allow all machines in 200.10.194.0/24 to relay.

(In fact this may not be necessary. The default rules allow relaying from any name which your host recognises as itself and all subdomains. So in the case of a machine which has 'ucb.edu.bz' in /etc/sendmail.cw, all machines which have reverse DNS lookups of *.ucb.edu.bz will be allowed to relay.)

(4) Restart sendmail:

  /etc/rc.d/init.d/sendmail.init stop
  /etc/rc.d/init.d/sendmail.init start

and check that you get no errors displayed. (Whenever you change the /etc/mail/* files you also need to restart sendmail.)

Full, but rather cryptic, info on these anti-relaying add-ons is in /usr/lib/sendmail-cf/README.check. Basically, the default is that the machine will only accept mail for local users. But then there are four ways you can relax this:

Beware: you need to put domains in relay_allow for which you are doing mail routing with a mailertable (look at /etc/mailertable); for example if you are routing like this:

    ccc.edu.bz      uucp-dom:ccc

then you will need to put 'ccc.edu.bz' in relay_allow, otherwise mail for this domain will be bounced.
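
The following shell script is an added example, not part of the original page or of the sendmail-cf package. It checks two points from the text: that the four files from step (3) exist, and that every domain routed in the mailertable is also listed in relay_allow. The function names are hypothetical, and the file formats it assumes (one domain per line in relay_allow, "#" comments, exact case-insensitive matching) are stated in the comments.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# missing_map_files DIR
# Print each of the four files from step (3) that is absent from DIR.
missing_map_files() {
    for f in ip_allow name_allow relay_allow deny; do
        [ -e "$1/$f" ] || echo "$1/$f"
    done
}

# missing_relay_domains MAILERTABLE RELAY_ALLOW
# Print every mailertable key that has no matching line in relay_allow.
# Assumed formats: relay_allow has one domain per line; mailertable lines are
# "domain <whitespace> mailer:host"; "#" starts a comment in both.
# Matching is exact and case-insensitive; subdomain matching is not modelled.
missing_relay_domains() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        FILENAME == ARGV[1] {               # first file: relay_allow
            allowed[tolower($1)] = 1; next
        }
        {                                   # second file: mailertable
            d = tolower($1)
            if (!(d in allowed) && !(d in seen)) { print d; seen[d] = 1 }
        }
    ' "$2" "$1"
}

# Demo on constructed sample data (not taken from a real system).
demo=$(mktemp -d)
printf 'ccc.edu.bz\tuucp-dom:ccc\n' > "$demo/mailertable"
touch "$demo/ip_allow" "$demo/name_allow" "$demo/relay_allow"  # deny omitted
echo "Missing files:";        missing_map_files "$demo"
echo "Not in relay_allow:";   missing_relay_domains "$demo/mailertable" "$demo/relay_allow"
rm -rf "$demo"
```

On a live system the equivalent calls are missing_map_files /etc/mail and missing_relay_domains /etc/mailertable /etc/mail/relay_allow; any output from either means mail will be bounced or sendmail will report errors at restart.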

The final result after all that effort:

RCPT TO:<nobody@demon.net>
551 <nobody@demon.net>... we do not relay

There is a page which allows you to check whether your system is immune to relaying at http://maps.vix.com/tsi/ar-test.html


Last updated: 22-02-1998