The check_rcpt ruleset against unauthorized relaying has a problem with "roaming" users, since it accepts outgoing mails only from local addresses. This problem can be solved in at least two ways:
FROM address is one which seems ok to us.
So list in the class
F{LocalIP} /etc/mail/LocalIP
the IP addresses of the hosts you will allow to relay through your mail server, for example
134.245
127.0.0.1
Next, you need to define a map
# list of domains and addresses which can send mail through
# our relay if they appear in MAIL FROM:
Kallow dbm -a@ALLOWED /etc/mail/allow
containing the names of domains or full e-mail addresses which may use your system. As usual, you can also define a class of addresses for which you act as a relay (for incoming mail):
F{RelayTo} /etc/mail/RelayTo
The rulesets (available by
define(`_ALLOW_SOME_')
HACK(check_rcpt4)
in check.tar) now look like this:
# check for allowed addresses
Sallow
# lookup domain in database
R$*<@$+>	$:$1<@$(allow $2$)>
# exists? return
R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
# lookup address in database
R$*<@$+>	$:$1<@$(allow $1@$2 $:$2$)>
# exists? return
R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
# remove one subdomain, try again
R$*<@$-.$-.$+>	$: $>allow $1<@$3.$4>

Scheck_rcpt
# make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
# first: get client address
R$+	$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ ok	client_addr is 0 for sendmail -bs
R$={LocalIP}$* $| $*	$@ ok	from here
# not local, check rcpt
R$* $| $*	$: $>3 $2
# remove local part
R$+	$:$>remove_local $1
R$*<@$+>$*	$: <RELAY>
# now get and canonify the FROM address
R$*	$: $1 $| $>3 $(dequote "" $&f $)
# compare it with an "allowed" domain
R$* $| $*<@$*.>$*	$: $1 $| $>allow $2<@$3>
# match: ok
R$* $| $*<@$*@ALLOWED>$*	$@ ok
# nope, it's a relay attempt
R<RELAY> $| $*	$#error $@ 5.7.1 $: 550 we do not relay

Sremove_local
# remove RelayTo part (maybe repeatedly)
R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*	$: $>remove_local $>3 $1 $3
R$*<@$*>$*	$@ $1<@$2>$3
# dequote local part
R$-	$: $>3 $(dequote $1 $)
R$*<@$*>$*	$: $>remove_local $1<@$2>$3
All explanations (and enhancements) for the original check_rcpt ruleset apply here too.
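As an added illustration (not code from this page or from check.tar), the following Python model traces the lookup order of the allow ruleset and the decision points of check_rcpt. All list contents, addresses and function names are constructed assumptions; source routes and the remove_local recursion are reduced to a domain suffix test, and map keys are lowercased as sendmail maps do by default.

```python
# Added model of the Sallow / Scheck_rcpt decision; not the page's own code.
# Constructed sample data standing in for /etc/mail/LocalIP, /etc/mail/RelayTo,
# class w and the "allow" map (keys stored in lower case).
LOCAL_IP = ["134.245", "127.0.0.1"]
RELAY_TO = ["customer.example"]
LOCAL_NAMES = ["mail.example.org"]
ALLOW = {"example.org", "alice@partner.example"}


def token_prefix(entry, addr):
    """Match on whole dot-separated tokens, like R$={LocalIP}$*."""
    e = entry.split(".")
    return addr.split(".")[:len(e)] == e


def token_suffix(entry, domain):
    """Match a trailing domain on whole tokens, like $*$={RelayTo}."""
    e = entry.split(".")
    return domain.split(".")[-len(e):] == e


def allowed_sender(local, domain):
    """Sallow: domain lookup, full-address lookup, then drop one subdomain."""
    local, domain = local.lower(), domain.lower().rstrip(".")
    while True:
        if domain in ALLOW or f"{local}@{domain}" in ALLOW:
            return True
        parts = domain.split(".")
        if len(parts) < 3:      # $-.$-.$+ only matches three or more labels
            return False
        domain = ".".join(parts[1:])


def check_rcpt(client_addr, mail_from, rcpt):
    # 1. local submission (sendmail -bs) or a client listed in LocalIP
    if client_addr == "0" or any(token_prefix(e, client_addr) for e in LOCAL_IP):
        return "ok"
    # 2. recipient is local or in a domain we relay to (simplified remove_local)
    rdom = rcpt.rpartition("@")[2].lower()
    if rdom in LOCAL_NAMES or any(token_suffix(e, rdom) for e in RELAY_TO):
        return "ok"
    # 3. relay candidate: decided by the envelope sender alone
    local, _, fdom = mail_from.rpartition("@")
    if fdom and allowed_sender(local, fdom):
        return "ok"
    return "550 we do not relay"
```

The third branch depends only on the MAIL FROM value, which the connecting client supplies, so it identifies a sender rather than authenticating one.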
William R. Thomas sent me a single PERL script which does all of the work. Harlan Stenn sent me a modified version of this PERL script, which should be used instead. (Last Update: 1998-04-24)
Dynamic Relay Authorization Control written by Gary Mills and POP3-Authenticated Relaying written by Curt Sampson are other proposals.