F{LocalIP} /etc/mail/localIP
containing the IP network numbers for the hosts you will allow to relay
through your mail server, for example
127.0.0
192.168.1
192.168.2
If you relay mail for other systems, also use:
F{RelayTo} -o /etc/mail/RelayTo
Here is the ruleset:
Scheck_rcpt
R$+	$: $>3 $1
R$+	$: $(dequote $1 $)
R$-	$@ ok	to here
R$* % $*	$: relay attempt
R$* @ $* < @ $* . >	$: relay attempt
R$+ < @ $=w . >	$@ ok	to here
R$+ < @ $={RelayTo} . >	$@ ok	allow relay to there
R$+	$: $(dequote "" $&{client_addr} $)
R0	$@ ok	client_addr is 0 for sendmail -bs
R$={LocalIP}.$*	$@ ok	from here
R$*	$#error $@ 5.7.1 $: "571 we do not support relaying"
The ruleset uses the client address to check for relaying.
It also tries to detect addresses of the form:
foo%bar.com@relay.com
@relay.com:foo@bar.com
Note: there is a problem with these rules! But for every problem, there should be a solution.
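One way to check the ruleset above before putting it into service, as an added example that is not from the original page: a shell script that feeds sendmail's address test mode (-bt) one client address and recipient per case and compares the result with the verdict the rules are meant to give. The config path, the client addresses and the expected verdicts are constructed assumptions; /etc/mail/localIP is assumed to hold the example networks listed above, and bar.com is assumed to be neither a local name nor listed in RelayTo.

```shell
#!/bin/sh
# Added example, not from the original page: exercise check_rcpt in
# sendmail's address test mode (-bt) and compare with the intended verdicts.
CF=${CF:-/etc/mail/sendmail.cf}   # assumption: the config file under test

# -bt commands for one case: define {client_addr}, then call the ruleset.
bt_input() {   # $1 = client address, $2 = recipient
    printf '.D{client_addr}%s\ncheck_rcpt %s\n' "$1" "$2"
}

# Classify -bt output read on stdin. The last "returns:" line belongs to
# check_rcpt itself; earlier ones come from the nested call to ruleset 3.
verdict() {
    last=$(awk '/returns:/ { l = $0 } END { print l }')
    case $last in
        '')            echo unknown ;;   # ruleset did not run at all
        *'$#'*error*)  echo reject ;;
        *)             echo accept ;;
    esac
}

# Constructed cases: client address, recipient, intended verdict.
# 192.168.1.5 lies in an example LocalIP network; 203.0.113.9 does not.
cases() {
    cat <<'EOF'
192.168.1.5 foo@bar.com accept
0 foo@bar.com accept
203.0.113.9 foo@bar.com reject
203.0.113.9 foo%bar.com@relay.com reject
203.0.113.9 @relay.com:foo@bar.com reject
EOF
}

run_cases() {
    rc=0
    while read -r addr rcpt want; do
        got=$(bt_input "$addr" "$rcpt" | sendmail -bt -C"$CF" 2>&1 | verdict)
        [ "$got" = "$want" ] || rc=1
        printf '%-12s %-24s want=%s got=%s\n' "$addr" "$rcpt" "$want" "$got"
    done <<EOF
$(cases)
EOF
    return "$rc"
}

# Run against a real sendmail only when asked: sh check_relay_test.sh run
if [ "${1:-}" = run ]; then run_cases; fi
```

A line where got differs from want, or where got is unknown, means the installed rules do not behave as intended for that case and the configuration should not go live until it is explained.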
Of course you can modify these rules so you don't have to list all subdomains you handle. For instance,
R$+ < @ $*$=w . >	$@ ok	to here
R$+ < @ $*$={RelayTo} . >	$@ ok	allow relay to there
F{LocalNames} /etc/mail/LocalNames
containing the names for the hosts you will allow to relay
through your mail server, for example
uni-kiel.de
geomar.de
However, this is subject to DNS spoofing, so it may be better to use IP addresses.
Scheck_rcpt
R$+	$: $>3 $1
R$+	$: $(dequote $1 $)
R$-	$@ ok	to here
R$* % $*	$: relay attempt
R$* @ $* < @ $* . >	$: relay attempt
R$+ < @ $=w . >	$@ ok	to here
R$+ < @ $={RelayTo} . >	$@ ok	allow relay to there
R$+	$: $(dequote "" $&{client_name} $)
R$-	$@ ok	local names (unqualified)
R$*$={LocalNames}	$@ ok	from here
R$*	$#error $@ 5.7.1 $: "571 we do not support relaying"