sendmail on solaris 8.

From: Christopher L. Barnard (cbar44@tsg.cbot.com)
Date: Mon Jul 19 2004 - 13:53:45 EDT


This is a sendmail issue on a Sun, so I am trying both the sunmanagers
mailing list and sendmail.org for ideas. I'm hoping someone on this list
has worked on this problem, because frankly this list has better
responses. ;^)

Our company mailserver is running Sendmail 8.11.7. (Sun-shipped and
patched, Solaris 8). I have replaced the solaris-generic.mc with a
specific mc for this server that still has FEATURE(relay_entire_domain)
but does not have either FEATURE(accept_unqualified_senders) or
FEATURE(accept_unresolvable_domains).

FEATURE(relay_entire_domain) must be enabled. Since all inbound and
outbound mail goes through a filtering company, and they can and do
use multiple servers, we need to accept email from the entire domain.

The problem: if a virus/spam/worm/etc gets into our internal network,
this mailhost will happily relay it to other hosts in the domain. What
we want to accomplish is to have these messages blocked and legitimate
messages go through.

The restrictions on relaying all check the username or domain name of the
sender: FEATURE(relay_entire_domain), FEATURE(accept_unqualified_senders),
and FEATURE(accept_unresolvable_domains) all check the user name and domain
in the mail message. I want to restrict based on the IP or name of the
server sending the mail.

We can use DNS to our advantage here, since servers that should be relaying
through the mailhost are all resolvable in DNS and machines that should not
be allowed to relay are not in DNS.

We want to disallow email where the RELAY used is not resolvable in DNS:

we want to allow mail where the IP of the sending relay can be resolved, i.e.,

Jul 16 09:57:52 gateway sendmail[18354]: [ID 801593 mail.info] i6GEvqK18354: from=<user@subzone.cbot.com>, size=630, class=0, nrcpts=1, msgid=<200407161457.i6GEvpe27803@server.subzone.cbot.com>, proto=ESMTP, daemon=MTA-IPv4, relay=mailhost.subzone.cbot.com [192.168.1.1]

we want to block email where the IP of the sending relay cannot be resolved, i.e.,

Jul 16 09:37:54 portal sendmail[18131]: [ID 801593 mail.info] i6GEbrK18131: from=<user@cbot.com>, size=347, class=0, nrcpts=1, msgid=<200407161437.i6GEbrK18131@gateway.cbot.com>, proto=SMTP, daemon=MTA-IPv4, relay=[192.168.1.2]

Note the difference between relay=mailhost.subzone.cbot.com [192.168.1.1]
and relay=[192.168.1.2]. The former can be resolved in DNS, the latter cannot.

Attempts at using the access database are not doing what we want. In the
/etc/mail/access we currently have:

subzone.cbot.com RELAY
10.1 RELAY

but an unqualified host on the 192.168 network can still relay so that did
not fix the problem.

TIA and I will summarize.

+-----------------------------------------------------------------------+
| Christopher L. Barnard O When I was a boy I was told that |
| cbarnard@tsg.cbot.com / \ anybody could become president. |
| (312) 347-4901 O---O Now I'm beginning to believe it. |
| http://www.cs.uchicago.edu/~cbarnard --Clarence Darrow |
+----------PGP public key available via finger or PGP keyserver---------+
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
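As an added example (not part of the original post or of sendmail), the Python below classifies the relay= field of sendmail log lines like the two quoted above, flagging relays that have no resolved name, and models the octet-prefix and domain-suffix matching of access-db RELAY keys such as the poster's "subzone.cbot.com" and "10.1". The third sample line, the hypothetical helper names, and the choice to ignore a hostname sendmail marked "(may be forged)" are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the two lines quoted in the post plus one
# assumed line carrying sendmail's "(may be forged)" marker (PTR name does not
# resolve back to the connecting IP).
SAMPLE_LOG = """\
Jul 16 09:57:52 gateway sendmail[18354]: [ID 801593 mail.info] i6GEvqK18354: from=<user@subzone.cbot.com>, size=630, class=0, nrcpts=1, msgid=<200407161457.i6GEvpe27803@server.subzone.cbot.com>, proto=ESMTP, daemon=MTA-IPv4, relay=mailhost.subzone.cbot.com [192.168.1.1]
Jul 16 09:37:54 portal sendmail[18131]: [ID 801593 mail.info] i6GEbrK18131: from=<user@cbot.com>, size=347, class=0, nrcpts=1, msgid=<200407161437.i6GEbrK18131@gateway.cbot.com>, proto=SMTP, daemon=MTA-IPv4, relay=[192.168.1.2]
Jul 16 09:40:01 portal sendmail[18140]: [ID 801593 mail.info] i6GEe1K18140: from=<user@cbot.com>, size=300, class=0, nrcpts=1, msgid=<constructed@example.invalid>, proto=SMTP, daemon=MTA-IPv4, relay=box.subzone.cbot.com [10.2.5.9] (may be forged)
"""

# relay=host [ip] when the PTR resolved, relay=[ip] when it did not.
RELAY_RE = re.compile(
    r"(?P<qid>[A-Za-z0-9]+): from=<.*?relay="
    r"(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[\d.]+)\](?P<forged> \(may be forged\))?"
)

@dataclass
class RelayInfo:
    queue_id: str
    host: Optional[str]   # None when sendmail logged only [ip]
    ip: str
    forged: bool

def parse_relay(line: str) -> Optional[RelayInfo]:
    """Extract the relay fields from one 'from=' log line, or None if absent."""
    m = RELAY_RE.search(line)
    if not m:
        return None
    return RelayInfo(m["qid"], m["host"], m["ip"], m["forged"] is not None)

def unresolved_relays(log_text: str) -> List[RelayInfo]:
    """Messages whose relay had no trustworthy DNS name: the poster's block set."""
    found = [parse_relay(l) for l in log_text.splitlines()]
    return [r for r in found if r and (r.host is None or r.forged)]

def access_db_allows(info: RelayInfo, relay_keys: List[str]) -> bool:
    """Model of access-db RELAY matching: IP keys match on leading octets
    (so '10.1' covers 10.1.0.0/16), name keys match the host or a subdomain.
    A forged name is ignored here (assumption), so only the IP can match."""
    octets = info.ip.split(".")
    for key in relay_keys:
        parts = key.split(".")
        if all(p.isdigit() for p in parts):
            if octets[:len(parts)] == parts:
                return True
        elif info.host and not info.forged:
            if info.host == key or info.host.endswith("." + key):
                return True
    return False
```

Run over the mailhost's syslog, the unresolved_relays() list is exactly the set of queue ids the poster wants blocked, and access_db_allows() shows why "10.1 RELAY" never covers a bare 192.168.x.x client.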



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:29:06 EDT