Sendmail Relay Configuration Options

Mail servers must often be set up as relays. In such a configuration, the server accepts mail from one system and passes it on to another. One common relay configuration is that of a departmental mail server, which accepts mail from many clients and passes the mail on to destination systems. For instance, Figure 25.1's mail.example.com is configured in this way. Another relay configuration involves telling sendmail to use another system as a relay. For instance, if Figure 25.1's client.example.com were a Linux system, you might configure it to use mail.example.com as an outgoing relay. Using outgoing relays enables you to use the relay computer as a control point for mail. In some cases, you must configure your system in this way. For instance, your LAN or ISP might be configured to block outgoing SMTP connections except to the authorized mail server.

Configuring Sendmail to Relay Mail

Sendmail provides many relaying options. The most common configuration involves a feature that can be defined in the sendmail m4 file using a line such as this:

Red Hat's default configuration adds some extra options to this definition. Slackware's standard configuration doesn't define this option; therefore, if you want to use it, you must add it to the m4 configuration file and rebuild the sendmail.cf file, as described earlier, in "Sendmail Configuration Files." Once the option is present, you can edit the /etc/mail/access file. A typical file might resemble the one shown in Listing 25.1.

Listing 25.1: A Typical access File for Controlling Mail Relaying

# Allow relaying from localhost...
localhost.localdomain    RELAY
localhost                RELAY
127.0.0.1                RELAY

# Relay for the local network
172.25.98                RELAY

Red Hat's default file resembles Listing 25.1, except that Red Hat's default lacks the final entry. Listing 25.1 first approves relaying for the local computer, using three methods of identifying that computer—by two names (localhost.localdomain and localhost) and by IP address (127.0.0.1). If you activate the access_db feature, your /etc/mail/access file must contain these entries if your system is to reliably handle mail from the local computer. (Some programs call sendmail in such a way that these entries aren't necessary, but others use the loopback network interface, which requires that sendmail relay for localhost or its aliases.) To relay for more systems, you must add them to the list, as Listing 25.1 does. That example relays for the 172.25.98.0/24 network. If you prefer, you can specify individual computers or list them by domain name or hostname, but using IP addresses ensures that an attacker won't be able to compromise a DNS server to abuse your system's relaying abilities.

Because this section is about relaying, all of the examples in Listing 25.1 specify the RELAY option. You can provide other words, though, to achieve different effects:

OK You can tell sendmail to accept mail for delivery even if another rule would cause it to be rejected. For instance, you might override a block on a network for specific hosts using OK.

RELAY This option enables relaying. Although this section emphasizes relaying for clients in the specified network, this option is actually bi-directional. For instance, Listing 25.1 enables outside systems to relay mail to servers in the 172.25.98.0/24 network.

REJECT This option blocks mail coming from or addressed to the specified hostname or network. Sendmail generates a bounce reply when an attempt is made to send to or from the forbidden systems. You might use it to block a known spammer's domain, for example.

DISCARD This option works much like REJECT, but sendmail won't generate a bounce message.

ERROR:nnn text This option also works like REJECT, but instead of generating a standard bounce message, it replies with the error code number (nnn) and message (text) that you define.
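The following Python sketch is an added example, not part of the original text or of sendmail itself. It parses an access file like Listing 25.1, flags RELAY entries keyed by name rather than by IP address (the DNS-dependence concern raised above), and models most-specific-first key matching in simplified form for untagged entries only; the partner.example.net and spammer.example.org entries and all function names are constructed for illustration.

```python
import re

# Constructed sample: Listing 25.1 plus two hypothetical name-based entries.
SAMPLE_ACCESS = """\
# Allow relaying from localhost...
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
# Relay for the local network
172.25.98               RELAY
partner.example.net     RELAY
spammer.example.org     REJECT
"""

IP_KEY = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")  # full address or leading octets
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_access(text):
    """Return {key: action} for untagged 'key<whitespace>action' lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        # Skip blank lines, comment lines and lines with no action column.
        if len(fields) == 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].strip()
    return table

def name_based_relays(table):
    """RELAY keys that depend on DNS (names other than the loopback aliases)."""
    return sorted(k for k, a in table.items()
                  if a == "RELAY" and not IP_KEY.match(k) and k not in LOOPBACK_NAMES)

def candidates(client):
    """Keys tried for a client, most specific first (simplified model)."""
    parts = client.lower().split(".")
    if IP_KEY.match(client):  # address: drop octets from the right
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    return [".".join(parts[n:]) for n in range(len(parts))]  # name: drop leading labels

def lookup(table, client):
    """Return (matching key, action), or (None, None) when nothing matches."""
    for key in candidates(client):
        if key in table:
            return key, table[key]
    return None, None

if __name__ == "__main__":
    t = parse_access(SAMPLE_ACCESS)
    print(name_based_relays(t), lookup(t, "172.25.98.40"))
```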

After you modify the /etc/mail/access file, you must create a binary database file from the plain-text file. To do so, you use the makemap command:

# makemap hash /etc/mail/access.db < /etc/mail/access

Some configurations, including Red Hat's, include this command in their sendmail SysV startup scripts, so you can skip this step if you restart the server using these scripts. When you're done, restart sendmail and test the new relaying configuration.

In addition to the access_db feature, sendmail supports a variety of additional relaying options. Most of these options include the word relay in their names, such as relay_entire_domain or relay_local_from. Most of these options implement relay rules that can be implemented through the /etc/mail/access file, though, so chances are you won't need them.

Warning One relay option you should avoid is called promiscuous_relay. This option configures the system to relay from any host to any server. Such a configuration is dangerous because spammers can easily abuse it. In fact, you should be cautious when configuring relaying to prevent your system from relaying from any untrusted source. The upcoming section, "Stopping Outgoing Spam," covers this topic in more detail.

Configuring Sendmail to Use a Relay

If your system must relay mail through another server, you can configure sendmail to accommodate this requirement. To do so, add the following line to the sendmail m4 configuration file and recompile the sendmail.cf file:

FEATURE(`nullclient', `relay.mail.server')

The procedure to modify the m4 configuration file is described earlier, in "Sendmail Configuration Files." Replace relay.mail.server with the hostname of the mail server that's to function as a relay, such as your departmental or ISP's mail server. You may also need to delete a couple of lines or comment them out by preceding the lines with

MAILER(local)dnl
MAILER(smtp)dnl

These lines duplicate the functionality included in the relay configuration, so including them along with the relay configuration may cause m4 to complain when you try to build a new sendmail.cf file. Not all configurations use these lines in their default files, though. For instance, Red Hat's configuration lacks the MAILER(local)dnl line but adds a line for Procmail.

Tip Some people use Linux computers, and especially notebooks, with multiple ISPs. In such a case, you may need to configure sendmail to relay through one ISP's mail server at some times and another ISP's mail server at other times. One trick that can help you do this is to prepare two sendmail.cf files, one for relaying through each ISP's mail server. You can then copy the appropriate file to /etc/sendmail.cf and restart sendmail whenever you need to switch the outgoing mail relay. This same trick works with Postfix and Exim configurations, as well.
