sendmail help

Dear Lazyweb,

With sendmail 8.13 on FC4, I currently have this behavior:

  1. any host can connect to the smtp port;
  2. relaying and local delivery are allowed if STARTTLS+AUTH are used;
  3. relaying and local delivery are allowed if the connecting host is one of the ones listed in /etc/mail/access;
  4. else local delivery is allowed.

What I want is to replace item #4 with "else mail is not accepted for delivery". I only want to accept "" delivery if it's from my ISP's mail hosts, or AUTH. I don't want direct-connect spammers and viruses to be able to deliver to me.

Someone suggested FEATURE(relay_hosts_only) but that doesn't seem to do anything.

(As always, feel free to answer my sendmail question with "don't use sendmail" if you'd like me to ban you.)


19 Responses:

  1. cantsin says:

    I don't see what the problem is?

    just don't accept the relay?

  2. mark242 says:

    I can't give you a definitive one-line answer as I don't know the specifics of your mc file. However, you should look at STARTTLS docs, specifically the section where you can put into your access file whether or not an e-mail must be encrypted.

    My assumption is that this line in your access file will work: ENCR:112

    • jwz says:

      "How do I demand that all mail be encrypted" is not what I was asking. The messages in #2 are not.

      The .mc file is pretty much stock FC4, except for the confCACERT stuff, and TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')

      • mark242 says:

        AUTH should always skip any relay checks in the stock mc file. You can try: OK allow TLS messages without AUTH (if you assume that hosts using TLS are likely not spammers), but I'm unaware of an access wildcard to just stop local delivery by default. It's possible that FEATURE(`blacklist_recipients') would work in conjunction with your rules, or it's possible that it would wind up rejecting every message to you.

  3. pfig says:

    have you had a look at having qpsmtpd as a frontend to sendmail?

  4. alierak says:

    Disclaimer: I don't use sendmail.

    That said, I wonder if there's some kludge you can put at the bottom of an access db to reject everything not specified earlier. If it takes CIDR notation, well, maybe "0/0 REJECT"?
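
The access map does not take CIDR keys. For an IPv4 client sendmail looks the address up under the Connect: tag as a whole and then with trailing octets stripped one at a time, so the most specific entry wins and an unmatched address falls through to the default (on this box, item #4 above). The following Python model of that lookup order is an added illustration, not sendmail's own code; the map contents are a constructed sample and only IPv4 is modelled.

```python
# Model of the sendmail access_db lookup order for an IPv4 client address
# (added illustration, not sendmail's code). sendmail tries the full address
# first and then strips one trailing octet at a time, so a more specific
# entry always shadows a shorter prefix. CIDR notation is not understood,
# so a key like "0/0" never matches anything.

from typing import Dict, List, Optional, Tuple

# Constructed sample of /etc/mail/access contents, as "tag:key -> rhs".
SAMPLE_ACCESS: Dict[str, str] = {
    "Connect:192.0.2.25": "RELAY",   # ISP mail host: may relay and deliver
    "Connect:192.0.2":    "OK",      # rest of that /24: accept, no relaying
    "Connect:192":        "REJECT",  # everything else in 192.0.0.0/8
    "Connect:0/0":        "REJECT",  # CIDR key: never consulted by the lookup
}


def lookup_keys(ip: str, tag: str = "Connect:") -> List[str]:
    """Keys sendmail tries for ip, most specific first."""
    octets = ip.split(".")
    return [tag + ".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def access_lookup(access: Dict[str, str], ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matching key, right-hand side) for the first hit.

    (None, None) means no entry matched, i.e. sendmail's default applies.
    """
    for key in lookup_keys(ip):
        if key in access:
            return key, access[key]
    return None, None


if __name__ == "__main__":
    for client in ("192.0.2.25", "192.0.2.7", "192.168.1.1", "198.51.100.4"):
        print(client, "->", access_lookup(SAMPLE_ACCESS, client))
```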

  5. merovingian says:

    (untested, but I believe this is the right command.)

    Add this line to the mail server's
    Kaccess hash -o /etc/mail/access

    • kfringe says:

      That is equivalent to FEATURE(`access_db', `hash -T /etc/mail/access_map') in a file.

      I think the question is more specific than that. JWZ has the relaying figured out. What he wants to do is reject attempts at local delivery. Let's rephrase the question.

      How can sendmail be configured to have a default deny stance on all activity from the MAIL verb forward in an smtp session?

  6. errorval says:

    What about undefining confLOCAL_MAILER and using an empty localtable (with FEATURE(localtable))? Sendmail should then reject any messages that are to be delivered locally, and if you ever have an exception you can add it to the localtable file, or alias around it, or use .forward.

    Not sure this would work, but it's worth a try, I suppose.

    • mark242 says:

      It shouldn't work, and if it does it's a bug. Sendmail always uses the local mailer when performing final delivery for an address on that box (see virtusertable for how this works). If you turn off the local mailer, it simply won't accept e-mails for users on that machine, period, no matter how you try to trick it.

  7. cacepi says:

    Someone suggested FEATURE(relay_hosts_only) but that doesn't seem to do anything.

    Oh, so that's what you wanted to do. Sorry for suggesting that, as relay_hosts_only doesn't cover delivery, just who can send mail through your server.

    You could try using Milter to set up a list of trusted users or networks. It looks like milter-greylist does what you want, but I've never tried it.

  8. terras says:

    I don't think sendmail has the ability to selectively allow inbound hosts, out of the box. If you are willing to run sendmail under xinetd, it's a relatively simple matter to add an 'only_from = [your ISP's SMTP servers]' to the sendmail config entry.

    • jwz says:

      If I wanted to do that, I'd just use a firewall rule, not xinetd. That doesn't do what I'm asking for.