Friday, September 25, 2009

SENDMAIL Notes 9: Sendmail Relay


The default sendmail configuration denies relaying from other hosts.
The following option, however, makes sendmail run as an open relay:

FEATURE(`promiscuous_relay')

    This option allows any client to connect to our SMTP server and send mail to any destination.

Testing an open relay:
Connect to the server from outside the network and follow the procedure below.
The following example shows a server that denies relaying:

[root@kiran ~]# telnet 192.168.10.2 25
Trying 192.168.10.2...
Connected to fazi.com (192.168.10.2).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Wed, 23 Sep 2009 06:35:20 +0400

Mail from: kiran@domain.com
250 2.1.0 kiran@domain.com... Sender ok
Rcpt To: kiran@anotherdomain.com
550 5.7.1 kiran@anotherdomain.com... Relaying denied
quit
221 2.0.0 centos.com closing connection
Connection closed by foreign host.
[root@kiran ~]#

The following example shows a server that allows open relay:

[root@kiran ~]# telnet 192.168.10.2 25
Trying 192.168.10.2...
Connected to fazi.com (192.168.10.2).
Escape character is '^]'.
220 centos.com ESMTP Sendmail 8.14.2/8.14.2; Wed, 23 Sep 2009 06:43:14 +0400

Helo domain.com
250 centos.com Hello mail1.kiran.com [192.168.10.1], pleased to meet you
Mail From:kiran@domain.com
250 2.1.0 kiran@domain.com... Sender ok
Rcpt To:kiran@anydomain.com
250 2.1.5 kiran@anydomain.com... Recipient ok
Data
354 Enter mail, end with "." on a line by itself
This is to test the Open relay

.

250 2.0.0 n8N2hEOp009181 Message accepted for delivery
Quit
221 2.0.0 centos.com closing connection
Connection closed by foreign host.

[root@kiran ~]#

    For any kind of relay, the destination domain of the mail must be resolvable by sendmail.

Relay in Sendmail:
    Relaying in sendmail can be configured in two common ways:

1. Using the Relay-domains.
2. Using the access database.


1. Using the relay-domains file:
    This is a very easy way to implement relay access.
Edit sendmail.mc and add:

RELAY_DOMAIN_FILE(`/etc/mail/relay-domains')

    The relay-domains file can be located anywhere. Sendmail consults it whenever it receives new mail from any host.
The /etc/mail/relay-domains file lists one IP address per line (a hostname or FQDN is also permissible here, but it must resolve properly).
Example:

192.168.1.1
10.0.0.1
172.16.0.1

    Compile sendmail.cf and restart the sendmail service.

RELAY_DOMAIN_FILE(`-o /etc/mail/relay-domains')

    Here the "-o" option makes sendmail treat the relay-domains file as optional: the daemon still starts even if the file is not present.

2. Using the access DB:
    This extends the functionality of relay-domains. Each entry is defined by two columns.
Left-hand side column (the key):
Users
Hosts
IP addresses
Right-hand side column (the action):
RELAY
REJECT
DISCARD
To enable this, turn on the following feature:

FEATURE(`access_db', `hash -o -T /etc/mail/access')dnl

    This feature enables the access DB for relay control. hash is the database type; "-o" makes sendmail run even if the access DB file is not found, i.e. it makes the file optional; "-T" allows the access DB to return SMTP errors to the client; and last comes the database location.

Now create the access file:

#vi /etc/mail/access
connect:192.168.1.2    RELAY
connect:192.168.10.9    REJECT

#makemap hash access < access

    If any errors are generated, rebuild makemap with ./Build && ./Build install from the source directory.

    Here sendmail will relay mail from the IP 192.168.1.2 to the outside world, and will refuse to relay from 192.168.10.9; in fact the REJECT entry makes sendmail reject all inbound mail traffic from the host 192.168.10.9.
Updates to the access file do not need a sendmail reload to take effect, because sendmail queries the access.db file for every lookup.

Other rules in the access file:

From:kiran@mail1.kiran.com    REJECT
To:jithu@    RELAY

    As defined in this rule, messages sent from user kiran@mail1.kiran.com will be rejected. In the second column we can specify REJECT, RELAY, OK or 550 errors too.
    With To:jithu@ REJECT, any mail sent to user jithu will be rejected.
    For sendmail to apply such rules from the access DB, we have to enable the following feature macro in sendmail.mc:

FEATURE(`relay_mail_from')

    This FEATURE has to be defined after FEATURE(`access_db'). It enables sendmail to consult access.db for relay permission on a per-user basis, i.e. it checks the mail envelope sender when deciding whether to relay.

    Now compile the sendmail.cf file and restart the service.

    This will show a warning about open relay, so use this option carefully.
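To see how the Connect:, From: and To: entries above are matched before a relay decision is reached, here is an added Python emulation (not part of the original notes and not sendmail's own code). The access entries are constructed; the matching order (full IP, then shorter octet prefixes; user@domain, then user@, then the domain and each parent domain) follows sendmail's documented access-map lookup.

```python
# Added example, not from the original notes; the access entries below are constructed.
ACCESS_FILE = """\
Connect:192.168.1.2           RELAY
Connect:192.168.10.9          REJECT
Connect:10.0                  RELAY
From:kiran@mail1.kiran.com    REJECT
From:trusted.example          RELAY
From:spammer.example          550 We do not accept mail from you
To:jithu@                     RELAY
To:partner.example            RELAY
"""

def parse_access(text):
    """Parse 'Tag:key<ws>value' lines (the makemap input format); keys are lowercased."""
    table = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)   # ValueError on a malformed line
            table[key.lower()] = value.strip()
    return table

def candidates(tag, value):
    """Keys sendmail tries, most specific first: IPs by shrinking octet prefix,
    addresses as user@domain, user@, then the domain and each parent domain."""
    if tag == "connect:" and value.replace(".", "").isdigit():
        octets = value.split(".")
        return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    local, domain = value.split("@", 1) if "@" in value else ("", value)
    labels = domain.split(".")
    return [value] + ([local + "@"] if local else []) + \
           [".".join(labels[i:]) for i in range(len(labels))]

def lookup(table, tag, value):
    """First matching entry for the tag, or None when nothing matches."""
    return next((table[tag + c.lower()] for c in candidates(tag, value)
                 if tag + c.lower() in table), None)

def relay_decision(table, client_ip, sender, recipient, relay_mail_from=True):
    """Order as in the notes: Connect: for the client, then From: (RELAY only with
    FEATURE(relay_mail_from)), then To:. Returns RELAY, REJECT or DENIED."""
    for tag, value in (("connect:", client_ip), ("from:", sender), ("to:", recipient)):
        hit = lookup(table, tag, value)
        action = hit.split()[0].upper() if hit else ""
        if action in ("REJECT", "DISCARD") or action.isdigit():  # '550 ...' entries
            return "REJECT"
        if action == "RELAY" and (tag != "from:" or relay_mail_from):
            return "RELAY"
    return "DENIED"  # nothing granted relay: "550 5.7.1 ... Relaying denied"
```

Run relay_decision against your own access file contents to confirm that no prefix entry (such as Connect:10.0) grants RELAY more broadly than intended.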

