Friday, September 25, 2009

SENDMAIL Notes 9: Sendmail Relay

Sendmail's default configuration denies relaying from other hosts.
The following option, however, makes sendmail run as an open relay:


    This option allows any client to connect to our SMTP server and send mail to any destination.

Testing an open relay:
Try to connect to the server from outside the network and follow the procedure below.
The following example shows a server that denies open relaying:

[root@kiran ~]# telnet 25
Connected to (
Escape character is '^]'.
220 ESMTP Sendmail 8.14.2/8.14.2; Wed, 23 Sep 2009 06:35:20 +0400

Mail from:
250 2.1.0 Sender ok
Rcpt To:
550 5.7.1 Relaying denied
221 2.0.0 closing connection
Connection closed by foreign host.
[root@kiran ~]#

The following example shows a server that allows open relaying:

[root@kiran ~]# telnet 25
Connected to (
Escape character is '^]'.
220 ESMTP Sendmail 8.14.2/8.14.2; Wed, 23 Sep 2009 06:43:14 +0400

250 Hello [], pleased to meet you
250 2.1.0 Sender ok
250 2.1.5 Recipient ok
354 Enter mail, end with "." on a line by itself
This is to test the Open relay


250 2.0.0 n8N2hEOp009181 Message accepted for delivery
221 2.0.0 closing connection
Connection closed by foreign host.

[root@kiran ~]#

    For any kind of relay, the destination of the mail must be resolvable by sendmail.

Relay in Sendmail:
    Relaying in sendmail can be configured in two common ways:

1. Using the relay-domains file.
2. Using the access database.

1. Using the relay-domains file:
    This is a very easy way to implement relay access.


    The relay-domains file can be located anywhere; sendmail consults it whenever it receives a new mail from any host.
The /etc/mail/relay-domains file lists one host IP address per line (a hostname or FQDN is also permissible here, provided it resolves properly).

    Compile the configuration and restart the sendmail service.

RELAY_DOMAIN_FILE(`-o /etc/mail/relay-domains')

    Here the "-o" option makes loading the relay-domains file optional: if the file is not present, the sendmail daemon still starts.

2. Using the Access DB:
    This extends the functionality of relay-domains. Each entry is defined by two columns:
Left-hand side column: the IP address
Right-hand side column: the action (REJECT, RELAY, OK or a 550 error, as described below)
To enable this, turn on the following feature.

FEATURE(`access_db', `hash -o -T /etc/mail/access')dnl

    This feature enables the access db for relay control. "hash" is the type of database; "-o" lets sendmail run even if the access db file is not found, i.e. it makes the file optional; "-T" allows the access db to return SMTP errors to the client; and after these comes the database location.

Now create the access file:

#vi /etc/mail/access
connect:    RELAY
connect:    REJECT

#makemap hash access < access

    If any errors are generated, rebuild makemap with ./Build && ./Build install from the source directory.

    Here sendmail will relay mail to the outside world from the IP address given in the RELAY entry, and will refuse to relay from the IP address given in the REJECT entry; the REJECT entry also makes sendmail reject all inbound mail traffic from that host.
Updates to the access database (regenerated with makemap as above) take effect without a sendmail reload, because sendmail queries the access.db file afresh for each lookup.

Other rules in the access file:
    REJECT
To:jithu@    RELAY

    As defined by the first rule, messages sent from that user will be rejected. The second column can hold REJECT, RELAY, OK or a 550 error as well.
    With To:jithu@ REJECT, any mail sent to the user jithu will be rejected.
    For sendmail to parse To: rules from the access db file, the following macro feature has to be enabled in the sendmail.mc file.


    This FEATURE has to be defined after FEATURE(`access_db'). It enables sendmail to consult access.db for relay permission on a per-user basis, i.e. it checks the mail envelope when deciding whether to relay.

    Now compile the configuration file and restart the service.

    This will show a warning about open relaying, so use this option carefully.
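To see how the Connect:, From: and To: entries described above combine into a relay decision, here is an added Python model of the access map lookup. It is not sendmail's code; the access file contents, IP addresses and mail addresses are constructed for illustration, and the lookup order is a simplification of sendmail's.

```python
"""Simplified model of sendmail's access-map lookup (added example, not sendmail's code).
Connect: keys are tried with the full client IP, then with trailing octets removed;
From:/To: keys with the full address, then the domain and its parents, then the bare
"user@" form (as in the page's To:jithu@). Keys are lower-cased, as makemap does."""

# Constructed sample access file in the same layout as the page's example.
ACCESS_FILE = """\
# clients allowed (or refused) to relay
Connect:192.168.1          RELAY
Connect:192.168.1.200      REJECT
From:spammer@example.net   REJECT
To:jithu@                  RELAY
"""

def parse_access(text):
    """Turn 'tag:key  ACTION' lines into a lookup table; '#' lines are comments."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, action = line.split(None, 1)
            rules[key.lower()] = action.strip().upper()
    return rules

def ip_candidates(ip):
    """192.168.1.200 -> 192.168.1.200, 192.168.1, 192.168, 192 (most specific first)."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def addr_candidates(addr):
    """user@host.example.com -> full address, host.example.com, example.com, com, user@."""
    local, _, domain = addr.lower().partition("@")
    labels = domain.split(".")
    return [addr.lower()] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]

def first_match(rules, tag, candidates):
    """Most specific entry under this tag, as (key, action), or None."""
    return next(((k, rules[f"{tag}:{k}"]) for k in candidates if f"{tag}:{k}" in rules), None)

def relay_decision(rules, client_ip, mail_from, rcpt_to):
    """Walk the SMTP phases in order (connect, MAIL FROM, RCPT TO): a REJECT in any
    phase wins; otherwise relaying is allowed only if some phase matched RELAY."""
    allowed = None
    for tag, candidates in (("connect", ip_candidates(client_ip)),
                            ("from", addr_candidates(mail_from)),
                            ("to", addr_candidates(rcpt_to))):
        hit = first_match(rules, tag, candidates)
        if hit and hit[1] == "REJECT":
            return "REJECT", f"{tag}:{hit[0]}"
        if hit and hit[1] == "RELAY" and allowed is None:
            allowed = f"{tag}:{hit[0]}"
    return ("RELAY", allowed) if allowed else ("DENIED", None)
```

A result of DENIED corresponds to the "550 5.7.1 Relaying denied" response shown in the first telnet session above.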
