Misc about the check_* rulesets in sendmail 8.8 and later
Last Update 2000-02-06
This document tries to answer some of the frequently asked questions about the
check_*
rulesets in
sendmail 8.8 and beyond.
check_rcpt
can be used to prevent unauthorized
relaying,
which means that neither the
sender
nor the
recipient
are local or allowed to use the mailserver.
The algorithm works like this
(the steps are reversed
in the HACKs for sendmail 8.8):
-
Local or allowed recipient:
Check the address given as
RCPT.
Is it a
local
address
or is it an address for which we relay?
If yes: the mail is accepted,
i.e., no error is generated.
(This is the case:
external to internal.)
If no: goto next step.
-
Local or authorized sender:
Check the IP number
(${client_addr})
or the name
(${client_name})
of the host which tries to send e-mail through this system.
Is it a
local
system?
If yes: it can do whatever it wants.
(This is the case:
internal to external
or
internal to internal.)
If no: an error is generated, relaying is denied.
There are some things which needs to be considered with algorithm:
-
What is a
local
(or allowed) recipient?
-
What is a
local
(or authorized) sender?
Detecting whether the recipient address is local
isn't an easy task because there are many ways to specify an address.
sendmail
considers all elements of class
$=w
as local, so these are allowed by default.
However, it isn't sufficient to check whether an address ends
in an element of this class, since this can be fooled,
e.g.,
<user%remote.site@local.site>.
Hence the ruleset
remove_local
(repeatedly) removes the local part of an address.
If there is still some domain part available after this process,
it is considered as a relay attempt.
In addition to class
$=w
a
$={RelayTo}
class can be used to specify allowed recipient domains
or individual hosts
(enabled by
HACK(use_relayto)
.)
Allowing relaying to other systems
than local ones
has some
problems.
The address of the recipient is listed as
to=
in the sendmail logfile, or as
arg1=
if
check_rcpt
denied the operation.
As already said, the address of the sender is determined by
${client_addr}
or
${client_name},
it is
not
based on the envelope
MAIL FROM
address!
Hence
check_rcpt
can not be fooled by giving a false
MAIL FROM
address, it doesn't check this address at all
(unless some feature
(8.8 HACKs: _ALLOW_SOME_,
8.9:
relay_local_from
)
is explicitly defined.)
Which hosts you consider as
local
with respect to sending e-mail through your system
is listed in classes
$={LocalIP}
(for
${client_addr},
enabled by
HACK(use_ip)
)
or
$={LocalNames}
(for
${client_name},
enabled by
HACK(use_names)
),
respectively.
This IP address is listed as
relay=
in the sendmail logfile.
If both
HACKs
are used, it is a logical
OR
condition:
the client IP address must be in
$={LocalIP},
or
the client name must be in
$={LocalNames},
Why doesn't
check_rcpt
simply use
(like the
anti-spam rules at sendmail.org)
just one class to specify
local senders and local recipients?
This is possible by specifying
HACK(use_names,`/etc/sendmail.cR')
HACK(use_relayto,`/etc/sendmail.cR')
However, the use of separate classes allows finer control.
Even though it might not be necessary in common cases,
someone would have asked for this feature
(judging from the number of
available options. )
As it turned out, this degree of control is requested
by several users due to the
shortcomings of the rulesets in 8.9.
Hence
sendmail 8.10
introduces
tag for the LHS
of the
access map.
[(links)]
[Hints]
[Avoiding UBE]
[cf/README]
[New]
Copyright ©
Claus Aßmann
Please send comments to:
<ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated
or incomplete.
Please
contact me
if you find an error.