Misc about the check_* rulesets in sendmail 8.8 and later

Last Update 2000-02-06

This document tries to answer some of the frequently asked questions about the check_* rulesets in sendmail 8.8 and beyond.

Anti-relaying: how does it work?

check_rcpt can be used to prevent unauthorized relaying, which means that neither the sender nor the recipient are local or allowed to use the mailserver.
The algorithm works like this (the steps are reversed in the HACKs for sendmail 8.8):
  1. Local or allowed recipient: Check the address given as RCPT. Is it a local address or is it an address for which we relay?
    If yes: the mail is accepted, i.e., no error is generated. (This is the case: external to internal.)
    If no: goto next step.
  2. Local or authorized sender: Check the IP number (${client_addr}) or the name (${client_name}) of the host which tries to send e-mail through this system. Is it a local system?
    If yes: it can do whatever it wants. (This is the case: internal to external or internal to internal.)
    If no: an error is generated, relaying is denied.
There are some things which needs to be considered with algorithm:
  1. What is a local (or allowed) recipient?
  2. What is a local (or authorized) sender?

Local/Allowed Recipient

Detecting whether the recipient address is local isn't an easy task because there are many ways to specify an address. sendmail considers all elements of class $=w as local, so these are allowed by default. However, it isn't sufficient to check whether an address ends in an element of this class, since this can be fooled, e.g., <user%remote.site@local.site>. Hence the ruleset remove_local (repeatedly) removes the local part of an address. If there is still some domain part available after this process, it is considered as a relay attempt.

In addition to class $=w a $={RelayTo} class can be used to specify allowed recipient domains or individual hosts (enabled by HACK(use_relayto) .) Allowing relaying to other systems than local ones has some problems.

The address of the recipient is listed as to= in the sendmail logfile, or as arg1= if check_rcpt denied the operation.

Local Sender

As already said, the address of the sender is determined by ${client_addr} or ${client_name}, it is not based on the envelope MAIL FROM address! Hence check_rcpt can not be fooled by giving a false MAIL FROM address, it doesn't check this address at all (unless some feature (8.8 HACKs: _ALLOW_SOME_, 8.9: relay_local_from) is explicitly defined.)

Which hosts you consider as local with respect to sending e-mail through your system is listed in classes $={LocalIP} (for ${client_addr}, enabled by HACK(use_ip) ) or $={LocalNames} (for ${client_name}, enabled by HACK(use_names) ), respectively. This IP address is listed as relay= in the sendmail logfile. If both HACKs are used, it is a logical OR condition: the client IP address must be in $={LocalIP}, or the client name must be in $={LocalNames},

Why Different Classes for Local Senders and Local Recipients in 8.8?

Why doesn't check_rcpt simply use (like the anti-spam rules at sendmail.org) just one class to specify local senders and local recipients? This is possible by specifying
However, the use of separate classes allows finer control. Even though it might not be necessary in common cases, someone would have asked for this feature (judging from the number of available options. )

As it turned out, this degree of control is requested by several users due to the shortcomings of the rulesets in 8.9. Hence sendmail 8.10 introduces tag for the LHS of the access map.

[(links)] [Hints] [Avoiding UBE] [cf/README] [New]
Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.