Misc about the check_* rulesets in sendmail 8.8

Last Update 2000-04-04

This document tries to answer some of the frequently asked questions about the check_* rulesets in sendmail 8.8.

Dangerous? DNS check in check_mail

The DNS check in check_mail contains the comment:

# no DNS entry? this is dangerous!
for the rule:
R$*<@$*$~P>$*	$#error $@ 4.1.8 $: "451 unresolvable host name, check your configuration."		no real name
Why is this dangerous?

Some MTAs react to this reply code, which signals a temporary failure (451), by retrying very quickly instead of waiting for a normal retry interval. A remote site that keeps reconnecting with a message it cannot deliver may tie up your resources (connections, processes) and quickly fill your logfile with the same rejection.

sendmail 8.9 can distinguish between temporary and permanent DNS failures, so the permanent case no longer has to be answered with a temporary error code and this isn't a problem in the new version.
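A practical check for the failure mode just described: find SMTP clients that collect many 4xx rejections in a short time, which is what fast retries look like in the log. This is an added example, not code from the original page or from sendmail; the log lines are constructed in the style of sendmail's "ruleset=..., reject=..." syslog entries, and the hosts, addresses, queue IDs and the year (2000) are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the original page) in the style of
# sendmail's reject logging: one "451 unresolvable host name" client that
# retries every few seconds, one that retries after an hour, one 550 reject.
SAMPLE_LOG = """\
Apr  4 10:00:00 mx sendmail[1201]: KAA01201: ruleset=check_mail, arg1=<a@nosuch.invalid>, relay=[192.0.2.10], reject=451 unresolvable host name, check your configuration.
Apr  4 10:00:01 mx sendmail[1202]: KAA01202: ruleset=check_mail, arg1=<a@nosuch.invalid>, relay=[192.0.2.10], reject=451 unresolvable host name, check your configuration.
Apr  4 10:00:02 mx sendmail[1203]: KAA01203: ruleset=check_mail, arg1=<a@nosuch.invalid>, relay=[192.0.2.10], reject=451 unresolvable host name, check your configuration.
Apr  4 10:00:04 mx sendmail[1204]: KAA01204: ruleset=check_mail, arg1=<a@nosuch.invalid>, relay=[192.0.2.10], reject=451 unresolvable host name, check your configuration.
Apr  4 10:00:07 mx sendmail[1205]: KAA01205: ruleset=check_mail, arg1=<a@nosuch.invalid>, relay=[192.0.2.10], reject=451 unresolvable host name, check your configuration.
Apr  4 10:05:00 mx sendmail[1210]: KAA01210: ruleset=check_mail, arg1=<b@nosuch.invalid>, relay=mail.example.net [198.51.100.7], reject=451 unresolvable host name, check your configuration.
Apr  4 10:06:00 mx sendmail[1211]: KAA01211: ruleset=check_rcpt, arg1=<x@elsewhere.invalid>, relay=[203.0.113.5], reject=550 Relaying denied
Apr  4 11:05:00 mx sendmail[1340]: LAA01340: ruleset=check_mail, arg1=<b@nosuch.invalid>, relay=mail.example.net [198.51.100.7], reject=451 unresolvable host name, check your configuration.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=(?P<ruleset>\w+), arg1=<(?P<arg1>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), reject=(?P<code>\d{3}) "
)


def parse_line(line, year=2000):
    """Parse one reject line into a dict, or return None if it is not one.
    syslog timestamps carry no year, so the caller supplies it (assumed 2000)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ruleset": m["ruleset"], "arg1": m["arg1"],
            "relay": m["relay"].strip(), "code": m["code"]}


def find_fast_retriers(lines, window=60, threshold=3):
    """Return {relay: n} for every relay that collected at least `threshold`
    temporary (4xx) rejections inside some `window`-second span, where n is
    the largest number seen in one window.  5xx rejects are ignored: a
    well-behaved MTA does not retry those at all."""
    by_relay = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["code"].startswith("4"):
            by_relay[rec["relay"]].append(rec["ts"])
    flagged = {}
    for relay, stamps in by_relay.items():
        stamps.sort()
        lo, best = 0, 0
        for hi in range(len(stamps)):          # sliding window over timestamps
            while (stamps[hi] - stamps[lo]).total_seconds() > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[relay] = best
    return flagged


if __name__ == "__main__":
    for relay, n in find_fast_retriers(SAMPLE_LOG.splitlines()).items():
        print("%s: %d temporary rejections within 60s" % (relay, n))
```

Run against a real maillog with `find_fast_retriers(open("/var/log/maillog").readlines())`; a relay that shows up here is a candidate for a firewall rule or a specific check_relay entry, which costs far less than answering every reconnect.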

check_compat: Problem with .forward

check_compat has several problems that make it unsuitable for preventing relaying. They stem from the fact that the ruleset operates on the sender and recipient addresses given in the envelope. So the straightforward approach of denying delivery if neither of these addresses is local does not work with forwarding: forwarding does not change the envelope sender address, hence an e-mail from an external site to a local address which is forwarded to an external site will be rejected as an unauthorized relaying attempt.

Let's take an example: the sender is A@extern.site, the recipient is B@local.site, and B has a .forward installed with C@external.site (here we naturally assume that only local.site is local to your site). In this case, the e-mail is accepted when sent from A to B, but it can't be forwarded to C, since check_compat is then called with A@extern.site $| C@external.site, which is rejected in our scenario.

As explained elsewhere, it is not well advised to base the decision about a relay attempt on the envelope MAIL FROM address, since that address is trivially forged. However, this is what the proposed simple check_compat ruleset does.
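To make the two failure modes of this section concrete, here is an added model of the decision logic in Python; it is not sendmail code and not from the original page. It assumes, as the text does, that only local.site is local, and it models a .forward file as a dictionary from a local recipient to the addresses it forwards to. The trace shows the false positive from the example above (the forwarded delivery to C is rejected) and the false negative the MAIL FROM approach implies (a forged local sender address is accepted for an external recipient).

```python
# Assumption (as in the text): only local.site is delivered locally.
LOCAL_DOMAINS = {"local.site"}


def is_local(addr):
    """True if the address's domain is one we deliver locally."""
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def naive_check_compat(sender, recipient):
    """The straightforward check_compat from the text: deny delivery when
    neither the envelope sender nor the envelope recipient is local."""
    if is_local(sender) or is_local(recipient):
        return "accept"
    return "reject"


def trace_delivery(sender, recipient, forwards, check):
    """Record every (sender, recipient, verdict) the check sees while the
    message is delivered and then re-delivered through .forward entries.
    Forwarding never rewrites the envelope sender, which is the whole
    problem."""
    trace, seen, pending = [], set(), [recipient]
    while pending:
        rcpt = pending.pop(0)
        if rcpt in seen:            # guard against forwarding loops
            continue
        seen.add(rcpt)
        verdict = check(sender, rcpt)
        trace.append((sender, rcpt, verdict))
        if verdict == "accept":     # only an accepted delivery expands .forward
            pending.extend(forwards.get(rcpt, []))
    return trace


# B's .forward (constructed for the example).
FORWARDS = {"B@local.site": ["C@external.site"]}


if __name__ == "__main__":
    for step in trace_delivery("A@extern.site", "B@local.site",
                               FORWARDS, naive_check_compat):
        print("check_compat %s $| %s -> %s" % step)
    # A forged local MAIL FROM to an outside recipient is accepted by the
    # same rule, so it does not stop relaying either.
    print("forged sender:",
          naive_check_compat("anyone@local.site", "victim@elsewhere.example"))
```

The second call is the part worth remembering: any check whose only inputs are the envelope addresses can be satisfied by whoever controls MAIL FROM, which is the remote client.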

{client_name}, {client_addr}

sendmail 8.8 introduced several new macros: {client_name}, {client_addr}, and {client_port}, which hold the name, IP address, and port number of the SMTP client, respectively. These macros are only defined during SMTP transactions; in other cases (e.g., mail submitted via the command line) they are empty.

If the reverse lookup of {client_addr} fails (with the name services available to sendmail) or the forward lookup of the resulting name does not yield {client_addr} again, then {client_name} is [${client_addr}], i.e., the IP address in square brackets.
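The derivation just described, as an added example in Python (not sendmail's code and not from the original page): the PTR name is trusted only if a forward lookup of that name leads back to the client address. Lookups are passed in as callables so the logic runs offline against constructed DNS data; the `system_*` resolvers are provided for use against the real name service. The names and addresses in the fake tables are made up.

```python
import socket


def client_name(client_addr, reverse, forward):
    """Derive ${client_name} from ${client_addr} as the text describes: use the
    PTR name only if a forward lookup of that name contains the client address;
    on any lookup failure or mismatch, fall back to the address in brackets."""
    try:
        name = reverse(client_addr)
        addrs = forward(name)
    except OSError:                     # NXDOMAIN, SERVFAIL, timeout, ...
        return "[%s]" % client_addr
    if client_addr not in addrs:        # forward and reverse disagree
        return "[%s]" % client_addr
    return name


def is_verified_name(name):
    """A ${client_name} in square brackets is an unverified IP literal; a
    ruleset that keys on the host name must not treat it as a host name."""
    return not (name.startswith("[") and name.endswith("]"))


# Constructed DNS data for offline use (not real records).
FAKE_PTR = {"192.0.2.10": "mail.example.net",
            "192.0.2.20": "mx.example.org"}
FAKE_A = {"mail.example.net": ["192.0.2.10"],
          "mx.example.org": ["203.0.113.9"]}   # PTR claims this name, A does not point back


def fake_reverse(addr):
    if addr not in FAKE_PTR:
        raise OSError("no PTR record for %s" % addr)
    return FAKE_PTR[addr]


def fake_forward(name):
    if name not in FAKE_A:
        raise OSError("no A record for %s" % name)
    return FAKE_A[name]


# Resolvers that use the system's name service (socket errors are OSErrors).
def system_reverse(addr):
    return socket.gethostbyaddr(addr)[0]


def system_forward(name):
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        name = client_name(addr, fake_reverse, fake_forward)
        print("%s -> %s (%s)" % (addr, name,
                                 "verified" if is_verified_name(name) else "unverified"))
```

The three cases are the ones a check_relay ruleset has to reason about: a consistent name, a PTR that points at a name the owner of that name never delegated to this address, and no PTR at all. Only the first deserves to be matched against a host-name list; the other two should be matched by address.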


Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.