Using check_rcpt in sendmail 8.8

Last Update 1999-11-24

check_rcpt

Solution?

The following is based on a proposal from Chin Huang: Create an external file
F{LocalIP} /etc/mail/localIP
containing the IP network numbers for the hosts you will allow to relay through your mail server, for example
127.0.0
192.168.1
192.168.2
If you relay mail for other systems, also use:
F{RelayTo} -o /etc/mail/RelayTo
Here is the ruleset:
Scheck_rcpt
R$+			$: $>3 $1
R$+			$: $(dequote $1 $)
R$-			$@ ok					to here
R$* % $*		$: relay attempt
R$* @ $* < @ $* . >	$: relay attempt
R$+ < @ $=w . >		$@ ok					to here
R$+ < @ $={RelayTo} . >	$@ ok		allow relay to there
R$+			$: $(dequote "" $&{client_addr} $)
R0			$@ ok		client_addr is 0 for sendmail -bs
R$={LocalIP}.$*		$@ ok					from here
R$*			$#error $@ 5.7.1 $: "571 we do not support relaying"
The ruleset uses the client address to decide whether relaying is allowed. It also tries to detect addresses of the form:
foo%bar.com@relay.com
@relay.com:foo@bar.com
Note: there is a problem with these rules! But for every problem, there should be a solution.

Of course you can modify these rules so you don't have to list all subdomains you handle. For instance,

R$+ < @ $*$=w . >		$@ ok			to here
R$+ < @ $*$={RelayTo} . >	$@ ok		allow relay to there
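The decision order of the IP-based ruleset above (without the subdomain variant), modelled in Python so an allow list can be checked against sample recipients. This is an added example, not code from the original page or from sendmail; it is a simplified model that does not reproduce ruleset 3, and the operator characters, the class contents and the test addresses are assumptions constructed for illustration.

```python
# Simplified model of the check_rcpt decision order; not sendmail's own parser.
OPERATORS = set(".:%@!^/[]+")          # assumed OperatorChars; they split tokens

# Constructed sample data standing in for class w and the two external files.
LOCAL_HOSTS = {"relay.com"}                        # $=w
RELAY_TO = {"customer.example"}                    # /etc/mail/RelayTo
LOCAL_IP = {"127.0.0", "192.168.1", "192.168.2"}   # /etc/mail/localIP
REJECT = "571 we do not support relaying"


def client_allowed(client_addr):
    """Rules 'R0' and 'R$={LocalIP}.$*': whole dotted components must match."""
    if client_addr == "0":             # sendmail -bs: no network peer
        return True
    return any(client_addr.startswith(net + ".") for net in LOCAL_IP)


def check_rcpt(rcpt, client_addr):
    """Return 'ok' or the 5.7.1 rejection text for one RCPT TO argument."""
    addr = rcpt.strip().strip("<>").replace('"', "")   # rough dequote
    if addr and not OPERATORS & set(addr):
        return "ok"                    # R$-: single token, local user
    local, _, domain = addr.rpartition("@")
    domain = domain.rstrip(".").lower()
    # A '%' or a second '@' marks a relay attempt: the destination rules
    # are skipped, so only the client address can still allow the mail.
    relay_attempt = "%" in addr or "@" in local
    if local and not relay_attempt and (domain in LOCAL_HOSTS or domain in RELAY_TO):
        return "ok"                    # "to here" / "allow relay to there"
    if client_allowed(client_addr):
        return "ok"                    # "from here"
    return REJECT


if __name__ == "__main__":
    outside, inside = "203.0.113.9", "192.168.1.7"     # constructed clients
    for rcpt, client in [("user@relay.com", outside),
                         ("foo%bar.com@relay.com", outside),
                         ("@relay.com:foo@bar.com", outside),
                         ("foo%bar.com@relay.com", inside),
                         ("foo@bar.com", "192.168.10.7")]:
        print(f"{client:<14} {rcpt:<26} {check_rcpt(rcpt, client)}")
```

The last case shows why the network numbers are matched component by component: 192.168.10.7 is not inside 192.168.1.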

Another Solution

Instead of listing the IP numbers for the machines which can use your relay, you can also list their names. Create an external file
F{LocalNames} /etc/mail/LocalNames
containing the names for the hosts you will allow to relay through your mail server, for example
uni-kiel.de
geomar.de
However, matching on host names is subject to DNS spoofing, so it may be better to use IP addresses.
Scheck_rcpt
R$+			$: $>3 $1
R$+			$: $(dequote $1 $)
R$-			$@ ok					to here
R$* % $*		$: relay attempt
R$* @ $* < @ $* . >	$: relay attempt
R$+ < @ $=w . >		$@ ok					to here
R$+ < @ $={RelayTo} . >	$@ ok		allow relay to there
R$+			$: $(dequote "" $&{client_name} $)
R$-			$@ ok			local names (unqualified)
R$*$={LocalNames}	$@ ok				from here
R$*			$#error $@ 5.7.1 $: "571 we do not support relaying"

Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.