Relay control in sendmail 8.8,9 for roaming users

Last Update 2000-09-20
News (2000-07-19): sendmail 8.11 implements SMTP STARTTLS and SMTP AUTH, which allow users to authenticate themselves so that relaying can subsequently be turned on for them without requiring any of the "hacks" listed below.
Note: This information is outdated, see relay control in sendmail for roaming users instead, which refers to newer features and versions.


The check_rcpt ruleset against unauthorized relaying has a problem with "roaming" users, since it accepts outgoing mails only from local addresses. This problem can be solved in at least two ways:
  1. specify domains or e-mail addresses which can use your system no matter from where they connect,
  2. authorize relaying based on authentication provided by a modified POP daemon.

Another way will be SMTP AUTH as described in RFC 2554. However, this is not implemented in sendmail 8.9 because it was released before the RFC was available. It is planned for the next version (no release date known).

Allow relaying based on MAIL FROM

This code is for sendmail 8.8; a version for 8.9 can be found elsewhere.

The first proposal just adds another test. First, we check whether it is a local client: it can do whatever it wants. Next, we remove the local part, maybe repeatedly. If the address still has routing information in it, it seems to be a relay attempt. We mark it as such and then check whether the FROM address is one which seems OK to us. So list in the class
F{LocalIP} /etc/mail/LocalIP
the IP addresses of the hosts you will allow to relay through your mail server, for example
Next, you need to define a map
# list of domains and addresses which can send mail through
# our relay if they appear in MAIL FROM:
Kallow dbm -a@ALLOWED /etc/mail/allow
containing the names of domains or full e-mail addresses which may use your system. As usual, you can also define a class of addresses for which you act as a relay (for incoming mail):
F{RelayTo} /etc/mail/RelayTo
The rulesets (available in check.tar) now look like this:
Sallow
# check for allowed addresses
# lookup domain in database
R$*<@$+>		$:$1<@$(allow $2$)>
# exists? return
R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
# lookup address in database
R$*<@$+>		$:$1<@$(allow $1@$2 $:$2$)>
# exists? return
R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
# remove one subdomain, try again
R$*<@$-.$-.$+>		$: $>allow $1<@$3.$4>

Scheck_rcpt
# make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
# first: get client address
R$+			$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*		$@ ok		client_addr is 0 for sendmail -bs
R$={LocalIP}$* $| $*	$@ ok		from here
# not local, check rcpt
R$* $| $*		$: $>3 $2
# remove local part
R$+			$:$>remove_local $1
R$*<@$+>$*		$: <RELAY>
# now get and canonify the FROM address
R$*			$: $1 $| $>3 $(dequote "" $&f $)
# compare it with an "allowed" domain
R$* $| $*<@$*.>$*	$: $1 $| $>allow $2<@$3>
# match: ok
R$* $| $*<@$*@ALLOWED>$*	$@ ok
# nope, it's a relay attempt
R<RELAY> $| $*	$#error $@ 5.7.1 $: 550 we do not relay

Sremove_local
# remove RelayTo part (maybe repeatedly)
R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*		$: $>remove_local $>3 $1 $3
R$*<@$*>$*		$@ $1<@$2>$3
# dequote local part
R$-			$: $>3 $(dequote $1 $)
R$*<@$*>$*		$: $>remove_local $1<@$2>$3

All explanations (and enhancements) for the original check_rcpt ruleset apply here too.
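
The decision flow of the rulesets above, modelled in Python as an added example (not part of the original page and not sendmail code). It assumes bare addr-spec input without angle brackets and does not re-parse source-routed recipients; the CFG values are constructed sample data.

```python
# Simplified model of the check_rcpt / allow / remove_local rulesets above.
# Not sendmail code: source-routed recipients (user%a@b) are not re-parsed.

CFG = {  # constructed sample data (documentation address ranges and domains)
    "LocalIP": {"192.0.2"},                         # class {LocalIP}
    "w": {"mail.example.com"},                      # class w (local host names)
    "RelayTo": {"example.com"},                     # class {RelayTo}
    "allow": {"example.org", "alice@example.net"},  # keys of the allow map
}

def _norm(domain):
    return domain.lower().rstrip(".")   # map keys are case-folded; drop canonical dot

def allow(local, domain, allow_map):
    """Domain lookup, then full-address lookup, then strip one subdomain and retry."""
    domain = _norm(domain)
    while True:
        if domain in allow_map or f"{local.lower()}@{domain}" in allow_map:
            return True
        labels = domain.split(".")
        if len(labels) < 3:             # R$*<@$-.$-.$+> needs three or more labels
            return False
        domain = ".".join(labels[1:])

def on_label_boundary(value, entries, suffix=False):
    """Class match on whole tokens: a prefix (IP) or suffix (domain) of labels."""
    for e in entries:
        if value == e or (value.endswith("." + e) if suffix else value.startswith(e + ".")):
            return True
    return False

def check_rcpt(client_addr, mail_from, rcpt, cfg=CFG):
    if client_addr == "0" or on_label_boundary(client_addr, cfg["LocalIP"]):
        return "ok"                     # local client (or sendmail -bs)
    _, at, rdomain = rcpt.rpartition("@")
    rdomain = _norm(rdomain)
    if not at or rdomain in cfg["w"] or on_label_boundary(rdomain, cfg["RelayTo"], suffix=True):
        return "ok"                     # recipient is local or in RelayTo: no relay
    # Relay attempt: decided only by the envelope sender, which the
    # connecting client supplies and nothing here authenticates.
    flocal, at, fdomain = mail_from.rpartition("@")
    if at and allow(flocal, fdomain, cfg["allow"]):
        return "ok"
    return "550 we do not relay"
```

For a non-local client the result depends only on the MAIL FROM value, which is why the page's News item points to SMTP AUTH and STARTTLS as the replacement for these hacks.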

Authorize relaying based on authentication provided by a modified POP daemon

Another proposal requires a modification to a POP daemon and some utilities. This is an idea from John Levine, described by Scott Hazen Mueller. It has been implemented by Neil Harkins and John Levine. This feature can be enabled in my HACKs for 8.8 with the option _POPAUTH_ and is also available for 8.9.

William R. Thomas sent me a single PERL script which does all of the work. Harlan Stenn sent me a modified version of this PERL script, which should be used instead. (Last Update: 1998-04-24)

Dynamic Relay Authorization Control written by Gary Mills and POP3-Authenticated Relaying written by Curt Sampson are other proposals.

Copyright © Claus Aßmann Please send comments to: <ca at>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.