The check_rcpt ruleset against unauthorized relaying has a problem with "roaming" users, since it accepts outgoing mails only from local addresses.
This problem can be solved in at least two ways:
FROM address is one which seems ok to us.
So list in the class

F{LocalIP} /etc/mail/LocalIP

the IP addresses of the hosts you will allow to relay through your mail server, for example

134.245
127.0.0.1

Next, you need to define a map

# list of domains and addresses which can send mail through
# our relay if they appear in MAIL FROM:
Kallow dbm -a@ALLOWED /etc/mail/allow

containing the names of domains or full e-mail addresses which may use your system. As usual, you can also define a class of addresses for which you act as a relay (for incoming mail):

F{RelayTo} /etc/mail/RelayTo

The rulesets (available by

define(`_ALLOW_SOME_')
HACK(check_rcpt4)

in check.tar) now look like this:

# check for allowed addresses
Sallow
# lookup domain in database
R$*<@$+>	$:$1<@$(allow $2$)>
# exists? return
R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
# lookup address in database
R$*<@$+>	$:$1<@$(allow $1@$2 $:$2$)>
# exists? return
R$*<@$*@ALLOWED>	$@$1<@$2@ALLOWED>
# remove one subdomain, try again
R$*<@$-.$-.$+>	$: $>allow $1<@$3.$4>

Scheck_rcpt
# make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
# first: get client address
R$+	$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ ok	client_addr is 0 for sendmail -bs
R$={LocalIP}$* $| $*	$@ ok	from here
# not local, check rcpt
R$* $| $*	$: $>3 $2
# remove local part
R$+	$:$>remove_local $1
R$*<@$+>$*	$: <RELAY>
# now get and canonify the FROM address
R$*	$: $1 $| $>3 $(dequote "" $&f $)
# compare it with an "allowed" domain
R$* $| $*<@$*.>$*	$: $1 $| $>allow $2<@$3>
# match: ok
R$* $| $*<@$*@ALLOWED>$*	$@ ok
# nope, it's a relay attempt
R<RELAY> $| $*	$#error $@ 5.7.1 $: 550 we do not relay

Sremove_local
# remove RelayTo part (maybe repeatedly)
R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*	$: $>remove_local $>3 $1 $3
R$*<@$*>$*	$@ $1<@$2>$3
# dequote local part
R$-	$: $>3 $(dequote $1 $)
R$*<@$*>$*	$: $>remove_local $1<@$2>$3

All explanations (and enhancements) for the original check_rcpt ruleset apply here too.
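
The decision order of the rulesets above, modelled in Python as an added example (it is not part of the original page or of check.tar). The RelayTo, class w and allow entries are constructed sample data, and the model leaves out the source-route and % hack handling that remove_local also performs.

```python
# Added illustration: a Python model of the decision order in the check_rcpt
# and allow rulesets. All sample data below is constructed unless noted.

LOCAL_IP = {"134.245", "127.0.0.1"}            # class {LocalIP}, from the page
RELAY_TO = {"example.org"}                     # class {RelayTo}, constructed
LOCAL_NAMES = {"mail.example.org"}             # class w, constructed
ALLOW = {"example.com", "alice@example.net"}   # keys of the allow map, constructed


def allowed(local, domain):
    """Model of Sallow: domain, then full address, then drop one subdomain."""
    local, domain = local.lower(), domain.lower().rstrip(".")
    while True:
        if domain in ALLOW or f"{local}@{domain}" in ALLOW:
            return True
        labels = domain.split(".")
        if len(labels) < 3:        # R$*<@$-.$-.$+> needs three parts or more
            return False
        domain = ".".join(labels[1:])


def ip_is_local(client_addr):
    """Model of R$={LocalIP}$*: a class entry matches leading address tokens."""
    parts = client_addr.split(".")
    return any(parts[:len(e.split("."))] == e.split(".") for e in LOCAL_IP)


def rcpt_is_ours(domain):
    """Simplified remove_local: local host name or (sub)domain in {RelayTo}."""
    domain = domain.lower().rstrip(".")
    return domain in LOCAL_NAMES or any(
        domain == d or domain.endswith("." + d) for d in RELAY_TO)


def check_rcpt(client_addr, mail_from, rcpt_to):
    """Return 'ok' or the 550 text, following the order of Scheck_rcpt."""
    if client_addr == "0" or ip_is_local(client_addr):
        return "ok"
    if "@" not in rcpt_to or rcpt_is_ours(rcpt_to.rpartition("@")[2]):
        return "ok"
    # MAIL FROM is whatever the client sent; nothing here authenticates it.
    local, _, domain = mail_from.rpartition("@")
    if domain and allowed(local, domain):
        return "ok"
    return "550 we do not relay"
```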
William R. Thomas sent me a single PERL script which does all of the work. Harlan Stenn sent me a modified version of this PERL script, which should be used instead. (Last Update: 1998-04-24)
Dynamic Relay Authorization Control written by Gary Mills and POP3-Authenticated Relaying written by Curt Sampson are other proposals.