Introduction

A mail relay is a system that resends mail that it receives. When mail that should be delivered by some other host arrives at the mail relay host, the system decides whether it should relay the mail. If relaying is allowed, the relay host sends the mail on to the destination address. If relaying is denied, a "Relaying denied" error message is returned to the sender. This chapter contains recipes that control when relaying is allowed or denied and recipes to configure a system to make use of a mail relay.

Relaying is different from forwarding. Mail that is forwarded arrives at the system addressed to the local host; it is forwarded only if the host is instructed to do so by the aliases database or the .forward file. Mail that is relayed arrives at the system addressed to some other host; it is only relayed if sendmail is configured to allow relaying.

In the same way that sendmail must be configured to act as a mail relay, a system must be configured to use a mail relay. Any system running sendmail can directly deliver its own mail; sendmail does not depend on relays by default. However, there are a variety of different sendmail configurations that use relay servers:


Relaying all mail

A system can be configured to send all of its mail to a relay. This type of configuration is called a null client, not because the sendmail.cf file is empty, but because the system depends on an external host for all email service.


Relaying local mail

A system can be configured to use a relay for mail that is normally delivered by the local mailer, while delivering all other mail itself. Thus, mail from one user to another, even when those users are both logged into the same client, is sent through a relay server.


Relaying mail to external hosts

sendmail can be configured to send all mail bound for external hosts through a mail relay. Only mail delivered by the local mailer is not sent to the relay.


Relaying mail for pseudodomains

sendmail can be configured to send "non-SMTP" mail to a mail relay host for delivery. Pseudodomains are internal tags used by sendmail to identify mail that is not standard SMTP mail. Special configuration commands exist for sending UUCP, BITNET, DECnet, and FAX mail to a mail relay host when that mail is identified by a pseudodomain.

Mail is sent to the mail relay host via the SMTP relay mailer. The configuration of the relay mailer can be changed with the m4 macros RELAY_MAILER_ARGS, RELAY_MAILER_FLAGS, RELAY_MAILER_QGRP, and RELAY_MAILER_MAXMSG. sendmail can even be configured to use a different mailer for relaying by specifying a different mailer name with the confRELAY_MAILER define. However, changing the mailer name or fiddling with the relay mailer configuration is generally a bad idea because it creates an unnecessarily complex configuration that must be maintained. It is better to configure a mail relay host that is capable of handling standard SMTP mail than to create a custom mailer on every system that uses the relay host, for the simple reason that there are fewer systems to maintain.

By default, sendmail does not relay mail; thus, a default sendmail system does not consider itself a mail relay. There is a good reason for this: relaying opens a system to the possibility of being abused by spammers. Spammers love to find a system that they can relay through in order to hide the true source of the spam mail. Everything you do to create a relay weakens this security. Therefore, care must be taken to use only those configuration tools that you really need to get the job done.

Several features are available that turn a sendmail system into a mail relay:


promiscuous_relay

This feature tells sendmail to relay mail from any source to any destination. It should not be used on a system that is accessible from the Internet because it creates an open relay that will quickly be found and exploited by spammers.


relay_local_from

This causes sendmail to relay any mail in which the envelope sender address contains the name of a host in the local domain. Because the envelope sender address in mail is easily forged, spammers can exploit a relay that uses this feature. For this reason, the relay_local_from feature should be avoided.


relay_mail_from

This feature tells sendmail to relay mail if the envelope sender address of that mail contains the name of a host in any domain listed in the relay-domains file or listed as RELAY in the access database. Because the envelope sender address in mail is easily forged, spammers can exploit a relay that uses this feature if they can figure out the entries in the relay-domains file or the access database. For this reason, the relay_mail_from feature should be avoided.


relay_based_on_MX

This feature enables relaying for any host or domain that lists the local host as its mail exchanger. The disadvantage of this feature is that you lose direct control over which systems can use your system as a relay, and you place that control into the hands of others: the domain administrators. Domain administrators can simply place MX records in their domains to enable relaying through your system.


relay_entire_domain

When this feature is specified, sendmail relays mail for any host in a domain identified in class $=m. Class $=m contains the name of the local host's domain, as determined by sendmail during startup. Thus, this feature enables relaying for hosts in the local domain.


relay_hosts_only

By default, values in the relay-domains file or the access database are interpreted as domain names, and relaying is granted to any of the hosts in those domains. This feature changes that. When relay_hosts_only is specified, the values in the relay-domains file and in the access database are interpreted as hostnames, and mail is only relayed for the specific hosts listed in those files.

Other than the relay_hosts_only feature, which works with the relay-domains file and the access database, the features listed above tend to reduce the amount of control the sendmail administrator has over relaying. Generally, a better way to enable relaying is by using the relay-domains file. Using the relay-domains file requires no special m4 configuration because sendmail reads this file by default. To use it, all you need to do is create a text file named relay-domains that contains a list of the domains for which relaying is allowed.
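The following is an added example, not code from the sendmail Cookbook or from sendmail itself: a small Python model of how relay-domains entries are interpreted with and without relay_hosts_only, and of the relay_entire_domain rule for hosts in $=m. The relay-domains contents and host names are constructed for the demonstration.

```python
# Added illustration (not sendmail's own code): model the relay decision
# made from the relay-domains file, relay_hosts_only and relay_entire_domain.

# Constructed relay-domains file contents for the demonstration.
RELAY_DOMAINS = ["example.com", "mail.partner.net"]


def name_matches(entry: str, fqdn: str, hosts_only: bool) -> bool:
    """True if fqdn is covered by one relay-domains entry.

    Default: the entry is a domain, so the entry itself and every host
    beneath it match.  With relay_hosts_only the entry is a hostname and
    only an exact match counts.
    """
    entry = entry.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if hosts_only:
        return fqdn == entry
    # Suffix test anchored on a dot: "example.com.attacker.net" must not
    # match the entry "example.com".
    return fqdn == entry or fqdn.endswith("." + entry)


def relay_allowed(client_fqdn: str, rcpt_domain: str,
                  relay_domains=RELAY_DOMAINS, hosts_only: bool = False,
                  local_domain: str = "", entire_domain: bool = False) -> bool:
    """Relay, or answer 'Relaying denied'?

    client_fqdn   name of the connecting SMTP client
    rcpt_domain   domain part of the envelope recipient
    relay_domains lines of the relay-domains file (relay to or from them)
    local_domain  sendmail's $=m, consulted when entire_domain is set
    The envelope sender is deliberately not an input: it is easily
    forged, which is why relay_local_from and relay_mail_from are unsafe.
    """
    for entry in relay_domains:
        if name_matches(entry, client_fqdn, hosts_only):
            return True          # mail from a listed domain or host
        if name_matches(entry, rcpt_domain, hosts_only):
            return True          # mail to a listed domain or host
    if entire_domain and local_domain:
        return name_matches(local_domain, client_fqdn, hosts_only=False)
    return False


if __name__ == "__main__":
    for client, hosts_only in [("pc1.example.com", False), ("pc1.example.com", True),
                               ("mail.partner.net", True), ("smtp.spam.test", False)]:
        verdict = relay_allowed(client, "remote.org", hosts_only=hosts_only)
        print(f"{client:>18} -> remote.org  hosts_only={hosts_only!s:5}  "
              f"{'relay' if verdict else 'Relaying denied'}")
```

Run it to see that the same relay-domains file relays for pc1.example.com by default but refuses it under relay_hosts_only, while the exact host mail.partner.net is relayed either way.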

Entries in the relay-domains file enable relaying to or from the domains listed in the file. To have more control over the conditions in which relaying is approved, use the access database. The access database is not designed specifically for relaying; it has broader security applications. However, it can be used to control relaying as demonstrated in Recipe 3.10.

For maximum security, use SMTP AUTH or STARTTLS to authenticate the hosts granted relay privileges. Chapter 7 and Chapter 8 cover these security protocols.

Because spammers may abuse a mail relay, special care should be taken to thoroughly test the relay configuration. If your server fails any of the tests, adjust the configuration to close the security hole. No tests are infallible, but they do provide clear indications of possible configuration problems.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt
