Recipe 3.6 Relaying Mail for All Hosts in a Domain

Problem

You have been asked to set up a mail relay host that relays mail for every host within the local domain.

Solution

On the mail relay host, create a relay-domains file containing the name of your local domain. For example:

 # cat >> /etc/mail/relay-domains
 wrotethebook.com
 Ctrl-D

Restart sendmail to ensure that it reads the relay-domains file:

 # kill -HUP `head -1 /var/run/sendmail.pid`

Discussion

No m4 configuration commands are needed to create this mail relay host. sendmail checks for a file named /etc/mail/relay-domains and adds the names it finds there to class $=R by default. There are two ways to change the default pathname of the /etc/mail/relay-domains file:


confCR_FILE

This define sets the path of the file loaded into class $=R . The confCR_FILE define is only used when it is necessary to change the default filename. For example, to load class $=R from a file named /etc/sendmail.cr , add the following line to the master configuration file:

 define(`confCR_FILE', `/etc/sendmail.cr')

RELAY_DOMAIN_FILE

This macro specifies the path to an additional file that provides data for class $=R . If the default file, which is usually named /etc/mail/relay-domains , also exists, it is added to class $=R . For example, the following command adds data from the /etc/sendmail.cr file to class $=R :

 RELAY_DOMAIN_FILE(`/etc/sendmail.cr')

Neither of these commands appears in this recipe because it is generally a bad idea to change the default pathname of any file used in the sendmail configuration. Other administrators may need to find information on your system. It is easier for them to do so if the information is stored in the standard location.

Before we created the relay-domains file, sendmail blocked all mail relaying, even relaying from other hosts within the local domain. By default, sendmail does not permit relaying. A test conducted before the relay-domains file is created shows this. Below, telnet is used on rodent.wrotethebook.com to connect directly to the SMTP port on the sendmail server smtp.wrotethebook.com:

 $ telnet 192.168.0.8 smtp
 Trying 192.168.0.8...
 Connected to 192.168.0.8.
 Escape character is '^]'.
 220 smtp.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 15 Aug 2003 14:25:01 -0400
 HELO rodent.wrotethebook.com
 250 smtp.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
 MAIL From:<craig@rodent.wrotethebook.com>
 250 2.1.0 craig@rodent.wrotethebook.com... Sender ok
 RCPT To:<sara@crab.wrotethebook.com>
 550 5.7.1 sara@crab.wrotethebook.com... Relaying denied
 QUIT
 221 2.0.0 smtp.wrotethebook.com closing connection
 Connection closed by foreign host.

This test shows that the "Relaying denied" error is returned to the sender, indicating that the default sendmail configuration does not allow hosts in the local domain to relay mail to any third host.

After the domain name wrotethebook.com is written into the /etc/mail/relay-domains file and sendmail is restarted, rerunning the test produces a different result:

 $ telnet 192.168.0.8 smtp
 Trying 192.168.0.8...
 Connected to 192.168.0.8.
 Escape character is '^]'.
 220 smtp.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 15 Aug 2003 15:12:21 -0400
 HELO rodent.wrotethebook.com
 250 smtp.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
 MAIL From:<craig@rodent.wrotethebook.com>
 250 2.1.0 craig@rodent.wrotethebook.com... Sender ok
 RCPT To:<sara@crab.wrotethebook.com>
 250 2.1.5 sara@crab.wrotethebook.com... Recipient ok
 DATA
 354 Enter mail, end with "." on a line by itself
 Subject: Test

 This is a test of wrotethebook.com entry in the relay-domains file.
 .
 250 2.0.0 g8RJCLXf001550 Message accepted for delivery
 QUIT
 221 2.0.0 smtp.wrotethebook.com closing connection
 Connection closed by foreign host.

Now, hosts within the local domain are allowed to relay through smtp.wrotethebook.com, all without any changes to the m4 configuration or any need to rebuild the sendmail.cf file. Mail from or to hosts in the wrotethebook.com domain is relayed. Mail that is neither from nor to a host in the wrotethebook.com domain is still refused relaying.

Alternatives

There are four alternative solutions: the RELAY_DOMAIN macro, the relay_entire_domain feature, the promiscuous_relay feature, and the relay_local_from feature.

The example in the Solution section adds only one domain name to class $=R . It is possible to add individual domains to class $=R from inside the m4 configuration by using the RELAY_DOMAIN macro. The following lines added to the sendmail configuration would have the same effect as the relay-domains file defined above:

 dnl RELAY_DOMAIN adds a domain name to class R
 RELAY_DOMAIN(`wrotethebook.com')

However, the RELAY_DOMAIN command requires modifying the m4 configuration and rebuilding and reinstalling the sendmail.cf file. Using the relay-domains file does not have these requirements, which makes the relay-domains file simpler to use.

There are a few other alternative solutions to this problem. We could have used the relay_entire_domain feature to enable relaying for hosts in the local domain. The following command added to a basic configuration would produce the same result as this recipe:

 dnl A feature that relays mail for the local domain
 FEATURE(`relay_entire_domain')dnl

The relay_entire_domain feature adds a few rewrite rules that relay mail from any host in a domain listed in class $=m . By default, class $=m contains the domain name of the server system. Thus, class $=m contains wrotethebook.com on a server named smtp.wrotethebook.com .

This alternative solution works well, but was rejected for a few reasons. First, this solution is slightly more complex than the one used in this recipe. Using the relay_entire_domain feature requires modifications to the m4 configuration, which means that the sendmail.cf file must be rebuilt and reinstalled before sendmail is restarted. Using the relay-domains file only requires sendmail to be restarted.

Second, the value in class $=m is determined internally by sendmail. It is usually correct, so this might be a minor point, but setting the value in relay-domains gives the administrator more control. Third, relay-domains is self-documenting. Looking in the file quickly tells you for which domains the server is configured to relay mail.

Fourth, the relay-domains file is very flexible. The Problem section describes creating a mail relay for other hosts in the local domain, which is the most common relaying example. However, any domain can be listed in the relay-domains file, and mail originating from any host in that domain will be relayed. For example, imagine we wanted to create a mail relay that would relay mail for the wrotethebook.com domain, the ora.com domain, the oreilly.com domain, and the sybex.com domain. To do that, we would just need the following relay-domains file:

 # cat /etc/mail/relay-domains
 wrotethebook.com
 ora.com
 oreilly.com
 sybex.com

This recipe is used to permit relaying from any host in a specified domain. These reasons give the relay-domains file a slight advantage over the relay_entire_domain feature for this specific application, which is why relay-domains was chosen for this recipe.
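The relay decision described above (relay mail from or to any host in a listed domain, driven by the four-domain relay-domains file just shown), as an added example that is not the book's or sendmail's own code: a small Python model of the class $=R check. It assumes the decision keys on the connecting client's resolved hostname and on the recipient's domain, rather than on the envelope sender the client supplies.

```python
# Added example (not code from the Sendmail Cookbook): a simplified model of the
# relay decision sendmail makes when only /etc/mail/relay-domains is configured.
# Assumption: relaying is allowed when the connecting client's resolved hostname
# or the envelope recipient's domain lies inside a listed domain (whole labels only).

# Constructed copy of the four-domain relay-domains file shown in the text.
RELAY_DOMAINS_FILE = """\
wrotethebook.com
ora.com
oreilly.com
sybex.com
"""

def load_relay_domains(text):
    """Parse relay-domains content into class $=R; blank lines and '#' comments are skipped."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(line.lower().rstrip("."))
    return domains

def in_class_r(hostname, relay_domains):
    """True if hostname equals a listed domain or is a host below it (label boundary)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in relay_domains)

def relay_allowed(client_name, rcpt_to, relay_domains):
    """client_name is the connecting host's reverse-lookup name, not the HELO or
    MAIL FROM string; the latter is what relay_local_from trusts and why it was rejected."""
    rcpt_domain = rcpt_to.rsplit("@", 1)[-1]
    return in_class_r(client_name, relay_domains) or in_class_r(rcpt_domain, relay_domains)

def smtp_reply(client_name, rcpt_to, relay_domains):
    """The RCPT reply seen in the two telnet sessions above."""
    if relay_allowed(client_name, rcpt_to, relay_domains):
        return "250 2.1.5 %s... Recipient ok" % rcpt_to
    return "550 5.7.1 %s... Relaying denied" % rcpt_to

if __name__ == "__main__":
    r = load_relay_domains(RELAY_DOMAINS_FILE)
    print(smtp_reply("rodent.wrotethebook.com", "sara@crab.wrotethebook.com", set()))  # no file: denied
    print(smtp_reply("rodent.wrotethebook.com", "sara@crab.wrotethebook.com", r))      # listed: accepted
    print(smtp_reply("mail.example.net", "bob@example.org", r))                        # outsider: denied
```

The empty set stands for the state before the relay-domains file exists, which reproduces the "Relaying denied" result of the first session; a host outside every listed domain mailing an outside recipient is still refused even with all four domains listed.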

Two other alternative solutions were rejected for security reasons:


promiscuous_relay

This feature turns on relaying for all hosts, which includes the local domain, so it would solve our problem. However, this feature would cause many more problems than it would solve because spammers would quickly find and abuse the relay. Never use the promiscuous_relay feature. Even if your host is protected by a firewall, you need to secure your own system from attack; this is a basic tenet of "defense in depth" security. Creating an open relay is always a bad idea.


relay_local_from

This feature sounds like a great solution for the problem. It turns on relaying for mail if the envelope sender address of the mail contains the name of a host in the local domain. The problem is that this feature depends solely on the envelope sender address. Unfortunately, spammers can easily rewrite the envelope sender address on their spam to make it appear to originate from your local domain. For this reason, it was rejected as a possible solution for our problem.

See Also

The sendmail book covers the RELAY_DOMAIN_FILE macro in 7.4.1.2, the relay_entire_domain feature in 7.4.5, the relay_local_from feature in 7.4.7, and the promiscuous_relay feature in 7.4.3. The cf/README contains current information about all of these relay features.

sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt
