Recipe 3.10 Relaying Only Outbound Mail

Problem

You have been asked to configure a mail relay host to handle only outbound mail. The host must relay mail sent from selected hosts, but it must not relay mail that arrives from elsewhere addressed to those hosts.

Solution

Add support for the access database to the sendmail configuration by using the access_db feature. Here is the required FEATURE macro:

 dnl Add support for the access database
 FEATURE(`access_db')

Build an access database that defines all of the clients from which this server should accept mail for relaying. The access database entries should be in the form Connect:address RELAY, where address is the IP address (or a network prefix) or the DNS name (or a domain suffix) of the source from which mail will be accepted.

Rebuild and reinstall sendmail.cf, then restart sendmail. These steps are covered in Recipe 1.8.

Discussion

Mail from, or addressed to, any domain defined in the relay-domains file is relayed. Thus, the relay-domains file creates a relay that handles both inbound and outbound mail, which is generally the configuration used. Occasionally, however, network designers decide to use separate systems for inbound and outbound mail. For example, a mail exchanger for all inbound mail and a mail relay host for all outbound mail might be placed on two physically separate systems. The access database provides the fine-grained control necessary to implement these design decisions. The access_db feature adds support for the access database to the sendmail configuration.

Entries in the access file, from which the access database is built, contain two basic fields:

  • The conditional test that determines whether an action is taken

  • The action taken when the condition is met

The conditional test can contain various types of data depending on what the access database entry is being used for. For relaying, the conditional test usually includes an address, which can be a full or partial domain name, hostname, or IP address. It can also be a full email address or just the user portion of an email address. Here is an example of creating an access database entry that relays mail received via a connection from any host in the local wrotethebook.com domain:

 # cd /etc/mail
 # cat > access
 Connect:wrotethebook.com        RELAY
 Ctrl-D
 # makemap hash access < access

The example uses the domain name wrotethebook.com as the data in the conditional test because we want to relay mail for every host in that domain. An alternative would be to use the network address to relay mail for every host on the local network, for example:

 Connect:192.168.0     RELAY 

The keyword Connect: that is placed before the data in the conditional test is called a tag. A tag limits the scope of the test. Tags are optional. Without a tag, the data in the conditional test field of an access database entry is tested against three different values: the sender address from the message envelope, the recipient address from the message envelope, and the IP address (and hostname) of the remote system that connected to the server to transfer the mail. If any one of these matches the conditional data in the access database, the condition is met and the action defined in the database is taken. Use a tag to change this default behavior and limit the conditional test to just one of the three. The basic tag values are:


To:

Only the recipient address in the message envelope is matched against the conditional test data.


From:

Only the sender address in the message envelope is matched against the conditional test data.


Connect:

Only the IP address, or the resolved hostname, of the remote system that initiated the connection over which the mail was received is matched against the conditional test data. This is why Connect:wrotethebook.com matches a client named rodent.wrotethebook.com and Connect:192.168.0 matches a client at 192.168.0.3.

The example above uses the Connect: tag to limit relaying to only those hosts that connect to the relay server from the wrotethebook.com domain. Mail from any other source is not relayed, even when it is addressed to a host in wrotethebook.com.

The action field in the sample access file entry contains the keyword RELAY, which simply means that the server should relay mail that matches the specified conditional test. RELAY is the only keyword that directly relates to relaying. Several other action keywords are covered in Chapter 7.

The access file must be converted to a hash database before sendmail can use it. The makemap program does the required conversion. It reads ASCII text from stdin and writes out a database of the specified type to the specified file. In our example, note that the input and output names appear to be the same. They're not. The input file is named access and the output file is named access.db. You do not need to add the .db extension to the output filename; makemap automatically adds the correct extension based on the type of database specified. makemap is provided as part of the sendmail distribution.

After building the access database, building sendmail.cf , and restarting sendmail, the system relays mail from clients in the local domain but will not relay mail to those clients if the mail originates in some other domain. [6] Two tests show this. The first test is mail sent from a host in the local domain to a remote host:

[6] sendmail does not need to be restarted when a database changes. The only reason a restart was needed for this recipe was because the sendmail.cf file changed.

 $ telnet smtp.wrotethebook.com smtp
 Trying 192.168.0.8...
 Connected to smtp.
 Escape character is '^]'.
 220 smtp.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 15 Aug 2003 16:47:57 -0400
 HELO rodent.wrotethebook.com
 250 smtp.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you
 MAIL From:<craig@rodent.wrotethebook.com>
 250 2.1.0 craig@rodent.wrotethebook.com... Sender ok
 RCPT To:<tyler@example.com>
 250 2.1.5 tyler@example.com... Recipient ok
 QUIT
 221 2.0.0 smtp.wrotethebook.com closing connection
 Connection closed by foreign host.

The second test is mail sent from a remote host to a host in the local domain. If the local domain were listed in the relay-domains file, this mail would be accepted. This test shows that with the access database from this recipe, the mail is rejected at the RCPT To: command:

 $ telnet smtp.wrotethebook.com smtp
 Trying 192.168.0.8...
 Connected to smtp.
 Escape character is '^]'.
 220 smtp.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 15 Aug 2003 16:52:07 -0400
 HELO example.com
 250 smtp.wrotethebook.com Hello example.com [10.20.3.3], pleased to meet you
 MAIL From:<tyler@example.com>
 250 2.1.0 tyler@example.com... Sender ok
 RCPT To:<craig@rodent.wrotethebook.com>
 550 5.7.1 craig@rodent.wrotethebook.com... Relaying denied
 QUIT
 221 2.0.0 smtp.wrotethebook.com closing connection
 Connection closed by foreign host.
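The following Python program is an added example, not code from the book or from the sendmail distribution. It models the access-database lookup described under the tag list above (Connect:, From:, To:, and untagged entries, tried from the most specific value down to shorter IP prefixes or domain suffixes) and then feeds it the envelopes from the two telnet tests, so you can see why the first RCPT To: is accepted and the second is refused with "Relaying denied". It also goes one step beyond the recipe: adding a To:wrotethebook.com entry shows how an inbound+outbound relay (the relay-domains behavior) differs from this outbound-only one. The access-file contents, the envelope values and the set of local hostnames are constructed from the transcripts; the lookup order is an approximation of sendmail's, not its actual rule set.

```python
"""Model of sendmail's access-database relay check (Connect:, From:, To: tags).

Added example for the Sendmail Cookbook recipe on outbound-only relaying.
It is NOT sendmail's own code; it approximates the documented lookup order
(full value first, then shorter domain suffixes or shorter IP prefixes).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    client_ip: str      # address of the host that connected (Connect:)
    client_host: str    # its resolved name, also checked by Connect:
    sender: str         # MAIL From: envelope address (From:)
    recipient: str      # RCPT To: envelope address (To:)


def parse_access(text):
    """Parse access-file lines into {'tag:key' or 'key': ACTION}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip().upper()
    return table


def _ip_candidates(ip):
    # 192.168.0.3 -> 192.168.0.3, 192.168.0, 192.168, 192
    parts = ip.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]


def _host_candidates(host):
    # rodent.wrotethebook.com -> rodent.wrotethebook.com, wrotethebook.com, com
    labels = host.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def _addr_candidates(addr):
    # user@host -> user@host, user@, host, then shorter host suffixes
    user, _, host = addr.lower().partition("@")
    return [addr.lower(), user + "@"] + _host_candidates(host)


def lookup(table, tag, candidates):
    """First matching action: a tagged entry for this field, or an untagged one."""
    for cand in candidates:
        for key in (f"{tag}:{cand}", cand):
            if key in table:
                return table[key]
    return None


def relay_decision(table, env, local_hosts):
    """Return the SMTP reply the relay would give to RCPT To: for this envelope."""
    rcpt_host = env.recipient.rpartition("@")[2].lower()
    if rcpt_host in local_hosts:
        return "250 2.1.5 Recipient ok"      # local delivery, not relaying
    checks = [
        ("connect", _ip_candidates(env.client_ip) + _host_candidates(env.client_host)),
        ("from", _addr_candidates(env.sender)),
        ("to", _addr_candidates(env.recipient)),
    ]
    for tag, candidates in checks:
        if lookup(table, tag, candidates) == "RELAY":
            return "250 2.1.5 Recipient ok"
    return "550 5.7.1 Relaying denied"


# Constructed access files: the recipe's outbound-only entry, the network
# variant, and an inbound+outbound variant that adds a To: entry.
OUTBOUND_ONLY = "Connect:wrotethebook.com    RELAY\n"
BY_NETWORK = "Connect:192.168.0    RELAY\n"
INBOUND_TOO = OUTBOUND_ONLY + "To:wrotethebook.com    RELAY\n"

LOCAL_HOSTS = {"smtp.wrotethebook.com", "localhost"}   # assumed class w

# Envelopes taken from the two telnet transcripts in the recipe.
OUTBOUND = Envelope("192.168.0.3", "rodent.wrotethebook.com",
                    "craig@rodent.wrotethebook.com", "tyler@example.com")
INBOUND = Envelope("10.20.3.3", "example.com",
                   "tyler@example.com", "craig@rodent.wrotethebook.com")


def run_recipe_tests():
    """Decide each transcript's RCPT To: under each constructed access file."""
    return {
        "outbound": relay_decision(parse_access(OUTBOUND_ONLY), OUTBOUND, LOCAL_HOSTS),
        "outbound_by_network": relay_decision(parse_access(BY_NETWORK), OUTBOUND, LOCAL_HOSTS),
        "inbound": relay_decision(parse_access(OUTBOUND_ONLY), INBOUND, LOCAL_HOSTS),
        "inbound_with_to_entry": relay_decision(parse_access(INBOUND_TOO), INBOUND, LOCAL_HOSTS),
    }


if __name__ == "__main__":
    for name, reply in run_recipe_tests().items():
        print(f"{name:24s} {reply}")
```

The "inbound" case is the security-relevant one: the relay refuses to carry mail for wrotethebook.com hosts that it did not receive from wrotethebook.com, so a remote sender cannot use it as a path into the domain, and an open-relay probe that sends a foreign sender and foreign recipient fails the same way. Keep the local-host set honest, though; a hostname in class w is delivered, not relayed, and never consults the access database for this decision.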

See Also

Chapter 6 provides more information about the access database. The Finer control by using tags for the LHS of the access map section of the cf/README file provides additional information about tags. The sendmail book covers the access database in Section 7.5.



Sendmail Cookbook
ISBN: 0596004710
Year: 2005
Authors: Craig Hunt