These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX02/Sendmail Gotchas


Before we break today, we should look at some "gotchas" to be aware of with respect to Sendmail.

Relaying

Many older versions of Sendmail come with open relaying enabled by default. However, if you are using any reasonably modern Linux or BSD (from within the last four years or so), Sendmail will have open relaying disabled by default.

Because there may be a number of times when relaying is needed in a limited or controlled way, Sendmail has had several relaying features added. The access database is perhaps the safest way to enable controlled relaying, and it is covered on page 592 of the book. However, some quick methods that may be fraught with problems follow:

 FEATURE(`relay_entire_domain')
 RELAY_DOMAIN(`domain1, domain2, ...')
 RELAY_DOMAIN_FILE(`filename')
 FEATURE(`relay_hosts_only')

These allow relaying across your local domain, a list of domains, a file containing a list of domains, or a list contained in the access database respectively. You will need to make an exception if you use SMART_HOST or MAIL_HUB designations to route mail through. The server which relays will have to have the FEATURE(`relay_entire_domain') enabled.

 FEATURE(`promiscuous_relay')
 FEATURE(`relay_based_on_MX')
 FEATURE(`loose_relay_check')
 FEATURE(`relay_local_from')

These features are all fraught with problems. promiscuous_relay will turn your server into an open relay. Do not use it. relay_based_on_MX can be problematic because you do not control which sites point their MX at you, so forgeries can be quite simple. loose_relay_check will solve many configuration headaches elsewhere, but allows the "% hack" form of addressing, which spammers abuse (see page 518). relay_local_from trusts the From address associated with the message, which can be very easily forged (in fact, on many misconfigured servers, this is the #1 source of spam).

Local Delivery Only

Occasionally, you will encounter a system which, by default, only allows local mail to be delivered locally. This means users on the system can send mail to other users on the system, and to the outside world, but external mail is rejected.

If you find a system which is behaving this way, the following entry is the likely culprit in your sendmail.mc file:

 DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Header Checking

Spammers often try to hide their identities. Since Sendmail 8.9, if the From address is not of the form user@valid.domain, mail is rejected. This behaviour can be waived by the following features:

 FEATURE(`accept_unresolvable_domains')
 FEATURE(`accept_unqualified_senders')

The first allows mail from domains that do not exist or do not resolve. The second allows From addresses that contain only a user name with no host or domain portion.

You will probably never want to use the first, but there are some buggy e-mail clients out there which may require you to use the second. You will have to determine for yourself if you need it.
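
The gotchas above can be checked mechanically. The following is an added example, not part of the original notes: a small Python audit that scans sendmail.mc text for the relay and header-check features warned about here and for a loopback-only MTA listener, skipping anything disabled with dnl. The function names and the sample file contents are constructed for illustration.

```python
import re

# FEATURE names this page warns about, with the reason given in the text.
RISKY_FEATURES = {
    "promiscuous_relay": "turns the server into an open relay",
    "relay_based_on_MX": "anyone can point an MX record at this host",
    "loose_relay_check": "allows the % hack form of addressing",
    "relay_local_from": "trusts the easily forged From address",
    "accept_unresolvable_domains": "accepts senders in domains that do not resolve",
}
FEATURE_RE = re.compile(r"FEATURE\(\s*[`']?(\w+)")
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(\s*[`']?([^')]*)")

def active_part(line):
    """Drop everything from the first m4 dnl (delete to newline) onward."""
    return re.split(r"\bdnl\b", line, maxsplit=1)[0]

def audit_mc(text):
    """Return (line_number, item, reason) for each risky active setting."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = active_part(raw)
        for name in FEATURE_RE.findall(line):
            if name in RISKY_FEATURES:
                findings.append((lineno, name, RISKY_FEATURES[name]))
        for opts in DAEMON_RE.findall(line):
            pairs = (f.strip().split("=", 1) for f in opts.split(",") if "=" in f)
            fields = dict(pairs)
            # A loopback-only MTA listener cannot receive external mail.
            if fields.get("Addr", "").startswith("127.") and fields.get("Name", "MTA") == "MTA":
                findings.append((lineno, "DAEMON_OPTIONS", "MTA bound to loopback only"))
    return findings

# Constructed sample sendmail.mc fragment (not from a real system).
SAMPLE_MC = """\
dnl FEATURE(`promiscuous_relay')dnl
FEATURE(`access_db')dnl
FEATURE(`relay_local_from')dnl
FEATURE(`accept_unresolvable_domains')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
"""

if __name__ == "__main__":
    for lineno, item, reason in audit_mc(SAMPLE_MC):
        print(f"line {lineno}: {item}: {reason}")
```

The first sample line is not reported because the leading dnl comments it out, which is the usual way distributions ship disabled options in sendmail.mc.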



Last edited August 30, 2003 3:43 am
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.