Another sendmail relaying problem

Cowles, Steve steve at stevecowles.com
Mon Jun 28 14:11:20 UTC 2004


Sorry about that, I think mailman is truncating my reply when it hits a line
with a single period. Let's see if this works....


Franco wrote:
> Hi, in the /etc/mail/access I have nothing
> this is all relay blocked.
> But if someone sends an e-mail to a local user and
> in his from address puts another local user's e-mail it
> relays without problem.
> 

Based on my understanding of your post, the behavior you describe does NOT
sound like your system is an "open relay". It's just accepting e-mail from
an external source where the "from:" address is being forged to appear like
it's coming from someone in your domain space and delivering to a local user.
Although this can be annoying, think of the case where one of your 20 local
users wants to send an e-mail to another local user. You want sendmail to
accept and deliver e-mail addressed in this way.

Whether or not sendmail can be configured to block e-mail addressed in this
form, from "just" external users?... I don't know. In postfix, I block
external users from addressing e-mail in this form (at least the MAIL FROM
part, not the header from) by first testing if the e-mail was submitted from
someone in my local network. If so, ACCEPT and deliver it. If the e-mail was
submitted from an external source -and- the from address (mail from) is set
to someone in my domain, then reject. By testing in this precise order,
local users can still send e-mail to other local users, but external ones
cannot. Again, I'm only testing the "MAIL FROM", not the header from. i.e.

C:\> telnet mail.mydomain.com 25

220 mail.mydomain.com ESMTP Postfix (2.1.1)
helo external.otherdomain.com
250 mail.mydomain.com
mail from: <scowles at mydomain.com>
250 Ok
rcpt to: <scowles at mydomain.com>
554 <scowles at mydomain.com>: Sender address rejected: You are NOT from
mydomain.com
DATA
554 Error: no valid recipients
quit
221 Bye
Connection to host lost.

NOTE: The above test generates a 554 (do not pass go, do not collect $200.00
so to speak) and does NOT generate a bounce. Nice! Also, this test is done
prior to the Data portion of the e-mail being read.

But if an e-mail is submitted from a system on my local network...

C:\> telnet mail.mydomain.com 25

220 mail.mydomain.com ESMTP Postfix (2.1.1)
helo enterprise.mydomain.com
250 mail.mydomain.com
mail from: <scowles at mydomain.com>
250 Ok
rcpt to: <scowles at mydomain.com>
250 Ok                           <----- From/To accepted
DATA
354 End data with <CR><LF>.<CR><LF>
From: Steve Cowles <scowles at mydomain.com>
To: Steve Cowles <scowles at mydomain.com>
Subject: This is a test. Please ignore!
            <----- Delimiter between message header/body.
This is line one of the e-mail body.

period.   <---- added period
250 Ok: queued as B177939B7
quit
221 Bye
Connection to host lost.

Postfix can also test the "header from" (or even the body) for the same
scenario and reject without generating a bounce, but see my disclaimer
below. i.e.

C:\> telnet mail.mydomain.com 25

220 mail.mydomain.com ESMTP Postfix (2.1.1)
helo external.otherdomain.com
250 mail.mydomain.com
mail from: <spammer at forged.com>
250 Ok
rcpt to: <scowles at mydomain.com>
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: Steve Cowles <scowles at mydomain.com>
To: Steve Cowles <scowles at mydomain.com>
Subject: This is a test.

This is line one of the e-mail body.

period.     <---- added period
550 Error: Forged sender address in From: message header:
scowles at mydomain.com
quit
221 Bye
Connection to host lost.

DISCLAIMER: By implementing the above header checks, you introduce a whole
new set of problems. Think of the case where you are subscribed to the
fedora list. The mailman program is going to set the "Header from:" address
to be from your address (as it should) if you submit a post. Not good! You
can probably get around this by whitelisting all connections from mailman
MTAs you subscribe to "first" in your header checks, but this would be an
administration nightmare. I only use this header check feature of postfix to
block disabled accounts or spamtrap addresses I set years ago that I no
longer use. The spammers that are smart enough to forge the header from
address (versus the MAIL FROM) still get through, but spamassassin usually
catches these.

Back to your post (sorry!) If sendmail can be configured to test/reject
e-mails that are addressed where the "mail from" address is set to someone
in your domain, it's probably going to be done by editing your
/etc/mail/access file or defining your own ruleset. Sorry, I can't help you
there.

Steve Cowles
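
Added example, not part of the original post and not Postfix's own code: a small Python model of the first-match ordering the message describes for the envelope sender (MAIL FROM) test, showing why the local-network check has to come before the reject of local sender addresses. The network ranges, function names and sample addresses are constructed assumptions; mydomain.com is the placeholder domain used in the post.

```python
import ipaddress

# Constructed values for illustration only.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"mydomain.com"}

def sender_domain(mail_from):
    """Domain of an envelope sender; '' for the null sender <> used by bounces."""
    addr = mail_from.strip().strip("<>").strip()
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def permit_local_clients(client_ip, mail_from):
    """Accept anything submitted from the local network."""
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None

def reject_local_sender(client_ip, mail_from):
    """Reject an envelope sender that claims to be in a local domain."""
    dom = sender_domain(mail_from)
    if dom in LOCAL_DOMAINS:
        return "554 Sender address rejected: You are NOT from " + dom
    return None

def evaluate(restrictions, client_ip, mail_from):
    """The first restriction that returns a verdict wins; no verdict means accept."""
    for check in restrictions:
        verdict = check(client_ip, mail_from)
        if verdict is not None:
            return verdict
    return "OK"

POST_ORDER = [permit_local_clients, reject_local_sender]  # order described in the post
REVERSED = [reject_local_sender, permit_local_clients]    # swapped: local users get rejected

def demo():
    cases = [
        ("198.51.100.7", "<scowles@mydomain.com>"),     # external client, forged local sender
        ("192.0.2.10", "<scowles@mydomain.com>"),       # local client, local sender
        ("198.51.100.7", "<someone@otherdomain.com>"),  # external client, external sender
        ("198.51.100.7", "<>"),                         # bounce with null sender
    ]
    return [(ip, frm, evaluate(POST_ORDER, ip, frm), evaluate(REVERSED, ip, frm))
            for ip, frm in cases]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The model covers only the envelope sender; the From: header test discussed in the message is a separate check on the message data and is not modelled here.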




