[Techtalk] Allow all relays through sendmail

Brian Sweeney bsweeney at physics.ucsb.edu
Tue Nov 20 10:06:20 EST 2001

I will add myself to the long list of people saying... DON'T OPEN RELAY.
Not ONLY are you allowing your own system to be abused, you're giving
spammers a way to get to other people.  To me, running an open relay is
pretty irresponsible without a REALLY good reason.  And I've yet to hear
one ;-).

> My usual solution in a case like this would be to set up POP-before-SMTP 
> relaying: when a user successfully authenticates via POP, their IP 
> address is added to /etc/mail/access, and makemap is run to re-compile 
> /etc/mail/access.db. The IP is retained for N minutes, where the usual 
> value for N is 15.

That's what I used to do as well. However, several people I work with 
have had lots of success with SMTP AUTH.  It's incorporated into a lot 
of mail clients nowadays (Pine, Netscape/Mozilla, Outlook/Outlook 
Express).  There's a list of clients on sendmail's site that support it 
currently, along with what encryption they support.

An excerpt from Sendmail's site:

	SMTP AUTH allows relaying for senders who have successfully
	authenticated themselves. Per default, relaying is allowed
	for any user who authenticated via a trusted mechanism, i.e.,
	one that is defined via TRUST_AUTH_MECH(`list of mechanisms').
	This is useful for roaming users and can replace
	POP-before-SMTP hacks if the MUA supports SMTP AUTH.

The list of clients supported is at 

Like I said, I know of a few people that have this running successfully, 
and it's what I'm planning to implement over the next few months.  Right 
now, I've got a secure http server serving a web-based interface to my 
mailserver, which authenticates and then allows people to send or 
receive mail.  Of course, this restricts users to a web-based mail 
client, but hey, it works for now =).

Hope you get it working!
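
An added example, not part of the original post and not taken from sendmail.org: a sendmail.mc fragment that sets the open-relay feature the thread warns against beside the SMTP AUTH settings the excerpt describes. It assumes a sendmail binary built with SASL support and a release that accepts the AuthOptions flags shown; the mechanism list is an illustrative choice.

```m4
dnl Added example (not from the post). Assumes sendmail was compiled with SASL.

dnl WEAK: this makes the host relay for anyone, authenticated or not.
dnl It is left commented out on purpose and should stay that way.
dnl FEATURE(`promiscuous_relay')dnl

dnl Mechanisms the server advertises on the AUTH line of its EHLO reply.
dnl (Illustrative list; trim it to what your clients actually use.)
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl Mechanisms that are trusted for relaying: a sender who authenticates
dnl with one of these may relay; everyone else is still refused.
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl AuthOptions flags (assumed to be supported by the installed release):
dnl   p  refuse plaintext mechanisms (PLAIN, LOGIN) unless a security layer
dnl      such as STARTTLS is active
dnl   y  refuse mechanisms that allow anonymous login
define(`confAUTH_OPTIONS', `p y')dnl
```

After rebuilding sendmail.cf from the .mc file and restarting the daemon, the EHLO reply should carry an AUTH line, and an unauthenticated attempt to relay to an outside domain should still be rejected.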


