[Techtalk] Sendmail selective relaying solution

Didar Hussain didar at mailandnews.com
Sat Jun 8 15:45:07 EST 2002


Hi everybody,

Thank you to all those who tried to help me solve my problem.
Let me help you recollect the problem. I wanted "selective" relaying
through Sendmail. 

The need was that all users could send mail to other users in the
organisation i.e., say user1 at ourdomain.com can send to user2 at ourdomain.com.
But, barring a few allowed users, they cannot send mail to addresses
outside (Net addresses). Everyone can receive mail from anywhere, though.

The following solution is what I came up with. These lines go at the end
of /etc/mail/sendmail.mc after all the normal definitions. It has been
tested on Sendmail Version 8.9.3. I hope the comments are helpful. 


LOCAL_CONFIG
# Declare a CLASS {LetRelay} containing the users that
# are allowed to relay to recipients on the Net
# The usernames *only* are entered in the file 
# "/etc/mail/relayble" - one per line

F{LetRelay}/etc/mail/relayble



LOCAL_RULESETS
# This ruleset checks the recipient address

SLocal_check_rcpt
# This ruleset receives the address in the SMTP RCPT TO command
# First off, parse the address by sending it to ruleset 3

R$*				$: $>3 $1

# If the address is to anyone in "ourdomain.com", then allow it 
# through and don't do further checking

R$+ < @ ourdomain.com . >		$@ OK

# If it is not, then we check the sender address
# We replace the LHS with the sender (MAIL FROM) address stored in the
# "$&f" MACRO and send it to ruleset 3 for parsing

R$+ < @ $+ >			$: $>3 $&f

# If the sender is in CLASS {LetRelay}, then he is allowed to relay

R$={LetRelay} < @ ourdomain.com . >	$@ OK

# If he is not in the class, then he gets an error

R$*				$#error $@ UNAVAILABLE $: Relaying denied

# END of ruleset Local_check_rcpt


Of course, this is the lazy way to do things and it is also utterly
*useless*! Anybody can fake the sender address and get relaying
privileges. The real way to solve this problem is to use SMTP AUTH
or STARTTLS for authorised relaying. I couldn't do it because the
concerned person (read: Suit) didn't want "hassles" for the users!


Didar
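The decision logic of the posted Local_check_rcpt ruleset, and the weakness the post points out, can be modelled outside sendmail. The following Python is an added example, not part of the original post and not sendmail's own code: it reimplements the rule order above (allow any recipient in ourdomain.com, otherwise allow only if the MAIL FROM sender is a LetRelay member in ourdomain.com, otherwise deny) and, going one step beyond the posted rules, shows how the same check behaves when the relay decision is keyed off an authenticated SMTP AUTH identity instead of the unauthenticated envelope sender. The class contents, the address parser (a rough stand-in for ruleset 3) and the auth_user parameter are all assumptions made for the example.

```python
import re

# Domain hard-coded in the posted rules ("ourdomain.com .")
LOCAL_DOMAIN = "ourdomain.com"

# Constructed stand-in for the contents of /etc/mail/relayble:
# usernames only, one per line (assumption, not the real file).
RELAYBLE_TEXT = "alice\nbob\n"


def load_let_relay(text):
    """Build the {LetRelay} class from file text, one username per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


# Very rough model of what ruleset 3 yields: "user < @ domain . >".
# Accepts optional angle brackets and an optional trailing dot on the domain.
_ADDR_RE = re.compile(r"^<?([^<>@\s]+)@([^<>@\s]+?)\.?>?$")


def canonicalize(addr):
    """Return (localpart, domain) with the domain lowercased, or None if the
    address has no '@' part (the posted ruleset then falls through to the
    final R$* rule and denies)."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        return None
    return m.group(1), m.group(2).lower()


def local_check_rcpt(rcpt, mail_from, let_relay, auth_user=None):
    """Model of the posted Local_check_rcpt ruleset.

    Returns "OK" or "Relaying denied".  With auth_user=None the relay
    decision trusts MAIL FROM exactly as the posted rules do.  If auth_user
    is given (an assumed SMTP AUTH login name), membership in {LetRelay} is
    checked against that identity instead, which is the fix the post
    recommends and which a forged MAIL FROM cannot influence."""
    parsed = canonicalize(rcpt)
    if parsed is None:
        return "Relaying denied"          # final R$* rule
    _, rcpt_domain = parsed
    if rcpt_domain == LOCAL_DOMAIN:
        return "OK"                       # R$+ < @ ourdomain.com . >  $@ OK

    if auth_user is not None:
        # Hardened variant: key off the authenticated identity.
        return "OK" if auth_user in let_relay else "Relaying denied"

    # Posted behaviour: R$+ < @ $+ >  $: $>3 $&f, then class lookup.
    sender = canonicalize(mail_from)
    if sender and sender[1] == LOCAL_DOMAIN and sender[0] in let_relay:
        return "OK"                       # R$={LetRelay} < @ ourdomain.com . >
    return "Relaying denied"              # $#error $@ UNAVAILABLE ...


def demo():
    """Walk through the cases the post describes, including the spoofed one."""
    lr = load_let_relay(RELAYBLE_TEXT)
    cases = [
        # (RCPT TO, MAIL FROM, auth_user, description)
        ("user2@ourdomain.com", "user1@ourdomain.com", None, "internal mail"),
        ("friend@example.net", "carol@ourdomain.com", None, "carol, not in class"),
        ("friend@example.net", "alice@ourdomain.com", None, "alice, in class"),
        # carol forges alice's address as MAIL FROM: the posted rules accept it
        ("friend@example.net", "alice@ourdomain.com", "carol", "forged sender, AUTH as carol"),
    ]
    results = []
    for rcpt, sender, auth, desc in cases:
        verdict = local_check_rcpt(rcpt, sender, lr, auth_user=auth)
        print(f"{desc:32s} -> {verdict}")
        results.append(verdict)
    return results


if __name__ == "__main__":
    demo()
```

The third and fourth cases carry the same MAIL FROM; only the presence of an authenticated identity changes the verdict, which is exactly why the post calls the MAIL FROM check useless on its own.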


