RE: Sendmail access restrictions
Here some straightforward methods for sendmail: You want to restrict to some IP's? local-host-names: 10.0.0 192.168 127.1.2.3 ... (You don't need sendmailconfig here!) Or to authenticated users? http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html Christian -Original Message- From: Stephen Gran [mailto:[EMAIL PROTECTED] Behalf Of Stephen Gran Sent: Thursday, March 25, 2004 2:23 AM To: [EMAIL PROTECTED] Subject: Re: Sendmail access restrictions ... Ah, I see the problem - it's not _relaying_ alone I want to reject (we've got the auth part straightened out already, and we're not an open relay). What I want to do is not accept mail unless it comes from one of a few IP's, or is authenticated. Say the domain is foo.com, and this servers hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Sendmail access restrictions
This one time, at band camp, Christian Storch said: Here some straightforward methods for sendmail: You want to restrict to some IP's? local-host-names: 10.0.0 192.168 127.1.2.3 Sure, but this doesn't stop incoming mail addressed to this hostname, but coming from some random place, from being accepted. Or to authenticated users? http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html Already taken care of. Maybe this will make it more clear: /-frontend1\ internet---mail.foo.com \-frontend2/ [...] This is the normal flow of mail. The only other mail that should ever be accepted by mail.foo.com is mail coming from roaming users, who use auth+ssl on their connections. The mail is already flowing from frontend 12, and the auth part is set up for the users. The problem we are having is that mail is still arriving at mail.foo.com from other sites (presumably all spam), and we would like it to be rejected by sendmail. We can't close the port, due to roaming users. Local users also use webmail, so sent mail should reflect the real host name of the machine. I can't think this would be that unusual of a set up, but it doesn't seem to be as easy to do as I would think. If it's possible to force sendmail to only accept smtp auth as a hack, I would be willing to do that, although it seems that it should be possible without. I have tried the bat book, sendmail.org, etc. but I don't see what I am looking for anywhere. Thanks all, -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgp0.pgp Description: PGP signature
Re: Sendmail access restrictions
This one time, at band camp, Jon Hoffman said: I don't have a spare machine to test right now but I have seen a similar setup before, so I'll take a stab from memory. If this works post it to the list, I don't like posting un-tested configs. You might want to start by making sure you don't have anything in relay-domains, and start with a fresh access map. In access, add back your: 127.0.0.1 OK frontend1 OK frontend2 OK To:@foo.mail.com REJECT Now *that* looks about right. I am getting a spare box next week or so - I will post back with the test results. Thanks a lot. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgp0.pgp Description: PGP signature
RE: Sendmail access restrictions
Here some straightforward methods for sendmail: You want to restrict to some IP's? local-host-names: 10.0.0 192.168 127.1.2.3 ... (You don't need sendmailconfig here!) Or to authenticated users? http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html Christian -Original Message- From: Stephen Gran [mailto:[EMAIL PROTECTED] Behalf Of Stephen Gran Sent: Thursday, March 25, 2004 2:23 AM To: debian-isp@lists.debian.org Subject: Re: Sendmail access restrictions ... Ah, I see the problem - it's not _relaying_ alone I want to reject (we've got the auth part straightened out already, and we're not an open relay). What I want to do is not accept mail unless it comes from one of a few IP's, or is authenticated. Say the domain is foo.com, and this servers hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | -
Re: Sendmail access restrictions
This one time, at band camp, Christian Storch said: Here some straightforward methods for sendmail: You want to restrict to some IP's? local-host-names: 10.0.0 192.168 127.1.2.3 Sure, but this doesn't stop incoming mail addressed to this hostname, but coming from some random place, from being accepted. Or to authenticated users? http://lists.debian.org/debian-isp/2004/debian-isp-200402/msg00267.html Already taken care of. Maybe this will make it more clear: /-frontend1\ internet---mail.foo.com \-frontend2/ [...] This is the normal flow of mail. The only other mail that should ever be accepted by mail.foo.com is mail coming from roaming users, who use auth+ssl on their connections. The mail is already flowing from frontend 12, and the auth part is set up for the users. The problem we are having is that mail is still arriving at mail.foo.com from other sites (presumably all spam), and we would like it to be rejected by sendmail. We can't close the port, due to roaming users. Local users also use webmail, so sent mail should reflect the real host name of the machine. I can't think this would be that unusual of a set up, but it doesn't seem to be as easy to do as I would think. If it's possible to force sendmail to only accept smtp auth as a hack, I would be willing to do that, although it seems that it should be possible without. I have tried the bat book, sendmail.org, etc. but I don't see what I am looking for anywhere. Thanks all, -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgpeWH67QZDJt.pgp Description: PGP signature
Re: Sendmail access restrictions
This one time, at band camp, Jon Hoffman said: I don't have a spare machine to test right now but I have seen a similar setup before, so I'll take a stab from memory. If this works post it to the list, I don't like posting un-tested configs. You might want to start by making sure you don't have anything in relay-domains, and start with a fresh access map. In access, add back your: 127.0.0.1 OK frontend1 OK frontend2 OK To:@foo.mail.com REJECT Now *that* looks about right. I am getting a spare box next week or so - I will post back with the test results. Thanks a lot. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgpuR4bQ3ympj.pgp Description: PGP signature
Re: Sendmail access restrictions
Stephen Gran wrote: I think I'm being dense, but I can't figure out how to do something like the following in /etc/mail/access: xxx.xxx.xxx.xxx: OK # front-end machine 1 xxx.xxx.xxx.xxy: OK # front-end machine 2 OK. You'll want to add localhost and 127.0.0.1: localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY otherwise locally-generated mail will fail. Unless you've got a good reason NOT to trust localhost, any sendmail access map should include these or similar lines- the last one is probably all that's required. AUTH: OK *: REJECT But these aren't really valid. By default (at least with recent versions of sendmail), relaying is denied UNLESS you have told sendmail otherwise. To allow SMTP-AUTH users to relay mail, add the following to your sendmail.mc: TRUST_AUTH_MECH(`LOGIN PLAIN')dnl You may want to trust additional mechanisms (CRAM-MD5, DIGEST-MD5, there may be others). You'll *probably* also want TLS support, so that roaming users relaying through your server don't send password-ish information in the clear. If you go this route, you can also issue certificates to individual users and include that information in the access map. I set this up on my personal server, but not the ISP servers I admin. User information is too scattered to practically implement SMTP AUTH right now. :/ The complete set of changes for allowing SMTP AUTH to relay is in the sendmail.mc file. Mine includes the following: dnl --- STARTTLS/SMTP-AUTH options --- TRUST_AUTH_MECH(`LOGIN PLAIN')dnl define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl define(`confAUTH_OPTIONS', `A,p')dnl define(`confCACERT_PATH', `/etc/mail/certs')dnl define(`confCACERT', `/etc/mail/certs/ca-deepnet.crt')dnl define(`confSERVER_CERT', `/etc/mail/certs/smtp.deepnet.crt')dnl define(`confSERVER_KEY', `/etc/mail/certs/rock.key.insecure')dnl This specifies, in respecitve order: - Trust LOGIN or PLAIN SMTP AUTH mechanisms for relay - Allow LOGIN and PLAIN authentication - Only allow easily-sniffed/bypassed/cracked AUTH mechanisms after successful STARTTLS or similar security layer - Where to find server/client certs - What to use as the CA cert - What to use as the TLS cert for this host - Which key to use for the TLS cert Unfortunately I seem to have lost the original reference I used to put this together, and that system is still running RedHat 7.3. :( Checking for Debian shows there are useful sections in /usr/share/doc/cf.README (from sendmail-doc). http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml should be useful in getting TLS going. If you're going to be doing much sendmail adinistration, you should probably pick up a copy of the current (3rd) edition of the Bat Book. Many references assume that you're installing sendmail from source; you should just be able to skip the first few steps relating to compile options as most packaged sendmail installs include at least *potential* support for all of its options. -kgd -- Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken. - Unknown -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Sendmail access restrictions
This one time, at band camp, Kris Deugau said: Stephen Gran wrote: I think I'm being dense, but I can't figure out how to do something like the following in /etc/mail/access: xxx.xxx.xxx.xxx: OK # front-end machine 1 xxx.xxx.xxx.xxy: OK # front-end machine 2 OK. You'll want to add localhost and 127.0.0.1: localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY That is quite helpful, thanks. otherwise locally-generated mail will fail. Unless you've got a good reason NOT to trust localhost, any sendmail access map should include these or similar lines- the last one is probably all that's required. AUTH: OK *: REJECT But these aren't really valid. I understand - they were rough logic for what I want, not actual lines - I said I couldn't figure it out :) By default (at least with recent versions of sendmail), relaying is denied UNLESS you have told sendmail otherwise. Ah, I see the problem - it's not _relaying_ alone I want to reject (we've got the auth part straightened out already, and we're not an open relay). What I want to do is not accept mail unless it comes from one of a few IP's, or is authenticated. Say the domain is foo.com, and this servers hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgp0.pgp Description: PGP signature
Re: Sendmail access restrictions
Stephen Gran said: relay). What I want to do is not accept mail unless it comes from one of a few IP's, or is authenticated. Say the domain is foo.com, and this servers hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users. This is trivial to do with mimedefang-sendmail. I do it already. You can also verify that all mail sent from your domain actually is from a user that exists in your domain. and mimedefang can use clam too! -- --Luke CS Sysadmin, Montana State University-Bozeman -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Sendmail access restrictions
Stephen Gran wrote: I think I'm being dense, but I can't figure out how to do something like the following in /etc/mail/access: xxx.xxx.xxx.xxx: OK # front-end machine 1 xxx.xxx.xxx.xxy: OK # front-end machine 2 OK. You'll want to add localhost and 127.0.0.1: localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY otherwise locally-generated mail will fail. Unless you've got a good reason NOT to trust localhost, any sendmail access map should include these or similar lines- the last one is probably all that's required. AUTH: OK *: REJECT But these aren't really valid. By default (at least with recent versions of sendmail), relaying is denied UNLESS you have told sendmail otherwise. To allow SMTP-AUTH users to relay mail, add the following to your sendmail.mc: TRUST_AUTH_MECH(`LOGIN PLAIN')dnl You may want to trust additional mechanisms (CRAM-MD5, DIGEST-MD5, there may be others). You'll *probably* also want TLS support, so that roaming users relaying through your server don't send password-ish information in the clear. If you go this route, you can also issue certificates to individual users and include that information in the access map. I set this up on my personal server, but not the ISP servers I admin. User information is too scattered to practically implement SMTP AUTH right now. :/ The complete set of changes for allowing SMTP AUTH to relay is in the sendmail.mc file. Mine includes the following: dnl --- STARTTLS/SMTP-AUTH options --- TRUST_AUTH_MECH(`LOGIN PLAIN')dnl define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl define(`confAUTH_OPTIONS', `A,p')dnl define(`confCACERT_PATH', `/etc/mail/certs')dnl define(`confCACERT', `/etc/mail/certs/ca-deepnet.crt')dnl define(`confSERVER_CERT', `/etc/mail/certs/smtp.deepnet.crt')dnl define(`confSERVER_KEY', `/etc/mail/certs/rock.key.insecure')dnl This specifies, in respecitve order: - Trust LOGIN or PLAIN SMTP AUTH mechanisms for relay - Allow LOGIN and PLAIN authentication - Only allow easily-sniffed/bypassed/cracked AUTH mechanisms after successful STARTTLS or similar security layer - Where to find server/client certs - What to use as the CA cert - What to use as the TLS cert for this host - Which key to use for the TLS cert Unfortunately I seem to have lost the original reference I used to put this together, and that system is still running RedHat 7.3. :( Checking for Debian shows there are useful sections in /usr/share/doc/cf.README (from sendmail-doc). http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml should be useful in getting TLS going. If you're going to be doing much sendmail adinistration, you should probably pick up a copy of the current (3rd) edition of the Bat Book. Many references assume that you're installing sendmail from source; you should just be able to skip the first few steps relating to compile options as most packaged sendmail installs include at least *potential* support for all of its options. -kgd -- Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken. - Unknown
Re: Sendmail access restrictions
This one time, at band camp, Kris Deugau said: Stephen Gran wrote: I think I'm being dense, but I can't figure out how to do something like the following in /etc/mail/access: xxx.xxx.xxx.xxx: OK # front-end machine 1 xxx.xxx.xxx.xxy: OK # front-end machine 2 OK. You'll want to add localhost and 127.0.0.1: localhost.localdomain RELAY localhost RELAY 127.0.0.1 RELAY That is quite helpful, thanks. otherwise locally-generated mail will fail. Unless you've got a good reason NOT to trust localhost, any sendmail access map should include these or similar lines- the last one is probably all that's required. AUTH: OK *: REJECT But these aren't really valid. I understand - they were rough logic for what I want, not actual lines - I said I couldn't figure it out :) By default (at least with recent versions of sendmail), relaying is denied UNLESS you have told sendmail otherwise. Ah, I see the problem - it's not _relaying_ alone I want to reject (we've got the auth part straightened out already, and we're not an open relay). What I want to do is not accept mail unless it comes from one of a few IP's, or is authenticated. Say the domain is foo.com, and this servers hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users. -- - | ,''`.Stephen Gran | | : :' :[EMAIL PROTECTED] | | `. `'Debian user, admin, and developer | |`- http://www.debian.org | - pgpFWaU2XcquE.pgp Description: PGP signature
Re: Sendmail access restrictions
Stephen Gran said: relay). What I want to do is not accept mail unless it comes from one of a few IP's, or is authenticated. Say the domain is foo.com, and this servers hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for [EMAIL PROTECTED] is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users. This is trivial to do with mimedefang-sendmail. I do it already. You can also verify that all mail sent from your domain actually is from a user that exists in your domain. and mimedefang can use clam too! -- --Luke CS Sysadmin, Montana State University-Bozeman
