List: novalug
Subject: Re: [novalug] Sendmail - Allow mail to originate only from localhost
From: Richard Rognlie <rrognlie () gamerz ! net>
Date: 2004-06-28 9:08:14
Message-ID: 20040628090814.GN2638 () gamerz ! net
On Sun, Jun 27, 2004 at 08:48:55AM -0400, Miles D. Oliver wrote:
>
> Either I'm missing something or I've not formulated my google searches
> correctly.
>
> I currently run a mailserver with multiple virtual domains. With the
> virtual domains only 1 of them needs to allow mail relaying from a
> different site, a friend on a different network relays mail for his
> domain from his mail client off this server.
>
> All the other domains originate mail from the server itself only
> (localhost). I use Squirrelmail or pine for the domains or mail is
> generated from web pages.
>
> One of the domains on this server is mmoliver.org I'll use it for the
> example I'm trying to find a solution for.
>
> With my current mail setup you can connect to my server at port 25, and
> use the MAIL FROM: tag from another host, using a valid name on my
> server, coming from a site other than localhost and you can generate
> mail.
You can do this with custom rules pretty easily.
> In the below example, I can connect from another server (192.168.11.195)
> to my mailserver (192.168.11.71), and claim to be a user on my server
> (miles@mmoliver.org) and generate a mail message.
>
> moliver@web ~]$ telnet 192.168.11.71 25
> Trying 192.168.11.71...
> Connected to 192.168.11.71.
> Escape character is '^]'.
> 220 linux.lgi.com ESMTP Sendmail 8.12.11/8.12.11; Sun, 27 Jun 2004
> 08:25:14 -0400
> helo lgi.com
> 250 linux.lgi.com Hello [192.168.11.195], pleased to meet you
> mail from:miles@mmoliver.org
> 250 2.1.0 miles@mmoliver.org... Sender ok
> rcpt to:moliver@linux.lgi.com
> 250 2.1.5 moliver@linux.lgi.com... Recipient ok
>
> You can claim to be the user miles@mmoliver.org, coming from
> 192.168.11.195 and pass mail. In my view you should not be able to do
> this.
>
> What I want to be able to do is to STOP the above type of message
> generation if the user is valid and the connection is made from a place
> OTHER than localhost.
>
> Like the below example.
>
> moliver@web ~]$ telnet 192.168.11.71 25
> Trying 192.168.11.71...
> Connected to 192.168.11.71.
> Escape character is '^]'.
> 220 linux.lgi.com ESMTP Sendmail 8.12.11/8.12.11; Sun, 27 Jun 2004
> 08:25:14 -0400
> helo lgi.com
> 250 linux.lgi.com Hello [192.168.11.195], pleased to meet you
> mail from:miles@mmoliver.org
> 250 2.1.0 miles@mmoliver.org... ADDRESS NOT FROM LOCALHOST - REJECTED
>
> All mail from the mmoliver.org domain that does not ORIGINATE from
> localhost is rejected.
>
> There has got to be a way to do this. I haven't been able to find a way to
> so far. It has been a problem for me for a long time and I need to find a
> way to get this fixed. I don't like that you can connect to my server,
> claim to be an address on my server and send mail as me.
>
> Anybody know how I can get around this? I'm using FC2 with the
> sendmail.mc file that comes with the sendmail RPM with my own parameters.
First, let's define a file with the list of "protected" domains (the
ones that can only come from localhost):

LOCAL_CONFIG
# class {protected}: one domain per line, read from this file when sendmail starts
F{protected} /etc/mail/protected-domains

LOCAL_RULESETS
SLocal_check_mail
# NOTE: in every R line the left-hand side and the right-hand side must be
# separated by a TAB character, not spaces, or sendmail will not load the rule.
# 1. keep the original address and append its canonified form
R$*				$: $1 $| $>canonify $1
# 2. sender domain is in the class: also append the address of the connecting client
R$* $| $* < @ $={protected}. > $*	$: $1 $| $2<@$3.>$4 $| $&{client_addr}
# 3. protected domain, connection from the loopback address: accept
R$* $| $* $| 127.0.0.1		$@ $1 ok
# 4. protected domain from any other (or no) client address: reject at MAIL FROM
R$* $| $* $| $*			$#error $@ 5.5.4 $: "550 Address not from LOCALHOST - Rejected"
# 5. everything else is not a protected domain: fall through to the normal checks
R$* $| $*			$@ $1 not a protected domain
--
/ \__ | Richard Rognlie / Sendmail Ninja / Gamerz.NET Lackey
\__/ \ | http://www.gamerz.net/~rrognlie <rrognlie at gamerz.net>
/ \__/ | I didn't say it was your fault,
\__/ | I only said I was going to blame you for it
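The following is an added example, not part of this thread and not sendmail's code or Richard's ruleset: it models in Python the decision the Local_check_mail rules above make (sender domain listed in the protected class and connection not from localhost means reject), so the policy can be exercised against the two telnet sessions in the question without a running sendmail. The protected-domains file contents, addresses and client IPs are constructed for the demonstration, and the function names (load_protected, sender_domain, is_localhost, check_mail) are this example's own. It goes slightly beyond the rule as written by treating the IPv6 loopback ::1 as local too.

```python
"""Model of the Local_check_mail policy from the reply above (added example)."""
import ipaddress
import re

# Constructed stand-in for /etc/mail/protected-domains: one domain per line,
# blank lines and '#' comments ignored.
PROTECTED_DOMAINS_FILE = """\
# domains whose senders may only originate from localhost
mmoliver.org
example.test
"""

REJECT_TEXT = "550 Address not from LOCALHOST - Rejected"


def load_protected(text: str) -> frozenset:
    """Parse the class file into a set of lowercase domain names (the F{protected} class)."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(line.lower().rstrip("."))
    return frozenset(domains)


def sender_domain(mail_from: str):
    """Return the domain of a MAIL FROM argument, or None for '<>' or unparsable input.

    Accepts the bare and angle-bracketed forms seen on the wire
    ('miles@mmoliver.org', '<miles@mmoliver.org>'); in sendmail the canonify
    ruleset does the equivalent normalisation before the class lookup.
    """
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":  # null sender used by bounces: never a protected domain
        return None
    m = re.fullmatch(r"[^@<>\s]+@([^@<>\s]+)", addr)
    if not m:
        return None
    return m.group(1).lower().rstrip(".")


def is_localhost(client_addr: str) -> bool:
    """True for loopback sources only (127.0.0.1 as in the rule; ::1 added here).

    An empty or malformed client address is NOT local, which matches rule 4:
    its $* pattern also matches an empty {client_addr} and rejects.
    """
    try:
        return ipaddress.ip_address(client_addr).is_loopback
    except ValueError:
        return False


def check_mail(mail_from: str, client_addr: str, protected: frozenset) -> str:
    """Mirror the ruleset's three outcomes: 'ok', 'not a protected domain', or the 550 text."""
    domain = sender_domain(mail_from)
    # Membership is exact, like the $={protected} class match: a subdomain such as
    # sub.mmoliver.org is only protected if it is listed in the file itself.
    if domain is None or domain not in protected:
        return "not a protected domain"
    if is_localhost(client_addr):
        return "ok"
    return REJECT_TEXT


def demo():
    """Run the constructed cases, including both sessions from the question."""
    protected = load_protected(PROTECTED_DOMAINS_FILE)
    cases = [
        ("miles@mmoliver.org", "192.168.11.195"),   # the forged session: rejected
        ("miles@mmoliver.org", "127.0.0.1"),        # Squirrelmail/pine via localhost: ok
        ("<MILES@MMOLIVER.ORG>", "::1"),            # case and brackets do not matter
        ("someone@lgi.com", "192.168.11.195"),      # not protected: normal checks apply
        ("<>", "192.168.11.195"),                   # bounce sender: not protected
        ("miles@sub.mmoliver.org", "192.168.11.195"),  # subdomain not listed
    ]
    return [(mf, ip, check_mail(mf, ip, protected)) for mf, ip in cases]


if __name__ == "__main__":
    for mail_from, ip, verdict in demo():
        print(f"MAIL FROM:{mail_from:<26} client={ip:<16} -> {verdict}")
```

To check the real ruleset rather than this model, sendmail's address test mode can be used: `sendmail -bt`, then `.D{client_addr}192.168.11.195` to set the macro for the session and `Local_check_mail miles@mmoliver.org` to run the ruleset (repeat with 127.0.0.1 and look for the $#error result in the first case only).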
_______________________________________________
novalug mailing list
novalug@tux.org
http://www.tux.org/mailman/listinfo/novalug
for subscribe/unsubscribe see web page