• access database question?

    From Knute Johnson@21:1/5 to All on Sat Jun 3 21:05:18 2023
    I have need to run sendmail on a server computer with two NICs, one is connected to the internet and the other to a LAN. One of the computers
    on the LAN needs to connect and send email to internet locations. I
    seem to have this part working but in my quest to tighten up who could
    relay mail I discovered that the server computer can relay mail even
    with the Connect:localhost RELAY, Connect:127 RELAY and Connect:IPv6:::1
    RELAY commented out. Can the localhost always relay mail? If I wanted
    to prevent that I can change it to REJECT and it does prevent relay. I
    get this message from mail: "cannot send message: Process exited with a non-zero status". I went through the bat book looking but didn't find anything.


    # /etc/mail/access
    # Copyright (c) 1998,2004 Richard Nelson <[email protected]>.
    # Time-stamp: <1998/10/27 10:00:00 cowboy>
    # GPL'd config file, please feed any gripes, suggestions, etc. to me
    #
    # Function:
    # Access Control for this smtp server - determines:
    # * Who we accept mail from
    # * Who we accept relaying from
    # * Who we will not send to
    #
    # Usage:
    # FEATURE(access_db[, type [-o] /etc/mail/access])dnl
    # makemap hash access < access
    #
    # Format:
    # lhs:
    # email addr <user@[host.domain]>
    # domain name unless FEATURE(relay_hosts_only) is used,
    # then this is a fqdn - and relay-domains ($=R)
    # must also be fqdns.
    # network number must end on an octet boundary, or
    # you're stuck going the longwinded way ;-{
    # rhs:
    # OK accept mail even if other rules in the
    # running ruleset would reject it.
    # RELAY Allow domain to relay through your SMTP
    # server. RELAY also serves an implicit
    # OK for the other checks.
    # REJECT reject the sender/recipient with a general
    # purpose message that can be customized.
    # confREJECT_MSG [550 Access denied] will be issued
    # DISCARD discard the message completely using
    # the $#discard mailer.
    # ### any text where ### is an RFC 821 compliant error code
    # and "any text" is a message to return for
    # the command
    # Examples:
    # [email protected] REJECT
    # FREE.STEALTH.MAILER@ 550 Spam not accepted
    #
    # Notes:
    # With FEATURE(blacklist_recipients) this is also possible:
    # badlocaluser 550 Mailbox disabled for this username
    # host.mydomain.com 550 That host does not accept mail
    # [email protected] 550 Mailbox disabled for this recipient
    #
    # Related:
    # define(`confREJECT_MSG', `550 Access denied')dnl
    # define(`confCR_FILE', `-o /etc/mail/relay-domains')dnl <<- $=R
    # FEATURE(relay_hosts_only)dnl
    # FEATURE(relay_entire_domain)dnl <<- relays any host in the $=m class
    # FEATURE(relay_based_on_MX)dnl <<- relaying for boxes MX'd to you
    # FEATURE(blacklist_recipients)dnl
    # FEATURE(rbl[,alternate server])dnl
    # FEATURE(orbs[,alternate server])dnl <<- Debian addition
    # FEATURE(orca[,alternate server])dnl <<- Debian addition
    # FEATURE(accept_unqualified_senders)dnl
    # FEATURE(accept_unresolvable_domains)dnl
    #
    # Local addresses 10.x.x.x, 127.x.x.x, 172.16-31.x.x 192.168.x.x can relay
    # Note Well! You *must* make sure these address can't be spoofed externally
    # Note, outbound relaying is controlled by connection and/or auth
    # If you're not firewalled, and you don't have a lan, comment these out
    # If you're not firewalled, and you have a lan, get firewalled *NOW*
    # GreetPause - delay to check for spammers
    # Client Connection rate (and #) control
    #Connect:localhost RELAY
    #GreetPause:localhost 0
    #ClientRate:localhost 0
    #ClientConn:localhost 0
    #Connect:10 RELAY
    #GreetPause:10 0
    #ClientRate:10 0
    #ClientConn:10 0
    #Connect:127 RELAY
    #GreetPause:127 0
    #ClientRate:127 0
    #ClientConn:127 0
    #Connect:IPv6:::1 RELAY
    #GreetPause:IPv6:::1 0
    #ClientRate:IPv6:::1 0
    #ClientConn:IPv6:::1 0
    #
    #Connect:172.16 RELAY
    #Connect:172.17 RELAY
    #Connect:172.18 RELAY
    #Connect:172.19 RELAY
    #Connect:172.20 RELAY
    #Connect:172.21 RELAY
    #Connect:172.22 RELAY
    #Connect:172.23 RELAY
    #Connect:172.24 RELAY
    #Connect:172.25 RELAY
    #Connect:172.26 RELAY
    #Connect:172.27 RELAY
    #Connect:172.28 RELAY
    #Connect:172.29 RELAY
    #Connect:172.30 RELAY
    #Connect:172.31 RELAY
    #Connect:192.168 RELAY
    #GreetPause:192.168 0
    #ClientRate:192.168 0
    #ClientConn:192.168 0
    # Defaults
    GreetPause: 5000
    ClientRate: 10
    ClientConn: 10
    #
    # Don't offer AUTH on local network
    #SRV_Features:192.168.1 A
    #
    # Hosts with to allow relaying
    #
    #
    # Hosts that validly forward to me
    #GreetPause:<ip> 0
    #ClientRate:<ip> 30
    #ClientConn:<ip> 0
    #
    # Whitelisted users
    #
    Spam:postmaster@ FRIEND
    Spam:abuse@ FRIEND
    Spam:spam@ FRIEND
    #
    # Blacklisted users
    #
    #Connect:rampellsoft.com 554 Email directly, not through didtheyreadit.com
    reject@ REJECT
    #cyberpromo.com REJECT
    #From:[email protected] REJECT
    #
    # Block invalid IPs
    #
    #Connect:0 REJECT whilst invalid, this also blocks sendmail -bs -Am
    Connect:169.254 REJECT
    Connect:192.0.2 REJECT
    Connect:224 REJECT
    Connect:255 REJECT

    Connect:172.0.10.7 RELAY



    --

    Knute Johnson

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to Knute Johnson on Sun Jun 4 02:31:23 2023
    Knute Johnson wrote:

    > Can the localhost always relay mail? If I wanted

    Yes.

    SRelay_ok
    # anything originating locally is ok
    # check IP address
    R$* $: $&{client_addr}
    R$@ $@ RELAY originated locally
    R0 $@ RELAY originated locally
    R127.0.0.1 $@ RELAY originated locally
    RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
    RIPv6:::1 $@ RELAY originated locally
    R$=R $* $@ RELAY relayable IP address

    > to prevent that I can change it to REJECT and it does prevent relay. I

    Why do you want to prevent it?
    "What's the problem you are trying to solve?"

    > get this message from mail: "cannot send message: Process exited with a non-zero status". I went through the bat book looking but didn't find

    Probably an error from the MSP which tries to send via the local
    daemon.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

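    Added example, not from the thread and not sendmail's own code: a small Python model of the order the Relay_ok rules quoted above impose, with an access-map lookup that strips trailing octets the way Connect: entries in the posted access file are matched. The access map and client addresses are constructed; the $=R class and the remaining Relay_ok branches are left out.

```python
from typing import Dict, Optional, Tuple

# ${client_addr} values that the quoted Relay_ok rules accept outright. "" models
# an empty ${client_addr} and "0" the value seen for non-network submission
# (sendmail -bs); neither involves a TCP connection at all.
LOCAL_CLIENT_ADDRS = {"", "0", "127.0.0.1", "IPv6:0:0:0:0:0:0:0:1", "IPv6:::1"}


def access_lookup(access: Dict[str, str], tag: str, addr: str) -> Optional[str]:
    """Search the access map for an IPv4 client address the way sendmail does:
    the full address first, then one trailing octet dropped at a time, so
    Connect:172.16 covers 172.16.5.9 while Connect:172.0.10.7 covers that host
    only. (IPv6 keys are tried as-is; colon-group stripping is not modelled.)"""
    octets = addr.split(".")
    while octets:
        rhs = access.get(f"{tag}:{'.'.join(octets)}")
        if rhs is not None:
            return rhs
        octets.pop()
    return None


def decide(access: Dict[str, str], client_addr: str) -> Tuple[str, str]:
    """Return (stage, verdict) for a connecting client.

    Stage "check_relay" is the connection-time check: a Connect: REJECT, or a
    numeric error such as "554 ...", refuses the client before any mail flows.
    Stage "Relay_ok" follows the quoted rules: local addresses relay before the
    access map is consulted, so a commented-out Connect:127 RELAY changes
    nothing. The $=R class and the other Relay_ok branches are left out."""
    rhs = access_lookup(access, "Connect", client_addr)
    if rhs is not None and (rhs.split()[0] == "REJECT" or rhs[0].isdigit()):
        return ("check_relay", rhs)
    if client_addr in LOCAL_CLIENT_ADDRS:
        return ("Relay_ok", "RELAY originated locally")
    if rhs == "RELAY":
        return ("Relay_ok", "RELAY from access db")
    return ("Relay_ok", "no relay")


# Constructed map mirroring the posted file: the Connect:127 RELAY line is
# commented out (hence absent), the LAN host is allowed, 192.0.2/24 is refused.
ACCESS = {"Connect:192.0.2": "REJECT", "Connect:172.0.10.7": "RELAY"}

if __name__ == "__main__":
    for addr in ("127.0.0.1", "", "172.0.10.7", "172.0.10.8", "192.0.2.44"):
        print(repr(addr), decide(ACCESS, addr))
    # What the original poster tried: Connect:127 REJECT refuses the local MSP at
    # check_relay, which surfaces as "cannot send message" from the mail command.
    print("127.0.0.1", decide({**ACCESS, "Connect:127": "REJECT"}, "127.0.0.1"))
```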
  • From Marco Moock@21:1/5 to All on Sun Jun 4 10:55:46 2023
    On 03.06.2023 at 21:05:18 Knute Johnson wrote:

    > I seem to have this part working but in my quest to tighten up who
    > could relay mail I discovered that the server computer can relay mail
    > even with the Connect:localhost RELAY, Connect:127
    > RELAY and Connect:IPv6:::1 RELAY commented out. Can the localhost
    > always relay mail?

    I don't know why you want to stop this.

    Any software on your machine can send mails to other machines completely independent of sendmail, just use "telnet <hostname> 25" to do it on
    your own. Any SMTP client can do this.

    If you have software on your machine that you don't trust, remove it or restrict it in a protected environment.

    If you fear that somebody might spoof the localhost IP address ranges,
    it is not a risk. It can't complete the TCP handshake nor the SMTP
    session, so no relaying by outside attackers is possible by allowing 127.0.0.0/8 and ::1/128 to relay.

  • From Knute Johnson@21:1/5 to All on Sun Jun 4 10:42:46 2023
    On 6/4/23 01:31, Claus Aßmann wrote:
    > Knute Johnson wrote:
    >
    >> Can the localhost always relay mail? If I wanted
    >
    > Yes.
    >
    > SRelay_ok
    > # anything originating locally is ok
    > # check IP address
    > R$* $: $&{client_addr}
    > R$@ $@ RELAY originated locally
    > R0 $@ RELAY originated locally
    > R127.0.0.1 $@ RELAY originated locally
    > RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
    > RIPv6:::1 $@ RELAY originated locally
    > R$=R $* $@ RELAY relayable IP address


    Thanks Claus. I didn't think to look in sendmail.cf. I was mostly
    curious about what I thought was a conflict between commenting out the localhost entries in the access database and localhost still being able
    to relay.

    --

    Knute Johnson

  • From Knute Johnson@21:1/5 to Marco Moock on Sun Jun 4 10:38:31 2023
    On 6/4/23 03:55, Marco Moock wrote:
    > On 03.06.2023 at 21:05:18 Knute Johnson wrote:
    >
    >> I seem to have this part working but in my quest to tighten up who
    >> could relay mail I discovered that the server computer can relay mail
    >> even with the Connect:localhost RELAY, Connect:127
    >> RELAY and Connect:IPv6:::1 RELAY commented out. Can the localhost
    >> always relay mail?
    >
    > I don't know why you want to stop this.


    Thanks for the reply. It was mostly about not understanding that the
    localhost can always relay regardless of the settings in the access
    database.

    --

    Knute Johnson

  • From Marco Moock@21:1/5 to All on Mon Jun 5 11:52:22 2023
    On 04.06.2023 at 10:38:31 Knute Johnson wrote:

    > On 6/4/23 03:55, Marco Moock wrote:
    >> On 03.06.2023 at 21:05:18 Knute Johnson wrote:
    >>
    >>> I seem to have this part working but in my quest to tighten up who
    >>> could relay mail I discovered that the server computer can relay
    >>> mail even with the Connect:localhost RELAY, Connect:127
    >>> RELAY and Connect:IPv6:::1 RELAY commented out. Can the localhost
    >>> always relay mail?
    >>
    >> I don't know why you want to stop this.
    >
    >
    > Thanks for the reply. It was mostly about not understanding that the
    > localhost can always relay regardless of the settings in the access
    > database.

    Then I ask a question:

    Why is that configured this way?

    What is the purpose of the localhost entries in the access_db if
    localhost relaying is allowed by other options too?

  • From Knute Johnson@21:1/5 to Marco Moock on Tue Jun 6 13:49:38 2023
    On 6/5/23 04:52, Marco Moock wrote:
    > On 04.06.2023 at 10:38:31 Knute Johnson wrote:
    >
    >> On 6/4/23 03:55, Marco Moock wrote:
    >>> On 03.06.2023 at 21:05:18 Knute Johnson wrote:
    >
    > Then I ask a question:
    >
    > Why is that configured this way?
    >
    > What is the purpose of the localhost entries in the access_db if
    > localhost relaying is allowed by other options too?


    I don't know. The file comes from the Debian repository that way.
    This is not the first thing I have found in the access file that
    doesn't comport with the way sendmail works.

    --

    Knute Johnson
