Best Way to Control Relaying?
Alex Neuman van der Hans
alex at nkpanama.com
Thu May 18 04:11:08 IST 2006
Muhammad Nauman wrote:
> but what I meant to say was exactly what ALEX stated as:
>
>> What Kai means, more accurately, is that, to _your customers_, you _are_ an
>> open relay. This also means that to _viruses_ and _spyware_ running on your
>> customers' machines, you _are_ an open relay.
>
> 1. change REC_AUTH to REC_FULL_AUTH
> 2. SMTP AUTH
>
> Now it will be great help here again - if anyone can tell me one best HOWTO
> which don't fuss up with MailScanner or any running Program.
>
It's good to know when a service provider improves their installation in
order to benefit their customers and reduce the amount of unwanted traffic
for the entire Internet. I've even heard that for every time an admin
implements SMTP AUTH, an angel gets its wings! :-)

In any case, both points I mentioned are easy to implement:

1. Just edit /usr/share/sendmail-cf/m4/cfhead.m4 to read

    _REC_FULL_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)

   instead of

    _REC_AUTH_$?{auth_ssf} bits=${auth_ssf}$.)

2. Add the following somewhere near the top (mine's on line 35, along
   with some similar settings - I don't know if the order is important):

    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl

3. Make sure saslauthd is running (and set to run on startup) with:

    chkconfig saslauthd on
    service saslauthd start

Then rebuild sendmail.cf by issuing:

    m4 < /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

... and let your users know you're going to be asking for authentication
from now on. Give them a few days to set their mail clients to "my
server requires authentication". After your deadline, take away the
"xx.xxx.xxx.xxx RELAY" lines from /etc/mail/access and regenerate it
using make -C /etc/mail so that the changes activate.

After that, restart MailScanner and you should be set.

Good luck!
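
An added example, not part of the original post: two shell helpers for checking the cut-over described above, one listing the IP-based RELAY entries still present in an access file and one confirming that the three AUTH lines from step 2 are active in a .mc file. The function names are hypothetical, file paths are passed as arguments, and the sample access entries are constructed using documentation addresses.

```shell
#!/bin/sh
# Added example: audit helpers for the SMTP AUTH cut-over (not from the post).

# Print IPv4 host/network keys in a sendmail access file that still grant
# RELAY without authentication. Loopback (127.*) is left out, since local
# submission normally keeps its relay entry.
ip_relay_entries() {
    awk '
        $1 ~ /^#/ || NF < 2 { next }              # comments, blank/short lines
        {
            key = $1
            sub(/^[Cc]onnect:/, "", key)          # optional Connect: tag
            if (toupper($2) == "RELAY" &&
                key ~ /^[0-9]+(\.[0-9]+)*$/ &&    # full IP or partial network
                key != "127" && key !~ /^127\./)
                print key
        }' "$1"
}

# Return 0 only if the .mc file carries all three AUTH-related settings
# from step 2 as active lines (a leading "dnl" counts as commented out).
mc_has_auth() {
    for pat in "^define(\`confAUTH_OPTIONS'" "^TRUST_AUTH_MECH(" \
               "^define(\`confAUTH_MECHANISMS'"; do
        grep -q -- "$pat" "$1" || return 1
    done
}

# Constructed sample access map (documentation addresses, not real data).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/access" <<'EOF'
# sample access map
localhost.localdomain   RELAY
127.0.0.1               RELAY
192.0.2.10              RELAY
Connect:198.51.100      RELAY
203.0.113.7             REJECT
example.com             RELAY
EOF

# Entries to remove after the deadline: prints 192.0.2.10 and 198.51.100
ip_relay_entries "$tmp/access"
```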