Re: FW: sendmail, multiple domains, safe relaying, mx backup
- To: http://www.greenlake.com/~mark (Mark Lewin)
- Subject: Re: FW: sendmail, multiple domains, safe relaying, mx backup
- From: http://dummy.us.eu.org/robert (robert)
- Date: Sat, 14 Dec 2002 00:30:05 -0500
- Cc: http://www.muppetlabs.com/~jonl, http://www.hotmail.com/~jonathan_locke
- In-Reply-To: <001301bf5ad9$414afde0$13a310d1@pipo.greenlake.com>
- Keywords: http://www.greenlake.com/~mark
Hi.
My usual suggestion about sendmail is this: don't. Use qmail instead --
www.qmail.org. It's far more secure and far, far simpler to configure.
Read particular responses below.
> From: http://www.greenlake.com/~mark (Mark Lewin)
> Date: Sun Mar 21, 1:05am
>
> Hi Robert!
>
> Jon Locke suggested I forward this to you. Hope all is going well!
Did you get my Happy Winter Solstice message?
> Thanks,
> Mark
>
> -----Original Message-----
>
> Hi Jon!
>
> Are you a sendmail expert? Do you know one? Mike Lempriere
> and I are trying to set up a sendmail 8.9.x daemon to handle
> relaying and MX backup tasks correctly without becoming a mule
> for spammers. Any help you can provide would be appreciated.
> (We're M4 illiterate but willing to learn.)
>
> Here's the scenario:
>
> 1. we want to configure a FreeBSD box running sendmail to host
> multiple domains. sendmail will accept mail for any address
> at any of these domains. Some of the domain mail will go to
> local POP3 mailboxes, other mail will explicitly forward to external
> accounts.
>
> AAA.COM -> local user accounts
> BBB.COM -> local user accounts
> CCC.COM -> forwarded to external user http://www.AOL.COM/~BOB
This is done with qmail's "virtual domains", a very excellent concept.
> 2. this sendmail must also be an MX backup for other domains,
> so that when their MX primary is down, this machine spools
> their email until they are back online.
I'm not exactly sure how to do this with qmail, but I know it can be done.
It may be in the FAQ.
> Ideally we'd like to enumerate
> the domains for which we're willing to provide MX backup services,
> but a more promiscuous RELAY_BASED_ON_MX could be ok?
>
> XXX.COM
> YYY.COM
> ZZZ.COM
>
> 3. we also want to allow users in the local physical LAN of the
> sendmail box to be able to send outgoing email to any recipient.
> That is, sendmail should perform unrestricted relaying on behalf
> of local senders. This should be specified in terms of IP addresses.
Right, this is a given. At my work, I set up qmail so it goes through
tcp_wrappers; you have to compile tcpd with -DPROCESS_OPTIONS. (I did
this recently so I remember. :-) It's so much simpler dealing with
/etc/hosts.allow than any of that /etc/sendmail.cf shit.
> 4. for various dumb ISP reasons, a couple of non-local users "need"
> to use this sendmail for SMTP services. Unfortunately they don't
> have static IP addresses; they get whatever their ISP assigns them
> each time they dial in. What's the most secure way to configure
> sendmail to do relaying on their behalf without opening the system
> up to potential spammer abuse?
>
> This is "nice-to-have" only; the non-local users really should move
> to better ISPs.
Again, this can be handled through the tcp_wrappers mechanism.
> 5. Other than these cases, the daemon must restrict relaying so
> as not to allow spammers to hijack it.
This is the default for qmail. In fact, it takes a bit of work to
_disable_ it (hence, the mechanisms you must employ above).
> Piece of cake, right? :-)
Not with sendmail, not IMHE.
> Thanks,
> Mark
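
The relay policy from items 1, 2, 3 and 5 of the scenario above, written out as an added example that is not part of the original thread and is neither sendmail nor qmail configuration. The domain names come from the message; the LAN range 192.0.2.0/24 and the function names are assumptions, and item 4 (senders without a fixed address) is not modelled.

```python
"""Per-recipient relay decision for the scenario in the thread (illustrative model)."""
import ipaddress

# Domains are taken from the scenario; the LAN range is a constructed placeholder.
HOSTED = {"aaa.com", "bbb.com", "ccc.com"}      # item 1: delivered or forwarded here
MX_BACKUP = {"xxx.com", "yyy.com", "zzz.com"}   # item 2: spooled for the primary MX
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # item 3: local LAN (assumed)


def recipient_domain(rcpt):
    """Return the normalised domain of an envelope recipient, or None if malformed."""
    rcpt = rcpt.strip().strip("<>")
    local, sep, domain = rcpt.rpartition("@")
    domain = domain.rstrip(".").lower()   # DNS names are case-insensitive
    if not sep or not local or not domain:
        return None
    return domain


def is_trusted(client_ip):
    """True only if the connecting address lies inside an enumerated network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                      # unparseable peer address: never trusted
    return any(addr in net for net in TRUSTED_NETS)


def relay_decision(client_ip, rcpt):
    """Classify one RCPT TO as 'local', 'spool', 'relay' or 'reject'."""
    domain = recipient_domain(rcpt)
    if domain is None:
        return "reject"
    if domain in HOSTED:                  # exact match: subdomains are not implied
        return "local"
    if domain in MX_BACKUP:               # enumerated list, not "any domain with an MX"
        return "spool"
    if is_trusted(client_ip):             # unrestricted relaying for LAN senders only
        return "relay"
    return "reject"                       # item 5: everything else is refused
```

The order of the checks matters only for the result label; the property that keeps the host from being an open relay is that a foreign recipient domain is accepted solely on the basis of the connecting address.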