Administering Mail and Messaging

Prevention of forged-spam email via sendmail (relay disable)

A feature in the sendmail.cf configuration file for UnixWare sendmail(1M) may be used to prevent your machine from being used as an SMTP mail relay. It prevents spammers from making their mail appear as if it comes from your site. You should turn this feature on in all cases except where unconditional relay capabilities are needed.

This feature uses the sendmail check_rcpt ruleset to implement a check during the SMTP dialogue. The RCPT command in SMTP specifies an envelope recipient's address:

   RCPT To: <recipient@host.domain>

The check_rcpt ruleset uses the following algorithm to determine whether to accept or reject the incoming mail during the SMTP dialogue:

  1. If the recipient address specified by the RCPT command is a local address, accept the message.

  2. If the recipient is addressed to the local hostname (or any of its alternate names), the local domain, or a sub-domain of the local domain, then accept the message.

  3. If the Multihome channel is enabled, and the recipient is addressed to one of the virtual hostnames, then accept the message.

  4. If the connecting host (sender) is listed in a table of trusted hosts, then accept the message.

  5. If the IP address of the connecting host is listed in a table of trusted hosts, then accept the message.

  6. Otherwise, reject the message.

If the mail is rejected, sendmail issues the following error message during the SMTP dialogue, and writes it to the system log file as well:

   Relay mail from <connecting_host> to <recipient_host> denied

By default, this feature is enabled in sendmail.cf, which must be edited by hand to disable it. To disable the check, set the Check_Rcpt macro to a null value by changing the following line in sendmail.cf:

   D{Check_Rcpt} ON

to the following:

   D{Check_Rcpt}

To create a list of trusted hosts from which mail relaying is accepted (as described in steps 4 and 5 of the algorithm above), create a file with pathname /etc/mail/table/trusted, whose entries are of the form:

   hostname        accept
   ip_address      accept

The left-hand side specifies either the hostname or the IP address of the site from which we will accept mail relays. The right-hand side contains the string accept. A string on the right-hand side is mandatory for the database to be created correctly. The left and right sides are separated by the <Tab> character.

For example, if you wish to accept mail relays from hostname trusted.engr.mycompany.com, add the following entry to /etc/mail/table/trusted:

   trusted.engr.mycompany.com	accept

If you want to accept relays from an IP address, an example entry might be:

   123.456.789.10                  accept

You can also use an asterisk (*) wildcard to match an entire domain or IP address range. For example:

   *.domain.com            accept
   123.456.789.*           accept

When specifying wildcards for IP addresses, you must use an asterisk for each portion of the dotted quad which will be matched. For example, the following is valid syntax:

   123.456.*.*             accept

However, this is not:

   123.456.*               accept

The list of trusted hosts is not mandatory. Do not create one if you wish to reject all attempts to use the local host as a mail relay. However, if your mail configuration includes IMAP clients which use the local host as a mail server, you will want to add the IMAP clients to the list of trusted hosts.
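
The entry rules above (a <Tab> between the two sides, a mandatory right-hand string, one asterisk per wildcarded part of a dotted quad) can be checked before the database is built. The following is an added example, not part of the original page or of UnixWare: the function name lint_trusted and the sample file are assumptions, the sample entries are constructed, and the check for an all-wildcard pattern goes beyond the rules stated here.

```shell
# Added example, not SCO code. lint_trusted FILE checks a trusted-hosts table
# against the entry rules on this page and prints one line per problem.
# Exit status: 0 if no entry is flagged, 1 otherwise.
lint_trusted() {
    awk '
    function flag(msg) { printf "line %d: %s: %s\n", NR, msg, $0; bad = 1 }
    /^[ \t]*$/ { next }                       # ignore blank lines
    {
        n = split($0, side, "\t+")            # the two sides are split on <Tab>
        if (n != 2 || side[1] == "") {
            flag("expected left side, <Tab>, right side")
            next
        }
        if (side[2] == "")
            flag("right-hand side string (accept) is missing")
        if (side[1] ~ /^[0-9.*]+$/) {         # only digits, dots, *: IP pattern
            parts = split(side[1], quad, "[.]")
            if (parts != 4)
                flag("IP pattern needs four parts, one * per wildcarded part")
            else if (side[1] == "*.*.*.*")    # assumption: extra check, see lead-in
                flag("pattern matches every address, so any host may relay")
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample table (not from a real host); \t is the required <Tab>.
sample=${TMPDIR:-/tmp}/trusted.sample.$$
printf 'trusted.engr.mycompany.com\taccept\n123.456.*.*\taccept\n' > "$sample"
printf '123.456.*\taccept\nrelay.example.com accept\n' >> "$sample"
lint_trusted "$sample" || echo "fix the flagged entries before running makemap"
rm -f "$sample"
```

Run it against /etc/mail/table/trusted before the makemap step below; the sample flags the three-part IP pattern and the space-separated entry.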

After you have created the file /etc/mail/table/trusted, you must create its associated database by executing the following command:

   /etc/mail/makemap hash /etc/mail/table/trusted < /etc/mail/table/trusted

As a final step, stop and restart the sendmail daemon to load all of the configuration changes by executing the following commands:

   /etc/mail/sendmailrc stop
   /etc/mail/sendmailrc start


NOTE: This feature helps guard against use of your machine as an SMTP spam relay, but does not address similar abuse for UUCP mail.


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999