have you tried yanking out relaying based on mx and just adding the IPs of the machines you want to relay for in your /etc/mail/access file? if you try that, don't forget to do a makemap on the file afterwards. and uh, you may have to bump sendmail too.
=jay

On Thu, 12 Dec 2002, John Hunter wrote:

> Why am I posting from yahoo, eh? Glad you asked...
>
> Yesterday the university sysadmin guys called me and informed me that my
> mailserver was being used as a relay. I plugged most of that hole.
> Then this morning the hard drive on my router up and died on me. I had
> a tar backup, but apparently forgot the -a flag so my symlinks were
> all fucked up. But now the router is back, sendmail is restored, and
> the day is almost done. That's just some background -- needed to vent
> a minute.
>
> Everything seems to be working except for 2 residual problems, both
> related to sendmail. That's where you guys come in.
>
> To plug the relay hole I upgraded to sendmail 8.12.6, which is
> supposed to have saner defaults than older versions. Here's my setup.
>
> My mailserver 192.168.1.4 named mother.paradise.lost is behind a
> firewall 128.135.97.130 named nitace.bsd.uchicago.edu. The mail
> server serves the entire 192.168.1.* LAN. For historical reasons, we
> still use [EMAIL PROTECTED] for our email addresses. That
> name has its mx bit set to nitace.bsd.uchicago.edu.
>
> Here's my sendmail.mc
>
> divert(0)dnl
> VERSIONID(`$Id: generic-linux.mc,v 8.1 1999/09/24 22:48:05 gshapiro Exp $')
> FEATURE(`always_add_domain')dnl
> MASQUERADE_AS(`ace.bsd.uchicago.edu')
> FEATURE(`masquerade_envelope')dnl
>
> OSTYPE(linux)dnl
> DOMAIN(generic)dnl
> MAILER(local)dnl
> MAILER(smtp)dnl
>
> Cwlocalhost.localdomain
> Cwace.bsd.uchicago.edu
> Cwnitace.bsd.uchicago.edu
>
> I have 2 problems: I can't send mail out with the sender name
> [EMAIL PROTECTED] Apparently relaying is being denied from
> the LAN (the paradise.lost domain). Also, the security admin ran
> smtprc and informed me that even after the upgrade, I am still
> vulnerable to some relay exploits.
>
> I used to have this in sendmail.mc:
>
> FEATURE(`relay_based_on_MX')dnl
>
> which I think is what enabled my relaying from inside the LAN to
> work. Unfortunately, I think it is also what allowed the spammers to
> abuse me.
>
> Suggestions?
>
> Thanks,
> John Hunter

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
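
Added example, not part of the original thread: a small Python model of the /etc/mail/access check suggested in the reply, using the 192.168.1.* LAN and the Cw domains from the quoted message. The access entry is constructed, the function names are hypothetical, and the decision is simplified to the client-address lookup plus the local-domain check.

```python
import ipaddress

# Constructed sample /etc/mail/access for the LAN in the thread (192.168.1.*).
# sendmail only reads this map if sendmail.mc has FEATURE(`access_db').
SAMPLE_ACCESS = """\
# key            action
192.168.1        RELAY
"""

# Domains the server accepts mail for: the Cw lines quoted in the thread.
LOCAL_DOMAINS = {"localhost.localdomain", "ace.bsd.uchicago.edu",
                 "nitace.bsd.uchicago.edu"}


def parse_access(text):
    """Return {key: action} from access-file text, skipping comments."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            table[parts[0].lower()] = parts[1].strip().upper()
    return table


def lookup_ip(table, client_ip):
    """Try the full address, then drop trailing octets, as sendmail does."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    while octets:
        action = table.get(".".join(octets))
        if action:
            return action
        octets.pop()
    return None


def accepts_rcpt(table, client_ip, rcpt_domain):
    """Simplified model: local recipients are accepted; others need RELAY."""
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True
    return lookup_ip(table, client_ip) == "RELAY"


def broad_relay_keys(table):
    """List RELAY keys that are IPv4 prefixes shorter than three octets."""
    return [k for k, a in table.items() if a == "RELAY"
            and all(p.isdigit() for p in k.split(".")) and k.count(".") < 2]


if __name__ == "__main__":
    acl = parse_access(SAMPLE_ACCESS)
    for ip, dom in [("192.168.1.4", "example.org"), ("203.0.113.9", "example.org")]:
        print(ip, dom, "accepted" if accepts_rcpt(acl, ip, dom) else "relaying denied")
```

Prefixes match on octet boundaries only, so a `192.168.1` key does not cover `192.168.10.x`, and `broad_relay_keys` is a quick way to spot an entry such as `10 RELAY` that opens relaying wider than intended.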
