Stephen Gran wrote:
> I think I'm being dense, but I can't figure out how to do something
> like the following in /etc/mail/access:
>
> xxx.xxx.xxx.xxx: OK # front-end machine 1
> xxx.xxx.xxx.xxy: OK # front-end machine 2

OK. You'll want to add localhost and 127.0.0.1:

    localhost.localdomain RELAY
    localhost RELAY
    127.0.0.1 RELAY

otherwise locally-generated mail will fail. Unless you've got a good reason NOT to trust localhost, any sendmail access map should include these or similar lines - the last one is probably all that's required.

> AUTH: OK
> *: REJECT

But these aren't really valid. By default (at least with recent versions of sendmail), relaying is denied UNLESS you have told sendmail otherwise. To allow SMTP-AUTH users to relay mail, add the following to your sendmail.mc:

    TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

You may want to trust additional mechanisms (CRAM-MD5, DIGEST-MD5, there may be others).

You'll *probably* also want TLS support, so that roaming users relaying through your server don't send password-ish information in the clear. If you go this route, you can also issue certificates to individual users and include that information in the access map. I set this up on my personal server, but not the ISP servers I admin. User information is too scattered to practically implement SMTP AUTH right now. :/

The complete set of changes for allowing SMTP AUTH to relay is in the sendmail.mc file.
Mine includes the following:

    dnl --- STARTTLS/SMTP-AUTH options ---
    TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
    define(`confAUTH_OPTIONS', `A,p')dnl
    define(`confCACERT_PATH', `/etc/mail/certs')dnl
    define(`confCACERT', `/etc/mail/certs/ca-deepnet.crt')dnl
    define(`confSERVER_CERT', `/etc/mail/certs/smtp.deepnet.crt')dnl
    define(`confSERVER_KEY', `/etc/mail/certs/rock.key.insecure')dnl

This specifies, in respective order:

- Trust LOGIN or PLAIN SMTP AUTH mechanisms for relay
- Allow LOGIN and PLAIN authentication
- Only allow easily-sniffed/bypassed/cracked AUTH mechanisms after successful STARTTLS or similar security layer
- Where to find server/client certs
- What to use as the CA cert
- What to use as the TLS cert for this host
- Which key to use for the TLS cert

Unfortunately I seem to have lost the original reference I used to put this together, and that system is still running RedHat 7.3. :( Checking for Debian shows there are useful sections in /usr/share/doc/cf.README (from sendmail-doc).

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml should be useful in getting TLS going.

If you're going to be doing much sendmail administration, you should probably pick up a copy of the current (3rd) edition of the Bat Book. Many references assume that you're installing sendmail from source; you should just be able to skip the first few steps relating to compile options as most packaged sendmail installs include at least *potential* support for all of its options.

-kgd
--
"Sendmail administration is not black magic. There are legitimate technical reasons why it requires the sacrificing of a live chicken."
- Unknown
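
Added example, not part of the original message: a small Python check that parses a sendmail.mc fragment like the one quoted above and reports when LOGIN or PLAIN is offered or trusted without the 'p' AUTH option, or without a server certificate and key for STARTTLS. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample input mirroring the sendmail.mc fragment in the message above.
SAMPLE_MC = """\
dnl --- STARTTLS/SMTP-AUTH options ---
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A,p')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-deepnet.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/smtp.deepnet.crt')dnl
define(`confSERVER_KEY', `/etc/mail/certs/rock.key.insecure')dnl
"""

CLEARTEXT = {"LOGIN", "PLAIN"}  # mechanisms that expose the password on the wire
DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
TRUST_RE = re.compile(r"TRUST_AUTH_MECH\(`([^']*)'\)")

def parse_mc(text):
    """Return (defines dict, set of trusted mechanisms), skipping dnl comment lines."""
    defines, trusted = {}, set()
    for line in text.splitlines():
        if line.lstrip().startswith("dnl"):
            continue  # a line that begins with dnl is commented out
        for name, value in DEFINE_RE.findall(line):
            defines[name] = value
        for mechs in TRUST_RE.findall(line):
            trusted.update(mechs.split())
    return defines, trusted

def audit(text):
    """List findings for cleartext AUTH that is not tied to a TLS security layer."""
    defines, trusted = parse_mc(text)
    offered = set(defines.get("confAUTH_MECHANISMS", "").split())
    options = {o.strip() for o in defines.get("confAUTH_OPTIONS", "").split(",")}
    weak = sorted((offered | trusted) & CLEARTEXT)
    findings = []
    if weak and "p" not in options:
        findings.append("cleartext mechanisms %s without 'p' in confAUTH_OPTIONS" % weak)
    for key in ("confSERVER_CERT", "confSERVER_KEY"):
        if weak and not defines.get(key):
            findings.append("%s not set, so STARTTLS cannot protect %s" % (key, weak))
    if "confAUTH_MECHANISMS" in defines:  # only compare when the list is explicit
        for mech in sorted(trusted - offered):
            findings.append("%s is trusted for relay but never offered" % mech)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_MC) or "no findings")
```

The check reads only the .mc source text; it does not verify that the certificate and key files exist or that the generated sendmail.cf was rebuilt from it.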

