On Mon, 18 Jun 2001 16:57:01 +0300, Hetz Ben Hamo <[EMAIL PROTECTED]> wrote:
>
> It has been decided here that the company will allow home user to send their
> emails through the corporate mail server.
>
> Naturally - I didn't want to open a relay, so someone suggested that I setup
> the sendmail to ask for user/pass for smtp operations...

[I read all the answers to this question up to this hour]

I had the same problem. I could not use the pop-then-send solution
because I did open the pop3 (110) port to the world. The authentication
is problematic because you need to change the mail clients. I was left
with 2 ways. The 1st, which is still used, is to let a list of users use
the mail relay no matter what their IP is (the originating IP is
reported in the mail headers). This can be accomplished by sendmail
using the access table. The line looks like this:
From:[EMAIL PROTECTED]      RELAY

The check is on the mail From: line (and as you can see it does not
have to be from your mail domain). Of course you have to enable the
access checks in your sendmail.cf:
# Access list database (for spam stomping)
Kaccess hash -o /etc/mail/access

I think I changed (really copied from 8.10 to 8.9.3) some of the
rewriting rules (to check the from only); here are the relevant parts:
######################################################################
###  check_relay -- check hostname/address on SMTP startup
######################################################################

SLocal_check_relay
Scheck_relay
R$*                     $: $1 $| $>"Local_check_relay" $1
R$* $| $* $| $#$*       $#$3
R$* $| $* $| $*         $@ $>"Basic_check_relay" $1 $| $2

SBasic_check_relay
# check for deferred delivery mode
R$*                     $: < ${deliveryMode} > $1
R< d > $*               $@ deferred
R< $* > $*              $: $2

R$+ $| $+               $: $>LookUpDomain < $1 > <?> < $2 > <+From>
R<?> <$+>               $: $>LookUpAddress < $1 > <?> < $1 > <+From>    no: another lookup
R<?> < $+ >             $: $1
R<OK> < $* >            $@ OK
R<RELAY> < $* >         $@ RELAY
R<REJECT> $*            $#error $@ 5.7.1 $: "550 Access denied"
R<DISCARD> $*           $#discard $: discard
R<$+> $*                $#error $@ 5.7.1 $: $1

######################################################################
###  check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################

SLocal_check_mail
Scheck_mail
R$*                     $: $1 $| $>"Local_check_mail" $1
R$* $| $#$*             $#$2
R$* $| $*               $@ $>"Basic_check_mail" $1

SBasic_check_mail
# check for deferred delivery mode
R$*                     $: < ${deliveryMode} > $1
R< d > $*               $@ deferred
R< $* > $*              $: $2

R<>                     $@ <OK>
R$*                     $: <?> $>CanonAddr $1
R<?> $* < @ $+ . >      <?> $1 < @ $2 >                 strip trailing dots
# handle non-DNS hostnames (*.bitnet, *.decnet, *.uucp, etc)
R<?> $* < $* $=P > $*   $: <OK> $1 < @ $2 $3 > $4
R<?> $* < @ $+ > $*     $: <OK> $1 < @ $2 > $3          ... unresolvable OK

# handle case of @localhost on address
R<$+> $* < @localhost > $: < ? $&{client_name} > <$1> $2 < @localhost >
R<$+> $* < @localhost.$m >
                        $: < ? $&{client_name} > <$1> $2 < @localhost.$m >
R<$+> $* < @localhost.UUCP >
                        $: < ? $&{client_name} > <$1> $2 < @localhost.UUCP >
R<? $=w> <$+> $*        <?> <$2> $3
R<? $+> <$+> $*         $#error $@ 5.5.4 $: "553 Real domain name required"
R<?> <$+> $*            $: <$1> $2

# lookup localpart (user@)
R<$+> $* < @ $+ > $*    $: <USER $(access $2@ $: ? $) > <$1> $2 < @ $3 > $4
# no match, try full address (user@domain rest)
R<USER ?> <$+> $* < @ $* > $*
                        $: <USER $(access $2@$3$4 $: ? $) > <$1> $2 < @ $3 > $4
# no match, try address (user@domain)
R<USER ?> <$+> $+ < @ $+ > $*
                        $: <USER $(access $2@$3 $: ? $) > <$1> $2 < @ $3 > $4
# no match, try (sub)domain (domain)
R<USER ?> <$+> $* < @ $+ > $*
                        $: $>LookUpDomain <$3> <$1> <> <+To>
# check unqualified user in access database
R<?> $*                 $: <USER $(access $1@ $: ? $) > <?> $1
# retransform for further use
R<USER $+> <$+> $*      $: <$1> $3

# handle case of no @domain on address
R<?> $*                 $: < ? $&{client_name} > $1
R<?> $*                 $@ <OK>                         ...local unqualed ok
R<? $+> $*              $#error $@ 5.5.4 $: "553 Domain name required"
                                                        ...remote is not
# check results
R<?> $*                 $@ <OK>
R<OK> $*                $@ <OK>
R<TEMP> $*              $#error $@ 4.1.8 $: "451 Sender domain must resolve"
R<PERM> $*              $#error $@ 5.1.8 $: "501 Sender domain must exist"
R<RELAY> $*             $@ <RELAY>
R<DISCARD> $*           $#discard $: discard
R<REJECT> $*            $#error $@ 5.7.1 $: "550 Access denied"
R<$+> $*                $#error $@ 5.7.1 $: $1          error from access db


The 2nd way is using SSH tunneling. It is simpler and safer, but it
has one catch - the user must have an account (not all my mail clients
have UNIX accounts). Forward ports 110 and 25 and it'll work like magic
with any mail client. Nobody can steal your password (use key
authentication with/without passphrase) and nobody can read your mail!
I use the Cygwin OpenSSH with rxvt on M$ Windoz. On linux, use OpenSSH
with console or xterm.

Ehud.


--
 @@@@@@ @@@ @@@@@@ @    @    Ehud Karni                       אהוד קרני
     @    @      @  @@  @    Senior System Support   תמיכה במערכות מחשב
     @    @ @    @ @  @@     Mivtach - Simon               מבטח - סימון
     @    @ @    @ @    @    Insurance agencies          סוכנויות לביטוח
 Better  Safe  Than  Sorry   Tel: +972-3-6212-757  Fax: +972-3-6292-544
 http://www.simonwiesel.co.il        mailto:[EMAIL PROTECTED]

 Ehud Karni     Mivtach - Simon  Insurance   /"\
 Tel: +972-3-6212-757 Fax: +972-3-6292-544   \ /  ASCII Ribbon Campaign
 (USA) Fax and  voice  mail: 1-815-5509341    X   Against  HTML  Mail
     Better     Safe     Than     Sorry      / \
     mailto:[EMAIL PROTECTED]    http://www.simonwiesel.co.il
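The following Python script is an added example, not part of Ehud's post or of sendmail's own code. It emulates the sender lookups that the quoted Basic_check_mail rules perform (user@, then user@domain, then the domain and its parents via LookUpDomain; the "user@domain rest" detail step is omitted) over a constructed access map, and then lists every RELAY entry that is matched against the MAIL FROM address rather than the connecting client. The From:/Connect: tags are the 8.10-style access-db tags; the 8.9.3 rules quoted above look up untagged keys, so the lookup tries both. The sample map, addresses and verdicts are constructed for the example.

```python
"""Emulate the sender lookups of the quoted Basic_check_mail ruleset over a
sendmail access map and audit the map for relay grants that rest only on
the MAIL FROM address.  Constructed example; not the poster's real map."""

# Constructed sample access map in sendmail's text access_db format
# (key, whitespace, value).  The From:/Connect: tags are the 8.10-style
# tags; the poster's 8.9.3 rules quoted above look up untagged keys.
SAMPLE_ACCESS = """\
# constructed sample, not a real configuration
bob@home.example          RELAY
From:dave@home.example    RELAY
relay.example             RELAY
Connect:192.168.1         RELAY
spammer.example           REJECT
nobody@                   DISCARD
"""


def parse_access(text):
    """Return {key: value} with keys lower-cased, skipping blanks/comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed access line: %r" % line)
        entries[parts[0].lower()] = parts[1].strip()
    return entries


def lookup_sender(entries, address):
    """Decide the verdict for a MAIL FROM address.

    Mirrors the order of the quoted rules: strip a trailing dot, try
    'user@', then the full address, then the domain and each parent domain
    (the LookUpDomain walk).  Each key is tried with a 'from:' tag and then
    untagged, so both styles of map work.  Returns (verdict, matched_key);
    an unlisted sender gets ('OK', None), as the '# check results' rules do.
    """
    address = address.lower().rstrip(".")     # R<?> $* < @ $+ . >  strip trailing dots
    local, _, domain = address.partition("@")
    candidates = [local + "@"]                # lookup localpart (user@)
    if domain:
        candidates.append(address)            # full address (user@domain)
        labels = domain.split(".")
        for i in range(len(labels)):          # domain, then each parent domain
            candidates.append(".".join(labels[i:]))
    for key in candidates:
        for tagged in ("from:" + key, key):
            if tagged in entries:
                return entries[tagged].upper(), tagged
    return "OK", None


def spoofable_relay_entries(entries):
    """Keys that grant RELAY on the strength of the sender address alone.

    Only 'connect:' keys are bound to the connecting client; every other
    RELAY key (from:-tagged or untagged) is matched against MAIL FROM by the
    quoted rules, and any client can put whatever it likes there.  The
    poster's 'From:... RELAY' line is an entry of this kind.
    """
    return sorted(key for key, value in entries.items()
                  if value.upper() == "RELAY" and not key.startswith("connect:"))


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for sender in ("bob@home.example", "alice@mail.spammer.example",
                   "nobody@anywhere.example", "carol@other.example"):
        print(sender, "->", lookup_sender(table, sender))
    print("RELAY grants keyed on the sender address:",
          spoofable_relay_entries(table))
```

Running the script against a real access map (read the file instead of SAMPLE_ACCESS) shows which relay permissions depend on nothing more than what the remote client writes in MAIL FROM; those are the entries the two alternatives in the post (SMTP authentication, or the SSH tunnel) are meant to replace.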

================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]
