
How do I always require AUTH?


Philippe Chaintreuil

Sep 4, 2005, 1:00:16 PM
I have AUTH (SASL) set up and it is required whenever someone sends an
e-mail from an account on my server to someone who isn't on my server.
(ie, from news...@parallaxshift.com to j...@aol.com, requires AUTH.)
However, if someone sends mail from someone on my server to someone on
my server, AUTH is not required apparently. (ie,
news...@parallaxshift.com to ju...@parallaxshift.com does *not* require
AUTH). Any ideas on how to fix this, so that anyone sending mail with a
MAIL FROM: of my server has to go through AUTH?
(I prefer .mc file changes to changing the code in the .cf files.)

Thanks in advance!

-- Philippe Chaintreuil

ynotssor

Sep 4, 2005, 1:17:58 PM
"Philippe Chaintreuil" <news...@parallaxshift.com> wrote in message
news:dff972$hdt$1...@domitilla.aioe.org

> However, if someone sends mail from someone on my server to someone on
> my server, AUTH is not required apparently. (ie,
> news...@parallaxshift.com to ju...@parallaxshift.com does *not*
> require AUTH). Any ideas on how to fix this, so that anyone sending
> mail with a MAIL FROM: of my server has to go through AUTH?

That would certainly break things; how would crond||atd email the notice of
a scheduled task completion||failure?

Philippe Chaintreuil

Sep 4, 2005, 1:20:46 PM

Okay, so maybe localhost would get a free pass from the access.db or
something. My current problem is that people can spam me by faking mail
from my server, to my server. At this point, this is about 90% of my spam.

-- Philippe Chaintreuil

Kari Hurtta

Sep 4, 2005, 1:20:52 PM
Philippe Chaintreuil <news...@parallaxshift.com> writes:

As far as I know, normally there is NO relation between MAIL FROM
and when AUTH is required.

Normally there is a relation between RCPT TO and when AUTH is required.

In other words, the config usually is 'require auth for relaying'.

/ Kari Hurtta

Joseph Brennan

Sep 6, 2005, 2:18:43 PM
On 2005-09-04, Philippe Chaintreuil <news...@parallaxshift.com> wrote:
> I have AUTH (SASL) set up and it is required whenever someone sends an
> e-mail from an account on my server to someone who isn't on my server.
> (ie, from news...@parallaxshift.com to j...@aol.com, requires AUTH.)
> However, if someone sends mail from someone on my server to someone on
> my server, AUTH is not required apparently. (ie,
> news...@parallaxshift.com to ju...@parallaxshift.com does *not* require
> AUTH). Any ideas on how to fix this, so that anyone sending mail with a
> MAIL FROM: of my server has to go through AUTH?


You mean allow mail from any us...@example.com to come in, but not mail
from one specific domain, us...@parallaxshift.com? So it would be harder
for your own users to send mail than for anyone else.

Probably doable with Local_check_mail. First check for any value of
$&{auth_type} and return OK. Then check whether the sender address
is in your domain and return error (possibly by using access.db with
an entry for parallaxshift.com REJECT).

Joseph Brennan Columbia University in the City of New York
bre...@columbia.edu

Gushi

Sep 9, 2005, 3:44:46 AM
People can spam you by faking mail from your server to your server
because your server is supposed to accept mail for your domain. It has
nothing to do with the address they're coming from.

Part of the problem here, simply put, is that the same protocol used
for USERS to send mail is the protocol for SERVERS to send mail.

I.e. when a user f...@bar.com connects to his server to send mail to
b...@bar.com, it is JUST AS IF j...@aol.com had sent mail to b...@bar.com,
and AOL's mail server had sent it through. There's NO difference in
the protocol (other than the auth phase), which if you're delivering to
a locally accepted domain is not required.

EHLO domainname
MAIL FROM b...@aol.com
RCPT TO b...@baz.com

Now, that said -- all your users REALLY SHOULD be using the mail
submission port anyway (587), and auth should be required on that (as
it is, most ISPs are blocking 25 now anyway -- and auth being required
is important to prevent people from trying to directly deliver spam to
that port).

If you *REALLY* have a problem with 90 percent of your spam coming from
forged things @yourdomain, you might want to look into SPF. It
shouldn't affect your users (because they're using AUTH), but if you
set the records properly, saying "my mail will come from my server ONLY
(with the hard fail option)"

As a side note, I had a problem similar to this with my spamfiltering
stuff (SpamAssassin), because I had whitelisted anything@mydomain,
instead of writing a proper rule to actually LOOK for the AUTH header
in the signature.

maraboli

Sep 9, 2005, 8:22:20 AM
I have an internal server with this enabled; every inside user MUST AUTH
before sending an email to any destination (even to my own domain). I
just have nothing listed in access.db with the RHS as RELAY.

This means that I do not allow RELAY to anyone unless they AUTH first.
This server forwards all email to the Message Store server (MS MTA) where
users retrieve email via IMAP or POP.

best regards,

Gushi

Sep 9, 2005, 9:59:20 AM
However, I assume this server isn't RECEIVING any mail for your domain,
as the original poster's server is. (if it wasn't, he wouldn't be
getting any spam). Correct?

Marcelo Maraboli

Sep 9, 2005, 12:55:09 PM
Yes indeed, this server is only the internal front end MTA for
my domain (will become the MSA on port 587). Outside MTAs
connect to another server (the MX) with no AUTH and very
strict rules...

The IETF recommends separating internal (trusted?) SMTP users
from external inbound SMTP connections; that is why there
is a future Message Submission Protocol to be standardized...
(currently not IETF standard).

best regards,

sures...@yahoo.co.in

Sep 16, 2005, 6:43:02 AM


Hi all,
Like Philippe, I am also facing the same problem. I want all
the mails to be authenticated whether they are sent to my same server
or outside server. Even though I removed all relay statements in my
access.db file the problem is the same. If any knowledgeable person
knows the answer kindly post it.
suresh

Joseph Brennan

Sep 16, 2005, 1:27:54 PM
On 2005-09-16, sures...@yahoo.co.in <sures...@yahoo.co.in> wrote:
> Like Philippe, I am also facing the same problem. I want all
> the mails to be authenticated whether they are sent to my same server
> or outside server. Even though I removed all relay statements in my
> access.db file the problem is the same. If any knowledgeable person
> knows the answer kindly post it.

Test this.

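SLocal_check_mail
# LHS and RHS of each R line must be separated by tab characters
# Append the AUTH mechanism (empty if the client did not authenticate)
R$*	$: $1 $| $&{auth_type}
R$* $| $+	$@ good: sent with auth
# No AUTH: look up the client address in access.db
R$* $| $*	$: $1 $| $>A <$&{client_addr}> <?> <+ connect> <>
R$* $| < RELAY > < >	$@ good: access.db says RELAY
R$*	$# error $@ 5.7.1 $: 553 Authentication required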

And make sure access.db has at least: Connect:127.0.0.1 RELAY

Joseph Brennan
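
Joseph Brennan's two suggestions in this thread (refuse unauthenticated senders in the local domain, and the posted Local_check_mail ruleset), modelled over constructed sessions to show which connections each one refuses. This is an added example in Python, not sendmail code or code from any poster; the domain, addresses, access entries and function names are assumptions, and the access lookup is simplified to tagged Connect: entries.

```python
# Added illustration: a model of the thread's two policies, not sendmail code.
from dataclasses import dataclass

LOCAL_DOMAIN = "example.org"  # assumed local domain
# Constructed access.db entries (tag and key lower-cased for the model).
ACCESS = {"connect:127.0.0.1": "RELAY", "connect:10.1": "RELAY"}

@dataclass
class Session:
    client_addr: str
    auth_type: str  # "" when the client did not AUTH
    mail_from: str

def connect_lookup(addr: str) -> str:
    """Try Connect:<addr>, then shorter dotted prefixes (tagged entries only)."""
    parts = addr.split(".")
    while parts:
        hit = ACCESS.get("connect:" + ".".join(parts))
        if hit:
            return hit
        parts.pop()
    return "?"

def reject_unauth_local_sender(s: Session) -> str:
    """First suggestion: AUTH passes; otherwise refuse senders in the local domain."""
    if s.auth_type:
        return "OK"
    domain = s.mail_from.rsplit("@", 1)[-1].lower()
    return "REJECT" if domain == LOCAL_DOMAIN else "OK"

def require_auth_or_relay(s: Session) -> str:
    """Posted ruleset: AUTH passes, Connect: RELAY passes, the rest is refused."""
    if s.auth_type or connect_lookup(s.client_addr) == "RELAY":
        return "OK"
    return "REJECT"

SESSIONS = {  # constructed sample sessions
    "user_with_auth": Session("203.0.113.7", "PLAIN", "alice@example.org"),
    "forged_local": Session("198.51.100.9", "", "bob@example.org"),
    "remote_mta": Session("192.0.2.25", "", "carol@example.net"),
    "local_cron": Session("127.0.0.1", "", "root@example.org"),
    "lan_host": Session("10.1.2.3", "", "dave@example.org"),
}

def verdicts(policy) -> dict:
    """Map each sample session name to the policy's verdict."""
    return {name: policy(s) for name, s in SESSIONS.items()}
```

In this model the posted ruleset refuses `remote_mta`, an unauthenticated MTA delivering inbound mail, while the first suggestion refuses `local_cron` because it has no localhost exemption.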


sures...@yahoo.co.in

Sep 19, 2005, 2:16:23 AM
Dear Joseph,
Thanks for your reply. I appreciate your
reply. It is working fine. But there is a small problem in it. When I
send mails to local domain users the authentication is required and
when I authenticate the mails are going to the users. But when I send
mails to outside domains the mails are bounced back to me. They are
not delivered. Why is this happening? Previously sending mails to
outside domains was not a problem. What entries do I need to add for
sending mails outside? Kindly guide me.

One more issue is that the lines given by you
should be placed in the "sendmail.cf" file. How can I add the same
feature using the sendmail.mc file? Because when I add some more
features in sendmail.mc and build the sendmail.cf file the old contents
are overwritten by them. So each time I need to give the same lines
again and again in the sendmail.cf file. So if there is a possibility to
give the same feature in the sendmail.mc file it will be very useful.
Kindly inform me if you know. Once again I really thank you for your
effort and the suggestion given to me. I am expecting the final solution.

Thanks in advance
Suresh

sures...@yahoo.co.in

Sep 19, 2005, 7:31:41 AM
Dear Joseph / all,
I am really sorry for my previous query
because the mails are going to local users and outside users without
any problem. The authentication is working fine. But I want the same
effect to be placed in sendmail.mc file instead of adding the given
contents in sendmail.cf file. Because changes in the sendmail.mc file are
easier and more user friendly than in the sendmail.cf file. Kindly give
your precious suggestions.

Suresh Kumar

Kari Hurtta

Sep 20, 2005, 12:39:07 AM
sures...@yahoo.co.in writes:

For example

LOCAL_RULESETS
SLocal_check_mail
...


/ Kari Hurtta

Tim Daneliuk

Sep 20, 2005, 1:26:03 AM
Gushi wrote:

<SNIP>

> Now, that said -- all your users REALLY SHOULD be using the mail
> submission port anyway (587), and auth should be required on that (as
> it is, most ISPs are blocking 25 now anyway -- and auth being required
> is important to prevent people from trying to directly deliver spam to
> that port).

Can you say a bit more about this, or perhaps provide a URL to some
relevant docs please. I am unclear on just why using the submit port
is better, how it works, etc ...

--
----------------------------------------------------------------------------
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

sures...@yahoo.co.in

Sep 20, 2005, 1:38:10 AM
Hi,
Where and how can I add these lines to the sendmail.mc file?
Your suggestions will be appreciated.

Suresh

sures...@yahoo.co.in

Sep 22, 2005, 1:37:09 AM
Dear Kari Hurtta,
Thanks for your reply to my query. I
could not completely understand what to do exactly with the
sendmail.mc file. I don't even know where to add the above lines that
you have mentioned in the sendmail.mc file. If you give some clear
details about that, it will be helpful not only for me but for whoever sees
this page. If anybody knows the way to do it, kindly help me. Thanks
for your time and effort.

Suresh Kumar

Gushi

Sep 22, 2005, 8:38:11 PM
You're asking for something for which there (to my knowledge, others
may know better) is no standard m4 macro. Thus it has to be done "the
hard way".

Gushi

Sep 22, 2005, 8:43:46 PM
Tim,

My post stated that he should be using the submission port, WITH AUTH
REQUIRED (i.e. add M=a to DaemonPortOptions)

If you'd like details on why it's better/suggested, check here:
http://www.faqs.org/rfcs/rfc2476.html

Or search for "587" in RFC3013.

Kari Hurtta

Sep 23, 2005, 12:49:02 AM
sures...@yahoo.co.in writes:

* You asked:

But I want the same
effect to be placed in sendmail.mc file instead of adding the given
contents in sendmail.cf fil

* I answered:

For example

LOCAL_RULESETS
SLocal_check_mail
...

* Your original ruleset on sendmail.cf was the following, I suppose:

SLocal_check_mail
R$*	$: $1 $| $&{auth_type}
R$* $| $+	$@ good: sent with auth
R$* $| $*	$: $1 $| $>A <$&{client_addr}> <?> <+ connect> <>
R$* $| < RELAY > < >	$@ good: access.db says RELAY
R$*	$# error $@ 5.7.1 $: 553 Authentication required


* You wanted to put that on sendmail.cf. Right?

It is just what I said:

LOCAL_RULESETS


SLocal_check_mail
R$*	$: $1 $| $&{auth_type}
R$* $| $+	$@ good: sent with auth
R$* $| $*	$: $1 $| $>A <$&{client_addr}> <?> <+ connect> <>
R$* $| < RELAY > < >	$@ good: access.db says RELAY
R$*	$# error $@ 5.7.1 $: 553 Authentication required


I have NOT looked at what that ruleset is supposed to do. I just answered
your question.

* cf/README says:

Beware: MAILER declarations
should always be at the end of the configuration file. The general
rules are that the order should be:

VERSIONID
OSTYPE
DOMAIN
FEATURE
local macro definitions
MAILER
LOCAL_CONFIG
LOCAL_RULE_*
LOCAL_RULESETS

There are a few exceptions to this rule. Local macro definitions which
influence a FEATURE() should be done before that feature. For example,
a define(`PROCMAIL_MAILER_PATH', ...) should be done before
FEATURE(`local_procmail').


/ Kari Hurtta

sures...@yahoo.co.in

Sep 23, 2005, 3:01:17 AM
Hi,
I am sorry if I was not clear in my question. I will make it
clear.

* You sent some piece of code and asked to try it.

LOCAL_RULESETS
SLocal_check_mail
R$*	$: $1 $| $&{auth_type}
R$* $| $+	$@ good: sent with auth
R$* $| $*	$: $1 $| $>A <$&{client_addr}> <?> <+ connect> <>
R$* $| < RELAY > < >	$@ good: access.db says RELAY
R$*	$# error $@ 5.7.1 $: 553 Authentication required

* Then I checked my sendmail.cf file and there are no such lines in
my sendmail.cf file. There is only a single line in my sendmail.cf
file:

SLocal_check_mail

So I added the five lines you had given below this line in
the sendmail.cf file and restarted the service. The authentication
worked fine. After that I made some other changes in the sendmail.mc file
for some other purpose and gave the command to activate them:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Then I checked for the added lines in the sendmail.cf file.
They were not there. So I understood that when we make the sendmail.cf
file each time using the sendmail.mc updates, the manual entries in
the sendmail.cf file will be overwritten. So I added the feature in the
sendmail.mc file to make the changes permanent.

FEATURE(`Local_check_mail')dnl

But it says some error message. There is no such feature
in the directory "/usr/share/sendmail-cf/feature". I am using
sendmail.8.12.11 version. That is why I was asking you what entries
have to be added in the sendmail.mc to have the same effect as you
mentioned and where to be added. I really thank you for your effort
and the detailed reply for me. I hope you will understand my position
and give me a solution or suggestion to solve this issue completely. I
am expecting your reply.

Give me guidelines what needs to be done clearly.

Thanks once again.
Suresh Kumar

bOnK

Sep 23, 2005, 9:42:30 AM
sures...@yahoo.co.in wrote:
> Give me guidelines what needs to be done clearly.

You have to add the code Kari gave you to - the bottom of - your .mc file

--
bOnK


Kari Hurtta

Sep 23, 2005, 12:37:59 PM
sures...@yahoo.co.in writes:


> * You sent some piece of code and asked to try it.
>
> LOCAL_RULESETS
> SLocal_check_mail
> R$*	$: $1 $| $&{auth_type}
> R$* $| $+	$@ good: sent with auth
> R$* $| $*	$: $1 $| $>A <$&{client_addr}> <?> <+ connect> <>
> R$* $| < RELAY > < >	$@ good: access.db says RELAY
> R$*	$# error $@ 5.7.1 $: 553 Authentication required


No.


1)

From: Joseph Brennan <bre...@columbia.edu>
Message-ID: <slrndim04q....@papaya.cc.columbia.edu>

wrote:

<<<< start quote
Test this.

SLocal_check_mail
R$*	$: $1 $| $&{auth_type}
R$* $| $+	$@ good: sent with auth
R$* $| $*	$: $1 $| $>A <$&{client_addr}> <?> <+ connect> <>
R$* $| < RELAY > < >	$@ good: access.db says RELAY
R$*	$# error $@ 5.7.1 $: 553 Authentication required

>>>> end quote

2)

From: sures...@yahoo.co.in
Message-ID: <1127110583....@o13g2000cwo.googlegroups.com>

you answered

<<<< start quote


Thanks for your reply. I appreciate your
reply. It is working fine.

>>>> end quote

and then you asked

<<<< start quote

One more issue is that the lines given by you
should be placed in the "sendmail.cf" file. How can I add the same
feature using the sendmail.mc file

>>>> end quote

I did not give the ruleset. I answered how to put that ruleset into the .mc
file.


/ Kari Hurtta

