
relaying setup question


woody

Sep 26, 2008, 10:20:39 AM
Hello all,

At my job site we are running sendmail and we allow internal hosts (IPs on
the local subnet) to relay. This seems to me to be a misconfiguration but
the Unix admin has had it configured this way for some time. Is this the BIG
hole I think it is? Does it allow any email to be sent from our internal
hosts using any domain?

Our relay-domains file looks something like this.

abcdomain.com
mail.abcdomain.com
10.1. (this represents our local IP range)

Our clients are using POP and IMAP. The mail.log file has entries for
ordinary abcdomain.com email that have relay statements using the internal
IP addresses. I make this statement only because I am tempted to remove the
IP address range but I don't want to prevent POP and IMAP from working.

Thank you for reading this and forgive me if this is sendmail 101 material.

Woody


Grant Taylor

Sep 26, 2008, 11:33:45 AM
On 09/26/08 09:20, woody wrote:
> Is this the BIG hole I think it is? Does it allow any email to be
> sent from our internal hosts using any domain?

IMHO allowing relay from your internal network is not that big of a
deal. Remember that you are only allowing from a controlled area / IP
address space. So if your firewall does reverse path filtering and / or
prevents spoofing of your IP address space, you should be fine.

Yes, allowing your internal network to relay will allow them to relay
for any source domain that they want to. So this may be an issue to
you, I don't know. However you will have the internal IP that did the
relaying and you can fairly easily go back to the system that did the
relaying. Besides, if an internal system is compromised to the point
that it is sending email that it should not, chances are good that you
have a larger problem.

> Our relay-domains file looks something like this.
>
> abcdomain.com
> mail.abcdomain.com

The two above lines bother me more than the line below. With the above
line, anyone that claims to be from (|mail.)abcdomain.com will be
allowed to relay if Sendmail is configured to relay based on sending domain.

> 10.1. (this represents our local IP range)

It is much safer to allow relaying based on the sending IP address range
than it is based on the sending email address. The sending email
address is trivial to spoof, whereas spoofing sending IPs is much
harder and also much easier to detect and prevent / reject.

Grant. . . .

Carl Byington

Sep 27, 2008, 1:22:37 AM
On Fri, 26 Sep 2008 10:33:45 -0500, Grant Taylor wrote:

[snip]


>> Our relay-domains file looks something like this.
>>
>> abcdomain.com
>> mail.abcdomain.com

> The two above lines bother me more than the line below. With the above
> line, any one that claims to be from (|mail.)abcdomain.com will be
> allowed to relay if Sendmail is configured to relay based on sending domain.

I don't think so. My understanding is that those two lines will allow
relaying from any ip address with a reverse dns name in those domains, and
where that reverse dns name has an A record that matches the original ip
address.

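
Added example, not part of the thread and not sendmail's own code: a small Python model of the relay decision as the last reply describes it, where a domain entry matches only a forward-confirmed reverse DNS name and the envelope sender is never consulted. The DNS tables, the function names, subdomain matching, and treating `10.1.` as a whole-octet prefix are assumptions made for the illustration.

```python
# Constructed DNS data (documentation address ranges); not from the thread.
PTR = {"192.0.2.10": "mail.abcdomain.com",
       "203.0.113.5": "mail.abcdomain.com",   # PTR claims the name, A disagrees
       "198.51.100.7": "host.example.net"}
A = {"mail.abcdomain.com": {"192.0.2.10"},
     "host.example.net": {"198.51.100.7"}}
RELAY_ENTRIES = ["abcdomain.com", "mail.abcdomain.com", "10.1."]  # as posted


def is_ip_prefix(entry):
    """True when the entry consists only of numeric octets (assumed form)."""
    return all(p.isdigit() for p in entry.rstrip(".").split("."))


def ip_matches(ip, entry):
    """Compare whole octets, so '10.1.' covers 10.1.x.x but not 10.10.x.x."""
    want = entry.rstrip(".").split(".")
    return ip.split(".")[:len(want)] == want


def verified_name(ip):
    """Return the PTR name only if its A records contain the same address."""
    name = PTR.get(ip, "").lower()
    return name if name and ip in A.get(name, set()) else None


def name_matches(name, entry):
    entry = entry.lower()
    return name == entry or name.endswith("." + entry)


def relay_decision(ip, mail_from=None):
    """mail_from is accepted but deliberately ignored in this model."""
    name = verified_name(ip)
    for entry in RELAY_ENTRIES:
        if is_ip_prefix(entry):
            if ip_matches(ip, entry):
                return ("relay", "client address in " + entry)
        elif name and name_matches(name, entry):
            return ("relay", "verified client name in " + entry)
    return ("reject", "no entry matched")


if __name__ == "__main__":
    for ip in ("10.1.4.20", "10.10.4.20", "192.0.2.10", "203.0.113.5"):
        print(ip, relay_decision(ip, "someone@abcdomain.com"))
```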
