Allowing authenticated external users to relay mails from anywhere through internal sendmail

Posted on 2000-05-05
Medium Priority
Last Modified: 2010-03-18
I have set up sendmail (8.10.0) on a Red Hat Linux 6.1 machine.  Since anti-relay is on by default, users cannot send mail through the company sendmail server from home or any other place.
I suppose the best way to allow that is to use some kind of authentication mechanism based on the user's address before the user can relay their mail.  Does anyone know how that can be done?  Is SMTP AUTH a good way?  If so, how is it set up?
Question by:kevintsang

Expert Comment

ID: 2784179
Caveat... I've not yet tried to enable that feature on an 8.10.1. But my reading of the docs indicates that it would be the easiest way to allow per-user relaying. It looks to me that you need a functioning Cyrus SASL (available at http://asg.web.cmu.edu/) for authenticating users.

Another possibility is to set up a Web mail interface for your users. That can be run over an SSL enabled http server and it side-steps the anti-relay problem as your remote users are always within the domain. A pretty good free web mail system can be found at http://www.horde.org/imp/ and another that I've not tried is at http://jwebmail.sourceforge.net/.

From a security standpoint, only allowing access to the mail system via http (or preferably https) is better than allowing direct SMTP/IMAP/POP. It also has the advantage of not requiring per-client setups. As long as the remote client system has a Web browser, that user is "good to go".

Expert Comment

ID: 2794817

At my place of work, we have a firewall that stops us from doing just that; however, we have punched holes in it by allowing access through the firewall based on IP address.



Expert Comment

ID: 2802464
Sendmail 8.10 has some decent relay rule controls, but your sendmail.cf must be configured with the appropriate features. In particular, it sounds like you could make good use of the access_db feature, which will allow you to add/reject hosts in a /etc/mail/access hashed file, in the same manner that the aliases and mailertable DBs are handled.

I suggest you take a look at ... for an overview.  If you are not familiar with customizing your sendmail.cf with m4, you'll either need to dig into "the" Sendmail book or have a sendmail guru create one for you.

After reading that web page, though, take a look at your current /etc/mail directory and sendmail.cf file ... what you need may already be configured in there.

I have RH 6.1 loaded at home and will take a look at what they ship by default tonight (at work running Solaris now!).


Expert Comment

ID: 2802831
Under RH 6.1 (and probably other Linuxes), /etc/mail has the proper config ... there's an access file you can modify to allow host and user@host entries to the SMTP service. When done, just run "make" as root in that directory and it should rehash the .db files.

Bear in mind that allowing user@host access does open some potential abuse.

Actual user password authentication, say against an LDAP service, is much more complex but as I understand it possible ... I haven't done that yet but probably will in the near future.


Author Comment

ID: 2813520
Thanks for your input.  I've made the SMTP AUTH work.
In my case, a web-based interface is already in place but I haven't found one that can totally replace a mail client program like Outlook.  Our users need functions like rule-based filtering, subfolders under folders, etc.
We have to rely on SMTP AUTH because we would never have any clue where the user is connecting from and thus we can never allow access based on IP.
Basically, I need to know if there is a better way because I believe there should be people out there facing similar problem.

Accepted Solution

jlevie earned 200 total points
ID: 2814800
SMTP AUTH is the best way to allow your server to be used by roaming users without leaving your site wide open to unwanted relaying. In my opinion the only thing better would be SMTP AUTH/POP/IMAP over SSL.
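The first expert comment points at SMTP AUTH with Cyrus SASL, and the accepted solution adds that it is better still over SSL. What follows is an added example, not code from the thread and not sendmail's or Cyrus SASL's own code: a Python walk-through of the AUTH PLAIN exchange that SMTP AUTH adds to the SMTP dialogue, with the client and server sides both simulated. The EHLO reply, the hostnames and the credential store are constructed; the two m4 directives quoted in the module docstring are the sendmail 8.10 settings (per cf/README) that make the server advertise AUTH and treat an authenticated user as allowed to relay. The decode step shows why the "over SSL" advice matters: PLAIN and LOGIN only base64-encode the password.

```python
"""SMTP AUTH PLAIN on a constructed transcript, client and server side.

Added example, not code from the original thread or from sendmail.  On the
server, these sendmail 8.10 m4 directives (assumed here, per cf/README) make
sendmail advertise AUTH in its EHLO reply and treat anyone who authenticates
with one of the listed mechanisms as permitted to relay:

    TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl

The password check itself is delegated to Cyrus SASL; a dict stands in for it.
"""
import base64
import hmac

# Constructed EHLO reply of a sendmail built with SASL support.
EHLO_REPLY = (
    "250-mail.example.com Hello roaming.example.net [203.0.113.7], pleased to meet you\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE\r\n"
    "250-DSN\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)

# Constructed credential store standing in for whatever SASL consults (pwcheck, shadow, LDAP).
USERS = {"kevin": "s3cret"}


def parse_ehlo(reply):
    """Map each advertised ESMTP keyword to its parameters, skipping the greeting line."""
    exts = {}
    for line in reply.splitlines()[1:]:
        words = line[4:].split()          # drop the "250-" / "250 " prefix
        if words:
            exts[words[0].upper()] = words[1:]
    return exts


def choose_mechanism(exts, tls_active):
    """Pick PLAIN or LOGIN if offered, but only on a TLS-protected session.

    Both mechanisms carry the password base64-encoded, not encrypted (see
    decode_plain), so on a cleartext connection anyone on the path reads it.
    Returns the mechanism name, or None if nothing acceptable is offered.
    """
    offered = exts.get("AUTH", [])
    for mech in ("PLAIN", "LOGIN"):
        if mech in offered:
            return mech if tls_active else None
    return None


def auth_plain_initial_response(authcid, passwd, authzid=""):
    """Client side: the RFC 2595 PLAIN message <authzid>\\0<authcid>\\0<passwd>, base64-encoded."""
    msg = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(msg).decode("ascii")


def decode_plain(initial_response):
    """Split a PLAIN response into (authzid, authcid, passwd); None if malformed.

    This is also exactly what a passive sniffer recovers from an unencrypted session.
    """
    try:
        parts = base64.b64decode(initial_response).split(b"\x00")
        if len(parts) != 3:
            return None
        return tuple(p.decode("utf-8") for p in parts)
    except (ValueError, UnicodeDecodeError):   # bad base64 (binascii.Error) or bad UTF-8
        return None


def server_authenticate(initial_response, users=USERS):
    """Server side: return the authenticated user name, or None on any failure."""
    decoded = decode_plain(initial_response)
    if decoded is None:
        return None
    authzid, authcid, passwd = decoded
    if authzid not in ("", authcid):         # no proxy authorisation in this example
        return None
    expected = users.get(authcid)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), passwd.encode("utf-8")):
        return None
    return authcid


if __name__ == "__main__":
    exts = parse_ehlo(EHLO_REPLY)
    print("server offers AUTH", exts.get("AUTH"))
    print("cleartext session, mechanism chosen:", choose_mechanism(exts, tls_active=False))
    resp = auth_plain_initial_response("kevin", "s3cret")
    print("C: AUTH PLAIN", resp)
    print("   (what a sniffer sees after base64 decode:", decode_plain(resp), ")")
    user = server_authenticate(resp)
    print("S: 235 2.0.0 OK Authenticated" if user else "S: 535 5.7.0 authentication failed")
```

Once sendmail accepts the 235 reply, the session is the "trusted" case that TRUST_AUTH_MECH refers to, and relaying is permitted for that connection regardless of the client's IP address, which is what makes this work for roaming users where access-map entries cannot.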

Expert Comment

ID: 2814883
If you are using an Exchange mail server, it has a web mail client that emulates Outlook and has most of the functionality.

Author Comment

ID: 2816907
rtheriot, we tried the Outlook Web Access already.  It is pretty good already but still can't fulfill all of our requirements.  For example, web-based interface does not allow offline email access.  Mobile users are not online all the time.  Anyway, appreciate your help.
