Allowing authenticated external users to relay mails from anywhere through internal sendmail

I have set up sendmail (8.10.0) on a Red Hat Linux 6.1 machine.  Since anti-relay is on by default, users cannot send mail through the company sendmail server from home or any other place.
I suppose the best way to allow that is to use some kind of authentication mechanism, based on the user's address name, before the user can relay their mail.  Does anyone know how that can be done?  Is SMTP AUTH a good way?  If so, how is it set up?
jlevie Commented:
SMTP AUTH is the best way to allow your server to be used by roaming users without leaving your site wide open to unwanted relaying. In my opinion the only thing better would be SMTP AUTH/POP/IMAP over SSL.
Caveat... I've not yet tried to enable that feature on an 8.10.1. But my reading of the docs indicates that it would be the easiest way to allow per-user relaying. It looks to me that you need a functioning Cyrus SASL (avail at ) for authenticating users.

Another possibility is to set up a Web mail interface for your users. That can be run over an SSL enabled http server and it side-steps the anti-relay problem as your remote users are always within the domain. A pretty good free web mail system can be found at and another that I've not tried is at

From a security standpoint, only allowing access to the mail system via http (or preferably https) is better than allowing direct SMTP/IMAP/POP. It also has the advantage of not requiring per-client setups. As long as the remote client system has a Web browser that user is "good to go".

At my place of work, we have a firewall that stops us from doing just that; however, we have punched holes in it by allowing access through the firewall based on IP address.



Sendmail 8.10 has some decent relay rule controls, but you must be configured with the appropriate features. In particular it sounds like you could make good use of the access_db feature, which will allow you to add/reject hosts in a /etc/mail/access hashed file, in the same manner that the aliases and mailertable dbs are handled.

I suggest you take a look at ... for an overview.  If you are not familiar with customizing your with m4, you'll either need to dig into "the" Sendmail book or have a sendmail guru create one for you.

After reading that web page though, take a look at your current /etc/mail directory and file ... what you need may already be configured in there.

I have RH 6.1 loaded at home and will take a look at what they ship by default tonite (at work running Solaris now!).

Under RH 6.1 (and probably other Linuxes), /etc/mail has the proper config ... there's an access file you can modify to allow host and user@host entry to the smtp service. When done just run "make" as root when in that directory and it should rehash the .db files.

Bear in mind that allowing user@host access does open some potential abuse.

Actual user password authentication, say against an ldap service, is much more complex but as I understand it possible ... I haven't done that yet but probably will in the near future.
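The two recommendations above (SMTP AUTH for roaming users, and the access_db feature for hosts whose addresses are fixed) end up in the same place: the sendmail.mc that gets turned into sendmail.cf. The fragment below is an added example written for this page, not configuration posted by anyone in the thread or shipped by Red Hat or the sendmail project. It assumes a sendmail 8.10.x built with SASL support and Cyrus SASL installed; the cf.m4 path and the 192.0.2.0/24 and 203.0.113.45 addresses are placeholders (RFC 5737 documentation ranges) to be replaced with your own.

```m4
dnl Relay policy for a site with roaming users -- added example in sendmail 8.10 m4 syntax.
dnl Build the .cf with:  m4 /usr/share/sendmail-cf/m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf
dnl (the cf.m4 location is an assumption; adjust to wherever sendmail-cf is installed).
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`relay policy example for roaming users')dnl
OSTYPE(`linux')dnl

dnl ---- Weak settings: these "solve" the roaming-user problem by opening the relay ----
dnl FEATURE(`promiscuous_relay')dnl   relays for anyone who connects: an open relay
dnl FEATURE(`relay_local_from')dnl    relays if the sender merely *claims* a local address;
dnl                                   the envelope sender is trivially forged, so this is
dnl                                   the abuse the answer above warns about

dnl ---- Relay control keyed on the connecting address, which a client cannot forge ----
FEATURE(`access_db', `hash -o /etc/mail/access.db')dnl
dnl /etc/mail/access then holds one key/action pair per line, for example:
dnl   Connect:127.0.0.1        RELAY
dnl   Connect:192.0.2          RELAY     (a branch office with a fixed /24)
dnl   Connect:203.0.113.45     REJECT    (a host you never want to hear from)
dnl After editing, rebuild the hash:  cd /etc/mail && make
dnl (equivalently:  makemap hash access < access)

dnl ---- SMTP AUTH for users whose connecting address cannot be known in advance ----
dnl Mechanisms the server will offer. CRAM-MD5 and DIGEST-MD5 never send the password
dnl itself; LOGIN and PLAIN do, so add those two only on a TLS-protected server.
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5')dnl
dnl A client that has authenticated with one of these mechanisms may relay:
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5')dnl

MAILER(`local')dnl
MAILER(`smtp')dnl
```

Two things to check after rebuilding. First, `sendmail -d0.1 -bv root` lists the compiled-in options; SASL must appear there or the AUTH lines change nothing. Second, Cyrus SASL decides how passwords are verified from its own application config (for sendmail, a file named `Sendmail.conf` in the SASL plugin directory, `/usr/lib/sasl/` on a SASL v1 install; the directory is an assumption to verify locally). The shared-secret mechanisms above (CRAM-MD5, DIGEST-MD5) need the server to hold the user's secret in sasldb, so they cannot be verified against PAM or /etc/shadow hashes; PLAIN and LOGIN can use `pwcheck_method: pam`, which is why a server that wants system passwords usually ends up offering those two over TLS instead.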

kevintsang (Author) Commented:
Thanks for your input.  I've made the SMTP AUTH work.
In my case, web-based interface is already in place but I haven't found one that can totally replace a mail client program like outlook.  Our users need those functions like rule-based filtering and subfolders under folder, etc.
We have to rely on SMTP AUTH because we would never have any clue where the user is connecting from and thus we can never allow access based on IP.
Basically, I need to know if there is a better way because I believe there should be people out there facing a similar problem.
rtheriot Commented:
If you are using an Exchange mail server, it does have a web mail client that emulates Outlook, and has most of the functionality.
kevintsang (Author) Commented:
rtheriot, we tried Outlook Web Access already.  It is pretty good but still can't fulfil all of our requirements.  For example, a web-based interface does not allow offline email access, and mobile users are not online all the time.  Anyway, I appreciate your help.