  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 370

Allowing authenticated external users to relay mails from anywhere through internal sendmail

I have set up a sendmail (8.10.0) on a Redhat Linux 6.1 machine.  Since anti-relay is on by default, users cannot send mails through the company sendmail server from home or any other places.
I suppose the best way to allow that is to use some kind of authentication mechanism according to user address name before the user can relay their mails.  Does anyone know how that can be done?  Is SMTP AUTH a good way?  If so, how is it set up?
0
kevintsang
Asked:
kevintsang
1 Solution
 
jlevieCommented:
Caveat... I've not yet tried to enable that feature on an 8.10.1. But my reading of the docs indicates that it would be the easiest way to allow per-user relaying. It looks to me that you need a functioning Cyrus SASL (available at http://asg.web.cmu.edu/) for authenticating users.

Another possibility is to set up a Web mail interface for your users. That can be run over an SSL enabled http server and it side-steps the anti-relay problem as your remote users are always within the domain. A pretty good free web mail system can be found at http://www.horde.org/imp/ and another that I've not tried is at http://jwebmail.sourceforge.net/.

From a security standpoint, only allowing access to the mail system via http (or preferably https) is better than allowing direct SMTP/IMAP/POP. It also has the advantage of not requiring per-client setups. As long as the remote client system has a Web browser, that user is "good to go".
0
 
rtheriotCommented:
Kevin,

At my place of work, we have a firewall that stops us from doing just that; however, we have punched holes in it by allowing access through the firewall based on IP address.

hth

0
 
unixway52Commented:
Sendmail 8.10 has some decent relay rule controls,
but your sendmail.cf must be configured with
the appropriate features. In particular it sounds
like you could make good use of the access_db
feature, which will allow you to add/reject
hosts in a /etc/mail/access hashed file, in the
same manner that the aliases and mailertable dbs
are handled.

I suggest you take a look at ...
http://www.sendmail.org/tips/relaying.html
for an overview.  If you are not familiar with
customizing your sendmail.cf with m4, you'll
either need to dig into "the" Sendmail book or
have a sendmail guru create one for you.

After reading that web page though, take a look at
your current /etc/mail directory and sendmail.cf
file ... what you need may already be configured
in there.

I have RH 6.1 loaded at home and will take a look
at what they ship by default tonight (at work
running Solaris now!).

0

 
unixway52Commented:
Under RH 6.1 (and probably other Linuxes), /etc/mail has the proper config ...
there's an access file you can modify to allow host and user@host entry to
the smtp service. When done just run "make" as root when in that directory and
it should rehash the .db files.

Bear in mind that allowing user@host access does open some potential abuse
problems.

Actual user password authentication, say against an ldap service, is much more
complex but, as I understand it, possible ... I haven't done that yet but probably
will in the near future.

 
0
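The caveat above about user@host entries, as an added example that is not part of the thread: a shell function that lists the RELAY grants in an access map source file and marks the ones keyed on a mail address, since an address in the SMTP envelope is supplied by the client and is not authenticated. The `key value` line layout, the optional `From:`-style tag and all sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify relay grants in a sendmail access map source.
# Assumed format: "key<whitespace>value" per line, "#" starts a comment.

# Constructed sample input (not taken from any real server).
sample_access() {
    cat <<'EOF'
# constructed access map
192.168.1               RELAY
partner.example         RELAY
roamer@example.org      RELAY
From:sales@example.org  relay
spammer.example         REJECT
EOF
}

# audit_access [FILE]  (reads stdin when no file is given)
# Prints "KIND key" for every entry whose value is RELAY:
#   ADDRESS  key holds a mail address (client-supplied, forgeable)
#   NETWORK  key is a dotted IP address or prefix
#   HOST     key is a host or domain name
audit_access() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }        # skip comments and blank lines
        toupper($2) != "RELAY" { next }      # keep only relay grants
        {
            key = $1
            sub(/^[A-Za-z]+:/, "", key)      # drop a tag such as "From:"
            if (key ~ /@/)              kind = "ADDRESS"
            else if (key ~ /^[0-9.]+$/) kind = "NETWORK"
            else                        kind = "HOST"
            print kind, $1
        }
    ' "$@"
}

# Stand-alone run on the constructed sample.
sample_access | audit_access
```

Entries reported as ADDRESS are the ones to review first; NETWORK and HOST grants depend on where the client connects from rather than on what it claims.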
 
kevintsangAuthor Commented:
Thanks for your input.  I've made the SMTP AUTH work.
In my case, web-based interface is already in place but I haven't found one that can totally replace a mail client program like Outlook.  Our users need those functions like rule-based filtering and subfolders under folder, etc.
We have to rely on SMTP AUTH because we would never have any clue where the user is connecting from and thus we can never allow access based on IP.
Basically, I need to know if there is a better way because I believe there should be people out there facing a similar problem.
0
 
jlevieCommented:
SMTP AUTH is the best way to allow your server to be used by roaming users without leaving your site wide open to un-wanted relaying. In my opinion the only thing better would be SMTP AUTH/POP/IMAP over SSL.
0
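Why running SMTP AUTH over SSL matters, as an added example that is not part of the thread: a shell function that reads an EHLO reply captured on an unencrypted session and reports whether the server offers the PLAIN or LOGIN mechanisms, which carry the password as reversible base64. The sample replies and host names are constructed, and the status labels are this example's own.

```shell
#!/bin/sh
# Added example: inspect a captured EHLO reply (plaintext session) for AUTH.
# Output: "<status> <mechanisms> starttls=<yes|no>"
#   no-auth             AUTH is not advertised
#   challenge-only      only non-PLAIN/LOGIN mechanisms are advertised
#   cleartext-password  PLAIN or LOGIN is offered on the unencrypted session

# Constructed sample reply (not captured from a real server).
sample_ehlo() {
    printf '250-mail.example.org Hello\r\n'
    printf '250-AUTH LOGIN PLAIN DIGEST-MD5\r\n'
    printf '250 HELP\r\n'
}

check_ehlo_auth() {
    tr -d '\r' | awk '
        /^250[- ]/ {                          # "250-KEYWORD args" / "250 KEYWORD args"
            n = split(substr($0, 5), f, " ")
            kw = toupper(f[1])
            if (kw == "STARTTLS") tls = 1
            if (kw == "AUTH")
                for (i = 2; i <= n; i++) {
                    m = toupper(f[i])
                    mechs = mechs (mechs ? "," : "") m
                    if (m == "PLAIN" || m == "LOGIN") weak = 1
                }
        }
        END {
            status = (mechs == "") ? "no-auth" : (weak ? "cleartext-password" : "challenge-only")
            print status, (mechs == "" ? "-" : mechs), "starttls=" (tls ? "yes" : "no")
        }
    '
}

# Stand-alone run on the constructed sample.
sample_ehlo | check_ehlo_auth
```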
 
rtheriotCommented:
If you are using an Exchange mail server, it does have a web mail client that emulates Outlook, and has most of the functionality.
0
 
kevintsangAuthor Commented:
rtheriot, we tried the Outlook Web Access already.  It is pretty good already but still can't fulfill all of our requirements.  For example, web-based interface does not allow offline email access.  Mobile users are not online all the time.  Anyway, appreciate your help.
0
