Solved

Allowing authenticated external users to relay mails from anywhere through internal sendmail

Posted on 2000-05-05
Last Modified: 2010-03-18
I have set up sendmail (8.10.0) on a Red Hat Linux 6.1 machine. Since anti-relay is on by default, users cannot send mail through the company sendmail server from home or any other place.
I suppose the best way to allow that is to use some kind of authentication mechanism according to user address name before the user can relay their mail. Does anyone know how that can be done? Is SMTP AUTH a good way? If so, how is it set up?
Question by:kevintsang
8 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 2784179
Caveat... I've not yet tried to enable that feature on an 8.10.1. But my reading of the docs indicates that it would be the easiest way to allow per-user relaying. It looks to me that you need a functioning Cyrus SASL (available at http://asg.web.cmu.edu/) for authenticating users.

Another possibility is to set up a Web mail interface for your users. That can be run over an SSL enabled http server and it side-steps the anti-relay problem as your remote users are always within the domain. A pretty good free web mail system can be found at http://www.horde.org/imp/ and another that I've not tried is at http://jwebmail.sourceforge.net/.

From a security standpoint, only allowing access to the mail system via http (or preferably https) is better than allowing direct SMTP/IMAP/POP. It also has the advantage of not requiring per-client setups. As long as the remote client system has a Web browser, that user is "good to go".
0
 
LVL 1

Expert Comment

by:rtheriot
ID: 2794817
Kevin,

At my place of work, we have a firewall that stops us from doing just that; however, we have punched holes in it by allowing access through the firewall based on IP address.

hth

0
 

Expert Comment

by:unixway52
ID: 2802464
Sendmail 8.10 has some decent relay rule controls,
but your sendmail.cf must be configured with
the appropriate features. In particular it sounds
like you could make good use of the access_db
feature, which will allow you to add/reject
hosts in a /etc/mail/access hashed file, in the
same manner that the aliases and mailertable db's
are handled.

I suggest you take a look at ...
http://www.sendmail.org/tips/relaying.html
for an overview.  If you are not familiar with
customizing your sendmail.cf with m4, you'll
either need to dig into "the" Sendmail book or
have a sendmail guru create one for you.

After reading that web page though, take a look at
your current /etc/mail directory and sendmail.cf
file ... what you need may already be configured
in there.

I have RH 6.1 loaded at home and will take a look
at what they ship by default tonight (at work
running Solaris now!).

0
 

Expert Comment

by:unixway52
ID: 2802831
Under RH 6.1 (and probably other Linuxes), /etc/mail has the proper config ...
there's an access file you can modify to allow host and user@host entry to
the smtp service. When done just run "make" as root when in that directory and
it should rehash the .db files.

Bear in mind that allowing user@host access does open some potential abuse
problems.

Actual user password authentication, say against an LDAP service, is much more
complex but, as I understand it, possible ... I haven't done that yet but probably
will in the near future.

 
0
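An added example, not part of the original thread: a small audit that lists every RELAY entry in an access file and what each one actually trusts, so entries keyed on a sender address (which only grant relaying when sendmail's `relay_mail_from` feature is enabled) stand out from host and IP entries. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample of an /etc/mail/access file (illustrative, not from the thread).
SAMPLE_ACCESS = """\
# key                        value
localhost.localdomain        RELAY
127.0.0.1                    RELAY
192.168.10                   RELAY
Connect:203.0.113.7          RELAY
branch.example.com           RELAY
roaming.user@example.com     RELAY
From:sales@example.net       RELAY
spammer@example.org          REJECT
"""

NOTES = {
    "address": "envelope sender is unauthenticated and trivially forged",
    "host": "matches client host name (DNS-dependent) or recipient domain",
    "ip": "fixed source address or network; does not follow roaming users",
}

def classify_key(key):
    """Return 'address', 'ip' or 'host' for an access-map key (IPv4 only)."""
    for tag in ("connect:", "from:", "to:"):
        if key.lower().startswith(tag):
            key = key[len(tag):]
            break
    if "@" in key:
        return "address"
    # Partial dotted quads such as 192.168.10 act as network prefixes.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", key):
        return "ip"
    return "host"

def audit(text):
    """Return (line_no, key, kind, note) for every RELAY entry in the file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[1].upper() == "RELAY":
            kind = classify_key(fields[0])
            findings.append((no, fields[0], kind, NOTES[kind]))
    return findings

if __name__ == "__main__":
    for no, key, kind, note in audit(SAMPLE_ACCESS):
        print(f"line {no}: {key:28} [{kind}] {note}")
```

To audit a live server, pass the contents of `/etc/mail/access` to `audit()` instead of the constructed sample.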

 

Author Comment

by:kevintsang
ID: 2813520
Thanks for your input.  I've made the SMTP AUTH work.
In my case, web-based interface is already in place but I haven't found one that can totally replace a mail client program like Outlook.  Our users need those functions like rule-based filtering and subfolders under folder, etc.
We have to rely on SMTP AUTH because we would never have any clue where the user is connecting from and thus we can never allow access based on IP.
Basically, I need to know if there is a better way because I believe there should be people out there facing a similar problem.
0
 
LVL 40

Accepted Solution

by:
jlevie earned 100 total points
ID: 2814800
SMTP AUTH is the best way to allow your server to be used by roaming users without leaving your site wide open to unwanted relaying. In my opinion the only thing better would be SMTP AUTH/POP/IMAP over SSL.
0
 
LVL 1

Expert Comment

by:rtheriot
ID: 2814883
If you are using an Exchange mail server, it does have a web mail client that emulates Outlook, and has most of the functionality.
0
 

Author Comment

by:kevintsang
ID: 2816907
rtheriot, we tried the Outlook Web Access already.  It is pretty good already but still can't fulfill all of our requirements.  For example, web-based interface does not allow offline email access.  Mobile users are not online all the time.  Anyway, appreciate your help.
0
