access database question?

From: knute2...@585ranch.com (Knute Johnson)
Newsgroups: comp.mail.sendmail
Subject: access database question?
Date: Sat, 3 Jun 2023 21:05:18 -0500
Organization: A noiseless patient Spider
Lines: 162
Message-ID: <u5grgu$3r0kh$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
 by: Knute Johnson - Sun, 4 Jun 2023 02:05 UTC

I have need to run sendmail on a server computer with two NICs, one is
connected to the internet and the other to a LAN. One of the computers
on the LAN needs to connect and send email to internet locations. I
seem to have this part working but in my quest to tighten up who could
relay mail I discovered that the server computer can relay mail even
with the Connect:localhost RELAY, Connect:127 RELAY and Connect:IPv6:::1
RELAY commented out. Can the localhost always relay mail? If I wanted
to prevent that I can change it to REJECT and it does prevent relay. I
get this message from mail: "cannot send message: Process exited with a
non-zero status". I went through the bat book looking but didn't find
anything.

# /etc/mail/access
# Copyright (c) 1998,2004 Richard Nelson <cowboy@debian.org>.
# Time-stamp: <1998/10/27 10:00:00 cowboy>
# GPL'd config file, please feed any gripes, suggestions, etc. to me
#
# Function:
# Access Control for this smtp server - determines:
# * Who we accept mail from
# * Who we accept relaying from
# * Who we will not send to
#
# Usage:
# FEATURE(access_db[, type [-o] /etc/mail/access])dnl
# makemap hash access < access
#
# Format:
# lhs:
# email addr <user@[host.domain]>
# domain name unless FEATURE(relay_hosts_only) is used,
# then this is a fqdn - and relay-domains ($=R)
# must also be fqdns.
# network number must end on an octet boundary, or
# you're stuck going the longwinded way ;-{
# rhs:
# OK accept mail even if other rules in the
# running ruleset would reject it.
# RELAY Allow domain to relay through your SMTP
# server. RELAY also serves an implicit
# OK for the other checks.
# REJECT reject the sender/recipient with a general
# purpose message that can be customized.
# confREJECT_MSG [550 Access denied] will be issued
# DISCARD discard the message completely using
# the $#discard mailer.
# ### any text where ### is an RFC 821 compliant error code
# and "any text" is a message to return for
# the command
# Examples:
# spammer@aol.com REJECT
# FREE.STEALTH.MAILER@ 550 Spam not accepted
#
# Notes:
# With FEATURE(blacklist_recipients) this is also possible:
# badlocaluser 550 Mailbox disabled for this username
# host.mydomain.com 550 That host does not accept mail
# user@otherhost.mydomain.com 550 Mailbox disabled for this recipient
#
# Related:
# define(`confREJECT_MSG', `550 Access denied')dnl
# define(`confCR_FILE', `-o /etc/mail/relay-domains')dnl <<- $=R
# FEATURE(relay_hosts_only)dnl
# FEATURE(relay_entire_domain)dnl <<- relays any host in the $=m class
# FEATURE(relay_based_on_MX)dnl <<- relaying for boxes MX'd to you
# FEATURE(blacklist_recipients)dnl
# FEATURE(rbl[,alternate server])dnl
# FEATURE(orbs[,alternate server])dnl <<- Debian addition
# FEATURE(orca[,alternate server])dnl <<- Debian addition
# FEATURE(accept_unqualified_senders)dnl
# FEATURE(accept_unresolvable_domains)dnl
#
# Local addresses 10.x.x.x, 127.x.x.x, 172.16-31.x.x, 192.168.x.x can relay
# Note Well! You *must* make sure these addresses can't be spoofed externally
# Note, outbound relaying is controlled by connection and/or auth
# If you're not firewalled, and you don't have a lan, comment these out
# If you're not firewalled, and you have a lan, get firewalled *NOW*
# GreetPause - delay to check for spammers
# Client Connection rate (and #) control
#Connect:localhost RELAY
#GreetPause:localhost 0
#ClientRate:localhost 0
#ClientConn:localhost 0
#Connect:10 RELAY
#GreetPause:10 0
#ClientRate:10 0
#ClientConn:10 0
#Connect:127 RELAY
#GreetPause:127 0
#ClientRate:127 0
#ClientConn:127 0
#Connect:IPv6:::1 RELAY
#GreetPause:IPv6:::1 0
#ClientRate:IPv6:::1 0
#ClientConn:IPv6:::1 0
#
#Connect:172.16 RELAY
#Connect:172.17 RELAY
#Connect:172.18 RELAY
#Connect:172.19 RELAY
#Connect:172.20 RELAY
#Connect:172.21 RELAY
#Connect:172.22 RELAY
#Connect:172.23 RELAY
#Connect:172.24 RELAY
#Connect:172.25 RELAY
#Connect:172.26 RELAY
#Connect:172.27 RELAY
#Connect:172.28 RELAY
#Connect:172.29 RELAY
#Connect:172.30 RELAY
#Connect:172.31 RELAY
#Connect:192.168 RELAY
#GreetPause:192.168 0
#ClientRate:192.168 0
#ClientConn:192.168 0
# Defaults
GreetPause: 5000
ClientRate: 10
ClientConn: 10
#
# Don't offer AUTH on local network
#SRV_Features:192.168.1 A
#
# Hosts to allow relaying
#
# Hosts that validly forward to me
#GreetPause:<ip> 0
#ClientRate:<ip> 30
#ClientConn:<ip> 0
#
# Whitelisted users
# Spam:postmaster@ FRIEND
Spam:abuse@ FRIEND
Spam:spam@ FRIEND
#
# Blacklisted users
#
#Connect:rampellsoft.com 554 Email directly, not through didtheyreadit.com
reject@ REJECT
#cyberpromo.com REJECT
#From:MAILER-DAEMON@store2.netvisao.pt REJECT
#
# Block invalid IPs
#
#Connect:0 REJECT whilst invalid, this also blocks sendmail -bs -Am
Connect:169.254 REJECT
Connect:192.0.2 REJECT
Connect:224 REJECT
Connect:255 REJECT

Connect:172.0.10.7 RELAY

--

Knute Johnson

Re: access database question?

From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: access database question?
Date: Sun, 4 Jun 2023 02:31:23 -0400 (EDT)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <u5hb3r$tse$1@news.misty.com>
References: <u5grgu$3r0kh$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Mail-Copies-To: never
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Sun, 4 Jun 2023 06:31 UTC

Knute Johnson wrote:

> Can the localhost always relay mail? If I wanted

Yes.

SRelay_ok
# anything originating locally is ok
# check IP address
R$* $: $&{client_addr}
R$@ $@ RELAY originated locally
R0 $@ RELAY originated locally
R127.0.0.1 $@ RELAY originated locally
RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
RIPv6:::1 $@ RELAY originated locally
R$=R $* $@ RELAY relayable IP address

> to prevent that I can change it to REJECT and it does prevent relay. I

Why do you want to prevent it?
"What's the problem you are trying to solve?"

> get this message from mail: "cannot send message: Process exited with a
> non-zero status". I went through the bat book looking but didn't find

Probably an error from the MSP which tries to send via the local
daemon.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
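A small model of the relay decision this thread is about, combining the Relay_ok rules Claus quotes above with the Connect: lookup semantics described in the access file comments of the first post (added example, not sendmail's own code; the access database contents, the empty $=R class, and the rule that an access-db REJECT is applied before Relay_ok are assumptions of the model):

```python
# Simplified model of sendmail's relay decision: the Relay_ok ruleset quoted
# above plus Connect: lookups in the access database. Added example, not
# sendmail's code; client_name lookups (e.g. Connect:localhost) are omitted.
# Constructed access database: what "makemap hash access" would build from
# the uncommented Connect: lines in the first post.
ACCESS_DB = {
    "Connect:172.0.10.7": "RELAY",
    "Connect:169.254": "REJECT",
    "Connect:192.0.2": "REJECT",
    "Connect:224": "REJECT",
    "Connect:255": "REJECT",
}

# $=R, the relay-domains class; assumed empty for this example.
RELAY_CLASS = set()

def address_prefixes(client_addr):
    """Prefixes of a dotted-quad address ending on an octet boundary, most
    specific first: "192.0.2.10", "192.0.2", "192.0", "192"."""
    if client_addr.startswith("IPv6:"):
        return [client_addr]  # no v6 prefix shortening in this model
    octets = client_addr.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def access_lookup(client_addr, db):
    """Verdict of the most specific Connect: key for the address, or None."""
    for prefix in address_prefixes(client_addr):
        verdict = db.get("Connect:" + prefix)
        if verdict is not None:
            return verdict
    return None

def relay_ok(client_addr, relay_class):
    """Mirror of Relay_ok: anything originating locally is ok, as is any
    address whose leading octets are an entry of $=R."""
    local = ("", "0", "127.0.0.1", "IPv6:0:0:0:0:0:0:0:1", "IPv6:::1")
    if client_addr in local:
        return True
    return any(p in relay_class for p in address_prefixes(client_addr))

def relay_decision(client_addr, db=ACCESS_DB, relay_class=RELAY_CLASS):
    """Return (verdict, reason). Model assumption: an explicit access-db REJECT
    for the connecting address wins before Relay_ok runs (as the poster saw)."""
    verdict = access_lookup(client_addr, db)
    if verdict == "REJECT":
        return "REJECT", "access db rejects connections from " + client_addr
    if relay_ok(client_addr, relay_class):
        return "RELAY", "originated locally or relayable IP address"
    if verdict == "RELAY":
        return "RELAY", "Connect: RELAY entry in access db"
    return "REJECT", "relaying denied"
```

For 127.0.0.1 the model returns RELAY whether or not a Connect:localhost RELAY line exists, and with Connect:127 REJECT in the database it returns REJECT, which is the behaviour reported in the first post (the MSP submitting to the local daemon then fails, as Claus notes).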

Re: access database question?

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.mail.sendmail
Subject: Re: access database question?
Date: Sun, 4 Jun 2023 10:55:46 +0200
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <u5hjii$3tfr8$1@dont-email.me>
References: <u5grgu$3r0kh$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
 by: Marco Moock - Sun, 4 Jun 2023 08:55 UTC

On 03.06.2023 at 21:05:18 Knute Johnson wrote:

> I seem to have this part working but in my quest to tighten up who
> could relay mail I discovered that the server computer can relay mail
> even with the Connect:localhost RELAY, Connect:127
> RELAY and Connect:IPv6:::1 RELAY commented out. Can the localhost
> always relay mail?

I don't know why you want to stop this.

Any software on your machine can send mails to other machines completely
independent of sendmail, just use "telnet <hostname> 25" to do it on
your own. Any SMTP client can do this.

If you have software on your machine that you don't trust, remove it or
restrict it in a protected environment.

If you fear that somebody might spoof the localhost IP address ranges,
it is not a risk. It can't complete the TCP handshake nor the SMTP
session, so no relaying by outside attackers is possible by allowing
127.0.0.0/8 and ::1/128 to relay.

Re: access database question?

From: knute2...@585ranch.com (Knute Johnson)
Newsgroups: comp.mail.sendmail
Subject: Re: access database question?
Date: Sun, 4 Jun 2023 10:38:31 -0500
Organization: A noiseless patient Spider
Lines: 20
Message-ID: <u5ib5n$dgr$1@dont-email.me>
References: <u5grgu$3r0kh$1@dont-email.me> <u5hjii$3tfr8$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
In-Reply-To: <u5hjii$3tfr8$1@dont-email.me>
 by: Knute Johnson - Sun, 4 Jun 2023 15:38 UTC

On 6/4/23 03:55, Marco Moock wrote:
> On 03.06.2023 at 21:05:18 Knute Johnson wrote:
>
>> I seem to have this part working but in my quest to tighten up who
>> could relay mail I discovered that the server computer can relay mail
>> even with the Connect:localhost RELAY, Connect:127
>> RELAY and Connect:IPv6:::1 RELAY commented out. Can the localhost
>> always relay mail?
>
> I don't know why you want to stop this.
>

Thanks for the reply. It was mostly about not understanding that the
localhost can always relay regardless of the settings in the access
database.

--

Knute Johnson

Re: access database question?

From: knute2...@585ranch.com (Knute Johnson)
Newsgroups: comp.mail.sendmail
Subject: Re: access database question?
Date: Sun, 4 Jun 2023 10:42:46 -0500
Organization: A noiseless patient Spider
Lines: 28
Message-ID: <u5ibdm$dgr$2@dont-email.me>
References: <u5grgu$3r0kh$1@dont-email.me> <u5hb3r$tse$1@news.misty.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
In-Reply-To: <u5hb3r$tse$1@news.misty.com>
Content-Language: en-US
 by: Knute Johnson - Sun, 4 Jun 2023 15:42 UTC

On 6/4/23 01:31, Claus Aßmann wrote:
> Knute Johnson wrote:
>
>> Can the localhost always relay mail? If I wanted
>
> Yes.
>
> SRelay_ok
> # anything originating locally is ok
> # check IP address
> R$* $: $&{client_addr}
> R$@ $@ RELAY originated locally
> R0 $@ RELAY originated locally
> R127.0.0.1 $@ RELAY originated locally
> RIPv6:0:0:0:0:0:0:0:1 $@ RELAY originated locally
> RIPv6:::1 $@ RELAY originated locally
> R$=R $* $@ RELAY relayable IP address
>

Thanks Claus. I didn't think to look in sendmail.cf. I was mostly
curious about what I thought was a conflict between commenting out the
localhost entries in the access database and localhost still being able
to relay.

--

Knute Johnson

Re: access database question?

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.mail.sendmail
Subject: Re: access database question?
Date: Mon, 5 Jun 2023 11:52:22 +0200
Organization: A noiseless patient Spider
Lines: 25
Message-ID: <u5kb8m$ag31$1@dont-email.me>
References: <u5grgu$3r0kh$1@dont-email.me>
<u5hjii$3tfr8$1@dont-email.me>
<u5ib5n$dgr$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
 by: Marco Moock - Mon, 5 Jun 2023 09:52 UTC

On 04.06.2023 at 10:38:31 Knute Johnson wrote:

> On 6/4/23 03:55, Marco Moock wrote:
> > On 03.06.2023 at 21:05:18 Knute Johnson wrote:
> >
> >> I seem to have this part working but in my quest to tighten up who
> >> could relay mail I discovered that the server computer can relay
> >> mail even with the Connect:localhost RELAY, Connect:127
> >> RELAY and Connect:IPv6:::1 RELAY commented out. Can the localhost
> >> always relay mail?
> >
> > I don't know why you want to stop this.
> >
>
> Thanks for the reply. It was mostly about not understanding that the
> localhost can always relay regardless of the settings in the access
> database.

Then I ask a question:

Why is that configured this way?

What is the purpose of the localhost entries in the access_db if
localhost relaying is allowed by other options too?

Re: access database question?

From: knute2...@585ranch.com (Knute Johnson)
Newsgroups: comp.mail.sendmail
Subject: Re: access database question?
Date: Tue, 6 Jun 2023 13:49:38 -0500
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <u5nv42$qpad$1@dont-email.me>
References: <u5grgu$3r0kh$1@dont-email.me> <u5hjii$3tfr8$1@dont-email.me>
<u5ib5n$dgr$1@dont-email.me> <u5kb8m$ag31$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
In-Reply-To: <u5kb8m$ag31$1@dont-email.me>
Content-Language: en-US
 by: Knute Johnson - Tue, 6 Jun 2023 18:49 UTC

On 6/5/23 04:52, Marco Moock wrote:
> On 04.06.2023 at 10:38:31 Knute Johnson wrote:
>
>> On 6/4/23 03:55, Marco Moock wrote:
>>> On 03.06.2023 at 21:05:18 Knute Johnson wrote:

> Then I ask a question:
>
> Why is that configured this way?
>
> What is the purpose of the localhost entries in the access_db if
> localhost relaying is allowed by other options too?
>

I don't know. The file comes from the Debian repository that way.
This is not the first thing I have found in the access file that
doesn't comport with the way sendmail works.

--

Knute Johnson
