
Server is running sendmail 8.14

From any machine:

$ telnet mydomain.com 25
HELO mydomain.com
MAIL FROM: <me@mydomain.com>
RCPT TO: <me@mydomain.com>
DATA
this is spam
.

How do I require authentication for any mail that claims to be from a local domain?

This seems like a no-brainer anti-spam feature.

FROM         TO           RESULT
any          non-local    "Relaying denied. Proper authentication required."
non-local    local        success [1]
local        local        success [2]

[1] This is acceptable. Outsiders can send to local users without any kind of authentication. Various DNS checks can be done.

[2] This is the problem. Why should I allow anyone to mail a local user while claiming to be a local user?

Marco
  • [Similar question](http://serverfault.com/questions/446566/spam-mail-through-smtp-and-user-spoofing) with no solution. – Marco Jan 29 '13 at 22:29
  • They're not claiming to "be a local user". They're claiming to have mail *from* a local user. What kind of "authentication" are you thinking of? – David Schwartz Jan 29 '13 at 23:17
  • When would that not be the same thing? The only place where mail-from-a-local-domain is going to originate is my server (via user's SMTP client). – Marco Jan 29 '13 at 23:45
  • Okay, so say it originated from a local user's SMTP client. Now whatever agent has it is delivering it to its final destination, your mail server. – David Schwartz Jan 29 '13 at 23:55
  • Er, what agent? When a user sends mail, there is a direct port-25 TCP connection from their SMTP client to my server. If the destination email address is local (and valid), the mail is moved to the appropriate local inbox. – Marco Jan 30 '13 at 00:39
  • There's no law that ensures that this is what always happens. – David Schwartz Jan 30 '13 at 00:41
  • If their SMTP client has "mydomain.com" as the outgoing server, is there any way that could NOT happen? – Marco Jan 30 '13 at 00:54
  • Who knows? They might be on a network that intercepts outbound mail and redirects it to their ISP's mail server for rate limiting. Their client might ignore the mail server setting under some conditions. The mail might have originated with one of your users and gone to a destination in another domain and then gotten remailed back to a different one of your local users. There are ways to fight spam, this isn't one of them. – David Schwartz Jan 30 '13 at 01:01
  • Hmmm. Thanks for taking the time to reply. I'm still not buying it. I know some ISPs require all mail goes through them, but in that case they make you enter "smtp.isp.net" in your client. What if I can guarantee (and/or require) that all clients connect directly as I described. Can I have sendmail require authentication for FROM:local_addr just as it requires it for TO:non_local_addr? Based on your replies, I'm guessing there is no simple setting that will accomplish this. – Marco Jan 30 '13 at 01:37

1 Answer

As noted here:

You can require the use of SMTP AUTH for relaying by simply turning off other means of relaying for incoming mail, e.g., the access map or class R. That is, if you have my.domain in /etc/mail/relay-domains or "my.domain RELAY" in the access map, then remove the entry from class R (/etc/mail/relay-domains) and use "To:my.domain RELAY" in the access map.

adamo
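The relaying side of the quoted advice, written out as a sendmail.mc fragment. This is an added example, not code from the original answer or from the sendmail documentation it quotes; the domain name mydomain.com, the file paths and the choice of SASL mechanisms are assumptions for illustration.

```m4
dnl Added example (not from the original answer): sendmail.mc fragment that
dnl leaves SMTP AUTH as the only way to relay. Assumes the domain is
dnl mydomain.com and that Cyrus SASL (saslauthd) is already set up.

dnl Consult /etc/mail/access.db for Connect:, From: and To: lookups.
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access.db')dnl

dnl A = honour AUTH= only for authenticated sessions
dnl p = refuse plaintext mechanisms unless the session is encrypted (STARTTLS)
dnl y = refuse anonymous logins
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl

dnl Any session that authenticated with one of these mechanisms may relay.
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl

dnl Do NOT list mydomain.com in /etc/mail/relay-domains (class R): that grants
dnl relaying to anything that merely names the local domain. For the same
dnl reason, do not enable the features below, which key relaying on the
dnl (trivially forged) envelope sender:
dnl   FEATURE(`relay_local_from')
dnl   FEATURE(`relay_mail_from')
dnl   FEATURE(`promiscuous_relay')
```

With this in place, /etc/mail/access needs only the recipient-side entry `To:mydomain.com RELAY`, which accepts mail addressed to local users from anyone, authenticated or not (the case marked [1] in the question). An untagged `mydomain.com RELAY` line, or any `From:mydomain.com RELAY` line, should be removed, since those match on the sender and reopen exactly the spoofing path the question describes. Rebuild the map with `makemap hash /etc/mail/access.db < /etc/mail/access`, regenerate sendmail.cf from the .mc file, and restart or HUP sendmail; then repeat the telnet test from the question with a non-local RCPT TO and confirm it gets "Relaying denied" until the session has issued AUTH. Note that this governs relaying only: local-to-local mail with a forged local MAIL FROM (case [2]) is still accepted by this configuration.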