Configuring Anti-Relay in AIX 4.3.3


Contents

About this document
Updating sendmail.cf
Update the sendmail daemon with the new configuration
Other troubleshooting information

About this document

This document describes how to configure sendmail anti-relay.

The information in this document applies to AIX Version 4.3.3 and sendmail 8.9.3.


Updating sendmail.cf

  1. Ensure that the bos.net.tcp.adt and bos.adt.base filesets are installed on your system. If they are not, install them using SMIT. Check that the filesets are installed:
    	lslpp -l bos.net.tcp.adt
    	lslpp -l bos.adt.base
    
  2. AIX 4.3.3 ships the necessary tools and macros to generate custom sendmail configuration files. Once the filesets bos.net.tcp.adt and bos.adt.base are loaded, you can find the tools in /usr/samples/tcpip/sendmail/cf. Enter:
    	cd /usr/samples/tcpip/sendmail/cf
    
  3. The file aix433.mc is in this directory and contains the features that allow for sendmail customization. The one that allows open relay is FEATURE(promiscuous_relay)dnl. This file also contains a typing error that you must correct. Before making changes, copy the file under a new name so that you do not write over the original. Enter:
    	cp aix433.mc aix433.norelay.mc
    
  4. The original file looks like the example below, except for the comments. Use the comments as a guide in editing the new file. Using your favorite editor, open the file:
    	aix433.norelay.mc
    

    NOTE: The .mc file can be edited for whatever FEATURES are needed for your new sendmail.cf.

    These features are documented at http://www.sendmail.org/m4/features.html.

    Below is an example of a minimum .mc file:

    divert(0)dnl
    OSTYPE(aix43)dnl                            --->typing error 'aix43' changed to read 'aix433'
    FEATURE(genericstable)dnl                   --->remove line if not needed
    FEATURE(mailertable)dnl                     --->remove line if not needed
    FEATURE(virtusertable)dnl                   --->remove line if not needed
    FEATURE(domaintable)dnl                     --->remove line if not needed
    FEATURE(allmasquerade)dnl
    FEATURE(promiscuous_relay)dnl               --->remove line to stop unauthorized relay
    FEATURE(accept_unresolvable_domains)dnl     --->remove this line to enhance security
    FEATURE(accept_unqualified_senders)dnl      --->remove this line to enhance security
    DOMAIN(generic)dnl
    MAILER(local)dnl
    MAILER(smtp)dnl
    MAILER(uucp)

    NOTE: If a line is not desired, it must be removed. Commenting it out does not work. The entry that is responsible for the relay is FEATURE(promiscuous_relay)dnl.

  5. Here is a basic example that will deny unauthorized relay:

    divert(0)dnl
    OSTYPE(aix433)dnl                           --->note the edit to 'aix433'
    FEATURE(allmasquerade)dnl
    DOMAIN(generic)dnl
    MAILER(local)dnl
    MAILER(smtp)dnl

  6. Rebuild the new sendmail.cf file using the new options. You must be in the /usr/samples/tcpip/sendmail/cf directory; otherwise, the command will not work. Enter:

    	m4 ../m4/cf.m4 aix433.norelay.mc > testmail.cf
    
  7. Now you should have a new testmail.cf file under the /usr/samples/tcpip/sendmail/cf directory. Rename your old sendmail.cf and replace it with the new one. Enter:

    	mv /etc/sendmail.cf /etc/sendmail.cf.orig
    	mv testmail.cf /etc/sendmail.cf
    
  8. You must make at least one change to the new sendmail.cf. Comment out the Fw-o /etc/sendmail.cw line or create the /etc/sendmail.cw entry. Also note the line in the new sendmail.cf that points to the file where you specify the hosts or domains you want to allow to relay. Using your favorite editor, open the following file:

    	/etc/sendmail.cf
    

    Search for the following section and comment out the line as indicated below.

          # file containing names of hosts for which we receive email
          #Fw-o /etc/sendmail.cw
    

    NOTE: This is the entry for the file that will allow hosts to relay. No need to make any changes here.

    	#Hosts that will permit relaying ($=R)
    	FR-o /etc/mail/relay-domains
    
  9. Now you must add the domains for which your server will allow relay. Using your favorite editor, edit the following file:
    	/etc/mail/relay-domains
    

    NOTE: You may have to create the /etc/mail directory. Below are some sample entries.

            lab.net
            test.com
            lab.mail.edu
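
The edits in steps 3 to 5, as an added example that is not part of the original document: a shell function that audits a .mc file for the entries this page flags before you run m4. The function names audit_mc and write_samples, the sample file names and the temporary directory are assumptions, and the sample .mc contents are constructed.

```shell
# Added example, not part of the original document.
# audit_mc FILE: report the entries this page flags in a .mc file.
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_mc() {
    mc_file=$1
    rc=0
    for feat in promiscuous_relay accept_unresolvable_domains \
                accept_unqualified_senders; do
        # Match anywhere on the line: the page notes that commenting a line
        # out does not work, so a '#'-prefixed FEATURE is still reported.
        hits=$(grep -n "FEATURE($feat)" "$mc_file" | cut -d: -f1)
        if [ -n "$hits" ]; then
            echo "FLAGGED FEATURE($feat) at line(s):" $hits
            rc=1
        fi
    done
    # The shipped OSTYPE(aix43) typing error must be changed to aix433.
    if ! grep -q '^OSTYPE(aix433)' "$mc_file"; then
        echo "FIX OSTYPE: must read OSTYPE(aix433)"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (hypothetical file names) written into directory $1.
write_samples() {
    cat > "$1/unedited.mc" <<'EOF'
divert(0)dnl
OSTYPE(aix43)dnl
FEATURE(allmasquerade)dnl
#FEATURE(promiscuous_relay)dnl
FEATURE(accept_unresolvable_domains)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
EOF
    cat > "$1/norelay.mc" <<'EOF'
divert(0)dnl
OSTYPE(aix433)dnl
FEATURE(allmasquerade)dnl
DOMAIN(generic)dnl
MAILER(local)dnl
MAILER(smtp)dnl
EOF
}

tmp=${TMPDIR:-/tmp}/mc_audit.$$; mkdir -p "$tmp"; write_samples "$tmp"
audit_mc "$tmp/unedited.mc" || echo "unedited.mc: edit before running m4"
audit_mc "$tmp/norelay.mc" && echo "norelay.mc: ready for m4"
```

To check your own file, run audit_mc aix433.norelay.mc from /usr/samples/tcpip/sendmail/cf before step 6.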
    

Update the sendmail daemon with the new configuration

Finally, you must refresh the sendmail daemon to put the new configuration into effect. Enter:

	refresh -s sendmail

NOTE: If sendmail is not running, you need to check to see if it is active. Use the following command to complete this step.

	lssrc -s sendmail

If sendmail is active, you will see information similar to the following:

	Subsystem	Group	  PID    Status
	sendmail	mail	  5424   active

If it is not active, start it up by issuing the following command:

	startsrc -s sendmail -a "-bd -q30m"

Other troubleshooting information

This section explains what to do if sendmail fails to operate.


Using startsrc to start sendmail will hide error messages from you. To gain a hint as to why sendmail is failing to run, try starting sendmail like so:

        sendmail -bd -q30m

Any error messages will be displayed to the console as sendmail is started.




[ Doc Ref: 95626186213426     Publish Date: Jan. 11, 2002]