Sendmail guru req'd - SMTP AUTH + TLS + Promiscuous relay?

Josh_B (Supreme [H]ardness, joined Aug 15, 2000, 6,954 messages)
As the title is requesting, I have a small question about Sendmail.

Currently my sendmail box is working very well, thanks, but I have to go and manually add a person to the RELAY OK list in /etc/mail/relay-domains, and in /etc/mail/access, then do makemap. This is fine for my needs, as I know which domains and IPs for which I want to allow relaying.

In the upcoming months, however, I need to be able to go to a customer's site, for example, or have mobile customers be able to relay mail from any given IP address or domain. (Virtual hosting is in the plan, too.) This means I no longer want to manually add hosts, ips, domains, etc to my config files.

Is it reasonably safe to enable promiscuous relaying, and rely on SMTP-AUTH with TLS? I think I should be ok, but you guys are the experts... ;)

P.S. - I am very security conscious, so all comments regarding security (SPAM!) are welcomed.

Thanks!
 
Another question for those who are feeling generous:

How do I enable SMTP-AUTH authentication from a MySQL db? I will search the net for some articles on how to do this, but I would like to know if this is a recommended solution. Currently AUTH is done using PAM. (Not the greatest for security, either...)

I would like to be able to add users using a script I create in PHP. I will use HTTPS for the mgmt. interface, so not to worry about that. MySQL connectivity will be a given.

Hmmm... maybe I will spend some time thinking about this first. :cool:
 
I've never authenticated SMTP AUTH against MySQL before... Personally that strikes me as a somewhat bad idea. I'd prefer to use LDAP or the like. I'm sure you could do virtual hosting while storing user information in LDAP as well.

I don't allow blanket relaying for anyone not e-mailing from the local machine. If they can't be bothered to use SMTP AUTH, I won't be bothered to make an exception for them.

I have SMTP AUTH using cyrus-sasl2-saslauthd and TLS working quite well with my sendmail setup, which I've documented quite clearly. If you're using Linux, well, good luck with that. Maybe my guide will be useful for a push in the right direction.

Promiscuous relaying shouldn't be needed at all as long as you have SMTP AUTHenticated relaying set up properly. The machine won't relay unless the user authenticates properly.

Spam == security? That's an interesting thought. I'm generally not worried about spam causing a security problem for my mail server...I guess you're talking about for client machines, though. ClamAV works quite well when you run it as a milter for sendmail. SpamAssassin does a pretty good job for tagging spam, but I'm not sure how well SA would tie in to LDAPped users. Running SA as a sendmail milter is generally not the best way to do it, but I suppose it couldn't hurt if you use some safe defaults.
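As an added illustration, not taken from any poster in this thread: the sendmail.mc fragments for the two approaches discussed, the promiscuous relay the original poster asked about (shown commented out) beside an authenticated-relay setup that only relays for clients who pass SMTP AUTH over TLS. The certificate paths and the hostname mail.example.com are assumed placeholders.

```m4
dnl --- Added example, not from this thread. Paths and hostname are placeholders. ---

dnl What NOT to do: relay for anyone, authenticated or not (an open relay).
dnl FEATURE(`promiscuous_relay')

dnl Keep the access map for the hosts you already relay for by name/IP.
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')
FEATURE(`relay_hosts_only')

dnl STARTTLS: one server cert/key for the single name all MX records point at.
define(`confCACERT_PATH', `/etc/mail/certs')
define(`confCACERT', `/etc/mail/certs/ca.pem')
define(`confSERVER_CERT', `/etc/mail/certs/mail.example.com.pem')
define(`confSERVER_KEY', `/etc/mail/certs/mail.example.com.key')

dnl SMTP AUTH (cyrus-sasl / saslauthd): offer these mechanisms to clients ...
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
dnl ... and let a client that passed any of them relay, wherever it connects from.
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
dnl `p': refuse PLAIN/LOGIN unless the session is already encrypted (TLS);
dnl `A': honour AUTH= parameters only from authenticated senders.
define(`confAUTH_OPTIONS', `A p')

dnl Port 25 for MTA-to-MTA mail; port 587 (submission) for roaming users,
dnl where authentication is mandatory (M=a) and ETRN is disabled (M=E).
DAEMON_OPTIONS(`Port=smtp, Name=MTA')
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')
```

After rebuilding sendmail.cf from the .mc (m4, or the distribution's make target) and restarting, an EHLO over a plain connection should show 250-STARTTLS and no PLAIN/LOGIN in the AUTH line until STARTTLS has been issued, and an unauthenticated RCPT TO a foreign domain should be rejected with a relaying-denied error.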
 
XOR != OR said:
If you are running linux, and have PAM available, you can do all sorts of neat things. I have this setup, and sendmail is authing against my AD domain ( which, I suppose I could have done ldap auth, but this was cooler ).

Linky: http://www.madboa.com/geek/sendmail-auth/

Nice one!

Thanks for the info, gents.

I am still a sendmail noob, but I have quite a bit of experience in Linux. I am sure with some time I can get it right. :)
 
Crap... no virtual hosting w. TLS, as obviously the cert is tied to one domain.

Hmm.... how to get around this? :cool:
 
Set your MX for all the domains to point to the FQDN that the SSL cert is signed for?

This is not a problem with sendmail, this is a problem with SSL. Same thing goes for Apache...You can't do named virtual hosts on the same IP with multiple SSL certificates.
 
[H]EMI_426 said:
Set your MX for all the domains to point to the FQDN that the SSL cert is signed for?

This is not a problem with sendmail, this is a problem with SSL. Same thing goes for Apache...You can't do named virtual hosts on the same IP with multiple SSL certificates.

Yes, that makes sense, given that an SSL cert is supposed to identify a single entity as being legit.

I think you are right. I can have mail.burstyns.com (IN A) the same as always, and then set the MX record for all of my v. hosted domains to the same mail server.

Thanks for helping me work this out.

:D
 
XOR != OR said:
If you are running linux, and have PAM available, you can do all sorts of neat things. I have this setup, and sendmail is authing against my AD domain ( which, I suppose I could have done ldap auth, but this was cooler ).

Linky: http://www.madboa.com/geek/sendmail-auth/

Thanks for your instructions... my server is working great now!

Well done...
 