Google Answers: Sendmail Configuration: How do disable CC forwarding to foreign machines

View Question

Q: Sendmail Configuration: How do disable CC forwarding to foreign machines ( No Answer, 0 Comments )

Question

Subject: Sendmail Configuration: How do disable CC forwarding to foreign machines
Category: Computers
Asked by: hooji-ga
List Price: $55.00

Posted: 03 Jul 2003 21:31 PDT
Expires: 06 Jul 2003 08:14 PDT
Question ID: 225023

Problem: Spammers are abusing my smtp (sendmail) mailserver by sending messages to existing addresses in my company, and CC'ing (or BCC'ing) those messages to many other "foreign" (outside my domain) addresses. My sendmail accepts the message (only if the TO address is a local address), but then will dutifully foward copies to all CC (or BCC) addresses, even if those addresses are outside my domain. Question: If my domain is foo.com, how do I configure my sendmail server not to take on delivery of a message to other CC'd recipients (outside foo.com). Ideally my server will inform the remote server that it can only deliver the messages locally, and that it is up to the remote server to deliver the messages to other recipients (that way legitimate messages will not be interfered with). My mail server machine is running Red Hat Linux 6.1, and my sendmail version is reported as 8.9.3/8.8.7. Please contact me if further details are required.
Request for Question Clarification by answerguru-ga on 04 Jul 2003 00:27 PDT Hi hooji-ga, I came across a newsgroup posting of someone who wanted to do just what you have described - a link is provided in the message thread: http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=2428e0d6.0203250213.5c68ce99%40posting.google.com&rnum=2&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26q%3Dprevent%2Bexternal%2Bsending%2Bgroup%253Acomp.mail.sendmail%26meta%3Dgroup%253Dcomp.mail.sendmail "Relay messages only from authenticated users, give SMTP passwords to the privileged users." http://www.sendmail.org/%7Eca/email/auth.html Since I'm not a subject matter expert for sendmail I am posting this as a clarification. If it does meet your requirement please let me know and I'll post this as the official answer. Thanks, answerguru-ga
Clarification of Question by hooji-ga on 04 Jul 2003 01:05 PDT Thanks for the response answerguru-ga, but it is not quite what I am looking for. This SMTP server is not used by any user to send out going mail, it is only used to receive incoming mail for our domain (call it "foo.com"). Right now, if the server receives a message addressed "To: joe@foo.com CC: randomuser@aol.com", then my server will accept the message, and deliver it to our local user joe, and also take on the duty of passing the message on to randomuser@aol.com. My ideal solution (if possible) would be to have our server refuse to take on the duty of passing on messages to non-local recipients. In the above case, I would like the message to still be delivered to local user joe, but I don't want our server to deliver the message to randomuser@aol.com; instead our server should let the sending server know that it is up to him to deliver the message to the aol recipient. Hope that made things a little clearer. Thanks.
Clarification of Question by hooji-ga on 04 Jul 2003 01:08 PDT Further clarification: The preferred answer will include specific lines of configuration code that need to be added to our sendmail.cf file in order to get the desired behavior. An explanation of how/why this solves the problem should be included so that we can understand the code.
Request for Question Clarification by sycophant-ga on 05 Jul 2003 20:23 PDT Hi hooji, I am a little confused by the situation you describe. The way email operates, CC and BCC only exist in the header of the email. Regardless of what the CC in an email header says, no email server will try to deliver it. If I were sending an email with the following headers from my computer: To: joebloggs@someisp.com CC: someotherguy@aol.com Then when I hit send in my email client it will connect to my ISPs SMTP server, which is configured to relay all mail received from it's own users, for anywhere. My ISP would get it, and analyse the message envelope, not the headers, and determine that the email was to be delivered to a user at someisp.com and a user at aol.com. It would then connect to the advertised mail server for each domain name, and pass the email on to that mail server. That mail server would look at the envelope to address (still not the headers of the message) and deliver the email as necessary. If your mail server is configured not to relay (fairly simple in Sendmail) then it simply won't. Sendmail will never look at the headers of the message to determine what to do with an email, they are not trusted. It takes all the information it needs from the communication it has with the mail server or client that it received the email from. The only part of your mail chain that might look at the headers is the MUA - either the user's email client, or user-level mail software such as Procmail. Your server, should never, under any circumstances, regardless of CC headers, deliver mail from outside it's own network to any domains it it not configured to handle. To test this, and also the lack of relation about the headers, try this - telnet to your mailserver from a machine it doesn't trust, on port 25, and engage in the followin exchange. (SMTP server lines indicated by an , everything else is your input) 220 foo.com ESMTP Sendmail 8.9.3/8.8.7 helo (your ip address) 250 foo.com Hello hostname [ip address], pleased to meet you mail from: random@aol.com 250 2.1.0 random@aol.com... Sender ok rcpt to: youraddress@foo.com 250 2.1.5 youraddress@foo.com... Recipient ok rcpt to: john@anotherisp.com 550 5.7.1 john@anotherisp.com... Relaying denied. (It should be something like this) 354 Enter mail, end with "." on a line by itself To: youraddress@foo.com From: random@aol.com CC: john@anotherisp.com Subject: A test message This is the first line. . 250 2.0.0 h663CG8O028002 Message accepted for delivery The fact that it denies the RCPT command to another ISP means that it will not deliver to that address, regardless of what the mail headers say. However, it might be a good idea to get a newer version of Sendmail if you can, 8.9.3 is fairly old. Try the above, and check your mail logs (sorry, I can't remember quite where they are on RedHat) - but I don't actually think your server is relaying to the CC addresses. That's just not how email works. If this is a bit rambling for you, or if you want to know more, let me know. Also, if you are still unsure I might be able to give you some things to try anyhow. Also, check the following RFCs, they define the way email is handled: http://www.faqs.org/rfcs/rfc2821.html RFC2821 SMTP http://www.faqs.org/rfcs/rfc2822.html RFC2822 Internet Message Format Regards, Sycophant-ga

Answer

There is no answer at this time.

Comments

There are no comments at this time.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at answers-support@google.com with the question ID listed above. Thank you.

Search Google Answers for

Google Home - Answers FAQ - Terms of Service - Privacy Policy

Problem: Spammers are abusing my smtp (sendmail) mailserver by sending messages to existing addresses in my company, and CC'ing (or BCC'ing) those messages to many other "foreign" (outside my domain) addresses. My sendmail accepts the message (only if the TO address is a local address), but then will dutifully foward copies to all CC (or BCC) addresses, even if those addresses are outside my domain. Question: If my domain is foo.com, how do I configure my sendmail server not to take on delivery of a message to other CC'd recipients (outside foo.com). Ideally my server will inform the remote server that it can only deliver the messages locally, and that it is up to the remote server to deliver the messages to other recipients (that way legitimate messages will not be interfered with). My mail server machine is running Red Hat Linux 6.1, and my sendmail version is reported as 8.9.3/8.8.7. Please contact me if further details are required.
Request for Question Clarification by answerguru-ga on 04 Jul 2003 00:27 PDT Hi hooji-ga, I came across a newsgroup posting of someone who wanted to do just what you have described - a link is provided in the message thread: http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=2428e0d6.0203250213.5c68ce99%40posting.google.com&rnum=2&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26q%3Dprevent%2Bexternal%2Bsending%2Bgroup%253Acomp.mail.sendmail%26meta%3Dgroup%253Dcomp.mail.sendmail "Relay messages only from authenticated users, give SMTP passwords to the privileged users." http://www.sendmail.org/%7Eca/email/auth.html Since I'm not a subject matter expert for sendmail I am posting this as a clarification. If it does meet your requirement please let me know and I'll post this as the official answer. Thanks, answerguru-ga
Clarification of Question by hooji-ga on 04 Jul 2003 01:05 PDT Thanks for the response answerguru-ga, but it is not quite what I am looking for. This SMTP server is not used by any user to send out going mail, it is only used to receive incoming mail for our domain (call it "foo.com"). Right now, if the server receives a message addressed "To: joe@foo.com CC: randomuser@aol.com", then my server will accept the message, and deliver it to our local user joe, and also take on the duty of passing the message on to randomuser@aol.com. My ideal solution (if possible) would be to have our server refuse to take on the duty of passing on messages to non-local recipients. In the above case, I would like the message to still be delivered to local user joe, but I don't want our server to deliver the message to randomuser@aol.com; instead our server should let the sending server know that it is up to him to deliver the message to the aol recipient. Hope that made things a little clearer. Thanks.
Clarification of Question by hooji-ga on 04 Jul 2003 01:08 PDT Further clarification: The preferred answer will include specific lines of configuration code that need to be added to our sendmail.cf file in order to get the desired behavior. An explanation of how/why this solves the problem should be included so that we can understand the code.
Request for Question Clarification by sycophant-ga on 05 Jul 2003 20:23 PDT Hi hooji, I am a little confused by the situation you describe. The way email operates, CC and BCC only exist in the header of the email. Regardless of what the CC in an email header says, no email server will try to deliver it. If I were sending an email with the following headers from my computer: To: joebloggs@someisp.com CC: someotherguy@aol.com Then when I hit send in my email client it will connect to my ISPs SMTP server, which is configured to relay all mail received from it's own users, for anywhere. My ISP would get it, and analyse the message envelope, not the headers, and determine that the email was to be delivered to a user at someisp.com and a user at aol.com. It would then connect to the advertised mail server for each domain name, and pass the email on to that mail server. That mail server would look at the envelope to address (still not the headers of the message) and deliver the email as necessary. If your mail server is configured not to relay (fairly simple in Sendmail) then it simply won't. Sendmail will never look at the headers of the message to determine what to do with an email, they are not trusted. It takes all the information it needs from the communication it has with the mail server or client that it received the email from. The only part of your mail chain that might look at the headers is the MUA - either the user's email client, or user-level mail software such as Procmail. Your server, should never, under any circumstances, regardless of CC headers, deliver mail from outside it's own network to any domains it it not configured to handle. To test this, and also the lack of relation about the headers, try this - telnet to your mailserver from a machine it doesn't trust, on port 25, and engage in the followin exchange. (SMTP server lines indicated by an , everything else is your input) 220 foo.com ESMTP Sendmail 8.9.3/8.8.7 helo (your ip address) 250 foo.com Hello hostname [ip address], pleased to meet you mail from: random@aol.com 250 2.1.0 random@aol.com... Sender ok rcpt to: youraddress@foo.com 250 2.1.5 youraddress@foo.com... Recipient ok rcpt to: john@anotherisp.com 550 5.7.1 john@anotherisp.com... Relaying denied. (It should be something like this) 354 Enter mail, end with "." on a line by itself To: youraddress@foo.com From: random@aol.com CC: john@anotherisp.com Subject: A test message This is the first line. . 250 2.0.0 h663CG8O028002 Message accepted for delivery The fact that it denies the RCPT command to another ISP means that it will not deliver to that address, regardless of what the mail headers say. However, it might be a good idea to get a newer version of Sendmail if you can, 8.9.3 is fairly old. Try the above, and check your mail logs (sorry, I can't remember quite where they are on RedHat) - but I don't actually think your server is relaying to the CC addresses. That's just not how email works. If this is a bit rambling for you, or if you want to know more, let me know. Also, if you are still unsure I might be able to give you some things to try anyhow. Also, check the following RFCs, they define the way email is handled: http://www.faqs.org/rfcs/rfc2821.html RFC2821 SMTP http://www.faqs.org/rfcs/rfc2822.html RFC2822 Internet Message Format Regards, Sycophant-ga