Here's my implementation of how to protect your mail server from being used as an open relay by spammers but still allow your customers to use it to send their mail.

I've written a patch for sendmail to incorporate a new database type to access data from MySQL. The code is not finished, but a big part of it is done; the code still contains bugs. It's almost done, I still have 1 or 2 bugs to fix. You can get it at http://www.colba.net/~paul/projects

Here's how it works:

First I created a database of the following type containing all the users you have, or all the users that will use that service (e.g. iPass users):

+--------------+----------------+--------------+
| username     | IP             | permit_relay |
+--------------+----------------+--------------+
| test_user    | 10.0.0.0       | Y            |
+--------------+----------------+--------------+
| another_user | 10.0.0.1       | N            |
+--------------+----------------+--------------+

I'm using POP before SMTP to unlock access for a user from a given IP for a certain period of time. First a user will check his e-mail through POP, and the POP daemon will authenticate the user, then update the IP in the database for that user and set the permit_relay flag to Y.
The query I use is the following:

update set IP = , permit_relay = 'Y'

Here's the example of the modification to Qualcomm Qpopper3.0 (right before returning POP_SUCCESS):

------------ cut here --------------------------------------------------
/* mysql (MYSQL), queryBuf and userEsc (char arrays) are declared earlier;
   userEsc must hold at least 2*strlen(p->user)+1 bytes */
mysql_init(&mysql);
if(!mysql_real_connect(&mysql,HOST,USER,PASS,DB,0,NULL,0))
{
	/* one %s per argument: host first, then the client library's error text */
	return(pop_msg(p,POP_FAILURE,"Error connecting to database server %s (%s)",HOST,mysql_error(&mysql)));
}
/* escape the user name: it is placed inside a quoted SQL string */
mysql_real_escape_string(&mysql,userEsc,p->user,strlen(p->user));
snprintf(queryBuf,sizeof(queryBuf),"update %s set IP = '%s',permit_relay = 'Y' where username = '%s'",RELAY_TABLE,p->ipaddr,userEsc);
mysql_query(&mysql,queryBuf);
mysql_close(&mysql);
return(pop_msg(p,POP_SUCCESS,"Relay Database updated"));
------------ cut here --------------------------------------------------

Then I made the following modification to check_rcpt in sendmail.cf:

------------ cut here --------------------------------------------------
.
.
Krelay mysql -H -U -P -D -M -L -R
.
.
.
.
######################################################################
###  check_rcpt -- check SMTP `RCPT TO:' command argument
######################################################################
SLocal_check_rcpt
Scheck_rcpt
R$*			$: $1 $| $>"Local_check_rcpt" $1
R$* $| $#$*		$#$2
R$* $| $*		$@ $>"Basic_check_rcpt" $1

SBasic_check_rcpt
# check for deferred delivery mode
R$*			$: < ${deliveryMode} > $1
R< d > $*		$@ deferred
R< $* > $*		$: $2

R$*			$: $>ParseRecipient $1		strip relayable hosts

# anything terminating locally is ok
R$+ < @ $=w >		$@ OK
R$+ < @ $* $=R >	$@ OK

# check for local user (i.e. unqualified address)
R$*			$: $1
R $* < @ $+ >		$: $1 < @ $2 >
# local user is ok
R $+			$@ OK
R<$+> $*		$: $2

R$* .			$1		strip trailing dots
R$@			$@ OK
R$=w			$@ OK
R$* $=R			$@ OK

# check IP address
R$*			$: $&{client_addr}
R$@			$@ OK		originated locally
R0			$@ OK		originated locally
R$=R $*			$@ OK		relayable IP address
R$*			$: [ $1 ]	put brackets around it...
R$=w			$@ OK		... and see if it is local
R$ [ $* ]		$: $1		Strip the [ ]
R$*			$: $( relay $1 $)	Lookup IP in DB
RY			$@ OK		Check the flag for "Y"

# anything else is bogus
R$*			$#error $@ 5.7.1 $: "550 Relaying denied"
------------ cut here --------------------------------------------------

Make sure to separate the right and left sides by tabs, not spaces, or sendmail will go crazy.

I added:

R$ [ $* ]		$: $1		Strip the [ ]
R$*			$: $( relay $1 $)	Lookup IP in DB
RY			$@ OK		Check the flag for "Y"

So it will unlock the use of the relay for the IP of the customer.

I'm also probably going to add another field to the DB with a timestamp so I can run a program every certain amount of time to expire IPs that are more than a certain time old by setting the permit_relay flag to "N".

Example of the query to send:

update set permit_relay = 'N' where ( - ) =

I'll write that as soon as I finish the MySQL patch for sendmail.

That's it.

For more info on POP before SMTP for sendmail visit: http://spam.abuse.net/tools/smPbS.html
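
An added sketch of the scheme described above, including the planned timestamp expiry (this is not the author's patch or Qpopper/sendmail code). Python's sqlite3 stands in for MySQL, and the `last_pop` column, the 30-minute `TTL_SECONDS` window and all function names are assumptions; the POP-side update uses bound parameters and the relay lookup repeats the age test.

```python
import sqlite3

TTL_SECONDS = 30 * 60  # assumed unlock window; the post gives no value

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE relay (username TEXT PRIMARY KEY, IP TEXT,"
               " permit_relay TEXT NOT NULL DEFAULT 'N', last_pop INTEGER)")
    # constructed sample users, named as in the post's table
    db.executemany("INSERT INTO relay (username) VALUES (?)",
                   [("test_user",), ("another_user",)])
    return db

def pop_login_ok(db, username, ip, now):
    """POP daemon side: record the client IP after a successful login."""
    # bound parameters: a quote in the user name cannot alter the statement
    cur = db.execute("UPDATE relay SET IP = ?, permit_relay = 'Y', last_pop = ?"
                     " WHERE username = ?", (ip, now, username))
    return cur.rowcount == 1

def expire(db, now):
    """Periodic job: lock entries whose last POP login is older than the TTL."""
    cur = db.execute("UPDATE relay SET permit_relay = 'N'"
                     " WHERE permit_relay = 'Y' AND ? - last_pop > ?",
                     (now, TTL_SECONDS))
    return cur.rowcount

def may_relay(db, client_ip, now):
    """check_rcpt side: IP lookup, with the age test repeated so a late
    expiry run cannot leave a stale address unlocked."""
    row = db.execute("SELECT 1 FROM relay WHERE IP = ? AND permit_relay = 'Y'"
                     " AND ? - last_pop <= ?",
                     (client_ip, now, TTL_SECONDS)).fetchone()
    return row is not None

def demo():
    db, t0 = open_db(), 1_000_000
    return [
        pop_login_ok(db, "test_user", "10.0.0.0", t0),
        may_relay(db, "10.0.0.0", t0 + 60),
        may_relay(db, "10.0.0.1", t0 + 60),                # never authenticated
        pop_login_ok(db, "x' OR '1'='1", "10.0.0.9", t0),  # matches no user
        may_relay(db, "10.0.0.9", t0 + 60),
        may_relay(db, "10.0.0.0", t0 + TTL_SECONDS + 1),   # stale entry
        expire(db, t0 + TTL_SECONDS + 1),
    ]

if __name__ == "__main__":
    print(demo())
```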