| Previous | Contents | Index |
One application of access control mappings is to prevent people from relaying SMTP mail through your PMDF system; for instance, to prevent people from using your PMDF system to relay junk mail to hundreds or thousands of Internet mail boxes.
By default PMDF does not prevent SMTP relaying activity: for starters, SMTP relaying is not necessarily a bad thing. Sites should only block such activity if it is causing them difficulty. Morever, note that local users using POP or IMAP depend upon PMDF to act as an SMTP relay. Blocking unauthorized relaying while allowing it for legitimate local users requires configuring PMDF to know how to distinguish between the two classes of users. Configuring PMDF to make this distinction is the topic of the next section.
16.1.6.1 Differentiating Between Internal and External Mail
In order to block mail relaying activities, you must first be able to
differentiate between "internal" mail originated at your site
and "external" mail originated out on the Internet and
passing through your system back out to the Internet. The former class
of mail you want to permit; the latter class you want to block. This
differentiation is achieved using the switchchannel
keyword on your inbound SMTP channel, usually the tcp_local channel.
The switchchannel keyword works by causing the PMDF SMTP
server to look at the actual IP address associated with the incoming
SMTP connection. PMDF uses that IP address, in conjunction with your
rewrite rules, to differentiate between an SMTP connection originated
within your domain and a connection from outside of your domain. This
information can then be used to segregate the message traffic between
internal and external traffic.3
Let's now actually change your PMDF configuration so that you can
differentiate between your internal and external message traffic. This
is done by editing your PMDF configuration file, pmdf.cnf,
located in the PMDF table directory.
defaults noswitchchannel |
! final rewrite rules defaults noswitchchannel ! Local channel l ... |
noswitchchannel
keyword to it.
switchchannel and remotehost keywords,
e.g.,
tcp_local smtp single_sys mx switchchannel remotehost TCP-DAEMON |
tcp_auth smtp single_sys mx allowswitchchannel routelocal TCP-INTERNAL |
routelocal channel keyword is used to cause
short-circuited rewriting of source routed addresses through this
channel, thereby blocking possible attempts to relay by means of
looping through internal SMTP hosts via explicitly source routed
addresses.
.example.com $U%$H$D@TCP-INTERNAL [a.b.] $U%[a.b.$L]@TCP-INTERNAL$E$R |
With the above configuration changes, SMTP mail generated within your domain will come in via the tcp_internal channel. All other SMTP mail will come in via the tcp_local channel. You can therefore distinguish between internal and external mail based upon which channel it comes in on.
How does the above work? The key is the switchchannel
keyword. In Step 2 above, that keyword is applied to the tcp_local
channel. When a message comes in your SMTP server, that keyword causes
the server to look at the source IP address associated with the
incoming connection. The server attempts a reverse-pointing envelope
rewrite of the literal IP address of the incoming connection, looking
for an associated channel. If that rewrite matches a local host of
yours, then the rewrite rules added in Step 4 cause the address to
rewrite to the tcp_internal channel added in Step 3. Since the
tcp_internal channel is marked with the allowswitchchannel
keyword, the message is "switched" to the tcp_internal
channel and comes in on that channel. If the message comes in from an
external source, the IP address will not correspond to an internal
source. In that case the reverse-pointing envelope rewrite will either
rewrite to the tcp_local channel or to some other channel. However, it
will not rewrite to the tcp_internal channel and since all other
channels were marked noswitchchannel in Step 1, the
message will not "switch" to another channel and will remain
with the tcp_local channel.
Note that any mapping table or conversion file entries which use the string "tcp_local" can need to be changed to either "tcp_*" or "tcp_internal" depending upon the usage. |
16.1.6.2 Differentiating Authenticated Users' Mail
Sometimes administratively "local" users of IMAP and POP
clients can want to submit their messages when they aren't physically
local (aren't physically on your network). Though such message
submissions come in from an external IP address---for instance,
arbitrary Internet Service Providers---if your users use mail clients
that can perform SASL authentication, then their authenticated
connections can be distinguished from arbitrary other external
connections. The authenticated submissions you can then permit, while
denying non-authenticated relay submission attempts. Differentiating
between authenticated and non-authenticated connections is achieved
using the saslswitchchannel keyword on your inbound SMTP
channel, usually the tcp_local channel.
The saslswitchchannel keyword takes an argument specifying
the channel to switch to; if an SMTP sender succeeds in authenticating,
then their submitted messages are considered to come in the specified
switched to channel.
We will now continue the example of the previous section, adding in distinguishing authenticated submissions.
tcp_auth smtp single_sys mx mustsaslserver noswitchchannel TCP-AUTH |
noswitchchannel on it either explicitly or
implied by a prior defaults line). This channel should
have mustsaslserver on it.
maysaslserver
and saslswitchchannel tcp_auth to it. So your tcp_local
channel definition should now appear along the lines of:
tcp_local smtp mx single_sys maysaslserver saslswitchchannel tcp_auth \ switchchannel TCP-DAEMON |
With this configuration, SMTP mail sent by users who can authenticate with a local password will now come in the tcp_auth channel. Unauthenticated SMTP mail sent from internal hosts will still come in tcp_internal. All other SMTP mail will come in tcp_local.
16.1.6.3 Preventing Mail Relaying
Now to the point of this example: preventing unauthorized people from
relaying SMTP mail through your system. First, keep in mind that you
want to allow local users to relay SMTP mail. For instance, POP and
IMAP users rely upon using PMDF to send their mail. Note that local
users can either be physically local, in which case their messages come
in from an internal IP address, or can be physically remote but able to
authenticate themselves as "local" users. It's random people
out on the Internet who you want to prevent from using you as a relay.
With the configuration from Section 16.1.6.1 and Section 16.1.6.2, you can
differentiate between these classes of users and block the correct
class. Specifically, you want to block mail from coming in your
tcp_local channel and going back out that same channel. To that end, an
ORIG_SEND_ACCESS mapping table is used.
An ORIG_SEND_ACCESS mapping table can be used to block traffic based upon the source and destination channel. In this case, traffic from and back to the tcp_local channel is to be blocked. This is realized with the following ORIG_SEND_ACCESS mapping table:
ORIG_SEND_ACCESS tcp_local|*|tcp_local|* $NRelaying$ not$ permitted |
An ORIG_SEND_ACCESS mapping table is used rather than a SEND_ACCESS mapping table, so that the blocking will not apply to addresses that originally match the l (lowercase "L") channel (but which can expand via an alias or mailing list definition back to an "external" address). With a SEND_ACCESS mapping table one would have to go to extra lengths to allow outsiders to send to mailing lists that expand back out to "external" users, or to send to users who forward their messages back out to "external" addresses.
16.1.6.4 Allowing localhost Submissions to the SMTP Port
This section discusses a further refinement of the SMTP relay blocking
approach described above.
Some sites can want to disallow submissions to the SMTP port from clients running on the system itself; for instance, if no legitimate applications are expected to attempt this, then blocking such submissions closes one avenue by which users can spoof (forge) e-mail.
Other sites, however, can have legitimate applications that perform message submission by making a TCP/IP connection to the SMTP port of their own system. For instance, some third party mailing list expansion applications (though not PMDF's own mailing list expansion) operate in this way.
Further, to simplify their configuration such applications can connect using a loopback name or address, such as LOCALHOST or [127.0.0.1], rather than using the system's domain name. Depending on the underlying TCP/IP package, this can result in the incoming connection also appearing to come "from" LOCALHOST or [127.0.0.1], rather than coming from the system's specific domain name or IP address.
Using merely the internal vs external differentiation as shown above in Section 16.1.6.1 would result in treating SMTP submissions from clients on the host system itself as coming in the tcp_local channel. Thus if tcp_local to tcp_local message traffic is prevented, as discussed in Section 16.1.6.3, then any users or applications attempting to submit messages in such a way would not be allowed to submit messages to external addressees.
If you want to treat such submissions as "internal" submissions, for instance, in order to allow third party mailing list applications to operate even if SMTP relay blocking has been implemented, then an additional configuration step should be performed.
To the very top of the PMDF configuration file, add rewrite rules for the local host name (or LOCALHOST or [127.0.0.1], depending on from where the underlying TCP/IP package "sees" the connection as having originated) of the following form:
localhostname $U%localhostname@TCP-INTERNAL$E$R [localhostipnumber] $U%localhostname@TCP-INTERNAL$E$R LOCALHOST $U%localhostname@TCP-INTERNAL$E$R [127.0.0.1] $U%localhostname@TCP-INTERNAL$E$R |
localhostname is the official host name on
the L channel. The $E and $R control sequences on these rewrite rules,
which limit their effect to envelope From: address rewriting, mean that
normal rewriting will still apply to addresses addressed to the local
system. Yet switchchannel rewriting will use these rules
also, and hence will see message submissions from the system to its own
SMTP port as "internal" submissions.
It is not recommended to add this rewrite rule for LOCALHOST unless you absolutely require it, as it opens up your PMDF implementation to abuse by spammers who can easily set up their DNS entries to say that their name is "localhost". If at all possible, do rewriting based solely on IP addresses rather than DNS names, as IP addresses are much harder to forge. |
3 Since the source IP address is used, it is important that your network router connecting your local network to the Internet be configured to prevent "IP spoofing". Contact your router vendor for assistance if you are unsure of how to configure your router. |
| Previous | Next | Contents | Index |