37.5. Configuring Relaying

In the early days of the Internet, mail servers could safely deliver mail to local domains and forward all other email to another MTA, regardless of its source. Today, allowing your server to forward any email that it receives is an invitation for spammers to use your system as a relay. A well-configured server should only accept email for non-local domains from trusted client hosts, such as those on the company network or home LAN. Email sent to local domains is safe, and can be accepted from anywhere.

For this reason, the Sendmail packages that come with modern Linux distributions are configured by default to prevent the server from accepting non-local email from anywhere except the same system. If you are setting up a mail server for a company or for your home LAN, you will need to follow these steps to allow other hosts to relay mail as well. If Sendmail on your system is an open relay (one that accepts non-local email from anywhere), people sending out millions of spam email messages can use it to cover their tracks. Even if you are running a small mail server for a tiny company that you think no spammer will ever know about, it is still a very bad idea to leave your system open to relaying.

1. On the module's main page, click on the Relay Domains icon to bring up a form for entering relay networks and domains.

2. In the Domains to which relaying is allowed field, add the address of the network from which you want to allow clients to relay. It should be entered without any trailing zeros, for example, 192.168.1. More than one network can be entered, as can specific IP addresses.

   You can also enter domain names like foo.com to which Sendmail will allow relaying. Any received email message (no matter what its source) that is destined for a specified domain will be delivered to the appropriate server. This can be useful if your system is a mail gateway for other domains that cannot be reached directly by the rest of the Internet, as explained in Section 37.7 “Configuring Domain Routing”.

3. Click the Save button to activate the new relay domains list.
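The Python sketch below is an added example, not code from the original text, Webmin or Sendmail. It models the accept/reject decision that results from the list entered in step 2, so you can check what a given set of entries would permit; it assumes that network entries match on whole octets and that a domain entry also covers its subdomains, and all addresses and domains in it are constructed.

```python
# Simplified model of the relay decision described in this section.
# Function names and sample values are hypothetical, chosen for illustration.

def is_ip_entry(entry):
    """True for a dotted prefix of 1-4 octets, such as '192.168.1'."""
    parts = entry.split(".")
    return 1 <= len(parts) <= 4 and all(
        p.isdigit() and int(p) <= 255 for p in parts)

def client_trusted(client_ip, relay_entries):
    """Match the client against network/IP entries on octet boundaries."""
    octets = client_ip.split(".")
    for entry in relay_entries:
        if is_ip_entry(entry):
            prefix = entry.split(".")
            # '192.168.1' covers 192.168.1.x but not 192.168.10.x
            if octets[:len(prefix)] == prefix:
                return True
    return False

def domain_relayed(domain, relay_entries):
    """Match the recipient domain against domain-name entries.
    Assumption: an entry also covers subdomains, on a label boundary."""
    domain = domain.lower().rstrip(".")
    for entry in relay_entries:
        if is_ip_entry(entry):
            continue
        entry = entry.lower()
        if domain == entry or domain.endswith("." + entry):
            return True
    return False

def relay_decision(client_ip, rcpt, local_domains, relay_entries):
    """Return the outcome for one recipient of one SMTP connection."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in local_domains:
        return "accept: local delivery"   # safe from any source
    if client_trusted(client_ip, relay_entries):
        return "accept: trusted client"   # listed network or IP
    if domain_relayed(domain, relay_entries):
        return "accept: relay domain"     # gateway for that domain
    return "reject: relaying denied"

# Constructed sample configuration
LOCAL = {"example.com"}
RELAY = ["192.168.1", "10.0.0.5", "foo.com"]

if __name__ == "__main__":
    for ip, rcpt in [("203.0.113.9", "bob@example.com"),
                     ("192.168.1.20", "x@elsewhere.test"),
                     ("192.168.10.20", "x@elsewhere.test"),
                     ("203.0.113.9", "x@foo.com")]:
        print(ip, rcpt, "->", relay_decision(ip, rcpt, LOCAL, RELAY))
```

A list that leaves every outside client with "reject: relaying denied" for non-local, non-gateway recipients is what keeps the server from being an open relay.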

One side effect of Sendmail's relaying restrictions is that there is no way to use your system as a server for outgoing email when you are connecting from an untrusted network. In fact, that is the whole point. It can sometimes be annoying—if you dial into many different ISPs and don't want to reconfigure your mail client to use a different outgoing mail server for each one, for example. In an ideal world, it would be possible to use your own mail server for outgoing email no matter where you are connecting from, but this is normally impossible without turning off relay restrictions altogether.

There has been an attempt to solve this problem by adding extensions to the SMTP protocol to support authentication, so that clients who log in with a username and password are allowed to relay. Unfortunately, these extensions are not widely supported by mail clients or Sendmail yet, and there is no support in this Webmin module for configuring them.

Another solution involves trusting clients that make a POP3 connection before SMTP, which most mail client programs do. This requires cooperation between the POP3 server and Sendmail, however, which are usually unrelated programs. At the time of writing, Webmin does not support the configuration of Sendmail and a POP3 server to do this either.
