>bsd# hostname
>bsd.aaaa.oo.ppp.com.ua
^^^^^^^^^^^^^^^^^^^^^^^- the hostname
>bsd# cat /etc/mail/relay-domains
>aaaa.oo.ppp.com.ua
>oo.ppp.com.ua
the two domains we want to RELAY for
the overall mechanism of ACCESS and RELAYING == access + FEATURE(`relay_XXX')
different FEATURE(relay_...) variants can be used:
FEATURE(relay_based_on_MX) - based on MX
FEATURE(relay_hosts_only) - individual hosts only
FEATURE(`relay_entire_domain') - entire domains
next, look at the hostname and at which host is our mail relay (MX) in DNS.
If hostname != relay (MX), then we must either change
DNS so that the MXs point at our hostname, or, if the IP of the hostname
and of the relay (MX) is the same, it is enough to list all of these names
in /etc/mail/local-host-names
If the IPs differ, we must hang them on the interface as aliases, or,
as said earlier, change the MXs in DNS to the hostname
If we want to relay entire domains, we add to our .mc:
FEATURE(`relay_entire_domain')
and to /etc/mail/relay-domains the domains we will relay for
and in access you can go either by domain name or by IP
(the order in which the rules in access are read matters - the first matching rule wins)
>bsd# cat /etc/mail/bsd.aaaa.oo.ppp.com.ua.mc
>divert(-1)
>#
># Copyright (c) 1983 Eric P. Allman
># Copyright (c) 1988, 1993
>#	The Regents of the University of California.  All rights reserved.
>#
># Redistribution and use in source and binary forms, with or without
># modification, are permitted provided that the following conditions
># are met:
># 1. Redistributions of source code must retain the above copyright
>#    notice, this list of conditions and the following disclaimer.
># 2. Redistributions in binary form must reproduce the above copyright
>#    notice, this list of conditions and the following disclaimer in the
>#    documentation and/or other materials provided with the distribution.
># 3. All advertising materials mentioning features or use of this software
>#    must display the following acknowledgement:
>#	This product includes software developed by the University of
>#	California, Berkeley and its contributors.
># 4. Neither the name of the University nor the names of its contributors
>#    may be used to endorse or promote products derived from this software
>#    without specific prior written permission.
>#
># THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
># ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
># IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
># ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
># FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
># DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
># OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
># HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
># LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
># OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
># SUCH DAMAGE.
>#
>
>#
># This is a generic configuration file for FreeBSD 5.X and later systems.
># If you want to customize it, copy it to a name appropriate for your
># environment and do the modifications there.
>#
># The best documentation for this .mc file is:
># /usr/share/sendmail/cf/README or
># /usr/src/contrib/sendmail/cf/README
>#
>
>divert(0)
>VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.30 2005/06/14 02:25:17 gshapiro Exp $')
>OSTYPE(freebsd6)
>DOMAIN(generic)
>
>FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
>FEATURE(blacklist_recipients)
>FEATURE(local_lmtp)
>FEATURE(mailertable, `hash -o /etc/mail/mailertable')
>FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
>
>dnl Uncomment to allow relaying based on your MX records.
>dnl NOTE: This can allow sites to use your server as a backup MX without
>dnl your permission.
>dnl FEATURE(relay_based_on_MX)
>
>dnl DNS based black hole lists
>dnl --------------------------------
>dnl DNS based black hole lists come and go on a regular basis
>dnl so this file will not serve as a database of the available servers.
>dnl For that, visit
>dnl http://directory.google.com/Top/Computers/Internet/Abuse/Spam/Blacklists/
>
>dnl Uncomment to activate Realtime Blackhole List
>dnl information available at http://www.mail-abuse.com/
>dnl NOTE: This is a subscription service as of July 31, 2001
>
>dnl FEATURE(dnsbl)
>dnl Alternatively, you can provide your own server and rejection message:
>dnl FEATURE(dnsbl, `blackholes.mail-abuse.org', `"550 Mail from " $&{client_addr} " rejected, see http://mail-abuse.org/cgi-bin/lookup?" $&{client_addr}')
>
>dnl Dialup users should uncomment and define this appropriately
>dnl define(`SMART_HOST', `your.isp.mail.server')
>
>dnl Uncomment the first line to change the location of the default
>dnl /etc/mail/local-host-names and comment out the second line.
>dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
>define(`confCW_FILE', `-o /etc/mail/local-host-names')
>
>dnl Enable for both IPv4 and IPv6 (optional)
>DAEMON_OPTIONS(`Name=IPv4, Family=inet')
>DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')
>
>define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
>define(`confNO_RCPT_ACTION', `add-to-undisclosed')
>define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
>MAILER(local)
>MAILER(smtp)
>bsd# nslookup -q=MX aaaa.oo.ppp.com.ua
>Server: 10.2.0.15
>Address: 10.2.0.15#53
>
>aaaa.oo.ppp.com.ua mail exchanger = 10 mail.aaaa.oo.ppp.com.ua.
>aaaa.oo.ppp.com.ua mail exchanger = 10 mmm.sss.ppp.com.ua.
>
>bsd#
Let's take an example; the only thing unlucky (or rather lucky) about it is
that the MXs in DNS are used correctly and all of them point at the hostname:
[unix1]~ > hostname
unix1.jinr.ru
we have the host unix1.jinr.ru; it has MXs, and the one with the lowest weight
is unix1.jinr.ru itself, so it can send and receive directly;
this is the simple case
[unix1]~ > nslookup -q=mx unix1.jinr.ru.
Server: 159.93.17.7
Address: 159.93.17.7#53
unix1.jinr.ru mail exchanger = 100 relay.jinr.ru.
unix1.jinr.ru mail exchanger = 200 relay1.jinr.ru.
unix1.jinr.ru mail exchanger = 10 unix1.jinr.ru.
we have the domain blues.dubna.su with its MX on unix1 - this is a "virtual domain";
we add it to /etc/mail/relay-domains
[unix1]~ > nslookup -q=mx blues.dubna.su.
Server: 159.93.17.7
Address: 159.93.17.7#53
Non-authoritative answer:
blues.dubna.su mail exchanger = 10 sunct0.jinr.dubna.su.
blues.dubna.su mail exchanger = 1 unix1.jinr.dubna.su.
Authoritative answers can be found from:
blues.dubna.su nameserver = ns.dubna.su.
blues.dubna.su nameserver = ns2.dubna.su.
unix1.jinr.dubna.su internet address = 159.93.44.57
sunct0.jinr.dubna.su internet address = 159.93.17.130
ns.dubna.su internet address = 159.93.17.130
ns2.dubna.su internet address = 159.93.17.13
[unix1]~ >
there is the domain xnc.dubna.su, and its MX = xnc.jinr.dubna.su
unix1 and xnc are ONE machine, but with different IPs.
[unix1]~ > nslookup -q=mx xnc.dubna.su.
Server: 159.93.17.7
Address: 159.93.17.7#53
Non-authoritative answer:
xnc.dubna.su mail exchanger = 10 unix1.jinr.ru.xnc.dubna.su.
------------------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^- broken
whoever maintains the DNS should be told off for this (they forgot the trailing dot
at the end of the record, so it returns the two zones glued together)
xnc.dubna.su mail exchanger = 1 xnc.jinr.dubna.su.
Authoritative answers can be found from:
xnc.dubna.su nameserver = ns2.dubna.su.
xnc.dubna.su nameserver = ns.dubna.su.
xnc.jinr.dubna.su internet address = 159.93.44.59
ns.dubna.su internet address = 159.93.17.130
ns2.dubna.su internet address = 159.93.17.13
[unix1]~ >
so, for the domain xnc.dubna.su the mail relay is:
xnc.jinr.dubna.su = 159.93.44.59
[unix1]~ > ifconfig -a | grep "\.59"
inet 159.93.44.59 netmask 0xffffffff broadcast 159.93.44.59
[unix1]~ >
since unix1 == xnc, we need to hang an alias on the interface
for xnc.jinr.dubna.su, which is what was done above
Since we want to relay for xnc.dubna.su, we add it to relay-domains,
but that is not all: since mail will arrive at xnc.jinr.dubna.su,
we must list it in local-host-names
These are the manipulations you have to go through, understanding WHAT to put
WHERE and in WHICH case, and at the same time NOT FORGETTING:
[unix1]~ > grep kev.pp.ru /etc/mail/access
kev.pp.ru OK
[unix1]~ > echo "/map access kev.pp.ru" | sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> map_lookup: access (kev.pp.ru) returns OK (0)
> [unix1]~ > echo "/map access 159.93.17.121" | sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> map_lookup: access (159.93.17.121) returns REJECT (0)
> [unix1]~ > grep 159.93.17.121 /etc/mail/access
159.93.17.121 REJECT
[unix1]~ >
and besides that there are the LOGS and telnet by hand, for example:
[unix1]~ > nslookup -q=mx kev.pp.ru.
Server: 159.93.17.7
Address: 159.93.17.7#53
Non-authoritative answer:
kev.pp.ru mail exchanger = 50 unix1.jinr.dubna.su.
kev.pp.ru mail exchanger = 100 ns.jinr.dubna.su.
Authoritative answers can be found from:
kev.pp.ru nameserver = ns.demos.su.
kev.pp.ru nameserver = ns1.demos.net.
unix1.jinr.dubna.su internet address = 159.93.44.57
ns.jinr.dubna.su internet address = 159.93.17.130
ns.demos.su internet address = 194.87.0.9
ns.demos.su internet address = 194.87.0.8
ns1.demos.net internet address = 194.58.241.26
[unix1]~ >
let's look further:
[unix1]~ > grep kev /etc/mail/*
/etc/mail/access:kev.pp.ru OK
Binary file /etc/mail/access.db matches
/etc/mail/local-host-names:kev
/etc/mail/local-host-names:kev.pp.ru
/etc/mail/virtusertable:evgeny@kev.pp.ru kev
[unix1]~ >
we check:
[proxy]~ > telnet unix1.jinr.dubna.su 25
Trying 159.93.44.57...
Connected to unix1.jinr.dubna.su.
Escape character is '^]'.
220 JINR-Net ESMTP Lavr-Antispam-MTA; Non-authorized relaying DENIED.
mail from: lavr@dubna.ru
250 2.1.0 lavr@dubna.ru... Sender ok
rcpt to: evgeny@kev.pp.ru
250 2.1.5 evgeny@kev.pp.ru... Recipient ok
rset
250 2.0.0 Reset state
mail from: <lavr@dubna.ru>
250 2.1.0 <lavr@dubna.ru>... Sender ok
rcpt to: <lavr@unix1.jinr.ru>
250 2.1.5 <lavr@unix1.jinr.ru>... Recipient ok
rset
250 2.0.0 Reset state
quit
221 2.0.0 unix1.jinr.ru closing connection
Connection closed by foreign host.
[proxy]~ >
[proxy]~ > telnet xnc.jinr.dubna.su 25
Trying 159.93.44.59...
Connected to xnc.jinr.dubna.su.
Escape character is '^]'.
220 JINR-Net ESMTP Lavr-Antispam-MTA; Non-authorized relaying DENIED.
mail from: kuku@dubna.ru
250 2.1.0 kuku@dubna.ru... Sender ok
rcpt to: babka@blues.dubna.su
250 2.1.5 babka@blues.dubna.su... Recipient ok
rset
250 2.0.0 Reset state
quit
221 2.0.0 unix1.jinr.ru closing connection
Connection closed by foreign host.
[proxy]~ >
To test for RELAYING, you need to test from the machines that are NOT allowed
to relay through OUR relay; usually this is done from outside.
To see WHOM we relay for, see above, plus the MXs in DNS.
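The procedure the thread walks through by hand (for each domain in relay-domains, find its MXs, see whether each MX name resolves to an address on this box, and if it does make sure the name is in local-host-names; if it does not, alias the address or fix DNS) is easy to get wrong when there are several virtual domains. The script below is an added example and not code from the original post: it runs that cross-check over data constructed from the nslookup and ifconfig output quoted above (the MX and A tables, the interface addresses and the file contents are inline constants, so it runs offline; for real use replace them with live lookups and the real /etc/mail files), and it also flags the glued MX name unix1.jinr.ru.xnc.dubna.su, which has no A record, as a probable missing trailing dot.

```python
"""Cross-check relay-domains / local-host-names against the MX records each
relayed domain publishes.  Added example; all DNS data below is constructed
from the output quoted in the thread, not looked up live."""

HOSTNAME = "unix1.jinr.ru"

# constructed: addresses `ifconfig -a` shows on unix1 (primary plus the alias)
LOCAL_IPS = {"159.93.44.57", "159.93.44.59"}

# constructed: MX answers as quoted in the thread, (preference, exchanger)
MX = {
    "blues.dubna.su": [(1, "unix1.jinr.dubna.su"), (10, "sunct0.jinr.dubna.su")],
    "xnc.dubna.su": [(1, "xnc.jinr.dubna.su"), (10, "unix1.jinr.ru.xnc.dubna.su")],
    "kev.pp.ru": [(50, "unix1.jinr.dubna.su"), (100, "ns.jinr.dubna.su")],
}

# constructed: A records for the exchangers (the glued name has none)
A = {
    "unix1.jinr.dubna.su": "159.93.44.57",
    "xnc.jinr.dubna.su": "159.93.44.59",
    "sunct0.jinr.dubna.su": "159.93.17.130",
    "ns.jinr.dubna.su": "159.93.17.130",
}

RELAY_DOMAINS = ["blues.dubna.su", "xnc.dubna.su", "kev.pp.ru"]
# constructed: local-host-names before the missing exchanger names were added
LOCAL_HOST_NAMES = {"unix1.jinr.ru", "kev", "kev.pp.ru"}


def audit(relay_domains, local_host_names, local_ips, mx, a, hostname=HOSTNAME):
    """Return (severity, domain, message) for every MX of every relayed domain."""
    findings = []
    for domain in relay_domains:
        if domain not in mx:
            findings.append(("ERROR", domain, "no MX published; nobody will send this domain's mail here"))
            continue
        local_exchangers = 0
        for _pref, exchanger in sorted(mx[domain]):
            ip = a.get(exchanger)
            if ip is None:
                hint = ""
                if exchanger.endswith("." + domain):
                    # "unix1.jinr.ru.xnc.dubna.su": a dotted name in front of the zone
                    # is what a zone-file record missing its trailing dot produces
                    head = exchanger[: -len(domain) - 1]
                    if "." in head:
                        hint = f" (looks like '{head}' glued to the zone: trailing dot missing in the zone file?)"
                findings.append(("ERROR", domain, f"MX {exchanger} has no A record{hint}"))
            elif ip not in local_ips:
                # another machine (backup MX); only a problem if it was meant to be us
                findings.append(("INFO", domain,
                                 f"MX {exchanger} -> {ip} is not on this host; if it should be, "
                                 f"alias {ip} on the interface or repoint the MX to {hostname}"))
            else:
                local_exchangers += 1
                if exchanger == hostname or exchanger in local_host_names:
                    findings.append(("OK", domain, f"MX {exchanger} -> {ip} is local and accepted"))
                else:
                    # sendmail would try to deliver to itself: "config error: mail loops back to me"
                    findings.append(("ERROR", domain,
                                     f"MX {exchanger} -> {ip} is local but missing from local-host-names"))
        if local_exchangers == 0:
            findings.append(("ERROR", domain,
                             "no MX resolves to this host; a relay-domains entry alone brings no mail here, fix DNS"))
    return findings


def errors(findings):
    """Only the findings that need an edit somewhere (DNS, ifconfig or /etc/mail)."""
    return [f for f in findings if f[0] == "ERROR"]


if __name__ == "__main__":
    for sev, dom, msg in audit(RELAY_DOMAINS, LOCAL_HOST_NAMES, LOCAL_IPS, MX, A):
        print(f"{sev:5} {dom:15} {msg}")
```

Run as-is it reports three exchanger names that resolve to this host but are not in local-host-names and the unresolvable glued MX; add unix1.jinr.dubna.su and xnc.jinr.dubna.su to local-host-names and only the DNS problem remains, which is exactly the state the thread arrives at by hand.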
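The `/map access` lookups quoted above are raw map hits; what the rulesets do on a real connection is broader: they try the most specific key first and then shorten a name one label at a time (or an address one octet at a time), they consult the client's forward-confirmed name before its address, and they combine the result with class w (local-host-names) and class R (relay-domains) to decide each RCPT. The model below is an added example, not sendmail's code and not from the original post: it reduces the check_relay/check_rcpt rulesets to those pieces (untagged access entries only, no relay_hosts_only, no relay_based_on_MX, no sender checks, no SMTP AUTH), and the map and file contents are constructed from the entries quoted in the thread plus two hypothetical ones marked as such.

```python
"""Reduced model of sendmail's relay decision from access_db, class w and
class R.  Added example; simplified, untagged entries only."""

# constructed /etc/mail/access (untagged entries, as in the thread)
ACCESS = {
    "kev.pp.ru": "OK",
    "159.93.17.121": "REJECT",
    "159.93.44": "RELAY",        # hypothetical: let our own /24 relay anywhere
    "dialup.example": "REJECT",  # hypothetical
}
# constructed: class w and class R after the fixes discussed in the thread
LOCAL_HOST_NAMES = {"unix1.jinr.ru", "unix1.jinr.dubna.su", "xnc.jinr.dubna.su", "kev", "kev.pp.ru"}
RELAY_DOMAINS = {"blues.dubna.su", "xnc.dubna.su", "kev.pp.ru"}


def candidate_keys(client):
    """Keys in the order the LookUpDomain / LookUpAddress rulesets try them."""
    parts = client.lower().split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        # 159.93.17.121 -> 159.93.17.121, 159.93.17, 159.93, 159
        return [".".join(parts[:n]) for n in range(4, 0, -1)]
    # mail.kev.pp.ru -> mail.kev.pp.ru, kev.pp.ru, pp.ru, ru
    return [".".join(parts[i:]) for i in range(len(parts))]


def access_lookup(client, access=ACCESS):
    """Most specific existing key wins; file order plays no part in a hash map."""
    for key in candidate_keys(client):
        if key in access:
            return key, access[key]
    return None, None


def check_relay(client_name, client_addr, access=ACCESS):
    """check_relay: the name is consulted first and, if it yields a verdict,
    the address is never looked at.  Pass client_name=None when the reverse
    name is not forward-confirmed; sendmail then only has the bracketed address."""
    for who in (client_name, client_addr):
        if who:
            key, verdict = access_lookup(who, access)
            if verdict:
                return key, verdict
    return None, "OK"  # nothing listed: connection accepted, relaying still undecided


def in_class_r(domain, relay_domains):
    """Class R without relay_hosts_only: an entry matches itself and its subdomains."""
    return any(domain == r or domain.endswith("." + r) for r in relay_domains)


def check_rcpt(client_name, client_addr, rcpt, access=ACCESS,
               local=LOCAL_HOST_NAMES, relay=RELAY_DOMAINS):
    """Return (verdict, reason) for one RCPT TO:<rcpt> from the given client."""
    _, conn = check_relay(client_name, client_addr, access)
    if conn == "REJECT":
        return "REJECT", "connection rejected by access"
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local:
        return "ACCEPT", "local delivery (local-host-names)"
    if in_class_r(domain, relay):
        return "ACCEPT", "relaying for a domain in relay-domains"
    if conn == "RELAY":
        return "ACCEPT", "client granted RELAY in access"
    key, verdict = access_lookup(domain, access)
    if verdict == "RELAY":
        return "ACCEPT", f"recipient domain {key} marked RELAY in access"
    return "REJECT", "550 5.7.1 Relaying denied"


if __name__ == "__main__":
    # the two sessions from the thread, run from an outside host
    print(check_rcpt("proxy.dubna.ru", "194.0.2.10", "evgeny@kev.pp.ru"))
    print(check_rcpt("proxy.dubna.ru", "194.0.2.10", "babka@blues.dubna.su"))
    print(check_rcpt("proxy.dubna.ru", "194.0.2.10", "someone@example.net"))
```

The last line of the three reproduces what the telnet sessions above should show for a recipient outside our domains: "Relaying denied". The order in `check_relay` is the trap worth remembering: a client whose forward-confirmed name falls under `kev.pp.ru OK` is accepted on the name alone, and the `159.93.17.121 REJECT` entry is never consulted for it, so a whitelist by domain name can quietly override a blacklist by address. A model like this only tells you what the files say; the telnet from outside, as the thread insists, is what tells you what the daemon does.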