HOWTO - Preventing Relaying
Many people want to get a free ride from your system by using
it for relaying their mail. This can be due to them being
corrupt and wishing to let you take the rap for relaying their
junk, or them being lazy and unable to make their own systems
work. In any case this is a theft of service and needs to be
stopped.
Relay Configuration Options
These are fully detailed in the Exim Specification Document, which
has a specific section on relaying.
- Firstly you need to specify the local mail domains as
tightly as possible. local_domains should only cover
domains that really are local - this is relevant since exim
allows any sender to mail to these domains (since you have
told exim those domains are local, you are not actually
relaying by sending to them).
- Any domains that are not finally handled by the local exim,
but can legitimately be relayed through (i.e. domains you act as
backup MX for) should be specified in relay_domains. A short
cut for doing this is setting relay_domains_include_local_mx,
which can be used to abuse your mail server by adding MXes
pointing at you, but raises the bar so much higher that it is
normally good enough.
- You probably want to be able to relay out from local
machines on the same network - be careful here since any open
machine on your network could be used to do unauthorised
relaying. The control of hosts that can relay is done with the
host_accept_relay option.
The standard settings for a workstation, allowing relaying
through the loopback (since packages such as MH post mail this
way), would be:-
relay_domains =
no_relay_domains_include_local_mx
no_relay_match_host_or_sender
host_accept_relay = 127.0.0.1/8
These are actually the default settings, other than that for
host_accept_relay.
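The relay decision these settings produce can be checked with a small
model before trusting a configuration. The following Python is an added
example, not part of the original note and not Exim's own code. It is a
simplified model that assumes literal domain names and IPv4 networks
only, does not evaluate relay_domains_include_local_mx or
relay_match_host_or_sender, and uses example.org as an assumed local
domain.

```python
import ipaddress

def parse_config(text):
    """Parse the Exim 3 style settings shown above into a dict."""
    cfg = {"local_domains": [], "relay_domains": [], "host_accept_relay": [],
           "relay_domains_include_local_mx": False}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # Exim lists are colon-separated; an empty value is an empty list.
            cfg[key] = [v.strip().lower() for v in value.split(":") if v.strip()]
        elif line.startswith("no_"):
            cfg[line[3:]] = False   # "no_option" turns a boolean off
        else:
            cfg[line] = True        # a bare option name turns it on
    return cfg

def relay_decision(cfg, client_ip, rcpt_domain):
    """Return (accepted, reason) for one recipient under the simplified model."""
    domain = rcpt_domain.lower()
    if domain in cfg["local_domains"]:
        return True, "local delivery, not relaying"
    if domain in cfg["relay_domains"]:
        return True, "recipient domain listed in relay_domains"
    ip = ipaddress.ip_address(client_ip)
    for net in cfg["host_accept_relay"]:
        # strict=False accepts 127.0.0.1/8, which has host bits set.
        if ip in ipaddress.ip_network(net, strict=False):
            return True, "client host matches host_accept_relay"
    return False, "relaying denied"

# Constructed sample: the workstation settings plus an assumed local domain.
WORKSTATION = """
local_domains = example.org
relay_domains =
no_relay_domains_include_local_mx
no_relay_match_host_or_sender
host_accept_relay = 127.0.0.1/8
"""

if __name__ == "__main__":
    cfg = parse_config(WORKSTATION)
    for ip, dom in [("127.0.0.1", "elsewhere.test"), ("192.0.2.7", "example.org"),
                    ("192.0.2.7", "elsewhere.test")]:
        print(ip, dom, relay_decision(cfg, ip, dom))
```

Only the last case, an outside host addressing an outside domain, is
relaying in the sense of this note, and it is the one that is refused.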
The information to do more complicated manipulations can be
found in the specification document and is outside the scope of
this note.
Nigel Metheringham
$Id: relay.html,v 1.1.1.1 2000/05/22 19:54:43 nigel Exp $