# Need to close Open Relay



## fullauto (Jun 30, 2013)

I could use a nudge in the right direction. I was called a while back from someone at my ISP telling me that I was running an open relay and that my machine was spamming. I thought I had that fixed, but apparently not. I went through and did the Documented file on this site (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/SMTP-Auth.html)

I was under the impression that with AUTH set, that anyone trying to relay mail through my server would require a login and pass. It works great for that, but it is rejecting mail from the outside world TO users in my system. I haven't had the machine on in months, because I just got frustrated.

I would greatly appreciate any help.

/etc/mail/access:

```
by default we allow relaying from localhost...
localhost.localdomain           RELAY
localhost                       RELAY
127.0.0.1                       RELAY
192.168.1                       RELAY

# Allow Connect from local server IPs
Connect:192.168.1               OK

# Accept Mail
# paypal.com                    OK


# Reject Mail
posterclub@e.allposters.com     REJECT
posterclub@email.allposters.com REJECT
plastmarket.com                 REJECT
```

/etc/mail/hermes.mc:

```
divert(-1)
divert(0)

VERSIONID(`$FreeBSD: release/9.0.0/etc/sendmail/freebsd.mc 223068 2011-06-14 04:33:43Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(relay_entire_domain)
FEATURE(`authinfo')dnl
MASQUERADE_AS(`SpreadSpectrum.net')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl

dnl FEATURE(`SMART_HOST', `spreadspectrum.net')dnl

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl       your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For that, visit
dnl http://www.google.com/Top/Computers/Internet/E-mail/Spam/Blacklists/

dnl Uncomment to activate your chosen DNS based blacklist
dnl FEATURE(dnsbl, `dnsbl.example.com')
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `dnsbl.example.com', ``"550 Mail from " $&{client_addr} " rejected'')

dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')
dnl Enable for both IPv4 and IPv6 (optional)
dnl DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=465, Name=MTA-TLS, M=a')dnl
DAEMON_OPTIONS(`Name=IPv4, Port=25, Family=inet, Modifiers=a, Name=MTA-TLS')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')

dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

dnl SSL Options
define(`confCACERT_PATH',`/etc/CertAuth')dnl
define(`confCACERT',`/etc/CertAuth/new.crt')dnl
define(`confSERVER_CERT',`/etc/CertAuth/new.crt')dnl
define(`confSERVER_KEY',`/etc/CertAuth/myca.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl

MAILER(local)
MAILER(smtp)
```


----------



## throAU (Jul 1, 2013)

Is this machine purely a relay, or does it host mailboxes as well?


----------



## fullauto (Jul 1, 2013)

*I*t hosts mailboxes too.


----------



## igorino (Jul 6, 2013)

My guess is: if you have pop-before-smtp or smtp-auth configured, you can remove the relay entries in your /etc/mail/access

```
# localhost.localdomain           RELAY
# localhost                       RELAY
# 127.0.0.1                       RELAY
# 192.168.1                       RELAY
```
if you have _a_ /etc/mail/relay-domains file, remove his relay domains entries too.


----------

