Question : Use Password to Relay through Sendmail.

Hi,
We are an Exchange 2000 environment. We are having the hardest time with a mail relay bug that drops out the "." in a URL. MS says to upgrade to Exchange 2003, which we do not want to do for this problem. We are actually leaning to moving to a Linux mail solution, but that is not in the books till later next year.

Right now we have RHEL 5.0, and want to use SendMail as an SMTP relay. This server will not be accessible to the outside, but also needs to be restricted as an open relay on the subnet. I am totally new to the Linux world, so need a little help. I have successfully sent email using SendMail, but need to secure it from SMTP relay.

Here is what I would like:
1.  Do not make an open relay
2.  Require UserName and Pass in order to relay. This can be hardcoded, it doesn't matter.  Our inhouse app will be making the call to use the relay, not a user.

I have seen a lot of documentation on configuring Sendmail to integrate w/ AD, but all I want to do is allow a single username / pass to be able to use SMTP relay.

Since our app will be sending the email that is running on the user desktop, I cannot restrict to a single IP.

Any help would greatly be appreciated.

Ton

Answer : Use Password to Relay through Sendmail.

sendmail does have facilities for authenticating senders during the SMTP conversation (the SMTP AUTH command). It can authenticate against LDAP (not sure if it can deal with AD's broken LDAP implementation) as well as other sources.

I wouldn't do that. sendmail is a mail router. It's designed to move E-Mail from "here" to "there" with maximum efficiency and reliability. Authentication capabilities for sendmail are kinda like security for Windoze - an afterthought bolted on the side.

I'd suggest using an SSH tunnel. The remote sender establishes an SSH tunnel to the RHEL host, authenticating to do so, perhaps via a certificate. When they establish their session, they request port forwarding. They instruct their E-Mail client on their local machine to use the forwarded port to send E-Mail, which travels thru the tunnel to the RHEL host and the sendmail daemon.

sendmail doesn't have to worry with authentication - no one is establishing the tunnel without authenticating via SSH. You also do not have to open sendmail to connections from anywhere. Spammers will pound on it.
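
The tunnel setup suggested in the answer above, as an added example that is not part of the original answer: the server-side key restriction, a check that a key line is limited to the mail tunnel, and the client-side forward. The account `mailrelay`, host `relay.example.internal`, local port 2525 and all function names are assumptions, as is sendmail listening only on 127.0.0.1:25 on the RHEL host.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed names: account "mailrelay"
# (no login shell), host relay.example.internal, local port 2525.
# Assumes sendmail on the RHEL host listens on 127.0.0.1:25 only.
RELAY_USER=mailrelay
RELAY_HOST=relay.example.internal
LOCAL_PORT=2525
# authorized_keys options: forwarding only to the local sendmail listener,
# no terminal, no X11/agent forwarding, and a forced command so nothing else runs.
KEY_OPTS='command="/bin/false",permitopen="127.0.0.1:25",no-pty,no-X11-forwarding,no-agent-forwarding'

# Server side: read one public key on stdin, print its restricted authorized_keys line.
restricted_key_line() {
    read -r key
    printf '%s %s\n' "$KEY_OPTS" "$key"
}

# Server side audit: succeed only if a line limits the key to the sendmail tunnel.
# Simplification: expects an ssh-* key type and no spaces inside the options.
key_line_is_tunnel_only() {
    case "$1" in ssh-*) return 1 ;; esac                 # no options field at all
    opts=${1%% ssh-*}                                    # text before the key type
    case "$opts" in *'permitopen="127.0.0.1:25"'*) ;; *) return 1 ;; esac
    rest=${opts#*permitopen=}
    case "$rest" in *permitopen=*) return 1 ;; esac      # a second forward target
    case "$opts" in *no-pty*) ;; *) return 1 ;; esac
    return 0
}

# Client side: local loopback port -> port 25 on the relay's loopback.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:25\n' "$LOCAL_PORT"
}

# Client side: -N runs no remote command; the app then sends to 127.0.0.1:2525.
open_tunnel() {
    ssh -N -i "$1" -L "$(forward_spec)" "$RELAY_USER@$RELAY_HOST"
}
```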