Source: http://ist.uwaterloo.ca/security/howto/1998-10-20.html

Sendmail: 451 relay unavailable

by Reg Quinton and Dawn Whiteside, Information Systems and Technology, University of Waterloo
20-Oct-1998

Synopsis

Users of E-mail clients (like Eudora) at non-UW sites are unable to send E-mail through their UW server -- the error message returned says "451 relay unavailable".

The system manager should configure the sendmail package and set "allow_pop=yes" to allow remote users to send E-mail after authenticating.

Problem

Sendmail 8.8 as distributed by xhier at UW is configured to be very aggressive in how it handles spammers. It's aggressive for good reasons -- UW and many other sites have been exploited by the unscrupulous who relay mail through others to implement mass-mailings. Unfortunately, the anti-spam measures can have an adverse impact on legitimate users. This paper documents one problem and the configuration required to resolve it. The problem affects UW users of POP/IMAP E-mail clients (like Qualcomm Eudora, Netscape Messenger, Microsoft Outlook Express, etc.) on non-UW service providers.

The default configuration as distributed by xhier refuses to relay mail. If the site sending mail to the server is not at UW then the recipient must be a local user; otherwise it is rejected as an unauthorized attempt to relay mail (with the implication that it's likely to be spam).

This problem affects UW users of 3rd party ISPs -- e.g. Rogers@Home -- who use E-mail client programs like Eudora and Netscape Messenger. It affects users at conferences where attendees use popular PC based clients in a mail room to access their mail at UW. It affects all users of the popular PC based E-mail clients on non-UW service providers -- their legitimate mail is rejected by the mail server.

This problem does not affect users of the UW dial-in service -- they are using the UW service provider. Nor does it affect those who login to the UW mail server as interactive users and run programs like pine -- the mail they send comes from a UW site: the mail server they've logged in to. These days, many users prefer the PC client programs mentioned here and they never login as interactive users. Those programs send mail directly to the server and are affected by the anti-spam configuration.

Solution

Sendmail 8.8 at UW is a configurable xhier package -- it gets configured at install time and automatically reinstalled, typically on a weekly basis. Configuration options are documented in a corresponding Unix manual page -- try the command:
man sendmail-config
See especially the section:
    allow_pop=(yes/no) Controls whether non-local POP/IMAP clients are allowed to use the mail server to relay mail when reduce_spam is set to yes. Requires the mail-servers package (POP authentication) and/or the imap package (IMAP authentication). Default is no.

    pop_auth_timeout= Time in hours after the most recent authenticated POP/IMAP activity to allow POP/IMAP clients to continue to relay mail through this system. Default is 0.5 (half an hour).

Here's what you have to do (as the root user):
  1. Edit the file /software/sendmail/config/local/options to include "allow_pop=yes". Optionally, set a "pop_auth_timeout" value -- longer times are a bigger potential for unauthenticated users from remote sites to relay mail.

    Beware: the file is a link to a local file outside the xhier tree. Don't break the link.

  2. Reconfigure sendmail with the xhier command "xh-install sendmail". If you can't find the xh-install command, set your search PATH to include the xhier maintenance commands:
    setenv PATH `showpath u=m standard xhier`

That's all you need to do to resolve the problem.

New Configuration

This section is for those interested in what happens when you've applied the solution given above. If all goes well (and it should) you'll see these subtle changes to your system:

  • The sendmail configuration file, sendmail.cf, will have been rebuilt by the install process. The new configuration will allow sites listed in a "popauth" data base to relay mail through the server.

  • The sendmail daemon will have been restarted -- a new daemon that uses the new sendmail.cf file.

  • A couple of new daemons will be running on your system; you will see them in a "ps" listing of your system.

    • pop-auth is a Perl script which follows the syslog audit trail looking for user authentication records. When a user authenticates, the IP number of the host is recorded.
    • pop-add is a Bourne shell script that periodically builds the "popauth" data base using the IP numbers found by the pop-auth process. The data base is used by sendmail -- all users at those IP addresses can relay mail.

    You'll find those daemons in "/software/sendmail/servers". A related process you'll find there is the pop-expire process, which is run periodically by cron(8). These three processes keep the "popauth" data base current.

  • There will be some new files and a directory in /software/sendmail/data/local/

    • pop-add.pid, pop-auth.pid -- process ids of the pop-add and pop-auth processes
    • popdata/ -- a directory maintained by the pop-auth process containing one file for each address that authenticates with your IMAP/POP servers. Host entries are expired by the pop-expire process.
    • popauth, popauth.dir, popauth.pag -- data base of clients who have authenticated. The pop-add process regularly scans the popdata/ directory to build this data base.

    The sendmail daemon will allow sites listed in the popauth data base to relay mail. Users who have connected to and authenticated with a POP/IMAP server will be allowed to relay mail from the same site.

The processes described above are in production on the IST mail server (a Solaris 2.6 system) and work well enough. The current solution is functional but not ideal; it may be improved later to better integrate with POP/IMAP servers.
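The pop-auth / pop-add / pop-expire pipeline and sendmail's resulting relay decision, as an added illustration that is not the xhier package's code: the syslog record format, the sample log lines and the function names are assumptions; the pop_auth_timeout default of half an hour is the page's.

```python
import re
import time

# Assumed shape of the popper/imapd authentication records in the syslog
# audit trail (constructed; real message text varies by server version).
AUTH_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?:popper|imapd)\[\d+\]: "
    r"Login user=(?P<user>\S+) host=\S+ \[(?P<ip>\d+\.\d+\.\d+\.\d+)\]$"
)

# Constructed sample audit trail: two logins and one unrelated sendmail line.
SAMPLE_LOG = [
    "Oct 20 09:00:00 mailhost popper[1234]: Login user=alice host=dial.example.net [10.1.2.3]",
    "Oct 20 09:10:00 mailhost imapd[2345]: Login user=bob host=pc.example.org [10.4.5.6]",
    "Oct 20 09:15:00 mailhost sendmail[99]: rejected relay attempt from [192.0.2.7]",
]

def stamp_to_epoch(stamp, year=1998):
    """syslog stamps carry no year; assume the given one (local time)."""
    return time.mktime(time.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))

def pop_auth(lines, year=1998):
    """pop-auth role: follow the audit trail and keep the most recent
    authentication time for each client IP number."""
    seen = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            t = stamp_to_epoch(m["stamp"], year)
            seen[m["ip"]] = max(t, seen.get(m["ip"], 0))
    return seen

def pop_add(seen, now, timeout_hours=0.5):
    """pop-add and pop-expire roles: the popauth data base holds every IP
    whose last authentication is within pop_auth_timeout (default 0.5 h)."""
    return {ip for ip, t in seen.items() if now - t <= timeout_hours * 3600}

def may_relay(popauth, client_ip, rcpt_local):
    """sendmail's decision with reduce_spam=yes and allow_pop=yes: mail for
    local recipients is always accepted; relaying elsewhere needs the
    client's IP in popauth. Note the page's caveat: any user at that IP
    (a reused dialup address, a multi-user host) passes this check."""
    return rcpt_local or client_ip in popauth
```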

Beware

Most of these assumptions are met at UW. But you should be aware of them in case you have configured things differently at your site.

  • The strategy assumes that if a user at a remote location authenticates then it's probably the same user that's sending mail. That can be a very hasty assumption for ISP dialup lines where the IP numbers are reused. It is also a very hasty assumption if the client is on a multi-user system. The assumption may mean this solution is not acceptable for some sites.

  • The package requires that users login to the IMAP/POP mail server before sending mail. That's usually how users and most mail clients behave, but don't be surprised if users occasionally behave differently (e.g. a user might be browsing the web and click on a mailto: URL before reading their mail).

  • The package requires that users configure their IMAP/POP client to use the same server for reading and for sending mail. The strategy to detect legitimate users cannot work if those aren't the same servers.

  • It's possible for a user to authenticate with a mail server and send a message before the pop-add process can record the site -- that process wakes within 30 seconds.

  • The periodic rolling of syslog audit files requires that the pop-auth daemon be restarted. If these aren't well synchronized the daemon will be watching the wrong audit trail.
    That can happen if log file rolling is delayed or performed by utilities outside the xhier packages provided for that purpose.

    This will happen in a 15 minute window between scheduled log file rolling and the restart of the pop-auth daemon.

  • The package requires that syslogd(8) be configured to log messages for the "mail" facility at the "debug" level in a standard area dependent on the system architecture. On Solaris you should find those messages in "/var/log/syslog".

  • The package requires that your IMAP/POP servers audit user authentication with appropriate syslog(3) messages. Current xhier distributed versions of the Qualcomm popper server in the "mail-servers" package (and the University of Washington imapd and the soon to be distributed ipop3d servers) leave an appropriate audit trail.

Acknowledgements

The strategy we've implemented is published as "POP before SMTP for Sendmail" by Neil Harkins. His solution has been modified for UW use and extended to include IMAP authentication.


20-Oct-1998; (ed) Reg Quinton