In order to block mail relaying activities, the MTA must first be able to differentiate between internal mail originated at your site and external mail originated out on the Internet and passing through your system back out to the Internet. The former class of mail you want to permit; the latter class you want to block. This differentiation is achieved using the switchchannel keyword on your inbound SMTP channel, usually the tcp_local channel, and is set by default.
The switchchannel keyword works by causing the SMTP server to look at the actual IP address associated with the incoming SMTP connection. Messaging Server uses that IP address, in conjunction with your rewrite rules, to differentiate between an SMTP connection originated within your domain and a connection from outside of your domain. This information can then be used to segregate the message traffic between internal and external traffic.
The MTA configuration described below is set up by default so that the server can differentiate between your internal and external message traffic.
In the configuration file, immediately before the local channel, is a defaults channel with the noswitchchannel keyword:
! final rewrite rules
defaults noswitchchannel
! Local store
ims-ms ...
The incoming TCP/IP channel specifies the switchchannel and remotehost keywords; for example:
tcp_local smtp single_sys mx switchchannel remotehost TCP-DAEMON
After the incoming TCP/IP channel definition is a similar channel with a different name; for example:
tcp_intranet smtp single_sys mx allowswitchchannel routelocal tcp_intranet-daemon
The routelocal channel keyword causes the MTA, when rewriting an address to the channel, to attempt to “short circuit” any explicit routing in the address through this channel, thereby blocking possible attempts to relay by means of looping through internal SMTP hosts via explicitly source routed addresses.
With the above configuration settings, SMTP mail generated within your domain will come in via the tcp_intranet channel. All other SMTP mail will come in via the tcp_local channel. Mail is distinguished between internal and external based upon which channel it comes in on.
How does this work? The key is the switchchannel keyword, which is applied to the tcp_local channel. When a message comes in to your SMTP server, that keyword causes the server to look at the source IP address associated with the incoming connection. The server attempts a reverse-pointing envelope rewrite of the literal IP address of the incoming connection, looking for an associated channel. If the source IP address matches an IP address or subnet in your INTERNAL_IP mapping table, the rewrite rule which calls out to that mapping table causes the address to rewrite to the tcp_intranet channel.
Since the tcp_intranet channel is marked with the allowswitchchannel keyword, the message is switched to the tcp_intranet channel and comes in on that channel. If the message comes in from a system whose IP address is not in the INTERNAL_IP mapping table, the reverse-pointing envelope rewrite will rewrite either to the tcp_local channel or, perhaps, to some other channel. However, it will not rewrite to the tcp_intranet channel, and since all other channels are marked noswitchchannel by default, the message will not switch to another channel and will remain with the tcp_local channel.
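To make the decision sequence concrete, here is an added Python model of the switchchannel logic (it is not Messaging Server code and not part of this document): it parses a constructed INTERNAL_IP mapping table, performs the reverse-pointing rewrite of the literal source IP, and applies the allowswitchchannel and noswitchchannel checks. The table contents, the channel set, and the simplification that a non-internal address rewrites to tcp_local are assumptions made for illustration.

```python
import ipaddress
# Constructed INTERNAL_IP mapping table in mappings-file style (assumption: the
# $(addr/prefix) CIDR pattern with $Y/$N results; the addresses are made up).
INTERNAL_IP_TABLE = """
INTERNAL_IP
  $(192.168.10.0/24)  $Y
  $(10.0.0.0/8)       $Y
  127.0.0.1           $Y
  *                   $N
"""

# Channel keywords as given on the page; ims-ms inherits 'defaults noswitchchannel'.
CHANNELS = {
    "tcp_local":    {"switchchannel"},
    "tcp_intranet": {"allowswitchchannel"},
    "ims-ms":       {"noswitchchannel"},
}

def parse_internal_ip(text):
    """Return (network, is_internal) pairs in table order; first match wins."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # skip the table name and blank lines
        pattern, result = parts
        if pattern == "*":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif pattern.startswith("$(") and pattern.endswith(")"):
            net = ipaddress.ip_network(pattern[2:-1], strict=False)
        else:
            net = ipaddress.ip_network(pattern)   # a single literal host address
        rules.append((net, result == "$Y"))
    return rules

def reverse_rewrite_channel(source_ip, rules):
    """Reverse-pointing rewrite of the literal source IP: internal -> tcp_intranet."""
    addr = ipaddress.ip_address(source_ip)
    for net, internal in rules:
        if addr in net:
            return "tcp_intranet" if internal else "tcp_local"
    return "tcp_local"

def effective_channel(source_ip, inbound="tcp_local"):
    """Channel the message ends up on after the switchchannel check."""
    if "switchchannel" not in CHANNELS[inbound]:
        return inbound                    # noswitchchannel: never switch
    target = reverse_rewrite_channel(source_ip, parse_internal_ip(INTERNAL_IP_TABLE))
    if target != inbound and "allowswitchchannel" in CHANNELS.get(target, ()):
        return target                     # switched to tcp_intranet
    return inbound                        # remains on tcp_local
```

A connection from 192.168.10.25 lands on tcp_intranet, while one from 203.0.113.7 stays on tcp_local, which is the split the relay-blocking rules in the rest of the configuration rely on.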
Note that any mapping table or conversion file entries which use the string “tcp_local” may need to be changed to either “tcp_*” or “tcp_intranet” depending upon the usage.