
Re: Sendmail & access restrictions

This one time, at band camp, Kris Deugau said:
> Stephen Gran wrote:
> > I think I'm being dense, but I can't figure out how to do something
> > like the following in /etc/mail/access:
> > 
> > xxx.xxx.xxx.xxx: OK # front-end machine 1
> > xxx.xxx.xxx.xxy: OK # front-end machine 2
> OK.  You'll want to add localhost and
> localhost.localdomain	RELAY
> localhost		RELAY

That is quite helpful, thanks.

> otherwise locally-generated mail will fail.  Unless you've got a good
> reason NOT to trust localhost, any sendmail access map should include
> these or similar lines - the last one is probably all that's required.
> > AUTH: OK
> > *: REJECT
> But these aren't really valid.

I understand - they were rough logic for what I want, not actual lines -
I said I couldn't figure it out :)

> By default (at least with recent versions of sendmail), relaying is
> denied UNLESS you have told sendmail otherwise.

Ah, I see the problem - it's not _relaying_ alone I want to reject
(we've got the auth part straightened out already, and we're not an open
relay).  What I want to do is not accept mail unless it comes from one
of a few IPs, or is authenticated.  Say the domain is foo.com, and this
server's hostname is mail.foo.com.  It is not listed as an MX record, so
no legitimate emails should ever arrive there, only spams and viruses
and whatnot.  However, any mail that arrives for user@mail.foo.com is
accepted, since sendmail knows that it _is_ mail.foo.com.  I want to
reject these, and only accept mail that is authed, or coming in through
one of the frontend machines.  I can't just do it with iptables, because
of the roaming users.

|   ,''`.					     Stephen Gran |
|  : :' :					 sgran@debian.org |
|  `. `'			Debian user, admin, and developer |
|    `-					    http://www.debian.org |
