This one time, at band camp, Kris Deugau said: > Stephen Gran wrote: > > I think I'm being dense, but I can't figure out how to do something > > like the following in /etc/mail/access: > > > > xxx.xxx.xxx.xxx: OK # front-end machine 1 > > xxx.xxx.xxx.xxy: OK # front-end machine 2 > > OK. You'll want to add localhost and 127.0.0.1: > > localhost.localdomain RELAY > localhost RELAY > 127.0.0.1 RELAY That is quite helpful, thanks. > otherwise locally-generated mail will fail. Unless you've got a good > reason NOT to trust localhost, any sendmail access map should include > these or similar lines- the last one is probably all that's required. > > > AUTH: OK > > *: REJECT > > But these aren't really valid. I understand - they were rough logic for what I want, not actual lines - I said I couldn't figure it out :) > By default (at least with recent versions of sendmail), relaying is > denied UNLESS you have told sendmail otherwise. Ah, I see the problem - it's not _relaying_ alone I want to reject (we've got the auth part straightened out already, and we're not an open relay). What I want to do is not accept mail unless it comes from one of a few IP's, or is authenticated. Say the domain is foo.com, and this servers hostname is mail.foo.com. It is not listed as an MX record, so no legitimate emails should ever arrive there, only spams and viruses and whatnot. However, any mail that arrives for user@mail.foo.com is accepted, since sendmail knows that it _is_ mail.foo.com. I want to reject these, and only accept mail that is authed, or coming in through one of the frontend machines. I can't just do it with iptables, because of the roaming users. -- ----------------------------------------------------------------- | ,''`. Stephen Gran | | : :' : sgran@debian.org | | `. `' Debian user, admin, and developer | | `- http://www.debian.org | -----------------------------------------------------------------
Attachment:
pgp6DFMZWwZGD.pgp
Description: PGP signature