LinuxQuestions.org
Old 07-31-2003, 12:01 PM   #1
gljoe
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Rep: Reputation: 0
Help with Sendmail filters for outgoing mail by sender/recipient


First post for me here, please forgive any shortcomings

My environment:
P3 500 128mb
RH9 kernel 2.4.20-6
Sendmail 8.12.8-5
Squirrelmail 1.2.11-1

I am trying to configure sendmail to filter mail in AND out.
I have this sendmail server servicing mail for DomainA. I have another mail server (DomainB).

I want:
Any mail traffic between A and B allowed
Any mail destined from A to anywhere other than B denied
EXCEPT for a single user (notify@domainA) to be allowed to send anywhere.

I have already restricted inbound port 25 connections from hitting the mail server with iptables, which works well.

I have read all the chapters in O'Reilly's most recent sendmail book about rulesets (very confusing language) and filters with access.db, and the only thing that seems to come close is FEATURE(`check_compat'). As far as I can tell, though, it only regulates user/user or domain/domain, but not user/domain.

All helpful suggestions are appreciated!

Last edited by gljoe; 07-31-2003 at 12:03 PM.
 
Old 08-01-2003, 02:06 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 47
/etc/mail/access is the key to all your sendmail issues
 
Old 08-02-2003, 04:11 AM   #3
sashhoney
Member
 
Registered: Jul 2003
Distribution: Red Hat, Fedora, Debian
Posts: 85

Rep: Reputation: 15
Check the following file for extensive help:
/usr/share/sendmail{version}/README
Anyway, your problem is not very difficult to solve; in fact you can control user/domain pairs also using /etc/mail/access, but don't forget to run the following command after modifying the access file:
makemap hash /etc/mail/access < /etc/mail/access
 
Old 08-04-2003, 12:38 PM   #4
gljoe
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
I appreciate the pointers. I have perused the README, and many sites on the internet and have not found any specific help doing what I want to do.

I'd like to get some sample syntax and a detailed a, b, c, etc. I'm sure it must be very simple, I just can't find any examples of exactly what I'm trying to do anywhere.

Thanks in advance....
 
Old 08-04-2003, 03:50 PM   #5
Corin
Member
 
Registered: Jul 2003
Location: Jette, Brussels Hoofstedelijk Gewest
Distribution: Debian sid, RedHat 9, Suse 8.2
Posts: 446

Rep: Reputation: 30
The site you must bookmark is

<http://www.sendmail.ORG>

and that is the place to look for detailed instructions on how to achieve what seem like arcane tasks with sendmail.

You can even do a site search there, using the Google engine, with which you are no doubt already comfortable and familiar.

And that reveals

<http://www.sendmail.org/tips/relaying.html>

where you will find detailed help on which features to turn on and off in your sendmail.mc file, which once edited must be run through m4, using

#> make clean
#> make

to generate a new sendmail.cf, and details of how to configure /etc/mail/access (which also must be processed to create a db file).

Last edited by Corin; 08-04-2003 at 03:51 PM.
 
Old 08-05-2003, 05:17 PM   #6
gljoe
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks for the pointer...I actually had read that page, but it does not help as I am not trying to control relaying per se. Relaying on the server is off and is not an issue.

Please read my original post carefully

I am mainly trying to control OUTBOUND mail originating by/from users on the mail server.

I believe the access.db to be key but can not find any exacting, detailed examples of how to achieve user/domain and domain/domain limitations.

If my sendmail server is A and my other mail server is B, then I want:
A accepts inbound mail only from B
A always and only allows outbound mail to B (no mail allowed to rest of world)
EXCEPT for a specified user@A that can send mail anywhere in the world.

Thanks for any help!
 
Old 08-05-2003, 09:46 PM   #7
Corin
Member
 
Registered: Jul 2003
Location: Jette, Brussels Hoofstedelijk Gewest
Distribution: Debian sid, RedHat 9, Suse 8.2
Posts: 446

Rep: Reputation: 30
Quote:
1)A accepts inbound mail only from B
2) A always and only allows outbound mail to B (no mail allowed to rest of world)
EXCEPT for a specified user@A that can send mail anywhere in the world.
When you say inbound mail from B, do you mean mail relayed
from B, or only originating from B, because there is a difference.


So are these the rules -

if sender is user@A then deliver (to any given address)

elif sender is *@B then deliver on A if TO: is *@A, otherwise bounce

elif destination is *@B then send to B

I think you need to think through your rules carefully, considering
what to do in all cases, and see if you can actually achieve your results with just the access feature.

How are you going to prevent people on A forging messages?

Will not anybody on A be able to telnet to port 25 on A and send a message using a FROM field with specifieduser and thus circumvent the check?
 
Old 08-06-2003, 02:18 AM   #8
sashhoney
Member
 
Registered: Jul 2003
Distribution: Red Hat, Fedora, Debian
Posts: 85

Rep: Reputation: 15
Well, just modify your sendmail.mc file as follows:
1. Disable the relay_entire_domain and accept_unresolvable_domains FEATUREs, if already enabled.
2. Enable relay_mail_from and, if necessary, the relay_hosts_only FEATURE.
3. Put the access_db definition in if it is not there.
Now your /etc/mail/access should look like this
(considering your network address is 192.168.1.x and your mail server A is not a gateway):
192.168.1 REJECT
From:B OK
To:B OK
From:user@A OK
To:user@A OK

Then run the command
makemap hash /etc/mail/access < /etc/mail/access

and start sendmail.
I hope this will solve your problem.
-Sidd
 
Old 08-06-2003, 05:23 PM   #9
gljoe
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Thanks for the reply, Corin, I'll try to be more specific here:

Both of these mail servers are mine:

DomainA is sendmail mta with squirrelmail hosted outside our firewall. We want to email sensitive data to customers securely, so we are hosting a webmail server where they will have accounts and we can send sensitive data there for them to view via secure web access.

DomainB is our exchange server inside our firewall, hosting our company mail, which is where the mail to our customers will originate from.

I'm setting up the webmail server so that our company can securely send mail somewhere our customers can view it (securely). I don't want any of the sensitive data forwarded out to other email accounts (even the customers'), but I have a script that will send out delivery notification to the customer to come and check their mail.

So my wishes are:
all mail between exchange and sendmail is ok. (domainA/domainB OK)
no mail delivery allowed to/from sendmail server from anywhere else (domainA/* REJECT)
user notify@domainA can send anywhere (notify@domainA/* OK)

I hope that helps everyone understand more clearly.

I have iptables running not to allow inbound port 25 connections from anywhere other than the IP of my exchange server, so that part is a non-issue.

Sashhoney, I will try your suggestions but I have a question...what does the "192.168.1 REJECT" do in access file? Is that what disables delivery to everywhere except the hosts and users below?

I will try these things and post back shortly.

Last edited by gljoe; 08-06-2003 at 05:33 PM.
 
Old 08-06-2003, 05:53 PM   #10
gljoe
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Ok, exactly as you suggested, substituting my actual network for 192.168.1

Sendmail is still delivering messages to outside domains for all users on the mail server.

Any other ideas?
 
Old 08-06-2003, 07:53 PM   #11
Corin
Member
 
Registered: Jul 2003
Location: Jette, Brussels Hoofstedelijk Gewest
Distribution: Debian sid, RedHat 9, Suse 8.2
Posts: 446

Rep: Reputation: 30
Well, as I said, after you explained in your post that the relaying (detailed at sendmail.ORG) is not the actual control you want to do, I have a feeling that you are going to have to roll up your sleeves and very carefully sit down and write the rules out, which I tried to make an attempt at doing.

Then you are going to have to become a sendmail guru and actually handcraft these rules into your sendmail.cf, and forget about sendmail.mc since the features it provides are not fine enough for the control you want to do.

Since sendmail.cf configuration is a black art, you must proceed very cautiously, adding/changing one rule at a time and thoroughly testing it.

The obvious way to proceed because of the security aspect is to lock off everything first, all messages regardless of origin/destination get bounced and gradually let things through according to your criteria of matching originating user and host, and destination user and host.

If you feel that you do not wish to become an expert in the black arts of sendmail configuration, then install exim which is a much more easily configurable mailer, has security authentication with keys, and ACLs.

<http://www.exim.ORG>

Linux gives you the power to choose, but with that power comes responsibility.
 
Old 08-07-2003, 02:53 AM   #12
sashhoney
Member
 
Registered: Jul 2003
Distribution: Red Hat, Fedora, Debian
Posts: 85

Rep: Reputation: 15
Well, can you post your relevant lines of the sendmail.mc file, so that we'll be able to identify what exactly is missing?
Anyway, about your first query: if OK is used then it will override all the previously defined rules, so the idea is to reject all the relaying queries from your network and allow only those from your required domain or user.
Now just try to put From: and To: before your network address. I don't know whether it'll make any difference or not.
 
Old 08-07-2003, 04:41 PM   #13
gljoe
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
I almost have this working using only FEATURES and access file.

Here are the relevant lines of sendmail.mc:

FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`relay_mail_from',`domain')
FEATURE(relay_hosts_only)
RELAY_DOMAIN(`domainB')

And the Access File:

localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
domainB RELAY
From:user1@domainA RELAY
To:domainB OK
From:domainA REJECT

This does several things right and is almost complete:
1. Allows inbound mail from domainB only
2. Does not allow users@domainA to send to outside world.
3. Allows only the user1@domainA to send to outside world (mail delivery notification)

The only thing lacking is that it does not allow users@domainA to send to domainB. Incidentally, "To:domainB OK" doesn't make a difference; whether in or out, no mail goes to domainB except from user1.

Almost home on this one...please help!
 
Old 08-08-2003, 12:06 AM   #14
Corin
Member
 
Registered: Jul 2003
Location: Jette, Brussels Hoofstedelijk Gewest
Distribution: Debian sid, RedHat 9, Suse 8.2
Posts: 446

Rep: Reputation: 30
From:domainA REJECT

means that everything from domainA is REJECTED
even if TO domainB is OK.

user1@domainA RELAY means that this specific user
overrides the domainA REJECT rule.

The problem is you do not have (and cannot?)

From domainA and not TO domainB REJECT

which is what you want.

In fact your rule

To:domainB OK

allows anybody not prevented by the other rules
to send mail to domainB.
 
Old 08-08-2003, 10:28 AM   #15
gljoe
LQ Newbie
 
Registered: Jul 2003
Posts: 10

Original Poster
Rep: Reputation: 0
I'd like to understand the order things get processed better. What order do the features run, what overrides what else, etc.

It's strange that, when the default behavior of sendmail is to reject mail unless an allow is found in access_db, the To:domainB OK doesn't override the From:domainA REJECT.

Also,
The O'Reilly "Sendmail" 3rd edition that I am using says at the bottom of p 318: "If the host is listed with the RELAY_DOMAIN mc macro...it is relayed without checking the access database."

So, I added "RELAY_DOMAIN(`domainB')" to my sendmail.mc, but apparently the access_db is still checked for mail that originates locally.

I'm still hopeful there is a way to do this, that I am missing something easy here.

I very much want to avoid becoming a disciple of the dark art of sendmail rulesets!
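Added illustration (not code from this thread and not sendmail's own rulesets): a simplified Python model of the order in which sendmail consults the access map during one SMTP transaction, run against the access file posted in #13. It shows why the From:domainA REJECT, applied at MAIL FROM, is final before any To: entry for the recipient is looked at (the ordering question asked in #15 and Corin's point in #14), and what the 127.0.0.1 RELAY line implies for mail submitted from the webmail host itself. LOCAL_DOMAINS, the key-walk and the stage logic are assumptions of the model.

```python
LOCAL_DOMAINS = {"domainA"}  # assumption: the domain this server delivers locally

# The access file from post #13, as key -> value (constructed from the thread)
ACCESS = {
    "localhost.localdomain": "RELAY", "localhost": "RELAY", "127.0.0.1": "RELAY",
    "domainB": "RELAY", "From:user1@domainA": "RELAY", "To:domainB": "OK",
    "From:domainA": "REJECT",
}

def candidate_keys(addr):
    """Keys tried most specific first: full address, then the domain and each
    parent domain (for an IP address: the address, then shorter prefixes)."""
    host = addr.split("@")[-1]
    parts = host.split(".")
    if all(p.isdigit() for p in parts):
        tails = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    else:
        tails = [".".join(parts[i:]) for i in range(len(parts))]
    return ([addr] if "@" in addr else []) + tails

def lookup(access, tag, addr):
    """A tagged entry (From:/To:/Connect:) wins over an untagged one, and
    untagged entries apply to every stage (simplified model)."""
    for key in candidate_keys(addr):
        for full in (tag + key, key):
            if full in access:
                return access[full]
    return None

def transaction(access, client, sender, rcpt):
    """Return (SMTP stage, verdict). MAIL FROM is judged before RCPT TO, so a
    sender REJECT ends the transaction whatever the recipient entry says."""
    may_relay = lookup(access, "Connect:", client) == "RELAY"
    verdict = lookup(access, "From:", sender)
    if verdict == "REJECT":
        return ("MAIL FROM", "rejected")
    if verdict == "RELAY":          # FEATURE(relay_mail_from) behaviour
        may_relay = True
    verdict = lookup(access, "To:", rcpt)
    if verdict == "REJECT":
        return ("RCPT TO", "rejected")
    if rcpt.split("@")[-1] in LOCAL_DOMAINS or verdict == "RELAY" or may_relay:
        return ("RCPT TO", "accepted")
    return ("RCPT TO", "relaying denied")  # a plain OK does not permit relaying

if __name__ == "__main__":
    # the case that fails in #13: an ordinary domainA user writing to domainB
    print(transaction(ACCESS, "127.0.0.1", "user2@domainA", "boss@domainB"))
```

Dropping the From:domainA REJECT line lets the same user reach any domain, because the submission arrives from 127.0.0.1, which the file marks RELAY; that is the trade-off the thread is circling around.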
 