Help with Sendmail filters for outgoing mail by sender/recipient
I am trying to configure sendmail to filter mail in AND out.
I have this sendmail server servicing mail for DomainA. I have another mail server (DomainB).
Any mail traffic between A and B allowed
Any mail destined from A to anywhere other than B denied
EXCEPT for a single user (notify@domainA) to be allowed to send anywhere.
I have already restricted inbound port 25 connections from hitting the mail server with iptables, which works well.
I have read all the chapters in O'Reilly's most recent sendmail book about rulesets (very confusing language) and filters with access.db, and the only thing that seems to come close is FEATURE(`check_compat'). As far as I can tell, though, it only regulates user/user or domain/domain, but not user/domain.
check the following file for extensive help
anyway your problem is not very difficult to solve
in fact you can control user/domain pairs also using /etc/mail/access
but don't forget to run the following command after modifying the access file:
makemap hash /etc/mail/access < /etc/mail/access
Thanks for the pointer...I actually had read that page, but it does not help as I am not trying to control relaying per se. Relaying on the server is off and is not an issue.
Please read my original post carefully
I am mainly trying to control OUTBOUND mail originating by/from users on the mail server.
I believe the access.db to be key but can not find any exacting, detailed examples of how to achieve user/domain and domain/domain limitations.
If my sendmail server is A and my other mail server is B, then I want:
A accepts inbound mail only from B
A always and only allows outbound mail to B (no mail allowed to rest of world)
EXCEPT for a specified user@A that can send mail anywhere in the world.
well just modify your sendmail.mc file as follows:
1. Disable the relay_entire_domain and accept_unresolvable_domains FEATUREs, if already enabled.
2. Enable the relay_mail_from and, if necessary, relay_hosts_only FEATUREs.
3. Put the access_db definition in if it is not there
now your /etc/mail/access should look like this:
(considering your network address is 192.168.1.x and your mail server A is not a gateway)
then run command
makemap hash /etc/mail/access < /etc/mail/access
and start sendmail
I hope this will solve your problem
Thanks for the reply, Corin, I'll try to be more specific here:
Both of these mail servers are mine:
DomainA is sendmail mta with squirrelmail hosted outside our firewall. We want to email sensitive data to customers securely, so we are hosting a webmail server where they will have accounts and we can send sensitive data there for them to view via secure web access.
DomainB is our exchange server inside our firewall, hosting our company mail, which is where the mail to our customers will originate from.
I'm setting up the webmail server so that our company can securely send mail somewhere our customers can view it (securely). I don't want any of the sensitive data forwarded out to other email accounts (even the customers'), but I have a script that will send out delivery notification to the customer to come and check their mail.
So my wishes are:
all mail between exchange and sendmail is ok. (domainA/domainB OK)
no mail delivery allowed to/from sendmail server from anywhere else (domainA/* REJECT)
user notify@domainA can send anywhere (notify@domainA/* OK)
I hope that helps everyone understand more clearly.
I have iptables running not to allow inbound port 25 connections from anywhere other than the IP of my exchange server, so that part is a non issue.
Sashhoney, I will try your suggestions but I have a question...what does the "192.168.1 REJECT" do in access file? Is that what disables delivery to everywhere except the hosts and users below?
Well as I said, after you explained in your post about the relaying (detailed at sendmail.ORG) not being the actual control you wanted to do, I have a feeling that you are going to have to roll up your sleeves and very carefully sit down and write the rules out, which I tried to make an attempt at doing.
Then you are going to have to become a sendmail guru and actually handcraft these rules into your sendmail.cf, and forget about sendmail.mc since the features it provides are not fine enough for the control you want to do.
Since sendmail.cf configuration is a black art, you must proceed very cautiously, adding/changing one rule at a time and thoroughly testing it.
The obvious way to proceed because of the security aspect is to lock off everything first, all messages regardless of origin/destination get bounced and gradually let things through according to your criteria of matching originating user and host, and destination user and host.
If you feel that you do not wish to become an expert in the black arts of sendmail configuration, then install exim which is a much more easily configurable mailer, has security authentication with keys, and ACLs.
well can you post your relevant lines of the sendmail.mc file, so that we'll be able to identify what exactly is missing.
anyway about your first query, well if OK is used then it will override all the previously defined rules. so the idea is to Reject all the relaying queries from your network and allow only from your required domain or user.
now just try to put From: and To: before your network address. I don't know whether it'll make any difference or not.
This does several things right and is almost complete:
1. Allows inbound mail from domainB only
2. Does not allow users@domainA to send to outside world.
3. Allows only the user1@domainA to send to outside world (mail delivery notification)
The only thing lacking is it does not allow users@domainA to send to domainB. Incidentally, "To:domainB OK" doesn't make a difference, whether in or out, no mail goes to domainB except from user1
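The behaviour described in this last post (users@domainA cannot reach domainB even with "To:domainB OK", while notify@domainA can send anywhere) follows from how tagged access-map entries are consulted: the From: lookup happens at MAIL FROM and the To: lookup at RCPT TO, and neither sees the other address. The script below is an added example, not code from the thread or from sendmail; it is a simplified model of that lookup order (most specific key first: full address, then host, then each parent domain) using the entries suggested in the sendmail.mc recipe above, with the assumed value semantics OK = accept the address but grant no relaying, RELAY = permit relaying, REJECT = refuse. It then contrasts this with a pair-based decision of the kind a check_compat-style ruleset can express. Domain names, addresses and the LOCAL_DOMAINS set are constructed from the scenario in the thread.

```python
"""Model of tagged access-map lookups versus a sender/recipient pair policy.

Added example for this thread, not sendmail code.  Simplifications: no Connect:
keys, no IP keys, no untagged keys, no actual rewriting rulesets.  Assumed
semantics: the most specific key wins (full address, then host, then each
parent domain); OK accepts an address without granting relay, RELAY permits
relaying, REJECT refuses.
"""

# Constructed entries mirroring the thread: domainA is the sendmail/webmail
# host, domainB the internal Exchange server, notify@domainA the one account
# allowed to mail anywhere.
ACCESS = {
    "From:domainB": "OK",
    "From:notify@domainA": "RELAY",   # effective only with FEATURE(`relay_mail_from')
    "From:domainA": "REJECT",
    "To:domainB": "OK",               # as tried in the thread: OK, not RELAY
}
LOCAL_DOMAINS = {"domaina"}           # domains server A delivers to itself (assumed)


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _candidates(tag, addr):
    """Lookup keys from most to least specific:
    tag:user@host.dom, tag:host.dom, tag:dom, ..."""
    tag, addr = tag.lower(), addr.lower()
    yield f"{tag}:{addr}"
    labels = _domain(addr).split(".")
    for i in range(len(labels)):
        yield f"{tag}:{'.'.join(labels[i:])}"


def lookup(tag, addr, access=ACCESS):
    """Return the value of the first (most specific) matching key, else None."""
    table = {k.lower(): v for k, v in access.items()}
    for key in _candidates(tag, addr):
        if key in table:
            return table[key]
    return None


def decide(sender, recipient, access=ACCESS, local=LOCAL_DOMAINS):
    """Per-address model: the sender is judged at MAIL FROM, the recipient at
    RCPT TO.  Neither lookup sees the other address, so a sender REJECT cannot
    be undone by any To: entry."""
    s = lookup("From", sender, access)
    if s == "REJECT":
        return "REJECT (sender)"
    r = lookup("To", recipient, access)
    if r == "REJECT":
        return "REJECT (recipient)"
    if _domain(recipient) in local:
        return "ACCEPT (local delivery)"
    if s == "RELAY" or r == "RELAY":
        return "ACCEPT (relay)"
    return "REJECT (relaying denied)"


def pair_policy(sender, recipient):
    """What a pair ruleset can express: the poster's three rules judged on
    sender AND recipient together (A<->B ok, notify@A anywhere, else reject)."""
    sdom, rdom = _domain(sender), _domain(recipient)
    if sdom in ("domaina", "domainb") and rdom in ("domaina", "domainb"):
        return "ACCEPT"
    if sender.lower() == "notify@domaina":
        return "ACCEPT"
    return "REJECT"


if __name__ == "__main__":
    cases = [("bob@domainA", "alice@domainB"),
             ("bob@domainA", "cust@example.com"),
             ("notify@domainA", "cust@example.com"),
             ("boss@domainB", "cust@domainA")]
    for snd, rcp in cases:
        print(f"{snd:>16} -> {rcp:<18} access: {decide(snd, rcp):26} "
              f"pair: {pair_policy(snd, rcp)}")
```

Running it shows the asymmetry the thread ran into: bob@domainA to alice@domainB is rejected at the sender stage, and swapping "To:domainB OK" for "To:domainB RELAY" changes nothing because the From:domainA REJECT fires before the recipient is ever looked up. The pair_policy function accepts that same message, which is the distinction between per-address access entries and a pair-aware ruleset.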