Old 04-29-2016, 10:42 PM   #1
mfoley
Configure sendmail to reject all incoming email except specific whitelistings


I'd like to configure sendmail to permit outgoing emails to any address, but reject ALL incoming email except to a few specific addresses. Can I do this?
 
Old 04-30-2016, 08:48 AM   #2
bathory
Hi
Quote:
Originally Posted by mfoley
I'd like to configure sendmail to permit outgoing emails to any address, but reject ALL incoming email except to a few specific addresses. Can I do this?
One way to achieve this is to use a virtusertable file:
Code:
user1@domain.com user1
user2@domain.com user2
@domain.com error:nouser 550 User unknown
And of course rebuild the virtuser database:
Code:
makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
Another way is by reading this post.

Regards
 
Old 05-02-2016, 02:26 PM   #3
mfoley
bathory: I had already seen that link you referenced but, even though I've done extensive sendmail.mc stuff, that looked a bit complicated.

Your virtusertable thing seemed like the way to go, but when I tried it I got

>>> user1@domain.com (after RCPT TO): 550 5.7.1 <user1@domain.com>... Relaying denied

It appears that the final "550" rejection takes precedence.

Other ideas short of the sendmail.cf changes?

With respect to the sendmail.cf change, here's what that weblink suggests at the end of the .mc file:

Code:
LOCAL_CONFIG
Kwhitelist hash -T<TMPF> -aOK /etc/mail/whitelist
LOCAL_RULESETS
SLocal_check_mail
R$*     $: $(whitelist From:$1 $: ? $)
R?      $: $(whitelist Connect:$&{client_addr} $)
ROK     $@ OK
R$*     $#error $: 550 Access denied
I did try that and got a maillog error:
Code:
May  2 15:30:06 sanford sm-mta[6501]: NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 1747: invalid rewrite line "R\001*     \001#error \001: 550 Access denied" (tab expected)
I'll try playing around, but where is it expecting a TAB?

Last edited by mfoley; 05-02-2016 at 02:32 PM.
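
Sendmail requires a tab between the left-hand and right-hand side of every `R` line, which is what the "(tab expected)" error above reports; rules pasted from a web page often arrive with the tabs turned into spaces. The check below is an added example, not part of the thread or of the linked post; the function names and the sample file are constructed here, and the repair step is a heuristic.

```shell
#!/bin/sh
# Added example: lint sendmail rewrite rules for the LHS/RHS tab separator.
# Assumption: the input is sendmail.cf or a LOCAL_RULESETS fragment, where
# every line starting with "R" is a rewrite rule.

# Print "line N: <rule>" for each R line without a tab; return 1 if any found.
check_rule_tabs() {
    awk '
        /^R/ && index($0, "\t") == 0 { printf "line %d: %s\n", NR, $0; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Heuristic repair: on R lines with no tab, turn the first run of two or more
# spaces into one tab (a single space can be part of the LHS pattern).
fix_rule_tabs() {
    awk '
        /^R/ && index($0, "\t") == 0 { sub(/  +/, "\t") }
        { print }
    ' "$1"
}

# Constructed sample: the ruleset from the post, pasted with spaces only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SLocal_check_mail
R$*     $: $(whitelist From:$1 $: ? $)
R?      $: $(whitelist Connect:$&{client_addr} $)
ROK     $@ OK
R$*     $#error $: 550 Access denied
EOF

check_rule_tabs "$sample" || echo "rules above need a tab between LHS and RHS"
fix_rule_tabs "$sample" > "$sample.fixed"
check_rule_tabs "$sample.fixed" && echo "fixed copy passes"
rm -f "$sample" "$sample.fixed"
```

Run the check against the LOCAL_RULESETS lines before regenerating sendmail.cf, and review the repaired copy by eye, since the two-space heuristic cannot tell a lost tab from deliberate spacing inside a pattern.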
 
Old 05-02-2016, 03:43 PM   #4
mfoley
I guess this isn't going to be a simple answer after all. I did fix the TAB thing and added the local rule. My /etc/mail/whitelist has:

Code:
From:mfoley@novatec-inc.com
From:mfoley@server.novatec-inc.com
Connect:127.0.0.1
Connect:
When I send a message from mfoley@novatec-inc.com to mfoley@horeb-wright3.org, I get:
Code:
May  2 16:37:38 sanford sm-mta[6695]: u42Kbcsw006695: ruleset=check_rcpt, arg1=<mfoley@horeb-wright3.org>, relay=cdptpa-outbound-snat.email.rr.com [107.14.166.232], reject=550 5.0.0 <mfoley@horeb-wright3.org>... Access denied
May  2 16:37:43 sanford sm-mta[6695]: u42Kbcsw006695: from=<mfoley@server.novatec-inc.com>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=cdptpa-outbound-snat.email.rr.com [107.14.166.232]
Without the new rule, messages from mfoley@novatec-inc.com to mfoley@horeb-wright3.org are delivered without problem.

Any idea?
 
Old 05-03-2016, 03:13 AM   #5
bathory
Quote:
but when I tried it I got

>>> user1@domain.com (after RCPT TO): 550 5.7.1 <user1@domain.com>... Relaying denied

It appears that the final "550" rejection takes precedence
Are you using a "Relaying denied" rejection message?
Also note that you have to put first the email addresses and the corresponding local usernames and at the end the wildcard rejection.

Quote:
My /etc/mail/whitelist has:

From:mfoley@novatec-inc.com
From:mfoley@server.novatec-inc.com
Connect:127.0.0.1
Connect:
From your OP, I thought that you wanted to block all the incoming email, except to a couple of recipients. If that's the case, then you need to use the code in the 2nd snippet of the above link and also use To: instead of From: in the whitelist file:
Code:
To:mfoley@novatec-inc.com
...
 
Old 05-03-2016, 11:40 PM   #6
mfoley
My bad, yes, my OP is badly worded. Let's start over. I want to permit specific From:'s coming into this server. I don't really care on the local recipient side -- if the user doesn't exist it won't get delivered, NBD. Furthermore, I don't want any restrictions on local users sending to anyone, anywhere.

So, does that alter your suggestion for the virtusertable? (which I did configure exactly as you showed)

Possible complication: the domain horeb-wright3.org will be one of several domains hosted on this computer. I do have that domain in /etc/mail/local-host-names. This server's real FQDN is sanford.local.
 
Old 05-04-2016, 02:55 AM   #7
bathory
Quote:
So, does that alter your suggestion for the virtusertable? (which I did configure exactly as you showed)
Yes, virtusertable is of no use in this scenario.


Quote:
I want to permit specific From:'s coming into this server. I don't really care on the local recipient side -- if the user doesn't exist it won't get delivered, NBD. Furthermore, I don't want any restrictions on local users sending to anyone, anywhere.
So you have to follow the 1st example in the link posted. Restart sendmail after using sendmail.mc to create the new sendmail.cf.
Also make sure that you whitelist the sender addresses you want and rebuild the whitelist database afterwards.
 
  

