LinuxQuestions.org
Old 03-16-2011, 05:15 AM   #1
maradnus
Member
 
Registered: Oct 2008
Location: Yellagiri Hills
Distribution: Fedora
Posts: 87

Rep: Reputation: 15
sendmail: restrict access between users


Dear Friends,

How to prevent a user sending a mail to a particular user in an intranet mail server?

I tried with /etc/mail/access file but could not....

Looking forward....

Last edited by maradnus; 03-16-2011 at 05:25 AM.
 
Old 03-16-2011, 07:32 AM   #2
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
maradnus,
You need the compat_check feature as well as the access_db feature. You have to put "FEATURE(`compat_check')" BELOW the access_db FEATURE line in sendmail.mc, or the Build script will not create the sendmail.cf correctly. Here is how that portion of your sendmail.mc should look:

Code:
FEATURE(`access_db')
FEATURE(`mailertable',`hash -T<TMPF> /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -T<TMPF> /etc/mail/virtusertable.db')dnl
FEATURE(`access_db',`hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`compat_check')
Don't forget to install the new cf file with "./Build install-cf". Re-start sendmail with "/etc/init.d/sendmail restart". You should see no error messages.

Put a line like this in your /etc/mail/access:
Code:
Compat:fred@domain.com<@>joe@domain.com DISCARD
Rebuild access.db:
Code:
$ sudo makemap hash /etc/mail/access.db < /etc/mail/access
Spoof an SMTP session like this:
Code:
$ telnet localhost 25
Trying 127.0.0.1...
Connected to mail.domain.org.
Escape character is '^]'.
220 mail.domain.org ESMTP Sendmail 8.14.4/8.14.4; Wed, 16 Mar 2011 07:19:24 -0500
ehlo x
250-mail.domain.org Hello mail.domain.org [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
mail from:<fred@domain.com>
250 2.1.0 <fred@domain.com>... Sender ok
rcpt to:<joe@domain.com>
250 2.1.5 <joe@domain.com>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Subject: boom!

here
.
250 2.0.0 p2GCJOZG005022 Message accepted for delivery
quit
Sendmail apparently accepted the message for delivery! But look at your mail log and you will see that the message was discarded. You can also REJECT messages this way.

Code:
Mar 16 07:20:25 mail sendmail[5022]: p2GCJOZG005022: from=<fred@domain.com>, size=21, class=0, nrcpts=1, msgid=<201103161220.p2GCJOZG005022@mail.domain.org>, proto=ESMTP, daemon=MTA, relay=mail.domain.org [127.0.0.1]
Mar 16 07:20:25 mail sendmail[5545]: p2GCJOZG005022: ruleset=check_compat, arg1=<fred@domain.com>, arg2=<joe@domain.com>, relay=mail.domain.org [127.0.0.1], discard
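Because the SMTP client still sees "250 Message accepted" for a discarded message, the mail log is the only place the policy decision is visible. The following is an added example, not part of the original post: it joins each check_compat log entry to the envelope entry with the same queue ID. The function name and the third sample line are constructed for illustration.

```python
import re

# The first two lines are the log lines quoted in the post above;
# the third (an unrelated message) is constructed for contrast.
SAMPLE_LOG = [
    "Mar 16 07:20:25 mail sendmail[5022]: p2GCJOZG005022: from=<fred@domain.com>, size=21, class=0, nrcpts=1, msgid=<201103161220.p2GCJOZG005022@mail.domain.org>, proto=ESMTP, daemon=MTA, relay=mail.domain.org [127.0.0.1]",
    "Mar 16 07:20:25 mail sendmail[5545]: p2GCJOZG005022: ruleset=check_compat, arg1=<fred@domain.com>, arg2=<joe@domain.com>, relay=mail.domain.org [127.0.0.1], discard",
    "Mar 16 07:21:02 mail sendmail[5550]: p2GCL1aB005549: from=<joe@domain.com>, size=40, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.domain.org [127.0.0.1]",
]

ENTRY = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
ENVELOPE = re.compile(r"^from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")
COMPAT = re.compile(
    r"^ruleset=check_compat, arg1=<(?P<sender>[^>]*)>, arg2=<(?P<rcpt>[^>]*)>"
)


def check_compat_hits(lines):
    """Return one record per check_compat verdict, joined to its envelope by queue ID."""
    envelopes, verdicts = {}, []
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, rest = entry["qid"], entry["rest"]
        env = ENVELOPE.match(rest)
        if env:
            envelopes[qid] = int(env["size"])
            continue
        hit = COMPAT.match(rest)
        if hit:
            # Assumption: the verdict is the last comma-separated field,
            # as in the "discard" line shown in the post.
            verdict = rest.rsplit(", ", 1)[-1]
            verdicts.append((qid, hit["sender"], hit["rcpt"], verdict))
    # Join after the scan so line order in the log does not matter.
    return [
        {"qid": q, "sender": s, "rcpt": r, "verdict": v, "size": envelopes.get(q)}
        for q, s, r, v in verdicts
    ]


if __name__ == "__main__":
    for rec in check_compat_hits(SAMPLE_LOG):
        print("{qid}: {sender} -> {rcpt} {verdict} (size={size})".format(**rec))
```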
 
Old 03-16-2011, 08:13 AM   #3
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
sendmail.cf compat ruleset

I forgot to mention that you should check for the presence of the following ruleset in your production sendmail.cf:
Code:
Scheck_compat
# look up the pair of addresses
# (we use <@> as the separator.  Note this in the map too!)
R< $+ > $| $+           $: $1 $| $2
R$+ $| < $+ >           $: $1 $| $2
R$+ $| $+               $: <$(access Compat:$1<@>$2 $:OK $)>
R$* $| $*               $@ ok
# act on the result,
# it must be one of the following... anything else will be allowed..
R< DISCARD:$* > $#discard $: $1 " - discarded by check_compat"
R< DISCARD $* > $#discard $: $1 " - discarded by check_compat"
R< TEMP:$* >    $#error $@ TEMPFAIL $: $1 " error from check_compat. Try again later"
R< ERROR:$* >   $#error $@ UNAVAILABLE $: $1 " error from check_compat"
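The ruleset above only acts on values beginning with DISCARD, TEMP: or ERROR:, and only looks up keys that use the `<@>` separator, so a mistyped entry in /etc/mail/access silently allows the mail. The following is an added example, not part of the original post: a small linter for Compat: entries based on the ruleset as listed. The function name, the finding labels and all sample entries except the fred/joe line are constructed, and the uppercase spellings from the ruleset are assumed.

```python
import re

# Values the check_compat ruleset listed above acts on. Per the ruleset's own
# comment, anything else is allowed. Assumption: uppercase spellings as listed.
ACTED_ON = re.compile(r"^(DISCARD(\s|:|$)|TEMP:|ERROR:)")
# Key form from the post: Compat:sender<@>recipient
KEY = re.compile(r"^Compat:[^<>\s]+<@>[^<>\s]+$")

# Constructed /etc/mail/access content; only the fred/joe entry is from the post.
SAMPLE_ACCESS = """\
# constructed sample
Compat:fred@domain.com<@>joe@domain.com   DISCARD
Compat:ann@domain.com<@>bob@domain.com    ERROR:mail between these users is blocked
Compat:eve@domain.com<@>joe@domain.com    REJECT
Compat:sam@domain.com@joe@domain.com      DISCARD
Compat:kim@domain.com<@>joe@domain.com
"""


def lint_compat(text):
    """Return (line_number, problem) for Compat: entries that will not take effect."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts or not parts[0].startswith("Compat:"):
            continue  # comments, blank lines and other access tags
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if not KEY.match(key):
            # The ruleset looks up Compat:sender<@>recipient; other keys never match.
            findings.append((lineno, "bad-key"))
        if not ACTED_ON.match(value):
            # Not one of the values the ruleset acts on, so the mail is allowed.
            findings.append((lineno, "ignored-value"))
    return findings


if __name__ == "__main__":
    for lineno, problem in lint_compat(SAMPLE_ACCESS):
        print("line %d: %s" % (lineno, problem))
```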
 
Old 03-16-2011, 11:54 AM   #4
maradnus
Member
 
Registered: Oct 2008
Location: Yellagiri Hills
Distribution: Fedora
Posts: 87

Original Poster
Rep: Reputation: 15
Thank you friend.
It works....!

Now, can I do the same thing for the group of users? That is, I have to restrict mailing between two groups.

Can I make use of /etc/aliases file for that?

Last edited by maradnus; 03-18-2011 at 05:33 AM.
 
Old 03-19-2011, 11:09 PM   #5
maradnus
Member
 
Registered: Oct 2008
Location: Yellagiri Hills
Distribution: Fedora
Posts: 87

Original Poster
Rep: Reputation: 15
Thank you friend.
It works....!

Now, can I do the same thing for the group of users? That is, I have to restrict mailing between two groups.

Can I make use of /etc/aliases file for that?
 
  

