LinuxQuestions.org, Linux - Software forum
#1, 07-31-2003, 11:01 AM, LQ Newbie (Registered: Jul 2003, Posts: 10)
Help with Sendmail filters for outgoing mail by sender/recipient
First post for me here, please forgive any shortcomings.
My environment:
P3 500, 128 MB
RH9, kernel 2.4.20-6
Sendmail 8.12.8-5
Squirrelmail 1.2.11-1
I am trying to configure sendmail to filter mail in AND out.
I have this sendmail server servicing mail for DomainA. I have another mail server (DomainB).
I want:
Any mail traffic between A and B allowed
Any mail destined from A to anywhere other than B denied
EXCEPT for a single user (notify@domainA) to be allowed to send anywhere.
I have already restricted inbound port 25 connections from hitting the mail server with iptables, which works well.
I have read all the chapters in O'Reilly's most recent sendmail book about rulesets (very confusing language) and filters with access.db, and the only thing that seems to come close is FEATURE(`check_compat'). As far as I can tell, though, it only regulates user/user or domain/domain, but not user/domain.
All helpful suggestions are appreciated!
Last edited by gljoe; 07-31-2003 at 11:03 AM.
#2, 08-01-2003, 01:06 AM, Senior Member (Registered: Mar 2003, Location: Beautiful BC, Distribution: RedHat & clones, Slackware, SuSE, OpenBSD, Posts: 1,791)
/etc/mail/access is the key to all your sendmail issues
#3, 08-02-2003, 03:11 AM, Member (Registered: Jul 2003, Distribution: Red Hat, Fedora, Debian, Posts: 85)
Check the following file for extensive help:
/usr/share/sendmail{version}/README
Anyway, your problem is not very difficult to solve; in fact you can control user/domain pairs also using /etc/mail/access.
But don't forget to run the following command after modifying the access file:
makemap hash /etc/mail/access < /etc/mail/access
#4, 08-04-2003, 11:38 AM, LQ Newbie, Original Poster (Registered: Jul 2003, Posts: 10)
I appreciate the pointers. I have perused the README, and many sites on the internet and have not found any specific help doing what I want to do.
I'd like to get some sample syntax and a detailed a, b, c, etc. I'm sure it must be very simple, I just can't find any examples of exactly what I'm trying to do anywhere.
Thanks in advance....
#5, 08-04-2003, 02:50 PM, Member (Registered: Jul 2003, Location: Jette, Brussels Hoofstedelijk Gewest, Distribution: Debian sid, RedHat 9, Suse 8.2, Posts: 446)
The site you must bookmark is
http://www.sendmail.ORG
and that is the place to look for detailed instructions on how to achieve what seem like arcane tasks with sendmail.
You can even do a site search there, using the Google engine, with which you are no doubt already comfortable and familiar.
And that reveals
http://www.sendmail.org/tips/relaying.html
where you will find detailed help on which features to turn on and off in your sendmail.mc file, which once edited must be run through m4, using
    #> make clean
    #> make
to generate a new sendmail.cf, and details of how to configure /etc/mail/access (which also must be processed to create a db file).
Last edited by Corin; 08-04-2003 at 02:51 PM.
#6, 08-05-2003, 04:17 PM, LQ Newbie, Original Poster (Registered: Jul 2003, Posts: 10)
Thanks for the pointer...I actually had read that page, but it does not help as I am not trying to control relaying per se. Relaying on the server is off and is not an issue.
Please read my original post carefully.
I am mainly trying to control OUTBOUND mail originating by/from users on the mail server.
I believe the access.db to be key but can not find any exacting, detailed examples of how to achieve user/domain and domain/domain limitations.
If my sendmail server is A and my other mail server is B, then I want:
A accepts inbound mail only from B
A always and only allows outbound mail to B (no mail allowed to rest of world)
EXCEPT for a specified user@A that can send mail anywhere in the world.
Thanks for any help!
#7, 08-05-2003, 08:46 PM, Member (Registered: Jul 2003, Location: Jette, Brussels Hoofstedelijk Gewest, Distribution: Debian sid, RedHat 9, Suse 8.2, Posts: 446)
Quote:
    1) A accepts inbound mail only from B
    2) A always and only allows outbound mail to B (no mail allowed to rest of world)
    EXCEPT for a specified user@A that can send mail anywhere in the world.
When you say inbound mail from B, do you mean mail relayed from B, or only originating from B, because there is a difference.
So are these the rules?
    if sender is user@A then deliver (to any given address)
    elif sender is *@B then deliver on A if TO: is *@A, otherwise bounce
    elif destination is *@B then send to B
I think you need to think through your rules carefully, considering
what to do in all cases, and see if you can actually achieve your results with just the access feature.
How are you going to prevent people on A forging messages?
Will not anybody on A be able to telnet to port 25 on A and send a message using a FROM field with specifieduser and thus circumvent the check?
#8, 08-06-2003, 01:18 AM, Member (Registered: Jul 2003, Distribution: Red Hat, Fedora, Debian, Posts: 85)
Well, just modify your sendmail.mc file as follows:
1. Disable the relay_entire_domain and accept_unresolvable_domains FEATUREs, if already enabled.
2. Enable the relay_mail_from and, if necessary, relay_hosts_only FEATURE.
3. Put the access_db definition in, if not there.
Now your /etc/mail/access should look like this (considering your network address is 192.168.1.x and your mail server A is not a gateway):
192.168.1 REJECT
From:B OK
To:B OK
From:user@A OK
To:user@A OK
Then run the command
makemap hash /etc/mail/access < /etc/mail/access
and start sendmail.
I hope this will solve your problem.
-Sidd
#9, 08-06-2003, 04:23 PM, LQ Newbie, Original Poster (Registered: Jul 2003, Posts: 10)
Thanks for the reply, Corin, I'll try to be more specific here:
Both of these mail servers are mine:
DomainA is sendmail mta with squirrelmail hosted outside our firewall. We want to email sensitive data to customers securely, so we are hosting a webmail server where they will have accounts and we can send sensitive data there for them to view via secure web access.
DomainB is our exchange server inside our firewall, hosting our company mail, which is where the mail to our customers will originate from.
I'm setting up the webmail server so that our company can securely send mail somewhere our customers can view it (securely). I don't want any of the sensitive data forwarded out to other email accounts (even the customers'), but I have a script that will send out delivery notification to the customer to come and check their mail.
So my wishes are:
all mail between exchange and sendmail is ok. (domainA/domainB OK)
no mail delivery allowed to/from sendmail server from anywhere else (domainA/* REJECT)
user notify@domainA can send anywhere (notify@domainA/* OK)
I hope that helps everyone understand more clearly.
I have iptables running not to allow inbound port 25 connections from anywhere other than the IP of my exchange server, so that part is a non issue.
Sashhoney, I will try your suggestions but I have a question...what does the "192.168.1 REJECT" do in access file? Is that what disables delivery to everywhere except the hosts and users below?
I will try these things and post back shortly.
Last edited by gljoe; 08-06-2003 at 04:33 PM.
#10, 08-06-2003, 04:53 PM, LQ Newbie, Original Poster (Registered: Jul 2003, Posts: 10)
Ok, exactly as you suggested, substituting my actual network for 192.168.1
Sendmail is still delivering messages to outside domains for all users on the mail server.
Any other ideas?
#11, 08-06-2003, 06:53 PM, Member (Registered: Jul 2003, Location: Jette, Brussels Hoofstedelijk Gewest, Distribution: Debian sid, RedHat 9, Suse 8.2, Posts: 446)
Well, as I said, after you explained in your post about the relaying (detailed at sendmail.ORG) not being the actual control you wanted to do, I have a feeling that you are going to have to roll up your sleeves and very carefully sit down and write the rules out, which I tried to make an attempt at doing.
Then you are going to have to become a sendmail guru and actually handcraft these rules into your sendmail.cf, and forget about sendmail.mc since the features it provides are not fine enough for the control you want to do.
Since sendmail.cf configuration is a black art, you must proceed very cautiously, adding/changing one rule at a time and thoroughly testing it.
The obvious way to proceed, because of the security aspect, is to lock off everything first (all messages regardless of origin/destination get bounced) and gradually let things through according to your criteria of matching originating user and host, and destination user and host.
If you feel that you do not wish to become an expert in the black arts of sendmail configuration, then install exim, which is a much more easily configurable mailer, has security authentication with keys, and ACLs.
http://www.exim.ORG
Linux gives you the power to choose, but with that power comes responsibility.
#12, 08-07-2003, 01:53 AM, Member (Registered: Jul 2003, Distribution: Red Hat, Fedora, Debian, Posts: 85)
Well, can you post your relevant lines of the sendmail.mc file, so that we'll be able to identify what exactly is missing.
Anyway, about your first query: if OK is used then it will override all the previously defined rules, so the idea is to reject all the relaying queries from your network and allow only from your required domain or user.
Now just try to put From: and To: before your network address. I don't know whether it'll make any difference or not.
#13, 08-07-2003, 03:41 PM, LQ Newbie, Original Poster (Registered: Jul 2003, Posts: 10)
I almost have this working using only FEATURES and access file.
Here are the relevant lines of sendmail.mc:
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`relay_mail_from',`domain')dnl
FEATURE(`relay_hosts_only')dnl
RELAY_DOMAIN(`domainB')dnl
And the Access File:
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
domainB RELAY
From:user1@domainA RELAY
To:domainB OK
From:domainA REJECT
This does several things right and is almost complete:
1. Allows inbound mail from domainB only
2. Does not allow users@domainA to send to outside world.
3. Allows only the user1@domainA to send to outside world (mail delivery notification)
The only thing lacking is it does not allow users@domainA to send to domainB. Incidentally, "To:domainB OK" doesn't make a difference; whether in or out, no mail goes to domainB except from user1.
Almost home on this one...please help!
#14, 08-07-2003, 11:06 PM, Member (Registered: Jul 2003, Location: Jette, Brussels Hoofstedelijk Gewest, Distribution: Debian sid, RedHat 9, Suse 8.2, Posts: 446)
From:domainA REJECT
means that everything from domainA is REJECTED, even if TO domainB is OK.
user1@domainA RELAY means that this specific user overrides the domainA REJECT rule.
The problem is you do not have (and cannot?)
From domainA and not TO domainB REJECT
which is what you want.
In fact your rule
To:domainB OK
allows anybody not prevented by the other rules to send mail to domainB.
#15, 08-08-2003, 09:28 AM, LQ Newbie, Original Poster (Registered: Jul 2003, Posts: 10)
I'd like to understand the order things get processed better. What order do the features run, what overrides what else, etc.?
It's strange that, with the default behavior of sendmail being to reject mail unless there is an allow found in access_db, the To:domainB OK doesn't override the From:domainA REJECT.
Also,
the O'Reilly "Sendmail" 3rd edition that I am using says at the bottom of p. 318 "If the host is listed with the RELAY_DOMAIN mc macro...it is relayed without checking the access database."
So, I added "RELAY_DOMAIN(`domainB')" to my sendmail.mc, but apparently the access_db is still checked for mail that originates locally.
I'm still hopeful there is a way to do this, that I am missing something easy here.
I very much want to avoid becoming a disciple of the dark art of sendmail rulesets!
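The processing-order question in post #15, and the behaviour reported in posts #13 and #14 (To:domainB OK never helping once From:domainA REJECT matches), come down to one fact: the From: lookup runs at MAIL FROM time, before any recipient exists, and each access.db lookup is independent of the others. The model below, added here as an example and not sendmail's own code, replays the access file from post #13 through a simplified version of the check_relay / check_mail / check_rcpt sequence. Assumptions: the lookup order (full address, then the domain and its parent domains, then user@, with tagged Connect:/From:/To: keys tried before untagged ones) follows cf/README; RELAY_DOMAIN and relay_mail_from are reduced to the LOCAL_DOMAINS / RELAY_DOMAINS / RELAY_MAIL_FROM constants; the envelopes are constructed for the demonstration, with the thread's domainA/domainB placeholders. The fourth case also shows the forgery that post #7 warns about.

```python
"""Simplified model of how sendmail consults access.db at MAIL FROM and
RCPT TO time.  Added example for this thread, not sendmail's own code: the
real rulesets in sendmail.cf are more involved, but the lookup order used
here (full address, then the domain and its parent domains, then user@;
tagged Connect:/From:/To: keys before untagged ones) follows cf/README.
The domain names are the thread's placeholders; the sample envelopes are
constructed for the demonstration."""

# The access file from post #13 (makemap turns it into access.db).
ACCESS_FILE = """\
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
domainB RELAY
From:user1@domainA RELAY
To:domainB OK
From:domainA REJECT
"""

LOCAL_DOMAINS = {"domaina"}   # class w: mail for these is delivered locally
RELAY_DOMAINS = {"domainb"}   # RELAY_DOMAIN(`domainB') in sendmail.mc (assumed)
RELAY_MAIL_FROM = True        # FEATURE(`relay_mail_from') in sendmail.mc (assumed)


def parse_access(text):
    """Parse 'key value' lines into a dict; keys are case-insensitive."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip().upper()
    return table


def _domain_keys(name):
    """host.sub.example -> [host.sub.example, sub.example, example];
    1.2.3.4 -> [1.2.3.4, 1.2.3, 1.2, 1] (networks match by leading octets)."""
    parts = name.split(".")
    if all(p.isdigit() for p in parts):
        return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return [".".join(parts[i:]) for i in range(len(parts))]


def candidate_keys(tag, item):
    """Every key one lookup tries, most specific first."""
    if "@" in item:
        user, domain = item.rsplit("@", 1)
        keys = [item] + _domain_keys(domain) + [user + "@"]
    else:
        keys = _domain_keys(item)
    out = []
    for k in keys:
        out += [tag + ":" + k, k]   # tagged entry first, then the old untagged form
    return out


def lookup(table, tag, item):
    for k in candidate_keys(tag, item):
        if k.lower() in table:
            return table[k.lower()]
    return None   # no entry: fall through to sendmail's defaults


def smtp_transaction(table, client, mail_from, rcpt_to):
    """Return (stage, verdict) for one envelope, stopping at the first refusal."""
    conn = lookup(table, "Connect", client)          # check_relay
    if conn == "REJECT":
        return ("CONNECT", "REJECT")

    # check_mail runs on MAIL FROM, before any recipient is known, so a
    # From: REJECT can never be rescued by a To: entry.
    sender = lookup(table, "From", mail_from)
    if sender == "REJECT":
        return ("MAIL FROM", "REJECT")

    rcpt = lookup(table, "To", rcpt_to)               # check_rcpt
    if rcpt == "REJECT":
        return ("RCPT TO", "REJECT")
    if rcpt in ("OK", "RELAY"):
        return ("RCPT TO", "ACCEPT")
    rdomain = rcpt_to.rsplit("@", 1)[1].lower()
    if rdomain in LOCAL_DOMAINS or rdomain in RELAY_DOMAINS:
        return ("RCPT TO", "ACCEPT")
    # Anything else is relaying: allowed only for a Connect: RELAY client or,
    # with relay_mail_from, a From: RELAY envelope sender (which anyone who
    # can reach port 25 can forge, the point raised in post #7).
    if conn == "RELAY" or (RELAY_MAIL_FROM and sender == "RELAY"):
        return ("RCPT TO", "ACCEPT")
    return ("RCPT TO", "RELAYING DENIED")


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    cases = [  # (client, MAIL FROM, RCPT TO): constructed sample envelopes
        ("127.0.0.1", "alice@domainA", "bob@domainB"),      # what the OP wants allowed
        ("127.0.0.1", "user1@domainA", "cust@example.com"), # notification account
        ("domainB",   "boss@domainB",  "alice@domainA"),    # inbound from Exchange
        ("10.9.8.7",  "user1@domainA", "cust@example.com"), # forged envelope sender
    ]
    for c in cases:
        print(c, "->", smtp_transaction(table, *c))
```

Running it reproduces post #13: inbound from domainB is accepted, user1@domainA can send anywhere, and alice@domainA is refused at MAIL FROM even for bob@domainB, because From:domainA REJECT matches before To:domainB OK is ever consulted. Dropping the REJECT line lets alice reach domainB, but then the Connect: RELAY entry for 127.0.0.1 (or a From: RELAY sender under relay_mail_from) lets her reach anywhere, which is the gap post #14 points at: "from domainA and not to domainB" needs both halves of the envelope in one decision, and independent From:/To: lookups cannot express it. The last case is the forgery from post #7: any client that can reach port 25 and sets MAIL FROM:<user1@domainA> inherits user1's RELAY.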