But I would like to accept emails destined to a subdomain, say
sub.domain.tld but IFF the connections are only done from a particular
IP address or network.
This is a revisit of a 4+ year old question I had, redirect based
on incoming IP. I figured a combination of access_db and
mailertables.
So messages addressed to 'us...@domain.tld' are accepted as usual. But
messages addressed to 'us...@sub.domain.tld' are only accepted if the
connection comes in from a specific IP address.
Otherwise, I guess the only other solution is to set up a 2nd instance
of sendmail on a different IP address, and firewall it...
TIA and please followups only.
I should have clarified what I asked long ago... Based on the IP
address you are connecting from (available via accessDB), could I
select a particular mailer (available from mailertable)? I.e., for all
emails, select mailerA, but for IP xx.xx.xx.xx select mailerB.
If I could somehow restrict emails that are destined to
'us...@sub.domain.tld' to be accepted if they come from a particular
IP, then I can simply do the following on mailertable:
domain.tld esmtp:[zz.zz.zz.zz]
sub.domain.tld esmtp:[yy.yy.yy.yy]
Otherwise, what I had originally asked long ago would be something
like:
domain.tld esmtp:[zz.zz.zz.zz]
Connect:xx.xx.xx.xx esmtp:[yy.yy.yy.yy]
TIA...
If you can bear using the sender domain instead of the sender IP,
I suppose you'd like to use smarttable.m4, one of the nice goodies
that Andrzej Adam Filip brings to us, nowadays in:
http://sourceforge.net/projects/open-sendmail/
> Otherwise, what I had originally asked long ago would be something
> like:
>
> domain.tld esmtp:[zz.zz.zz.zz]
> Connect:xx.xx.xx.xx esmtp:[yy.yy.yy.yy]
After
SParse1
add
R$+<@sub.domain.tld.>	$: <$&{client_addr}> $| $1<@sub.domain.tld.>
R<xx.xx.xx.xx> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1
R<$+> $| $+	$#error $@ 5.7.1 $: "550 Access for IP " $1 " denied"
R$+<@domain.tld.>	$#esmtp $@ [zz.zz.zz.zz] $: $1<@domain.tld.>
I have tested it.
But I am not a sendmail guru so please be careful.
And maybe experts will correct me.
R$+<@sub.domain.tld.>	$: <$&f><$&{client_addr}> $| $1<@sub.domain.tld.>
R<><$+> $| $+	$: $2
R<$+><$+> $| $+	$: <$2> $| $3
R<xx.xx.xx.xx> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1
R<$+> $| $+	$#error $@ 5.7.1 $: "550 Access for IP " $1 " denied: " $2
Would this also work if it's for a specific network specified in CIDR
format ? If it's for ONE specific IP, how would I add multiple ones ?
Just extra consecutive lines of R<xx.xx.xx.xx> ?
TIA
By 'sender domain' do you mean envelope information or domain
originating? Otherwise, wouldn't the env. sender be easily faked ?
For example, if you want to match 1.2.3.0 & 10.20.30.0 nets you can
write
R<1.2.3.$+> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1
R<10.20.30.$+> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1
If you need to exclude some IPs from these nets you must add
R<1.2.3.1> $| $+	$#error $@ 5.7.1 $: "550 Access for IP 1.2.3.1 denied: " $1
R<1.2.3.2> $| $+	$#error $@ 5.7.1 $: "550 Access for IP 1.2.3.2 denied: " $1
R<1.2.3.$+> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1
I don't know whether it is possible to use regex here. I cannot
check this now.
But if it is possible then there are simpler rules for the IP check.
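An added example, not code from any poster in this thread: the R lines above compare the text of the client address token by token, so a CIDR block has to be expanded into octet-aligned patterns, and exact-IP exclusions have to come before the wider allow patterns. The Python helper below generates such lines and emulates the top-to-bottom match; the function names are hypothetical, [yy.yy.yy.yy] is the thread's placeholder, and only IPv4 is handled.

```python
import ipaddress

RELAY = "[yy.yy.yy.yy]"  # placeholder relay from the thread, not a real host

def prefix_patterns(cidr):
    """Expand an IPv4 CIDR into the textual patterns that cover exactly that block."""
    net = ipaddress.IPv4Network(cidr)  # raises ValueError on host bits or non-IPv4
    if net.prefixlen == 0:
        raise ValueError("refusing to emit a match-everything allow pattern")
    boundary = -(-net.prefixlen // 8) * 8  # round the prefix up to an octet boundary
    patterns = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        patterns.append(".".join(octets) + ("" if boundary == 32 else ".$+"))
    return patterns

def build_rules(allowed, denied=()):
    """Return R lines: exact-IP denials, then allow patterns, then the catch-all deny."""
    rules = []
    for ip in denied:  # must precede any wider pattern that would also match
        addr = ipaddress.IPv4Address(ip)
        rules.append(f'R<{addr}> $| $+\t$#error $@ 5.7.1 $: '
                     f'"550 Access for IP {addr} denied"')
    for cidr in allowed:
        for pat in prefix_patterns(cidr):
            rules.append(f"R<{pat}> $| $+\t$#esmtp $@ {RELAY} $: $1")
    rules.append('R<$+> $| $+\t$#error $@ 5.7.1 $: "550 Access for IP " $1 " denied"')
    return rules

def first_match(rules, client_addr):
    """Emulate first-match-wins evaluation of <client_addr> against the LHS patterns."""
    for rule in rules:
        pat = rule[2:rule.index(">")]
        if pat.endswith("$+"):
            prefix = pat[:-2]  # literal part; "$+" needs at least one more token
            hit = client_addr.startswith(prefix) and client_addr != prefix
        else:
            hit = pat == client_addr
        if hit:
            return "esmtp" if "$#esmtp" in rule else "error"
    return None

if __name__ == "__main__":
    # Constructed sample: allow a /22 and a /24, but exclude one host in the /24.
    print("\n".join(build_rules(["10.20.28.0/22", "1.2.3.0/24"], denied=["1.2.3.1"])))
```

A prefix that does not end on an octet boundary produces one line per /24 (or per address for prefixes longer than /24), which is why small, aligned networks suit this approach best.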
Do I understand you correctly that you want to block mail from other
(not xx.xx.xx.xx) IPs?
Or should this mail go to esmtp:[zz.zz.zz.zz] instead of being
blocked?
If the answer to the 1st question is "yes" there is another decision.
> By 'sender domain' do you mean envelope information or domain
> originating? Otherwise, wouldn't the env. sender be easily faked ?
I mean envelope sender address ($&f).
Yes, sender may be faked, but we are interested in checking mail
going _to_ sub.domain.tld.
If I don't use $&f in this check then mail _from_
som...@sub.domain.tld (faked or not) will be blocked if it is not
from xx.xx.xx.xx.
Ruleset Parse1 is called for sender and for recipient. I noticed that
$&f is empty (looks like <>) in the 1st case.
So the macro $&f was added in order not to check the sender domain.
I should say again that I am not a sendmail expert.
But I checked my rules yesterday and it seems to me that they work.
Hmm. Not working for me... (not sure how to debug it directly using
sendmail debug mode) but by just testing it, it's not. I get:
DSN: us...@sub.domain.tld... Access for IP sen...@domain.tld>< denied: user<@sub.domain.tld.>
The message is accepted but then bounced. I thought ideally I could
reject it directly on connection... Might not be what I'm after and
would probably have to have a 2nd instance running on a separate
interface and firewalled...
Should the code go right after the SParse1 line, or at the end of the
SParse1 section (ie before Ruleset 5) ?
Yes, I can see the same thing if I send mail directly from the mail
server.
But if I send mail from the workstation then my server rejects mail
straight away:
Mar 18 15:34:27 apache sendmail[9208]: m2IAYQC9009208: <r...@mail.xxx.ru>... Access for IP 1.2.3.4 denied:rin<@mail.xxx.ru.>
Mar 18 15:34:27 apache sendmail[9208]: m2IAYQC9009208: from=<postm...@zzz.ru>, size=470, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=yyy.zzz.ru [1.2.3.4]
And that's all.
How do you send the mail to us...@sub.domain.tld?