
ip restrictions for a subdomain


su...@poseidon.rider.edu

Mar 5, 2008, 11:23:43 PM

I have a box that accepts mail for say domain.tld. I use mailertables
to redirect emails for the domain or even sub domains to different
places.

But I would like to accept emails destined to a subdomain, say
sub.domain.tld but IFF the connections are only done from a particular
IP address or network.

This is a revisit of a very 4+ year old question I had, redirect based
on incoming IP. I figured a combination of access_db and
mailertables.

So messages addressed to 'us...@domain.tld' are accepted as usual. But
messages addressed to 'us...@sub.domain.tld' are only accepted if the
connection comes in from a specific IP address.

Otherwise, I guess the only other solution is to set up a 2nd instance
of sendmail on a different IP address, and firewall it...

TIA and please followups only.

su...@poseidon.rider.edu

Mar 5, 2008, 11:33:23 PM
On Mar 5, 11:23 pm, su...@poseidon.rider.edu wrote:
> I have a box that accepts mail for say domain.tld. I use mailertables
> to redirect emails for the domain or even sub domains to different
> places.
>
> But I would like to accept emails destined to a subdomain, say
> sub.domain.tld but IFF the connections are only done from a particular
> IP address or network.
>
> This is a revisit of a very 4+ year old question I had, redirect based
> on incoming IP. I figured a combination of access_db and
> mailertables.
>
> So messages addressed to 'u...@domain.tld' are accepted as usual. But
> messages addressed to 'u...@sub.domain.tld' are only accepted if the
> connection comes in from a specific IP address.
>
> Otherwise, I guess the only other solution is to set up a 2nd instance
> of sendmail on a different IP address, and firewall it...
>
> TIA and please followups only.

I should have clarified what I asked long ago... Based on the IP
address you are connecting from (available via accessDB), could I
select a particular mailer (available from mailertable)? I.e., for all
emails, select mailerA, but for IP xx.xx.xx.xx select mailerB.

If I could somehow restrict emails that are destined to
'us...@sub.domain.tld' to be accepted if they come from a particular
IP, then I can simply do the following on mailertable:

domain.tld	esmtp:[zz.zz.zz.zz]
sub.domain.tld	esmtp:[yy.yy.yy.yy]

Otherwise, what I had originally asked long ago would be something
like:

domain.tld	esmtp:[zz.zz.zz.zz]
Connect:xx.xx.xx.xx	esmtp:[yy.yy.yy.yy]

TIA...

loki harfagr

Mar 6, 2008, 5:41:29 AM

If you can bear using the sender domain instead of the sender IP
I suppose you'd like to use smarttable.m4, one of the nice goodies
that Andrzej Adam Filip brings to us, nowadays in:
http://sourceforge.net/projects/open-sendmail/

Sciurus

Mar 6, 2008, 7:12:49 AM
> > But I would like to accept emails destined to a subdomain, say
> > sub.domain.tld but IFF the connections are only done from a particular
> > IP address or network.
>
> Otherwise, what I had originally asked long ago would be something
> like:
>
> domain.tld     esmtp:[zz.zz.zz.zz]
> Connect:xx.xx.xx.xx    esmtp[yy.yy.yy.yy]

After
SParse1
add

R$+<@sub.domain.tld.>	$: <$&{client_addr}> $| $1<@sub.domain.tld.>

R<xx.xx.xx.xx> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1

R<$+> $| $+	$#error $@ 5.7.1 $: "550 Access for IP " $1 " denied"

R$+<@domain.tld.>	$#esmtp $@ [zz.zz.zz.zz] $: $1<@domain.tld.>

I have tested it.
But I am not a sendmail guru, so please be careful.
And maybe the experts will correct me.

Sciurus

Mar 6, 2008, 9:08:44 AM
Some corrections are made to avoid blocking mail if the sender address is
som...@sub.domain.tld.
IP does not matter in this case.

R$+<@sub.domain.tld.>	$: <$&f><$&{client_addr}> $| $1<@sub.domain.tld.>

R<><$+> $| $+	$: $2

R<$+><$+> $| $+	$: <$2> $| $3

R<xx.xx.xx.xx> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1

R<$+> $| $+	$#error $@ 5.7.1 $: "550 Access for IP " $1 " denied: " $2

R$+<@domain.tld.>	$#esmtp $@ [zz.zz.zz.zz] $: $1<@domain.tld.>

su...@poseidon.rider.edu

Mar 6, 2008, 1:38:33 PM
On Mar 6, 9:08 am, Sciurus <sciu...@mail.ru> wrote:
> Some corrections are made to avoid blocking mail if sender address is
> some...@sub.domain.tld.
> IP does not matter in this case.
>
> R$+<@sub.domain.tld.>          $: <$&f><$&{client_addr}> $|
> $1<@sub.domain.tld.>
>
> R<><$+> $| $+          $: $2
>
> R<$+><$+> $| $+          $: <$2> $| $3
>
> R<xx.xx.xx.xx> $| $+          $#esmtp $@ [yy.yy.yy.yy] $: $1
>
> R<$+> $| $+                     $#error $@ 5.7.1 $: "550 Access for IP
> " $1 " denied: " $2
>
> R$+<@domain.tld.>               $#esmtp $@ [zz.zz.zz.zz] $:
> $1<@domain.tld.>


Would this also work if it's for a specific network specified in CIDR
format ? If it's for ONE specific IP, how would I add multiple ones ?
Just extra consecutive lines of R<xx.xx.xx.xx> ?

TIA

su...@poseidon.rider.edu

Mar 6, 2008, 2:38:51 PM
On Mar 6, 5:41 am, loki harfagr <l...@theDarkDesign.free.fr> wrote:
> On Wed, 05 Mar 2008 20:33:23 -0800, suave wrote:
> > On Mar 5, 11:23 pm, su...@poseidon.rider.edu wrote:
> >> I have a box that accepts mail for say domain.tld.  I use mailertables
> >> to redirect emails for the domain or even sub domains to different
> >> places.
>
> >> But I would like to accept emails destined to a subdomain, say
> >> sub.domain.tld but IFF the connections are only done from a particular
> >> IP address or network.
>
> >> This is a revisit of a very 4+ year old question I had, redirect based
> >> on incoming IP.  I figured a combination of access_db and mailertables.
>
> >> So messages addressed to 'u...@domain.tld' are accepted as usual.  But
> >> messages addressed to 'u...@sub.domain.tld' are only accepted if the
> >> connection comes in from a specific IP address.
>
> >> Otherwise, I guess the only other solution is to set up a 2nd instance
> >> of sendmail on a different IP address, and firewall it...
>
> >> TIA and please followups only.
>
> > I should have clarified what I asked long ago... Based on what the IP
> > address you are connecting from (available via accessDB), could I select
> > a particular mailer (available from mailertable) ?  IE, for all emails,
> > select mailerA, but for IP xx.xx.xx.xx select mailerB.
>
> > If I could somehow restrict emails that are destined to
> > 'u...@sub.domain.tld' to be accepted if they come from a particular IP,
> > then I can simply do the following on mailertable:
>
> > domain.tld     esmtp:[zz.zz.zz.zz]
> > sub.domain.tld    esmtp[yy.yy.yy.yy]
>
> > Otherwise, what I had originally asked long ago would be something like:
>
> > domain.tld     esmtp:[zz.zz.zz.zz]
> > Connect:xx.xx.xx.xx    esmtp[yy.yy.yy.yy]
>
>  If you can bear using the sender domain instead of the sender IP
> I suppose you'd like to use smarttable.m4, one of the nice goodies
> that Andrzej Adam Filip brings to us, nowadays in:
>  http://sourceforge.net/projects/open-sendmail/

By 'sender domain' do you mean envelope information or domain
originating? Otherwise, wouldn't the env. sender be easily faked ?

Sciurus

Mar 7, 2008, 4:56:27 AM
>Would this also work if it's for a specific network specified in CIDR
>format ? If it's for ONE specific IP, how would I add multiple ones ?
>Just extra consecutive lines of R<xx.xx.xx.xx> ?

For example, if you want to match the 1.2.3.0 & 10.20.30.0 nets you can
write

R<1.2.3.$+> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1
R<10.20.30.$+> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1

If you need to exclude some IPs from these nets you must add

R<1.2.3.1> $| $+	$#error $@ 5.7.1 $: "550 Access for IP " $1 " denied: " $2
R<1.2.3.2> $| $+	$#error $@ 5.7.1 $: "550 Access for IP " $1 " denied: " $2
R<1.2.3.$+> $| $+	$#esmtp $@ [yy.yy.yy.yy] $: $1

I don't know whether it is possible to use a regex here. I cannot
check this now.
But if it is possible then there are simpler rules for the IP check.

Do I understand you correctly that you want to block mail from other
(not xx.xx.xx.xx) IPs?
Or should this mail go to esmtp:[zz.zz.zz.zz] instead of being
blocked?

If the answer to 1st question is "yes" there is another decision.

> By 'sender domain' do you mean envelope information or domain
> originating?  Otherwise, wouldn't the env. sender be easily faked ?

I mean the envelope sender address ($&f).
Yes, the sender may be faked, but we are interested in checking mail
going _to_ sub.domain.tld.
If I don't use $&f in this check then mail _from_
som...@sub.domain.tld (faked or not) will be blocked if it is not
from xx.xx.xx.xx.
Ruleset Parse1 is called for the sender and for the recipient. I noticed that
$&f is empty (looks like <>) in the 1st case.
So the macro $&f was added in order not to check the sender domain.

I should say again that I am not sendmail expert.
But I checked my rules yesterday and it seems to me that they work.

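To make the decision those Parse1 rules encode easier to reason about, here is an added model in Python (not sendmail code, and not from any poster in this thread): it follows the corrected rules, including the $&f sender-pass exemption and the "exclusions before network rules" ordering, but matches the client against real CIDR networks, which the 1.2.3.$+ token prefix can only approximate for /8, /16 and /24 boundaries. The network, excluded-IP and mailer values are constructed stand-ins for the thread's xx/yy/zz placeholders.

```python
import ipaddress

# Constructed stand-ins for the xx / yy / zz placeholders used in the thread.
ALLOWED_NETS = [ipaddress.ip_network("1.2.3.0/24"),
                ipaddress.ip_network("10.20.30.0/24")]
EXCLUDED_IPS = {ipaddress.ip_address("1.2.3.1"), ipaddress.ip_address("1.2.3.2")}
SUB_MAILER = ("esmtp", "[yy.yy.yy.yy]")      # mailertable entry for sub.domain.tld
DOMAIN_MAILER = ("esmtp", "[zz.zz.zz.zz]")   # mailertable entry for domain.tld


def client_allowed(client_addr):
    """The R<...> $| $+ chain: explicit exclusions are listed before the
    network rules, so they win; anything else must fall inside a net."""
    if not client_addr:          # locally submitted mail has no SMTP client
        return False             # ... so the thread's own DSN shows a denial
    ip = ipaddress.ip_address(client_addr)
    if ip in EXCLUDED_IPS:
        return False
    return any(ip in net for net in ALLOWED_NETS)


def parse1(addr, client_addr, f):
    """One pass of the added Parse1 rules over a single address.
    f plays $&f: empty while sendmail resolves the envelope sender, set to
    the sender while it resolves a recipient. Returns (mailer, host) or
    ("error", "550 ...") as the $#error rule would."""
    domain = addr.rpartition("@")[2]
    if domain == "sub.domain.tld" and f:
        # Recipient at the gated subdomain: the verdict depends only on the
        # client IP (R<$+><$+> $| $+ drops $&f and keeps {client_addr}).
        if not client_allowed(client_addr):
            return ("error", f"550 Access for IP {client_addr} denied: {addr}")
        return SUB_MAILER
    # R<><$+> $| $+  $: $2 : sender pass, no gate; the ordinary mailertable
    # entries from the thread then route the address.
    if domain == "sub.domain.tld":
        return SUB_MAILER
    if domain == "domain.tld":
        return DOMAIN_MAILER
    return None  # not one of ours; the rest of Parse1 handles it


def deliver(sender, recipient, client_addr):
    """Sendmail runs Parse1 on the sender first (f empty) and then on the
    recipient (f = sender); the recipient verdict is what the client sees."""
    parse1(sender, client_addr, "")            # never rejects: f is empty
    return parse1(recipient, client_addr, sender)
```

Running deliver() with a sender at sub.domain.tld and an outside client IP shows the corrected rules no longer block such mail, while a recipient at sub.domain.tld from an excluded or foreign address still gets the 550.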

su...@poseidon.rider.edu

Mar 17, 2008, 12:24:16 PM
On Mar 6, 8:12 am, Sciurus <sciu...@mail.ru> wrote:
> > > But I would like to accept emails destined to a subdomain, say
> > > sub.domain.tld but IFF the connections are only done from a particular
> > > IP address or network.
> > Otherwise, what I had originally asked long ago would be something
> > like:
>
> > domain.tld     esmtp:[zz.zz.zz.zz]
> > Connect:xx.xx.xx.xx    esmtp[yy.yy.yy.yy]
>
> After
> SParse1
> add
>

Hmm. Not working for me... (not sure how to debug it directly using
sendmail debug mode) but by just testing it, it's not. I get:

DSN: us...@sub.domain.tld... Access for IP sen...@domain.tld>< denied:
user<@sub.domain.tld.>

The message is accepted but then bounced. I thought ideally I could
reject it directly on connection... Might not be what I'm after and
would probably have to have a 2nd instance running on a separate
interface and firewalled...

Should the code go right after the SParse1 line, or at the end of the
SParse1 section (ie before Ruleset 5) ?

Sciurus

Mar 18, 2008, 7:26:58 AM
On Mar 17, 9:24 pm, su...@poseidon.rider.edu wrote:
> On Mar 6, 8:12 am, Sciurus <sciu...@mail.ru> wrote:
>
> > > > But I would like to accept emails destined to a subdomain, say
> > > > sub.domain.tld but IFF the connections are only done from a particular
> > > > IP address or network.
> > > Otherwise, what I had originally asked long ago would be something
> > > like:
>
> > > domain.tld     esmtp:[zz.zz.zz.zz]
> > > Connect:xx.xx.xx.xx    esmtp[yy.yy.yy.yy]
>
> > After
> > SParse1
> > add
>
> Hmm.  Not working for me... (not sure how to debug it directly using
> sendmail debug mode) but by just testing it, it's not.  I get:
>
> DSN:  u...@sub.domain.tld... Access for IP sen...@domain.tld>< denied:
> user<@sub.domain.tld.>
>
> The message is accepted but then bounced.

Yes, I can see the same thing if I send mail directly from the mail
server.
But if I send mail from the workstation then my server rejects mail
straight away:

Mar 18 15:34:27 apache sendmail[9208]: m2IAYQC9009208: <r...@mail.xxx.ru>... Access for IP 1.2.3.4 denied:rin<@mail.xxx.ru.>
Mar 18 15:34:27 apache sendmail[9208]: m2IAYQC9009208: from=<postm...@zzz.ru>, size=470, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=yyy.zzz.ru [1.2.3.4]

And that's all.

How do you send the mail to us...@sub.domain.tld?
