
How to accept mail for domain only from particular ip?


bal...@msmu.ru

Mar 6, 2008, 5:32:00 PM3/6/08
Good day.

Sorry if this question is answered in some sendmail FAQ, but I've
been searching the Internet for several days and I can't find the
solution. I'm a sendmail newbie; I was working with Qmail until
recently.

However, now I have a sendmail server and I cannot figure out how to
achieve this:
I have a DNS MX entry pointing to an external SMTP server (let's name it
mx.example.com; its IP is 11.11.11.11). This server accepts messages
for @example.com and forwards them to the sendmail server
sendmail.example.com. But about 50% of spam messages arrive directly
at the sendmail server; I guess that is because the DNS A record points to it
(the web site example.com resides on the same server where sendmail is
installed).

How can I configure sendmail in such a way that it accepts mail for
@example.com from 11.11.11.11 only?
Btw, sendmail is providing service for other mail domains, which
should not be affected by this filter, so I cannot simply block SMTP
connections not from 11.11.11.11 in the firewall.

I tried to add these lines to /etc/access:
To:example.com 441 Please use our MX server
11.11.11.11 RELAY

But mail from 11.11.11.11 is always blocked by check_rcpt rule.

Thanks in advance.

Sciurus

Mar 7, 2008, 6:32:22 AM3/7/08
> I have DNS MX entry pointing to an external smtp server (let's name it
> mx.example.com, it's IP is 11.11.11.11) This server accepts messages
> for @example.com and forwards them to sendmail server
> sendmail.example.com.

> But about 50% of spam messages arrive directly
> to sendmail server, I guess that is because DNS A record points to it
> (web-site example.com resides on the same server where sendmail is
> installed)

Is sendmail.example.com an MX for example.com or not?

What domain part do the recipients of these spam messages have?
sendmail.example.com or example.com?

jma...@ttec.com

Mar 9, 2008, 9:21:42 PM3/9/08

Here is the simplistic way to do this in the access file. There are
more complex ways.

Connect:11.11.11.11   OK
Connect:1             550 Please use the MX server or contact support
Connect:2             550 Please use the MX server or contact support
..
..
Connect:255           550 Please use the MX server or contact support

su...@poseidon.rider.edu

Mar 17, 2008, 12:33:40 PM3/17/08


But if you are also handling mail for other domains (i.e. domain2.tld),
the above would block all of it, right?

I think OP wants this:

OriginatingIP=11.11.11.11 AND destination_email=us...@example.com
THEN relay ELSE "550 Please use MX"
destination_email=us...@example2.com -->relay

I'm after the same thing, except I need:
OriginatingIP=11.11.11.11 AND destination_email=us...@sub.example.com
THEN relay ELSE "550 Please use MX"
destination_email=us...@example.com -->relay

So far the only option I can think of is to run separate instances,
each bound to their own interfaces, and blocking via firewall...

Someone was helping with this via modifying the cf file, but it seems
that the test was done after the msg was accepted.

TIA


Andrzej Adam Filip

Mar 17, 2008, 4:50:47 PM3/17/08
su...@poseidon.rider.edu wrote:
> [...]

> But if you are also handling mail for other domains (ie domain2.tld)
> the above would block all of it, right ?
>
> I think OP wants this:
>
> OriginatingIP=11.11.11.11 AND destination_email=us...@example.com
> THEN relay ELSE "550 Please use MX"
> destination_email=us...@example2.com -->relay
>
> I'm after the same thing, except I need:
> OriginatingIP=11.11.11.11 AND destination_email=us...@sub.example.com
> THEN relay ELSE "550 Please use MX"
> destination_email=us...@example.com -->relay
>
> So far the only option I can think of is to run separate instances,
> each bound to their own interfaces, and blocking via firewall...
>
> Someone was helping with this via modifying the cf file, but it seems
> that the test was done after the msg was accepted.

1) Do you use mailertable for routing messages to the domain?
2) Are you ready to patch the cf/m4/proto.m4 file?
[ a 3-line patch (mrs-relay.patch); it is *much more* "universal" ]

YES & YES => I can create a simple implementation of what you want based
on the above (I hope tomorrow).

It will not be the best way, but it should work, and it is what I am
ready to spend my time on :-)

--
[pl>en: Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
The prayer of serenity applies here. To both of us. :-)
-- Larry Wall in <1997101418...@wall.org>

jma...@ttec.com

Mar 17, 2008, 10:04:20 PM3/17/08
> OriginatingIP=11.11.11.11 AND destination_email=u...@example.com
> THEN relay ELSE "550 Please use MX"
> destination_email=u...@example2.com -->relay
>
> I'm after the same thing, except I need:
> OriginatingIP=11.11.11.11 AND destination_email=u...@sub.example.com
> THEN relay ELSE "550 Please use MX"
> destination_email=u...@example.com -->relay

>
> So far the only option I can think of is to run separate instances,
> each bound to their own interfaces, and blocking via firewall...
>
> Someone was helping with this via modifying the cf file, but it seems
> that the test was done after the msg was accepted.
>
> TIA

Well, that's fairly simple then, but you need to write cf rules into
your sendmail.mc.

use feature delay_checks

Create a class with the domains that you { do | don't } allow direct
submission to the server for.

Once you are doing local cf rules into sendmail.mc, you might as well
copy the access file lookup rule from sendmail.cf into LOCAL_RULES and
modify it so that it takes a default lookup, for example it will match
Connect:<BLANK><TAB>550

That will save you a couple hundred lines in your access file.

Call this lookup from Local_check_rcpt whenever the recipient domain
{ is | isn't } in the class you created.

I use this approach on mailhubs. I do everything in Local_check_rcpt
and perform the Connect: lookup there as well. So if you are not a
client or auth user or similar allowed submitter, you get the "Use the
MX" error message.
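The decision logic sketched in this reply, modeled as an added example that is not code from the thread and not sendmail's own cf rules: a Python re-implementation of the Connect: lookup with sendmail's dotted-prefix fallback, the bare "Connect:" default key that the modified lookup rule described above supplies, and a Local_check_rcpt style decision that applies only to recipient domains in a class. The access entries, the class name MX_ONLY_DOMAINS and the client address 203.0.113.7 are constructed sample data, not values from the thread.

```python
"""Model of a class-gated Local_check_rcpt with a Connect: lookup.

Added example (not code from this thread and not sendmail's own cf):
it reproduces in Python the decision logic described in the reply above.
Access entries, the class name and the 203.0.113.7 client address are
constructed sample data.
"""
from __future__ import annotations

# Constructed access table in "tag:key  value" form, as in /etc/mail/access.
# The bare "Connect:" key is the default the modified lookup rule consults.
ACCESS = {
    "Connect:11.11.11.11": "OK",   # the designated MX host
    "Connect:127.0.0.1": "OK",     # SMTP submissions from the box itself
    "Connect:": "550 Please use the MX server or contact support",
}

# Domains that must arrive via the MX (the "class"); all others are untouched.
MX_ONLY_DOMAINS = frozenset({"example.com"})


def connect_lookup(access: dict[str, str], client_ip: str) -> str | None:
    """Consult Connect: entries the way the access map is searched: the full
    address first, then shorter dotted prefixes (11.11.11.11, 11.11.11,
    11.11, 11), and finally the bare "Connect:" default key."""
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        value = access.get("Connect:" + ".".join(octets[:n]))
        if value is not None:
            return value
    return access.get("Connect:")


def recipient_domain(rcpt: str) -> str:
    """Domain part of a RCPT TO argument, lowercased, <> and trailing dot removed."""
    addr = rcpt.strip().strip("<>")
    return addr.rpartition("@")[2].lower().rstrip(".")


def local_check_rcpt(client_ip: str, rcpt: str,
                     access: dict[str, str] = ACCESS,
                     mx_only: frozenset[str] = MX_ONLY_DOMAINS) -> str:
    """Decide one RCPT TO: "OK", or the SMTP error text to return.

    Only recipients in the class are subject to the Connect: lookup, so
    the other domains hosted on the server keep accepting mail from anyone.
    """
    if recipient_domain(rcpt) not in mx_only:
        return "OK"
    verdict = connect_lookup(access, client_ip)
    if verdict is None or verdict.upper() in ("OK", "RELAY"):
        return "OK"
    return verdict


if __name__ == "__main__":
    cases = [("11.11.11.11", "<user@example.com>"),   # via the MX: accepted
             ("203.0.113.7", "<user@example.com>"),   # direct delivery: 550
             ("203.0.113.7", "<user@example2.com>")]  # other domain: accepted
    for ip, rcpt in cases:
        print(f"{ip:>13} {rcpt:<22} -> {local_check_rcpt(ip, rcpt)}")
```

Running it shows the three cases the thread cares about: mail for a domain outside the class is accepted regardless of the connecting address, which is what separates this from the per-octet access file in the earlier reply, and a single bare "Connect:" entry replaces the 255 explicit ones.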

Andrzej Adam Filip

Mar 19, 2008, 3:52:17 PM3/19/08
su...@poseidon.rider.edu wrote:
> [...]

> But if you are also handling mail for other domains (ie domain2.tld)
> the above would block all of it, right ?
>
> I think OP wants this:
>
> OriginatingIP=11.11.11.11 AND destination_email=us...@example.com
> THEN relay ELSE "550 Please use MX"
> destination_email=us...@example2.com -->relay
>
> I'm after the same thing, except I need:
> OriginatingIP=11.11.11.11 AND destination_email=us...@sub.example.com
> THEN relay ELSE "550 Please use MX"
> destination_email=us...@example.com -->relay
>
> So far the only option I can think of is to run separate instances,
> each bound to their own interfaces, and blocking via firewall...
>
> Someone was helping with this via modifying the cf file, but it seems
> that the test was done after the msg was accepted.

Try the patch to cf/m4/proto.m4 given below.
It additionally requires:
1) in *.mc file
#v+
FEATURE(`blacklist_recipients')
define(`_FFR_ACCESS_IP')
#v-
2) in access table
#v+
# map to ips (ip set) named "example.com"
# with ERROR:"550 Please use MX" as result for addresses not
# in the ip set
to:us...@example.com ips:example.com:ERROR:"550 Please use MX"
# list ip addresses of ip set named "example.com"
ips:example.com:11.11.11.11 RELAY
ips:example.com:127.0.0.1 RELAY
ips:example.com: RELAY
#v-

*** proto.m4 2008/03/19 19:08:37 1.1
--- proto.m4 2008/03/19 19:34:49
***************
*** 2083,2086 ****
--- 2083,2088 ----
R<@> <$*> $| <$*> $: <$2> <$1> reverse result
R<?> <$*> $: @ $1 mark address as no match
+ ifdef(`_FFR_ACCESS_IPS', `dnl
+ R<ips:$+:$+> <$*> $: <$ (access ips:$1:&${client_addr} $: $2 $) > <$3>', `dnl')
dnl we may have to filter here because otherwise some RHSs
dnl would be interpreted as generic error messages...
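Review bot: the ifdef guard on the added rule tests `_FFR_ACCESS_IPS`, but the .mc instructions in this same post say `define(`_FFR_ACCESS_IP')`; with that define the guard is false and the `R<ips:$+:$+>` rule is never emitted, so the two names need to agree (the access-table tag is `ips:`, so `_FFR_ACCESS_IPS` in both places reads best). Second, the lookup key is written `ips:$1:&${client_addr}`: the form proto.m4 uses elsewhere for a macro read at rule-evaluation time is `$&{client_addr}`, whereas `${client_addr}` is expanded when sendmail parses the .cf (empty at that point), so as written the key would become `ips:<set>:&` and never match the `ips:example.com:11.11.11.11` entries; please check that line against the binary patch. A one-line comment noting that the `ips:example.com:` entry with an empty address is what an unset `${client_addr}` (non-SMTP submission) falls back to would also help readers of the access table.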

Below please find the binary version of the patch.


--
[pl>en: Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

We are each entitled to our own opinion,
but no one is entitled to his own facts.
-- Patrick Moynihan

ips.patch.gz
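As an added example (not the patch, not sendmail's own code and not from the thread), the effect of the single added rewrite rule modeled in Python: the To: lookup yields `ips:<set>:<default>`, the rule then looks up `ips:<set>:<client_addr>` and, on a miss, falls back to `<default>`. The access table is the one from this post with a constructed `user@example.com` in place of the obfuscated `us...@example.com`; `parse_access`, `ips_rule`, `check_rcpt` and the client address 203.0.113.7 are this example's own.

```python
"""Model of the "ips:" access-map extension in the patch above.

Added example (not the patch, not sendmail's own code, not from the
thread): it re-implements in Python what the single added rewrite rule
does. The access table is the one from this post, with a constructed
user@example.com in place of the obfuscated address, and 203.0.113.7
is a constructed non-MX client address.
"""
from __future__ import annotations
import re

ACCESS_TEXT = """\
# map to ips (ip set) named "example.com"
# with ERROR:"550 Please use MX" as result for addresses not
# in the ip set
to:user@example.com\tips:example.com:ERROR:"550 Please use MX"
# list ip addresses of ip set named "example.com"
ips:example.com:11.11.11.11\tRELAY
ips:example.com:127.0.0.1\tRELAY
ips:example.com:\tRELAY
"""

# Value produced by the To: lookup:  ips:<set>:<default if client not in set>
IPS_VALUE = re.compile(r"^ips:([^:]+):(.*)$", re.S)


def parse_access(text: str) -> dict[str, str]:
    """Parse access-table source: '#' comments, key and value split on whitespace.
    Keys are lowercased, as makemap does for address keys."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.split(r"\s+", line, maxsplit=1)
        table[key.lower()] = value
    return table


def ips_rule(value: str, client_addr: str, access: dict[str, str]) -> str:
    """The added rule:  R<ips:$+:$+> <$*>  ->  $(access ips:$1:<client_addr> $: $2 $)
    i.e. look up the client address inside the named set, default to $2."""
    m = IPS_VALUE.match(value)
    if m is None:
        return value                      # not an ips: value: pass through unchanged
    ip_set, default = m.group(1), m.group(2)
    return access.get(f"ips:{ip_set}:{client_addr}".lower(), default)


def check_rcpt(rcpt: str, client_addr: str, access: dict[str, str]) -> str:
    """Outcome of the To: lookup for one recipient: "RELAY", "OK" when no
    entry exists, or the error text taken from an ERROR:"..." value."""
    value = access.get("to:" + rcpt.strip().strip("<>").lower())
    if value is None:
        return "OK"                       # no To: entry: the filter does not apply
    result = ips_rule(value, client_addr, access)
    if result.startswith("ERROR:"):
        return result[len("ERROR:"):].strip('"')
    return result


if __name__ == "__main__":
    table = parse_access(ACCESS_TEXT)
    for rcpt, ip in [("user@example.com", "11.11.11.11"),
                     ("user@example.com", "203.0.113.7"),
                     ("user@example.com", ""),          # client address unset
                     ("user@example2.com", "203.0.113.7")]:
        print(f"{rcpt:<20} from {ip or '(none)':>13} -> {check_rcpt(rcpt, ip, table)}")
```

The empty-address entry `ips:example.com:` is what a lookup with an unset client address falls back to (modeled here as an empty string), so locally generated mail still relays; leave that line out if such mail should also get the default ERROR. Recipients without a To: entry are never touched, which keeps the server's other domains unaffected.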