
How to restrict users to send emails to internal users only


Asim

Apr 16, 2007, 12:50:58 AM
Hi,
I have sendmail running as a client on some of my UNIX systems. They all
use one UNIX machine as an SMTP gateway (MAILHUB), which then passes on
the email messages to my company's mail relay server. Now users at my
UNIX client machines can send messages to anyuser@anydomain. I want to
restrict users to sending messages to internal/my company's domain only.
I have tried using the following:

LOCAL_CONFIG
F{Internal}/etc/mail/intern.only

Then the rules work like this:
LOCAL_RULESETS
SLocal_check_rcpt
# get sender address and canonify it
R$*	$: $1 $| $>3 $&f
R$* $| <>	$@ OK	<> is always ok
R$* $| $={Internal} <@$=w.>	$: $1	lu...@local.host?
R$* $| $={Internal}	$: $1	luser?
R$* $| $*	$@ OK	someone else
R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	$#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"

Is there a way I can restrict users to sending mail only to the addresses
listed in /etc/mail/intern.only and not to the whole world? I am quite
new to sendmail, please please help me to set up this configuration.

Thanks and regards,
Asim

jma...@ttec.com

Apr 16, 2007, 4:46:03 AM
On Apr 16, 12:50 am, "Asim" <asim.a...@gmail.com> wrote:
> Hi,
> I have sendmail running as a client on some of my UNIX systems. They all
> use one UNIX machine as an SMTP gateway (MAILHUB), which then passes on
> the email messages to my company's mail relay server. Now users at my
> UNIX client machines can send messages to anyuser@anydomain. I want to
> restrict users to sending messages to internal/my company's domain only.
> I have tried using the following:
>
> LOCAL_CONFIG
> F{Internal}/etc/mail/intern.only
>
> Then the rules work like this:
> LOCAL_RULESETS
> SLocal_check_rcpt
> # get sender address and canonify it
> R$* $: $1 $| $>3 $&f
> R$* $| <> $@ OK <> is always ok
> R$* $| $={Internal} <@$=w.> $: $1 l...@local.host?
> R$* $| $={Internal} $: $1 luser?
> R$* $| $* $@ OK someone else
> R$* $: $>3 $1 check recipient
> R$+<@$=w.> $@ OK local? ok
> R$+<@$+> $#error $@ 5.1.8 $: "551 sorry luser your boss does not
> like you"
>
> Is there a way I can restrict users to sending mail only to the addresses
> listed in /etc/mail/intern.only and not to the whole world? I am quite
> new to sendmail, please please help me to set up this configuration.
>

The ruleset you are using is designed to only allow senders with email
addresses listed in /etc/mail/intern.only access to send email to
addresses in domains that are considered local, members of class w,
which as likely as not is listed in /etc/mail/local-host-names.

You can also do

echo "$=w" | sendmail -bt

To see a list of domain names that sendmail considers local.

Is this working for you or not?

Asim

Apr 16, 2007, 7:06:49 AM

Yes, this one is working perfectly fine. The next thing is, I don't want
users to send email to any other domain that is not listed in
/etc/mail/local-host-names. How can that be achieved?
Thanks in advance.
Asim

jma...@ttec.com

Apr 16, 2007, 7:11:26 AM


List the users in /etc/mail/intern.only

Kees Theunissen

Apr 16, 2007, 8:19:03 PM
Asim wrote:
> Hi,
> I have sendmail running as a client on some of my UNIX systems. They all
> use one UNIX machine as an SMTP gateway (MAILHUB), which then passes on
> the email messages to my company's mail relay server. Now users at my
> UNIX client machines can send messages to anyuser@anydomain. I want to
> restrict users to sending messages to internal/my company's domain only.
> I have tried using the following:
>
> LOCAL_CONFIG
> F{Internal}/etc/mail/intern.only
>
> Then the rules work like this:
> LOCAL_RULESETS
> SLocal_check_rcpt
> # get sender address and canonify it
> R$* $: $1 $| $>3 $&f
> R$* $| <> $@ OK <> is always ok
> R$* $| $={Internal} <@$=w.> $: $1 lu...@local.host?
> R$* $| $={Internal} $: $1 luser?
> R$* $| $* $@ OK someone else
> R$* $: $>3 $1 check recipient
> R$+<@$=w.> $@ OK local? ok
> R$+<@$+> $#error $@ 5.1.8 $: "551 sorry luser your boss does not
> like you"

If your user's MUA is using SMTP to submit messages, "$&f" will
be a user supplied string and can contain any value. Probably this
string contains "us...@domain.tld", while you are testing against
"$=w" which contains by default "host.domain.tld" but not
"domain.tld".
Adding "domain.tld" to /etc/mail/local-host-names could solve
the most common cases but is not foolproof ("$&f" still is a user
supplied string and can contain any value) and is likely to break
forwarding of messages (addressed to users at your domain) to the
MAILHUB.
I recommend the use of "$&{client_addr}" to determine if a client
is local. Change your test to something like this (untested):

LOCAL_RULESETS
SLocal_check_rcpt
# get sender address and see if it is local
R$*	$: $1 $| $&{client_addr}
R$* $| <>	$: $1	originated locally
R$* $| < 0 >	$: $1	originated locally
R$* $| < 127.0.0.1 >	$: $1	originated locally
R$* $| < IPv6:::1 >	$: $1	originated locally
R$* $| < $* >	$: $1 $|<[$2]>	put brackets around it...
R$* $| < $=w >	$: $1	... and see if it is local
R$* $| $*	$@ OK	non local IP number

R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	\
	$#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"


The line "R$+<@$=w.> $@ OK local? ok"
was copied from your rules. I'm still wondering if this has to be
changed to "R$+< @$* domain.tld.> $@ OK local? ok".
This depends on the contents of your "$=w".


Regards,

Kees

--
Kees Theunissen

Kees Theunissen

Apr 16, 2007, 8:38:28 PM

Something went wrong! I copied the following rules from a
configuration where I used "< >" around "$&{client_addr}".
(I _did_ mention it was untested. :-)
Change the previous rule to:

jma...@ttec.com

Apr 16, 2007, 9:29:07 PM
On Apr 16, 8:19 pm, Kees Theunissen <theun...@rijnh.nl> wrote:
> Asim wrote:
> > Hi,
> > I have sendmail running as a client on some of my UNIX systems. They all
> > use one UNIX machine as an SMTP gateway (MAILHUB), which then passes on
> > the email messages to my company's mail relay server. Now users at my
> > UNIX client machines can send messages to anyuser@anydomain. I want to
> > restrict users to sending messages to internal/my company's domain only.
> > I have tried using the following:
>
> > LOCAL_CONFIG
> > F{Internal}/etc/mail/intern.only
>
> > Then the rules work like this:
> > LOCAL_RULESETS
> > SLocal_check_rcpt
> > # get sender address and canonify it
> > R$* $: $1 $| $>3 $&f
> > R$* $| <> $@ OK <> is always ok
> > R$* $| $={Internal} <@$=w.> $: $1 l...@local.host?
> > R$* $| $={Internal} $: $1 luser?
> > R$* $| $* $@ OK someone else
> > R$* $: $>3 $1 check recipient
> > R$+<@$=w.> $@ OK local? ok
> > R$+<@$+> $#error $@ 5.1.8 $: "551 sorry luser your boss does not
> > like you"
>

The above ruleset is one of Claus's.

It works like this:

Retrieve the sender's claimed address and put it in focused canonified form.

<> is ok, return and allow it

entries from the Internal class at any local domain are to be
controlled below,

entries from the Internal class are to be controlled below

All others are not controlled, return OK and allow it.

If we are still here, canonify the attempted recipient in focused form.

If it's to a local domain, return OK and allow it.

If it's not to a local domain, abort with an error, causing the attempt to
fail.

> If your user's MUA is using SMTP to submit messages "$&f" will
> be a user supplied string and can contain any value.

This is controllable by requiring internal clients to SMTP AUTH and by
utilizing rulesets like these

http://jmaimon.com/sendmail/patches/rewrite_sender.tar.gz
http://jmaimon.com/sendmail/#rewritesender

> Probably this
> string contains "u...@domain.tld", while you are testing against
> "$=w" which contains by default "host.domain.tld" but not
> "domain.tld".
> Adding "domain.tld" to /etc/mail/local-host-names could solve
> the most common cases but is not full proof ("$&f" still is a user
> supplied string and can contain any value) and is likely to break
> forwarding of messages (addressed to users at your domain) to the
> MAILHUB.

The easiest thing for him to do in this case is to create yet another
class that matches the internal domain names he wants controlled and
replace every occurrence of $=w in the above ruleset with the new class.

> I recommend the use of "$&{client_addr}" to determine if a client
> is local. Change your test to something like this (untested):

Good approach, if your population can fit that model.

You can consider this kind of IP address control with some
hybridization of controlling recipient authentication such as

http://jmaimon.com/sendmail/#rcptauthreq
http://jmaimon.com/sendmail/patches/rcptauthsender.txt

>
> LOCAL_RULESETS
> SLocal_check_rcpt
> # get sender address and see if it is local
> R$* $: $1 $| $&{client_addr}
> R$* $| <> $: $1 originated locally
> R$* $| < 0 > $: $1 originated locally
> R$* $| < 127.0.0.1 > $: $1 originated locally
> R$* $| < IPv6:::1 > $: $1 originated locally
> R$* $| < $* > $: $1 $|<[$2]> put brackets around it...
> R$* $| < $=w > $: $1 ... and see if it is local
> R$* $| $* $@ OK non local IP number
>
> R$* $: $>3 $1 check recipient
> R$+<@$=w.> $@ OK local? ok
> R$+<@$+> \
> $#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"
>
> The line "R$+<@$=w.> $@ OK local? ok"
> was copied from your rules. I'm still wondering if this has to be
> changed to "R$+< @$* domain.tld.> $@ OK local? ok".
> This depends on the contents of your "$=w".

As above, make a new class.
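A side-by-side model of the two Local_check_rcpt policies in this thread, added here as an illustration in Python; it is not sendmail configuration and not code from any poster. It encodes Asim's sender-based test (restrict when the claimed MAIL FROM is a user in the Internal class) and Kees's client-address test (restrict when the connecting address is local), with the separate class of internal domains jma suggests standing in for $=w. The class members (alice, bob, example.com, the 10.0.0.x clients), the Decision type and the function names are constructed for the model; listing client machines among the "local" addresses is an assumption, since $=w itself only carries the hub's own interfaces. An OK from either policy only means the local ruleset raises no objection; sendmail's normal relay checks still apply.

```python
"""
Model of the two Local_check_rcpt policies discussed in this thread, so the
sender-based and the client-address-based test can be compared offline.
Added illustration in Python, not sendmail configuration and not code from
any poster; every class member below is a constructed sample value.
"""
from typing import NamedTuple

# Stand-ins for the sendmail classes named in the thread.
INTERNAL_USERS = {"alice", "bob"}                         # $={Internal}: local parts from intern.only
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}    # the extra class jma suggests instead of $=w
LOOPBACK_CLIENTS = {"", "0", "127.0.0.1", "IPv6:::1"}     # values Kees's rules treat as "originated locally"
# Bracketed client addresses also treated as local.  $=w only carries the hub's own
# interfaces; listing client machines here is an assumption of this model.
LOCAL_CLIENT_ADDRS = {"[10.0.0.5]", "[10.0.0.6]"}

REJECT = "551 5.1.8 sorry luser your boss does not like you"  # rejection text from the thread


class Decision(NamedTuple):
    verdict: str   # "OK" (no objection from the local policy) or "ERROR"
    reason: str


def local_part_of(address: str) -> str:
    return address.split("@", 1)[0].lower()


def domain_of(address: str) -> str:
    """Domain part of user@domain; '' for a bare user or the null sender <>."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def recipient_check(recipient: str) -> Decision:
    """Shared tail of both rulesets: a local recipient passes, anything else is refused."""
    if domain_of(recipient) in INTERNAL_DOMAINS:
        return Decision("OK", "local? ok")
    return Decision("ERROR", REJECT)


def check_rcpt_by_sender(envelope_sender: str, recipient: str) -> Decision:
    """Asim's ruleset: who is restricted is decided from the claimed MAIL FROM ($&f)."""
    if envelope_sender == "":
        return Decision("OK", "<> is always ok")
    user, domain = local_part_of(envelope_sender), domain_of(envelope_sender)
    # $={Internal} matches the local part; the domain must be local or absent.
    controlled = user in INTERNAL_USERS and (domain == "" or domain in INTERNAL_DOMAINS)
    if not controlled:
        return Decision("OK", "someone else")
    return recipient_check(recipient)


def check_rcpt_by_client(client_addr: str, recipient: str) -> Decision:
    """Kees's ruleset: who is restricted is decided from ${client_addr}, which the
    submitting user cannot choose."""
    if client_addr in LOOPBACK_CLIENTS or f"[{client_addr}]" in LOCAL_CLIENT_ADDRS:
        return recipient_check(recipient)
    return Decision("OK", "non local IP number")


if __name__ == "__main__":
    # A user on internal client 10.0.0.5 puts a made-up address in MAIL FROM and
    # sends to an outside recipient.  Only the client-address test still refuses it.
    for sender in ("alice@example.com", "alice@other.tld", "mallory@example.com"):
        verdict = check_rcpt_by_sender(sender, "x@other.tld").verdict
        print(f"sender-based, MAIL FROM <{sender}>: {verdict}")
    print("client-based, client 10.0.0.5:", check_rcpt_by_client("10.0.0.5", "x@other.tld").verdict)
```

The same cases are worth replaying against the real configuration with sendmail -bt, the mode jma already points at for inspecting $=w, before relying on either ruleset on the MAILHUB.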


Asim

Apr 16, 2007, 11:12:46 PM

Is there a way that I can use this or this kind of rule without SMTP
AUTH? As I already have many SMTP clients configured. The MAILHUB is
meant to serve as an internal SMTP gateway only.
Regards,
Asim

jma...@ttec.com

Apr 16, 2007, 11:46:07 PM

Define "this"


Asim

Apr 17, 2007, 12:41:51 AM

This:

LOCAL_CONFIG
F{Internal}/etc/mail/intern.only


Then the rules work like this:
LOCAL_RULESETS
SLocal_check_rcpt
# get sender address and canonify it
R$*	$: $1 $| $>3 $&f
R$* $| <>	$@ OK	<> is always ok
R$* $| $={Internal} <@$=w.>	$: $1	l...@local.host?
R$* $| $={Internal}	$: $1	luser?
R$* $| $*	$@ OK	someone else
R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	$#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"

Thanks :)

jma...@ttec.com

Apr 17, 2007, 7:59:04 AM

Yes, I thought I outlined some ways you can use that exact ruleset,
namely by creating another class to contain your internal domain names
and by listing your internal users in the Internal class.

I had been expecting you to read and refer to that.

