Re: How to restrict users to send emails to internal users only



On Apr 17, 12:46 pm, "jmai...@xxxxxxxx" <jmai...@xxxxxxxx> wrote:
On Apr 16, 11:12 pm, Asim <asim.a...@xxxxxxxxx> wrote:
On Apr 17, 10:29 am, "jmai...@xxxxxxxx" <jmai...@xxxxxxxx> wrote:
On Apr 16, 8:19 pm, Kees Theunissen <theun...@xxxxxxxx> wrote:
Asim wrote:
Hi,
I have sendmail running as a client on some of my unix systems. They all
use one UNIX machine as smtp gateway (MAILHUB), which then passes on
the email messages to my company's mail relay server. Now users at my
unix client machines can send messages to anyuser@anydomain. I want to
restrict users to sending messages to internal/my company's domain only.
I have tried using the following:

LOCAL_CONFIG
F{Internal}/etc/mail/intern.only

Then the rules work like this:
LOCAL_RULESETS
SLocal_check_rcpt
# get sender address and canonify it
R$*	$: $1 $| $>3 $&f
R$* $| <>	$@ OK	<> is always ok
R$* $| $={Internal} <@$=w.>	$: $1	l...@xxxxxxxxxx?
R$* $| $={Internal}	$: $1	luser?
R$* $| $*	$@ OK	someone else
R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	$#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"

The above ruleset is one of Claus's.

It works like this:

Retrieve the sender's claimed address and put it in focused canonified form.

<> is ok; return and allow it.

Entries from the Internal class at any local domain are to be
controlled below.

Entries from the Internal class are to be controlled below.

All others are not controlled; return OK and allow it.

If we are still here, canonify the attempted recipient in focused form.

If it's to a local domain, return OK and allow it.

If it's not to a local domain, abort with an error, causing the attempt to
fail.

If your user's MUA is using SMTP to submit messages, "$&f" will
be a user-supplied string and can contain any value.

This is controllable by requiring internal clients to SMTP AUTH and by
utilizing rulesets like these

http://jmaimon.com/sendmail/patches/rewrite_sender.tar.gz
http://jmaim...

Probably this
string contains "u...@xxxxxxxxxx", while you are testing against
"$=w" which contains by default "host.domain.tld" but not
"domain.tld".
Adding "domain.tld" to /etc/mail/local-host-names could solve
the most common cases but is not foolproof ("$&f" still is a user
supplied string and can contain any value) and is likely to break
forwarding of messages (addressed to users at your domain) to the
MAILHUB.

The easiest thing for him to do in this case is to create yet another
class that matches the internal domain names he wants controlled and
replace every occurrence of $=w in the above ruleset with the new class.

I recommend the use of "$&{client_addr}" to determine if a client
is local. Change your test to something like this (untested):

Good approach, if your population can fit that model.

You can consider this kind of IP address control with some
hybridization of controlling recipient authentication such as

http://jmaimon.com/sendmail/#rcptauthreq
http://jmaimon.com/sendmail/p...

LOCAL_RULESETS
SLocal_check_rcpt
# get sender address and see if it is local
R$*	$: $1 $| $&{client_addr}
R$* $| <>	$: $1	originated locally
R$* $| < 0 >	$: $1	originated locally
R$* $| < 127.0.0.1 >	$: $1	originated locally
R$* $| < IPv6:::1 >	$: $1	originated locally
R$* $| < $* >	$: $1 $| <[$2]>	put brackets around it...
R$* $| < $=w >	$: $1	... and see if it is local
R$* $| $*	$@ OK	non local IP number

R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	\
	$#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"

The line "R$+<@$=w.> $@ OK local? ok"
was copied from your rules. I'm still wondering if this has to be
changed to "R$+< @$* domain.tld.> $@ OK local? ok".
This depends on the contents of your "$=w".

As above, make a new class.


Is there a way that I can use this, or this kind of rule, without SMTP
AUTH? I already have many smtp clients configured. The MAILHUB is
meant to serve as an internal smtp gateway only.
regards,
Asim

Define "this"

This:

LOCAL_CONFIG
F{Internal}/etc/mail/intern.only

Then the rules work like this:
LOCAL_RULESETS
SLocal_check_rcpt
# get sender address and canonify it
R$*	$: $1 $| $>3 $&f
R$* $| <>	$@ OK	<> is always ok
R$* $| $={Internal} <@$=w.>	$: $1	l...@xxxxxxxxxx?
R$* $| $={Internal}	$: $1	luser?
R$* $| $*	$@ OK	someone else
R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	$#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"

Thanks :)
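As an added illustration (not code from anyone in this thread): a small Python model of the two Local_check_rcpt rulesets discussed above, using constructed class contents, so that the class-membership logic, and Kees's point that a sender at the bare "domain.tld" slips past "<@$=w.>" when $=w only holds "host.domain.tld", can be exercised without a sendmail install. INTERNAL, LOCAL_HOSTS and the helper functions are assumptions of this model, not sendmail names.

```python
import ipaddress

# Constructed class contents: F{Internal} holds usernames, $=w holds the
# local host names plus the bracketed interface addresses sendmail adds.
INTERNAL = {"asim", "bob"}
LOCAL_HOSTS = {"mailhub.example.com", "[10.0.0.5]", "[127.0.0.1]"}
REJECT = "551 sorry luser your boss does not like you"

def split(addr):
    """Stand-in for ruleset 3: return (localpart, domain or None)."""
    addr = addr.strip("<>")
    if "@" in addr:
        user, dom = addr.rsplit("@", 1)
        return user, dom.lower().rstrip(".")
    return addr, None

def rcpt_is_local(rcpt, w):
    """R$+<@$=w.>   $@ OK   local? ok"""
    return split(rcpt)[1] in w

def check_rcpt_by_sender(sender, rcpt, internal=INTERNAL, w=LOCAL_HOSTS):
    """Claus's ruleset: control is keyed on the claimed sender ($&f)."""
    if sender in ("", "<>"):
        return "OK"                       # <> is always ok
    user, dom = split(sender)
    # controlled only if  $={Internal} <@$=w.>  or bare  $={Internal}
    if user not in internal or (dom is not None and dom not in w):
        return "OK"                       # someone else
    return "OK" if rcpt_is_local(rcpt, w) else REJECT

def client_is_local(client_addr, w):
    """The ${client_addr} tests from Kees's variant."""
    ip = client_addr.removeprefix("IPv6:")
    if ip in ("", "0"):                   # <> or < 0 >: no TCP client
        return True
    try:
        if ipaddress.ip_address(ip).is_loopback:   # 127.0.0.1 / ::1
            return True
    except ValueError:
        return False                      # not a numeric address
    return f"[{ip}]" in w                 # put brackets around it, test $=w

def check_rcpt_by_client(client_addr, rcpt, w=LOCAL_HOSTS):
    """Kees's variant: the client IP, not the claimed sender, decides."""
    if not client_is_local(client_addr, w):
        return "OK"                       # non local IP number
    return "OK" if rcpt_is_local(rcpt, w) else REJECT
```

Adding "domain.tld" to $=w (or, as suggested above, to a separate class used in place of $=w) is what turns the bare-domain sender into a controlled one in the first model.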