Discussion:
auth relay limiting
Claus Aßmann
2025-01-22 17:18:53 UTC
Currently when a user is authenticated it can send messages with any
From (and envelope ?). I would like to limit this to only addresses
that the user is configured to receive on.
How would I go about implementing such a thing?
A custom ruleset.

You might find some examples on "the 'net".

Otherwise look at doc/op/op.* about rulesets and macros, esp.
5.1.4.2. check_mail (and cf/README about Local_*)
${auth_authen}
The client's authentication credentials as determined by authentication (only set if successful).
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
none
2025-01-24 11:57:42 UTC
Post by Claus Aßmann
Currently when a user is authenticated it can send messages with any
From (and envelope ?). I would like to limit this to only addresses
that the user is configured to receive on.
How would I go about implementing such a thing?
A custom ruleset.
You might find some examples on "the 'net".
Otherwise look at doc/op/op.* about rulesets and macros, esp.
5.1.4.2. check_mail (and cf/README about Local_*)
${auth_authen}
The client's authentication credentials as determined by authentication (only set if successful).
I found this
https://www.sendmail.org/~ca/email/doc8.12/cf/m4/anti_spam.html

The features described above make use of the check_relay, check_mail,
and check_rcpt rulesets. If you wish to include your own checks, you can
put your checks in the rulesets Local_check_relay, Local_check_mail, and
Local_check_rcpt. For example if you wanted to block senders with all
numeric usernames (i.e. ***@bigisp.com), you would use
Local_check_mail and the regex map:

LOCAL_CONFIG
Kallnumbers regex -***@MATCH ^[0-9]+$

LOCAL_RULESETS
SLocal_check_mail
# check address against various regex checks
R$*			$: $>Parse0 $>3 $1
R$+ < @ bigisp.com. > $*	$: $(allnumbers $1 $)
***@MATCH		$#error $: 553 Header Error

But how do I go about changing this so it looks up all the auth user's email
addresses? I think I even use a different cluster name because the
incoming is different from the outgoing, so that is a separate issue to
solve.

dn: sendmailMTAKey=***@example.com..........
sendmailMTAMapValue: usertest
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
structuralObjectClass: sendmailMTAMapObject



I only have README.cf that mentions these, and all are related to rcpt, not
sender.

[sendmail]# egrep 'auth_authen|check_mail' * -r
README.cf:delay_checks The rulesets check_mail and check_relay will not be called
README.cf:The features described above make use of the check_relay, check_mail,
README.cf:Local_check_relay, Local_check_mail, and Local_check_rcpt. For
README.cf:(i.e. ***@bigisp.com), you would use Local_check_mail and the
README.cf: SLocal_check_mail
README.cf:By using FEATURE(`delay_checks') the rulesets check_mail and check_relay
README.cf:If check_mail returns an error then the RCPT TO command will be rejected
README.cf:friend the exception. The rulesets check_mail and check_relay will be
README.cf:check_mail and check_relay and make a SPAM hater the exception. The
README.cf:has been issued, and from check_mail. The parameter is the value of
README.cf:The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be
README.cf:R$* $: $&{auth_type} $| $&{auth_authen}
README.cf: [i, {auth_type}, {auth_authen},
README.cf: R$* $: $&{auth_authen}
none
2025-01-27 11:14:10 UTC
Post by Claus Aßmann
Currently when a user is authenticated it can send messages with any
From (and envelope ?). I would like to limit this to only addresses
that the user is configured to receive on.
How would I go about implementing such a thing?
A custom ruleset.
You might find some examples on "the 'net".
Do you maybe have a link to a practical example? I have the impression
there is not even a check_sender.

https://www.sendmail.org/~ca/email/rcpt_old.html

How should this be rewritten so it looks up the from address in the
virtual user table so it compares sendmailMTAMapValue with the auth?

R$+			$: $>3 $1
R$+			$: $(dequote $1 $)
R$-			$@ ok				to here
R$* % $*		$: relay			attempt
R$* @ $* < @ $* . >	$: relay			attempt
R$+ < @ $=w . >		$@ ok				to here
R$+ < @ $={RelayTo} . >	$@ ok				allow relay to there
R$+			$: $(dequote "" $&{client_addr} $)
R0			$@ ok				client_addr is 0 for sendmail -bs
R$={LocalIP}.$*		$@ ok				from here
R$*			$#error $@ 5.7.1 $: "571 we do not support relaying"
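
The lookup asked for above, written as an added example (not code from the thread or from sendmail's own cf files): a Local_check_mail ruleset that canonifies MAIL FROM, looks it up in the virtuser map that FEATURE(`virtusertable') defines (the LDAP map with sendmailMTAMapName virtuser shown earlier), and accepts only when the map value equals ${auth_authen}. It assumes the map values are plain local user names as in the posted LDAP entry (entries whose value is another address or an error: action will be rejected), covers the envelope sender only (the header From: needs a separate header check), and relies on sendmail's run-time macro match ($&{macro}) in a rule's LHS.

```m4
dnl Added example, not from the thread or the sendmail distribution.
dnl Assumes FEATURE(`virtusertable') has defined the map "virtuser" and that
dnl its values are local user names matching what ${auth_authen} carries.
dnl NOTE: every rule needs a TAB between its LHS and RHS.
LOCAL_RULESETS
SLocal_check_mail
# workspace: the raw MAIL FROM argument; put the authenticated user in front
R$*			$: $&{auth_authen} $| $1
# not authenticated: nothing to enforce here, the standard checks decide
R$| $*			$@ ok
# null sender is not one of the user's addresses: reject it
# (relax this if an authenticated downstream MTA has to relay bounces)
R$+ $| < >		$#error $@ 5.7.1 $: "571 null sender not allowed for authenticated users"
# canonify the sender into   user < @ domain . >   form
R$+ $| $*		$: $1 $| $>Parse0 $>3 $2
# look the sender address up in the virtuser map, keeping the auth user in front
R$+ $| $+ < @ $+ . > $*	$: $1 $| $(virtuser $2 @ $3 $: <NOMATCH> $)
R$+ $| <NOMATCH>	$#error $@ 5.7.1 $: "571 sender is not a known address"
# run-time macro match in the LHS: the map value must equal ${auth_authen}
# (matched token by token, case-insensitively; a multi-token value that does
# not spell the user name falls through to the rejection below)
R$+ $| $&{auth_authen}	$@ ok
R$*			$#error $@ 5.7.1 $: "571 sender address not allowed for this user"
```

With FEATURE(`delay_checks') this runs from check_rcpt, which is fine because ${auth_authen} is set at AUTH time, before MAIL FROM.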
