OT: Reject non local users with sendmail, help

Jim Holland mailscanner at mango.zw
Fri Oct 20 11:41:25 IST 2006


On Fri, 20 Oct 2006, Derek Catanzaro wrote:

> Does anyone out there have a working Reject non local users setup using
> sendmail?  I have pulled all the recipient names via LDAP and cannot
> find what I need to do next.  Basically, I want to only allow mail to
> the users I have listed in my relay_recipients file.  There are plenty
> of posts on this for postfix and other MTA's but I need this to work
> with sendmail.  I really need to limit the load my servers are seeing
> right now because it has been causing a small backup for the past week
> from time to time.  If I have to go through another day switching back
> and forth from my primary and secondary mailscanner servers issuing a
> "service MailScanner stop" then startout, then check_MailScanner (did
> this for several hours today) I'm gonna go nuts.
> 
> If anyone can provide any help on this I would greatly appreciate it.  
> An example of what you did in the /etc/mail/access file or an example of
> what you had to put in your /etc/mail/sendmail.mc would be great.  Also
> if the relay_recipients file should contain anything other than
> "jdoe at domain.com OK" that would be good to know as well.  Thanks for the
> help.
 
> MailScanner 4.49.7
> sendmail 8.13.5

Assuming that you are talking of a gateway machine that is feeding mail to
an internal server, then that is exactly what I have here.  My approach is
to use smf-sav for recipient address verification - a kind of poor man's
LDAP.  All I need in principle for our main domain are the following
entries on the gateway (mail.mango.zw) that is feeding mail to the
internal server fido.mango.zw on a private IP address:

access:

# fido.mango.zw
Connect:192.168.10.1            RELAY
To:mango.zw                     RELAY

mailertable:

mango.zw                        esmtp:[fido.mango.zw]

hosts:

192.168.10.1                    fido.mango.zw

In addition I run smf-sav:

	http://smfs.sourceforge.net/smf-sav.html

sendmail.mc:

dnl smf-sav support
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl
INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, T=S:30s;R:4m')dnl

You must have milter support compiled into your sendmail - I would 
recommend upgrading to 8.13.8 anyway.

When an incoming connection with mail for user at mango.zw is received, it is
intercepted by the smf-sav milter which then queries fido.mango.zw and
accepts or rejects the message accordingly.  If the link is down or the
milter crashes (which hasn't happened to me) then a message is accepted by
default, so it is failsafe.

I found it rather difficult to get to the above because I had to undo what
was previously a rather complex system using files mailed from one server
to the other and scripts to auto-generate a virtusertable file, and
because I had a number of other domains all being handled in different
ways and had to make sure that nothing broke in the changeover.  But if 
you were to start from scratch it could hardly be simpler.

I presume that this arrangement would work just as well if the internal 
server was an Exchange server - as long as it rejected mail to invalid 
recipients.

Is this what you are looking for?

Regards

Jim Holland
--
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
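
The accept/reject behaviour described in the message above, as an added example that is not part of the original post and is not smf-sav's code. It sketches the decision a recipient-verifying gateway makes from the internal server's RCPT TO reply. The function names, the example.com addresses and the timeout are assumptions; the sample backend is constructed so the block runs offline.

```python
import smtplib

ACCEPT, REJECT = "accept", "reject"


def decide(probe, rcpt):
    """Turn the internal server's RCPT TO reply into a gateway decision.

    probe(rcpt) returns an SMTP reply code, or raises if the server
    cannot be reached.
    """
    try:
        code = probe(rcpt)
    except (OSError, smtplib.SMTPException):
        # Link down or backend not answering: accept by default.
        return ACCEPT, "backend unreachable, accepted by default"
    if 500 <= code <= 599:
        return REJECT, f"backend refused recipient ({code})"
    if 200 <= code <= 299:
        return ACCEPT, f"backend accepted recipient ({code})"
    # 4xx and anything unexpected is treated like an outage.
    return ACCEPT, f"no definite answer ({code}), accepted by default"


def smtp_probe(host, timeout=30):  # timeout is an assumed value
    """Probe that asks `host` about one recipient without sending mail."""
    def probe(rcpt):
        with smtplib.SMTP(host, 25, timeout=timeout) as s:
            s.helo()
            s.mail("")              # null sender, MAIL FROM:<>
            code, _ = s.rcpt(rcpt)  # stop here: no DATA is ever sent
            s.rset()
            return code
    return probe


def fake_backend(valid, reply_for_unknown=550, up=True):
    """Constructed stand-in for the internal server; no network needed."""
    def probe(rcpt):
        if not up:
            raise ConnectionRefusedError("link down")
        return 250 if rcpt.lower() in valid else reply_for_unknown
    return probe


if __name__ == "__main__":
    users = {"jdoe@example.com"}  # constructed sample data
    for backend in (fake_backend(users), fake_backend(users, up=False)):
        for rcpt in ("jdoe@example.com", "nobody@example.com"):
            print(rcpt, *decide(backend, rcpt))
```

While the backend is unreachable every recipient is accepted, so mail for nonexistent users is queued on the gateway until the internal server is back and refuses it.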





