_o_________ ___ _______ A blog that hasn't yet lived up to it's title.

Thu, 09 Sep 2004

Restricting Incoming Mail to MX Hosts using Sendmail

When using an external server or servers to filter your mail, you want to make sure that spammers and worms cannot bypass the filtering servers and deliver unsanitized messages directly to the destination mail server. In order to do this, the destination MTA must check the IP address of the server trying to deliver a message and verify that it is one of the allowed hosts.

If you only have one domain on your sendmail server, or all domains use the same filtering hosts, this is fairly easy to accomplish using either a firewall, TCP wrappers, or a number of not-so-elegant entries in your access table. If you host a number of domains, these methods may not be acceptable.

I have written some sendmail rules to restrict delivery on a per-domain basis. Groups of scanning hosts, known as a scangroup, can be setup and each domain can belong to one scangroup. If a domain does not belong to a scangroup, messages to that domain are accepted as usual.

Two new maps need to be created, scandomain and scanhost. The scandomain map lists each domain that uses a scangroup and scanhost lists the IP addresses of each host in a scan group. The left hand side is the domain and IP address, respectively, and the right hand side is the scangroup name for both maps.

The rules which reject unauthorized delivery are added to the Local_check_rcpt ruleset so the rejection occurs after each RCPT TO: command. Because the mail server may also be used for message submission by MUAs, it accepts messages from authenticated users and IPs explicitly allowed to relay in either the relay-domains file or access map.

To enable scangroups, add the contents of scangroups.mc to the bottom of your sendmail.mc and regenerate your sendmail.cf. Don't forget to run makemap after setting up your scandomain and scanhost files.

If you're looking for a service to filter spam and viruses from your mail before they get to your mail server, please check out Postica, which I developed.

Updated - 5/2/2005: I updated the ruleset to reject messages with a temporary failure so that mail doesn't accidentally get rejected if DNS is being changed, and still points directly at the destination server.

tech » mail | Permanent Link

By:
Christian G. Warden

Subscribe

Something Else

Something Old

• February 2024 (1)
• March 2022 (1)
• January 2022 (1)
• September 2017 (1)
• July 2017 (1)
• January 2016 (2)
• September 2015 (1)
• November 2014 (1)
• October 2014 (1)
• September 2014 (5)
• September 2013 (2)
• August 2013 (1)
• August 2012 (2)
• June 2012 (1)
• May 2012 (2)
• December 2011 (1)
• August 2011 (1)
• May 2011 (1)
• February 2011 (1)
• November 2010 (2)
• November 2008 (3)
• February 2008 (1)
• September 2007 (1)
• August 2007 (2)
• May 2007 (3)
• March 2007 (6)
• February 2007 (3)
• January 2007 (1)
• December 2006 (2)
• November 2006 (3)
• October 2006 (2)
• September 2006 (1)
• July 2006 (1)
• June 2006 (4)
• May 2006 (6)
• April 2006 (4)
• March 2006 (5)
• February 2006 (4)
• January 2006 (5)
• November 2005 (9)
• October 2005 (7)
• September 2005 (2)
• August 2005 (6)
• July 2005 (6)
• June 2005 (14)
• May 2005 (9)
• April 2005 (15)
• March 2005 (17)
• February 2005 (9)
• January 2005 (5)
• December 2004 (5)
• November 2004 (7)
• October 2004 (12)
• September 2004 (9)

Somewhere Else

• Github
• LinkedIn