Thu, 09 Sep 2004

Restricting Incoming Mail to MX Hosts using Sendmail

When using an external server or servers to filter your mail, you want to make sure that spammers and worms cannot bypass the filtering servers and deliver unsanitized messages directly to the destination mail server. In order to do this, the destination MTA must check the IP address of the server trying to deliver a message and verify that it is one of the allowed hosts.

If you only have one domain on your sendmail server, or all domains use the same filtering hosts, this is fairly easy to accomplish using either a firewall, TCP wrappers, or a number of not-so-elegant entries in your access table. If you host a number of domains, these methods may not be acceptable.

I have written some sendmail rules to restrict delivery on a per-domain basis. Groups of scanning hosts, known as a scangroup, can be setup and each domain can belong to one scangroup. If a domain does not belong to a scangroup, messages to that domain are accepted as usual.

Two new maps need to be created, scandomain and scanhost. The scandomain map lists each domain that uses a scangroup and scanhost lists the IP addresses of each host in a scan group. The left hand side is the domain and IP address, respectively, and the right hand side is the scangroup name for both maps.

The rules which reject unauthorized delivery are added to the Local_check_rcpt ruleset so the rejection occurs after each RCPT TO: command. Because the mail server may also be used for message submission by MUAs, it accepts messages from authenticated users and IPs explicitly allowed to relay in either the relay-domains file or access map.

To enable scangroups, add the contents of to the bottom of your and regenerate your Don't forget to run makemap after setting up your scandomain and scanhost files.

If you're looking for a service to filter spam and viruses from your mail before they get to your mail server, please check out Postica, which I developed.

Updated - 5/2/2005: I updated the ruleset to reject messages with a temporary failure so that mail doesn't accidentally get rejected if DNS is being changed, and still points directly at the destination server.

tech » mail | Permanent Link

The state is that great fiction by which everyone tries to live at the expense of everyone else. - Frederic Bastiat