Internal.aliases

Last Update 2000-12-22

Notice: I changed the ruleset name down below. However, there's no guarantee it will work...

From: juan@physics.mcgill.ca (Juan Gallego)
Newsgroups: comp.mail.sendmail
Subject: Re: Internal aliases only
Date: 28 Oct 1997 14:26:43 GMT
Message-ID: <634sn3$856@sifon.cc.mcgill.ca>

[ posted and mailed ]

In article <6332ah$9sq$1@power42t.hkbu.edu.hk>
posted to comp.mail.sendmail on 27 Oct 1997 21:50:08 GMT,
Mr. Chow Wing Siu (wschow@Comp.HKBU.Edu.HK) wrote:

: In sendmail, how can I prevent external persons (outside-domain users)
: from accessing the aliases?  I have included many mailing lists in terms
: of /etc/aliases but those mailing lists may have the potential to
: be spammed by outsiders.  How can I, at the cf level, reject
: mail from OUTSIDE domains but accept it from the organizations
: or selected sites?

I implemented the following hack exactly for that purpose when our
internal distribution lists got hit by spam. I'm sure it could be
easily adapted to meet your needs.

Add the following to your m4 master configuration file:

#
LOCAL_CONFIG
Kprivate hash -o /etc/private
Kprivateok hash -o /etc/privateok
#
LOCAL_RULE_0
#
SLocal_check_rcpt
# check recipient. Let it through unless it's a private address 
# (possibly with host or local domain attached to it)
R$*			$: $>3 $1
R$-			$: $(private $1 $: OK $)
ROK			$@ OK non-private @ local
R$* < @ $* $=m . > $*	$: $(private $1 $: OK $)
R$* < @ $* > $*		$@ OK someone @ somewhere
ROK			$@ OK non-private @ here
# if private, check the sender (f macro). If the sender is local, let it
# through. The <@> and << >> hack is ugly, but I couldn't come up with a
# better way to treat user.something as a single token (any suggestions?)
RPRIVATE		$: $>3 $(dequote "" $&f $)
R$*			$: $1 <@>
R$* < @ $+ > $* < @ >	$: $1 << @ $2 >> $3
R$+ < @ >		$@ OK sender @ here
R$* << @ $* >> $*	$: $1 < @ $2 > $3
R$* < @ $* $=m . > $*	$@ OK address @ domain
# not a local sender. Get the relay (client_name)...
R$* < @ $+ . > $*	$: $1@$2 $| $>3 @ $(dequote "" $&{client_name} $)
# a particular sender through a valid relay is ok
R$+ $| $* < @ $+ . > $*	$: $(privateok $3:$1 $: $1 $) $| $3
ROK $| $*		$@ OK relay: user@host
# anyone from a given host/domain from a valid relay is also ok
R$-@$+ $| $+		$: $2 $| $3
R$+ $| $+		$: $(privateok $2:@$1 $: notOK $)
ROK $*			$@ OK relay: @host
# the rest can go to hell
R$*			$#error $@ 5.7.1 $: "571 private address."

The private map's keys are the list of private addresses with value PRIVATE:

list1	PRIVATE
list2	PRIVATE

The privateok keys are of the form relay:sender or relay:@host with values
OK:

relay.at.some.where:someone@some.where.else	OK
relay.at.some.where:@its.ok.too			OK

You can test the rules by invoking the test mode and predefining the
client_name and f macros with different combinations and then calling
the check_rcpt rule with the recipient's address.

Hope this helps,
--
Juan Gallego
Little ({sys,net}-{admin,hacker}) Boss


Claus Aßmann Please send comments to: <ca@mine.informatik.uni-kiel.de>