[Mimedefang] restricting senders who can post to a specific recipient

Tony Nugent tony at linuxworks.com.au
Fri Aug 23 22:11:01 EDT 2002 

  [apologies for my tendency for longish posts... please feel free
  to be ruthless in trimming any quoted replies]

I have a situation where I need to protect an email alias from
"unauthorised" use.  This alias expands to several thousand (!!)
organisational members, all kept in an external :include: file which
is regularly updated from an sql database.

  The alias exists for the sole purpose of allowing the organisation
  to send regular email postings to its members and other clients
  (as one of the services it offers).

  The situation that I need to create is that only specific senders
  from specific hosts/networks (within the organisation) can
  successfully post email to this alias.

  The alias name itself gets high exposure with these postings, and
  as a result it can (and does) attract both spam and MM viruses,
  and the unoccasional mis-directed reply message.

In the past I had set all this up by treating the alias as
restricted mailing list (a legacy of needing to do this a long time
ago with much older versions of m'defang).  It worked very well and
so I never bothered to change what wasn't broken.

The server was recently upgraded (rh73), and now uses sendmail
8.12.5 (with defang-2.16, SA-2.31, uvscan and friends).  As usual,
defang is working like a trooper :-)  (although I'm frequently
getting errors from SA, previously mentioned here and told that they
were non-fatal).

However, instead of using the mailing list trick (with either
majordomo or mailman), I would now much rather use defang itself for
doing this particular task.

It seems to me that it could be done in several ways.  My question
is: what is the best way to do it so that it will work in a failsafe
way?

The basic rules:

 - if the mail comes from an "allowed" user who is relaying from an
   internal IP address, only then should it be allowed to proceed.

 - in all other cases the email should be denied delivery (perhaps
   quarantined then dropped or rejected), a copy sent to an
   administrative address (perhaps as an attachment in a new
   message), and the incident syslog'ed.

 - if the alias is one of several recipients, then the alias
   should be removed from the recipient list (with appropriate
   syslog and admin/sender notification messages).  In reality this
   should never happen, so rejecting or dropping the message would
   probably be acceptable.

I've looked at the following functions:
	filter_recipient()	filter_sender()
	add_recipient()		delete_recipient()
	stream_by_recipient()	stream_by_sender()

All seem to be relevant to achieve the desired results, probably in
combination.  Each has slighly different semantics and outcomes.
Until now I have never needed to consider using any of them in my
filters, so once again its learning curve time :)

I'm a bit confused with how/when to use the filter_recipient() and
filter_sender() functions... at what stage of the m'defang filtering
process are they called?  Before filter_begin() ?  I assume that
filter_recipient() is called once for each recipient -- does this
mean that if the message is rejected for one recipient then it will
also occur for all other recipients?  Or will that recipient be
simply be removed from the eventual @Recipients list (something
which delete_recipient() would also do)?

Thanks for pointing me in the right direction... I'm sure it will
all become obvious once I get a handle on the mechanics of how all
these functions work.

And David, while I am here: thanks so much for creating (and
actively supporting) such a wonderfully useful utility... life would
have become an almost unmanageable nightmare for so many of us were
it not for what you are doing with mimedefang.  May your efforts
reward you with the prosperity you deserve.

Cheers
Tony

More information about the MIMEDefang mailing list