[Mimedefang] preventing allowed relays from acting as relays?

Brian Landers brian at bluecoat93.org
Sun Jan 26 19:17:01 EST 2003


Can anyone suggest a reasonably foolproof solution to this set
of requirements, using mimedefang or even just using sendmail?

1) we have an internal SMTP relay -- smtpmail.example.com that
is used to allow certain servers (mostly unix boxes) to send
mail either to the Internet or to our Exchange environment. This
is the only internal machine that's allowed to directly send
mail either into Exchange or out through the firewall.  We 
restrict access to this server by IP address, through the
standard sendmail access.db file.

2) recently we've had issues with people setting up their own
SMTP relay on a server that is allowed to use smtpmail, i.e.
Joe Blow has a machine 'foo' that needs to send mail, but 'foo'
isn't allowed to use smtpmail.  However, machine 'bar' IS 
allowed to use smtpmail, so Joe just installs Microsoft SMTP
service on 'bar' and sets up machine 'foo' to relay through it.

I want to be able to restrict smtpmail to only accept messages
that were SENT from a host, not mail that was relayed THROUGH
that host.  The question is, how?

I've thought about simply parsing the HEADERS file and bouncing
the message if it has a Received: header for a host other than
$RelayAddr, but will that work reliably?  Or is there a simpler
way to accomplish this?

Thanks in advance,
Brian


-- 
"I don't seem to be able to get flowers in any other color," he 
said, shrugging. "I guess it's because I'm not a flowers kind of 
guy. I seem to be pretty good at growing Venus Flytraps, and I 
managed to make it hail, but flowers...not so much." 
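
Added example, not part of the original post and not MIMEDefang's own code: a sketch of the Received: check proposed above, written as a mimedefang-filter fragment. The helper name foreign_hops, the bounce text, and the sample addresses and headers are assumptions made for illustration, and Received: headers with no bracketed address are treated as local submissions.

```perl
use strict;
use warnings;

our $RelayAddr;   # set by MIMEDefang to the connecting client's IP address

# Return the bracketed IPv4 addresses found in the "from" clauses of
# Received: headers that are neither loopback nor the connecting client.
# Each one is an earlier hop, i.e. evidence the client relayed the message.
sub foreign_hops {
    my ($client_ip, @header_lines) = @_;
    my @foreign;
    for my $line (@header_lines) {
        next unless $line =~ /^Received:\s*(.*)$/i;
        my ($from) = split /\sby\s/i, $1, 2;   # keep only the "from ..." clause
        next unless defined $from;
        for my $ip ($from =~ /\[(\d{1,3}(?:\.\d{1,3}){3})\]/g) {
            next if $ip eq $client_ip || $ip =~ /^127\./;
            push @foreign, $ip;
        }
    }
    return @foreign;
}

# MIMEDefang hook: ./HEADERS holds the unfolded headers, one per line.
# The local sendmail has not added its own Received: header at this point.
sub filter_begin {
    open(my $fh, '<', './HEADERS') or return;
    my @hops = foreign_hops($RelayAddr, <$fh>);
    close($fh);
    return action_bounce("Relaying through $RelayAddr is not permitted") if @hops;
}

# Stand-alone check on constructed headers (skipped when loaded by MIMEDefang).
unless (caller) {
    my @direct  = ("Received: (from root\@localhost) by bar.example.com id h0R0;\n",
                   "Subject: cron report\n");
    my @relayed = ("Received: from foo ([10.1.2.3]) by bar.example.com with Microsoft SMTPSVC;\n",
                   "Subject: hello\n");
    print "direct:  ", scalar(foreign_hops('10.1.2.9', @direct)), " foreign hop(s)\n";
    print "relayed: ", join(',', foreign_hops('10.1.2.9', @relayed)), "\n";
}
1;
```

The check depends on headers written by the sending side, so it only detects relays that record the earlier hop, and an allowed host whose own mail passes through a local hop with a non-loopback address would be bounced as well.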