[Mimedefang] Gods, how I love MD
Ole Craig
olc at cs.umass.edu
Mon Jul 26 10:07:26 EDT 2004
On 07/24/04 at 13:30, 'twas brillig and Lucas Albers scrobe:
>
> Ole Craig said:
> > We've been setting up a prototype MD+SA+Clamav "smtp firewall"
> > with the idea that it'll handle all inbound mail for machines on our
> > network before sending it on to the appropriate mailhub. As part of
> > this effort I sat down to write a generic sendmail.mc that we could
> > apply on hosts "behind" it, such that they wouldn't accept mail unless
> > it was relayed from the firewall or came from a user authenticated by
> > POP/IMAP or STARTTLS/PLAIN.
>
> Could you perhaps post the configuration steps you made on your secondary
> mail servers for this setup?
> I'm in the process of doing the same sort of thing.
Lucas -
Following are the additions I made to sendmail.mc for a host
that was already configured to do both SMTP AUTH under TLS and
POP/IMAP auth using access.db. Watch out for linewraps and whitespace.
-8<-cut-here--------
LOCAL_CONFIG
C{MXRelays} 0 127.0.0.1
# add "bastion" or "smtp gateway" host IPs to /etc/mail/MXRelays
F{MXRelays} /etc/mail/MXRelays
LOCAL_RULESETS
Sremovelocal
# remove RelayTo part (maybe repeatedly)
# R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*	$: $>removelocal $>3 $1 $3
R$*<@$*>$*	$@ $1<@$2>$3
# dequote local part
R$+	$: $>3 $(dequote $1 $)
R$*<@$*>$*	$: $>removelocal $1<@$2>$3
SLocal_check_rcpt
# check to see if smtp-auth has been invoked, accept if yes
R$*	$: $1 __authcheck__ $&{auth_type}
R$* __authcheck__ $+	$@ OK
# else return to previous workspace
R$* __authcheck__	$: $1
# check to see if relayed from a site-local machine
# get client addr
R$+	$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ OK	no client addr: directly invoked
R$={MXRelays}$* $| $*	$@ OK	allowed client
R$+ $| $*	$: $(access $1 $) $| $2	check IP in access.db
RRELAY $| $*	$@ OK	Relay in access.db
# otherwise, return to original workspace and kick it back in their
# face, with either a "relay denied" or "please use proper MX"
# depending on whether the address was local or not
R$* $| $*	$: $2
# remove local part, maybe repeatedly
R$+	$: $>removelocal $1
# still something left?
R$+ @ $+	$#error $@ 5.4.0 $: 550 Relay denied.\ Legitimate $j users may relay after successful POP/IMAP login or TLS/SSL SMTP authentication.
R$*	$#error $@ 5.7.0 $: 552 Please use proper MX!
-8<-cut-here--------
Cheers,
Ole
--
Ole Craig * UNIX, linux, SMTP-fu; news, web; SGI martyr * CS Computing
Facility, UMass * <www.cs.umass.edu/~olc/pgppubkey.txt> for public key
Need a seasoned *NIX admin in the Denver/Boulder area? Hire me!
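Added here as a reader's aid, not part of Ole's post or of sendmail: a small Python model of the Local_check_rcpt and removelocal decision logic above, handy for checking which recipients a host behind the gateway will accept before the rules go live. The local host names, gateway IPs, access.db entries and the octet-prefix reading of $={MXRelays}$* are constructed assumptions of this model.

```python
import re

# Constructed sample data (not from the post): hosts this machine treats as
# local ($=w), gateway IPs as they would appear in /etc/mail/MXRelays, and
# access.db entries of the kind a POP-before-SMTP daemon writes.
LOCAL_HOSTS = {"localhost", "mail.example.edu"}
MX_RELAYS = ["127.0.0.1", "192.0.2.10"]
ACCESS_DB = {"198.51.100.7": "RELAY", "203.0.113.9": "REJECT"}

def remove_local(rcpt, local_hosts=LOCAL_HOSTS):
    """Mirror of the removelocal ruleset: strip a trailing @<local host>,
    dequote what is left, and repeat until no local host remains."""
    while True:
        m = re.fullmatch(r'(.*)@([^@]+)', rcpt)
        if m is None or m.group(2).lower() not in local_hosts:
            return rcpt
        local = m.group(1)
        if len(local) >= 2 and local[0] == local[-1] == '"':
            local = local[1:-1]          # $(dequote ... $): "a@b" -> a@b
        rcpt = local

def is_mx_relay(client_addr, relays=MX_RELAYS):
    # $={MXRelays}$* : the class entry matches the whole address or a leading
    # run of octets (e.g. "192.0.2" matches 192.0.2.10); the prefix reading
    # is an assumption of this model, not a statement about sendmail.
    return any(client_addr == r or client_addr.startswith(r + ".") for r in relays)

def check_rcpt(rcpt, auth_type="", client_addr="", relays=MX_RELAYS,
               access_db=ACCESS_DB, local_hosts=LOCAL_HOSTS,
               hostname="mail.example.edu"):
    """Model of Local_check_rcpt: returns ("OK", why) or ("ERROR", dsn, text)."""
    if auth_type:                       # SMTP AUTH succeeded ($&{auth_type} set)
        return ("OK", "authenticated")
    if client_addr in ("", "0"):        # R0 $| $* : not an SMTP session
        return ("OK", "no client addr: directly invoked")
    if is_mx_relay(client_addr, relays):
        return ("OK", "allowed client")
    if access_db.get(client_addr) == "RELAY":   # $(access $1 $) lookup
        return ("OK", "Relay in access.db")
    # Untrusted client: classify the recipient after stripping local hosts.
    if "@" in remove_local(rcpt, local_hosts):
        return ("ERROR", "5.4.0",
                "550 Relay denied. Legitimate %s users may relay after "
                "successful POP/IMAP login or TLS/SSL SMTP authentication." % hostname)
    return ("ERROR", "5.7.0", "552 Please use proper MX!")
```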