[Mimedefang] Gods, how I love MD

Ole Craig olc at cs.umass.edu
Mon Jul 26 10:07:26 EDT 2004


On 07/24/04 at 13:30, 'twas brillig and Lucas Albers scrobe:
> 
> Ole Craig said:
> > 	We've been setting up a prototype MD+SA+Clamav "smtp firewall"
> > with the idea that it'll handle all inbound mail for machines on our
> > network before sending it on to the appropriate mailhub. As part of
> > this effort I sat down to write a generic sendmail.mc that we could
> > apply on hosts "behind" it, such that they wouldn't accept mail unless
> > it was relayed from the firewall or came from a user authenticated by
> > POP/IMAP or STARTTLS/PLAIN.
> 
> Could you perhaps post the configuration steps you made on your secondary
> mail servers for this setup?
> I'm in the process of doing the same sort of thing.

Lucas -
	Following are the additions I made to sendmail.mc for a host
that was already configured to do both SMTP AUTH under TLS and
POP/IMAP auth using access.db. Watch out for linewraps and whitespace.

-8<-cut-here--------
LOCAL_CONFIG

C{MXRelays} 0 127.0.0.1
# add "bastion" or "smtp gateway" host IPs to /etc/mail/MXRelays
F{MXRelays} /etc/mail/MXRelays

LOCAL_RULESETS
Sremovelocal
# remove RelayTo part (maybe repeatedly)
# R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*		$: $>removelocal $>3 $1 $3
R$*<@$*>$*		$@ $1<@$2>$3
# dequote local part
R$+			$: $>3 $(dequote $1 $)
R$*<@$*>$*		$: $>removelocal $1<@$2>$3

SLocal_check_rcpt
# check to see if smtp-auth has been invoked, accept if yes
R$*			$: $1 __authcheck__ $&{auth_type}
R$* __authcheck__ $+	$@ OK
# else return to previous workspace
R$* __authcheck__	$: $1

# check to see if relayed from a site-local machine

# get client addr
R$+			$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*		$@ OK		no client addr: directly invoked
R$={MXRelays}$* $| $*	$@ OK		allowed client
R$+ $| $*		$: $(access $1 $) $| $2		check IP in access.db
RRELAY $| $*		$@ OK				Relay in access.db


# otherwise, return to original workspace and kick it back in their
# face, with either a "relay denied" or "please use proper MX"
# depending on whether the address was local or not

R$* $| $*		$: $2

# remove local part, maybe repeatedly
R$+			$: $>removelocal $1
# still something left?
R$+ @ $+		$#error $@ 5.4.0 $: 550 Relay denied.\ Legitimate $j users may relay after successful POP/IMAP login or TLS/SSL SMTP authentication.

R$*			$#error $@ 5.7.0 $: 552 Please use proper MX!

-8<-cut-here--------

	Cheers,
		Ole
-- 
Ole Craig * UNIX, linux, SMTP-fu; news, web; SGI martyr * CS Computing
Facility, UMass * <www.cs.umass.edu/~olc/pgppubkey.txt> for public key

   Need a seasoned *NIX admin in the Denver/Boulder area? Hire me!
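The ruleset above distinguishes four cases (SMTP AUTH session, connection from a host in `MXRelays` or marked `RELAY` in access.db, an unauthenticated connection for a local recipient, and one for a non-local recipient). The following POSIX shell harness is an added example, not part of Ole's post: it feeds each case to sendmail's address-test mode (`sendmail -bt`, with `.D{name}value` defining the macros the rules consult and `-C` selecting the config to test) and reduces the printed result to a one-word verdict, so a test copy of the generated sendmail.cf can be checked before it is rolled out to the hosts behind the gateway. The `SENDMAIL_CF` variable, the `192.0.2.x` addresses and the recipient domains are constructed for the example; it assumes `192.0.2.10` is listed in `/etc/mail/MXRelays`, `192.0.2.200` is listed nowhere, and `example.com` is in the host's class `$=w`.

```shell
#!/bin/sh
# Added verification harness (not part of the original post): drive the
# posted Local_check_rcpt ruleset through sendmail -bt and print one verdict
# per scenario.

# Build the -bt input for one scenario.
#   $1 = value for ${client_addr} (the connecting host's IP)
#   $2 = value for ${auth_type}   ("" when the session did not use SMTP AUTH)
#   $3 = recipient address handed to Local_check_rcpt
# ".D{name}value" is sendmail's address-test syntax for defining a macro.
bt_input() {
    printf '.D{client_addr}%s\n.D{auth_type}%s\nLocal_check_rcpt %s\n' \
        "$1" "$2" "$3"
}

# Reduce sendmail -bt output (stdin) to ACCEPT, "REJECT <smtp-code>" or UNKNOWN.
# -bt prints the final workspace as "<ruleset> returns: ..." with every token
# separated by a space, so "$#error $@ 5.4.0 $: 550 ..." is printed as
# "$# error $@ 5 . 4 . 0 $: 550 ...".
verdict() {
    last=$(grep 'returns:' | tail -n 1)
    case "$last" in
        *'$# error'*)
            # the three-digit SMTP reply code follows the "$:" token
            code=$(printf '%s\n' "$last" | sed -n 's/.*\$: *\([0-9][0-9][0-9]\).*/\1/p')
            echo "REJECT ${code:-???}" ;;
        *'returns: OK'*)
            echo ACCEPT ;;
        *)
            echo UNKNOWN ;;
    esac
}

# Run one scenario against a configuration file and print "<label>: <verdict>".
# Assumes sendmail is in PATH; stderr (ownership warnings etc.) is dropped.
check_rcpt() {
    cf=$1; label=$2; client=$3; auth=$4; rcpt=$5
    result=$(bt_input "$client" "$auth" "$rcpt" | sendmail -bt -C"$cf" 2>/dev/null | verdict)
    echo "$label: $result"
}

# The four cases the posted ruleset distinguishes (addresses are constructed:
# 192.0.2.10 assumed in /etc/mail/MXRelays, 192.0.2.200 assumed unlisted,
# example.com assumed in $=w). Expected verdicts, read off the ruleset:
# ACCEPT, ACCEPT, "REJECT 550", "REJECT 552".
run_all() {
    cf=$1
    check_rcpt "$cf" "smtp-auth user from anywhere"   192.0.2.200 PLAIN user@example.com
    check_rcpt "$cf" "relay from gateway in MXRelays" 192.0.2.10  ''    user@example.com
    check_rcpt "$cf" "unknown host, local recipient"  192.0.2.200 ''    user@example.com
    check_rcpt "$cf" "unknown host, foreign recipient" 192.0.2.200 ''   user@elsewhere.test
}

# SENDMAIL_CF (assumed variable) names the test copy of sendmail.cf to check.
if [ -n "${SENDMAIL_CF:-}" ]; then
    run_all "$SENDMAIL_CF"
fi
```

Run it as `SENDMAIL_CF=/tmp/test-sendmail.cf sh check_rcpt.sh`; any line whose verdict differs from the expected list means the class file, access.db or `$=w` contents on that host do not match the policy the ruleset encodes.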


