[Mimedefang] Verifying sendmail aliases securely

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Mon Dec 11 03:38:19 EST 2006



On Fri, 8 Dec 2006, Kenneth Porter wrote:

> I don't want to expose the verification and expansion SMTP commands to the 
> outside world but it's useful to expose them to the internal local interface 
> for debugging. Should I do that from sendmail with some kind of sendmail.mc

LOCAL_RULESETS

# Hide EXPN command for non-locals
# (left- and right-hand sides of each R line are separated by tabs)
Scheck_expn
R$*		$: $&{client_addr}
R127.0.0.1	$@ OK
R194.95.66.3	$@ OK
R194.95.66.18	$@ OK
R$*		$#error $@ 5.5.1 $: "502 Command not implemented"


> Or am I better off doing this somehow from the sendmail command line?

sendmail -O ForwardPath= -bv Otto.Mustermann@mail

ForwardPath= suppresses a possibly heavy expansion, not interesting, if 
you just verify the existence of an address.

The command line handles any address sendmail can handle, the EXPN command 
works for local recipients only.

Unless there is no bug in sendmail, I don't see no reason to disable EXPN. 
Of course, you have to trust any user/process of the IPs you whitelist as 
well.

I use EXPN internally on a host that warns users of their over-quota 
status, for local delivery it makes no sense to send via SMTP as the user 
is overquota and the mail wouldn't be delivered, instead the mail is spooled 
manually in their mailboxes and sent via SMTP to external addresses only, 
be it user forwards or users without local mailbox.

Bye,

-- 
Steffen Kaiser
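A way to confirm that the check_expn ruleset in the message above behaves as intended, added here as an example and not part of the original post: the script sends EXPN and VRFY for a single address and classifies the replies, so it can be run once from a whitelisted address and once from any other host and the results compared. The names `probe` and `classify`, the `postmaster` test address and the HELO name are assumptions of this example.

```python
import smtplib


def classify(code):
    """Map an SMTP reply code to what it tells the client about the address."""
    if code == 252:
        return "noncommittal"   # server declines to confirm or deny
    if 200 <= code < 300:
        return "answers"        # server disclosed the verification/expansion
    if 500 <= code < 600:
        return "refused"        # e.g. the 502 produced by the check_expn ruleset
    return "other"              # 4xx or anything unexpected


def probe(host, port=25, address="postmaster", timeout=10):
    """Send EXPN and VRFY for one address and report how the server replied.

    Returns {"EXPN": (code, verdict, text), "VRFY": (code, verdict, text)}.
    """
    results = {}
    # local_hostname is a placeholder HELO name (assumption of this example);
    # setting it also avoids a DNS lookup for the local FQDN.
    with smtplib.SMTP(host, port, local_hostname="audit.example.test",
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()   # sendmail can be set to require HELO first
        for verb, call in (("EXPN", smtp.expn), ("VRFY", smtp.verify)):
            code, msg = call(address)
            results[verb] = (code, classify(code), msg.decode("latin-1"))
    return results


if __name__ == "__main__":
    import sys
    # Usage: python probe_expn.py <mail-host>
    for verb, (code, verdict, text) in probe(sys.argv[1]).items():
        print(f"{verb}: {code} {verdict} ({text})")
```

From a client that is not in the ruleset's list, EXPN should come back as `refused` with the 502 text; from 127.0.0.1 or another listed address it should come back as `answers`.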


