[Mimedefang] Rejecting mail only for non-authenticated users?

Andy Lyttle mimedefang at phroggy.com
Tue Aug 21 04:54:38 EDT 2007


Hi all,

I've got some great custom rules developed to reject messages based  
on the sender's IP address (or reverse DNS hostname).  I put these in  
filter_relay, and they're working great.  But then I realized...  I  
use the same server to handle incoming e-mail from other servers on  
port 25, and authenticated e-mail from my users on port 587 (sent  
with encryption and authentication).  If one of my users happens to  
be connecting from an IP address I don't want to accept spam from,  
how can I determine whether I'm dealing with an authenticated user or  
not?

I'm assuming this can't be done from filter_relay, but I'd be happy  
to move the code to filter_recipient if I can do it from there.  The  
important thing is that I want to reject the connection before  
receiving the DATA.

I could simply test the envelope sender's domain, but I want my users  
to be able to send mail from any e-mail address they like as long as  
they're authenticated, so that's not good enough.  If I could simply  
distinguish between connections to port 587 vs. connections to port  
25, that would be an acceptable alternative to distinguishing between  
authenticated users and anonymous connections, but I'd prefer to  
actually test for authentication.  Connections from IPs on my local  
subnet should count as authenticated even if they aren't really, but  
I can test for that myself.  Basically, any connection that Sendmail  
would accept relaying from, I want to trust too.

Any insight would be most appreciated.

~ Andy



