[Mimedefang] Locking down sendmail from behind a filtering gateway

John Von Essen john at quonix.net
Tue Feb 17 12:19:34 EST 2015


I am trying to figure out a way to lock down sendmail that sits behind a MD-SA filtering gateway.

Let me describe the setup…

I have two filtering gateways, on a public WAN, they receive the raw email, filter it, then relay it to my main mail server - which also sits on the same WAN. All three machines are publicly accessible and running no firewall. For performance reasons, I’d like to not run a software firewall on the mail server.

The mail server receives email from the filtering gateways via SMTP, and it also runs POP3 for clients to get their email. It does not perform SMTP relay for clients, that's handled by a separate server. The mail server is running sendmail.

So basically, I want to figure out a way to configure sendmail such that it accepts SMTP email from the filtering gateway machines (IP X.X.X.X) only, SMTP from the world would be denied.

Initially I thought I could do this with the access table, i.e.

Connect:1		REJECT
Connect:2		REJECT
…
…
Connect:254		REJECT
Connect:127.0.0.1	OK
Connect: X.X.X.X	OK

Where X.X.X.X is the IP of my filtering gateway. I “think” the above works, I did it once before a long time ago. But the problem is my mail server is also IPv6, so doing the above for IPv6 is not practical.

Any thoughts? The filtering gateways only have 1 NIC. Worst case, I can put a firewall on the mail server, but I didn't want to have to do that. Is there a way to make sendmail deny everything by default?

-John
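An added example, not from the post or from MIMEDefang: a small Python checker that parses an access table in the shape sketched above and applies sendmail's Connect: lookup order (full address first, then one trailing component stripped at a time), so you can see which client addresses a given table actually rejects. The table and the client addresses are constructed (X.X.X.X is replaced by the documentation address 192.0.2.10), and the IPv6 handling is simplified to comparing canonical 4-digit groups. A client with no matching entry returns None, which is the gap the post describes: sendmail's default then accepts the connection, so the table alone never denies IPv6 peers that are not listed.

```python
import ipaddress

# Constructed access table in the shape the post sketches: X.X.X.X is replaced
# by the documentation address 192.0.2.10 and one IPv6 gateway entry is added.
ACCESS_TABLE = """
Connect:1               REJECT
Connect:2               REJECT
Connect:127.0.0.1       OK
Connect:192.0.2.10      OK
Connect:IPv6:2001:db8::10   OK
"""

def norm_v6(key):
    """Canonicalise an IPv6: key (full address or leading groups) to 4-digit groups."""
    try:
        return ipaddress.IPv6Address(key).exploded
    except ValueError:
        return ":".join(f"{int(g, 16):04x}" for g in key.split(":"))

def parse_access(text):
    """Return {key: value} for the Connect: entries of an access table."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("Connect:"):
            continue
        key = parts[0][len("Connect:"):]
        if key.startswith("IPv6:"):
            key = "IPv6:" + norm_v6(key[5:])
        table[key] = parts[1].strip()
    return table

def lookup_keys(client):
    """Keys sendmail tries for a connecting address, most specific first: the
    full address, then one trailing component dropped at a time (10.1.2.3,
    10.1.2, 10.1, 10); IPv6 keys carry the IPv6: tag and are split on ':'."""
    addr = ipaddress.ip_address(client)
    if addr.version == 4:
        groups, sep, tag = str(addr).split("."), ".", ""
    else:
        groups, sep, tag = addr.exploded.split(":"), ":", "IPv6:"
    return [tag + sep.join(groups[:n]) for n in range(len(groups), 0, -1)]

def connect_verdict(table, client):
    """First matching table value, or None when no entry applies (sendmail's
    default then accepts the connection: the table alone never denies it)."""
    for key in lookup_keys(client):
        if key in table:
            return table[key]
    return None
```

Run `connect_verdict(parse_access(ACCESS_TABLE), "2001:db8:ffff::1")` to see an unlisted IPv6 peer fall through with no verdict, while `"1.2.3.4"` is caught by the `Connect:1` prefix entry.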
