With sendmail 8.13 on FC4, I currently have this behavior:
- any host can connect to the smtp port;
- relaying and local delivery are allowed if STARTTLS+AUTH are used;
- relaying and local delivery are allowed if the connecting host is one of the ones listed in /etc/mail/access;
- else local delivery is allowed.
What I want is to replace item #4 with "else mail is not accepted for delivery". I only want to accept "jwz.org" delivery if it's from my ISP's mail hosts, or AUTH. I don't want direct-connect spammers and viruses to be able to deliver to me.
Someone suggested FEATURE(relay_hosts_only) but that doesn't seem to do anything.
(As always, feel free to answer my sendmail question with "don't use sendmail" if you'd like me to ban you.)
I don't see what the problem is?
just don't accept the relay?
The question appears to be "how".
I can't give you a definitive one-line answer as I don't know the specifics of your mc file. However, you should look at STARTTLS docs, specifically the section where you can put into your access file whether or not an e-mail must be encrypted.
My assumption is that this line in your access file will work:
TLS_Srv:jwz.org ENCR:112
"How do I demand that all mail be encrypted" is not what I was asking. The messages in #2 are not.
The .mc file is pretty much stock FC4, except for the confCACERT stuff, and TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
AUTH should always skip any relay checks in the stock mc file. You can try:
TLS_Clt:jwz.org OK
...to allow TLS messages without AUTH (if you assume that hosts using TLS are likely not spammers), but I'm unaware of an access wildcard to just stop local delivery by default. It's possible that FEATURE(`blacklist_recipients') would work in conjunction with your rules, or it's possible that it would wind up rejecting every message to you.
have you had a look at having qpsmtpd as a frontend to sendmail?
No, and why would I? Have you looked at my Ban Stick?
Because its check_early_talkers feature alone is worth the 5 minutes it takes to set up.
You don't want to know where he puts it.
Because hacking perl scripts is a more satisfying waste of time than fiddling with m4 macros?
Oh crusty, tentacled god! That package is joining ed and intercal on my list of necessary software.
"How did you spend your friday night?"
"I wielded the mighty sword of perl on inbound email!"
"So. You were alone. Again."
Disclaimer: I don't use sendmail.
That said, I wonder if there's some kludge you can put at the bottom of an access db to reject everything not specified earlier. If it takes CIDR notation, well, maybe "0/0 REJECT"?
(untested, but I believe this is the right command.)
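To make the access-file lookup discussed in this thread concrete, here is an added illustration (written for this page, not sendmail's own code and not anything a poster supplied). It models how a Connect: entry in /etc/mail/access is matched for a connecting peer, following sendmail's documented order: the IP address is tried in full and then with trailing octets removed one at a time, and the host name is tried in full and then with leading labels removed. The sample table, the host names and the addresses are constructed; tags other than Connect:, delay_checks, and the ERROR:/5xx right-hand sides are left out. The point it shows is the one the thread keeps circling: a table that lists only RELAY entries still lets every unlisted host through to local delivery, and a CIDR-style "0/0" line is never among the keys this lookup tries.

```python
"""
Simplified model of sendmail's access_db Connect: lookup (added
illustration, not sendmail code).  Lookup order copies sendmail's
documented behaviour; everything else is deliberately omitted.
"""
from typing import Dict, Iterator, Optional

# Constructed sample of an access file in the state the thread describes:
# only relay permissions, no catch-all for everybody else.
SAMPLE_ACCESS = """\
# hosts allowed to relay through this box
Connect:127.0.0.1                RELAY
Connect:192.168.1                RELAY
Connect:smtp.example-isp.net     RELAY
# a block that is explicitly rejected
Connect:203.0.113                REJECT
"""

# Right-hand sides that end the session before delivery can happen.
DENYING = {"REJECT", "DISCARD"}


def parse_access(text: str) -> Dict[str, str]:
    """Turn access-file lines into {lhs: rhs}; comments and blanks are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1].strip()
    return table


def _connect_keys(ip: Optional[str], host: Optional[str]) -> Iterator[str]:
    """Yield the Connect: keys that would be tried, most specific first."""
    if ip:
        octets = ip.split(".")
        for n in range(len(octets), 0, -1):
            yield "Connect:" + ".".join(octets[:n])
    if host:
        labels = host.lower().split(".")
        for n in range(len(labels)):
            yield "Connect:" + ".".join(labels[n:])


def lookup_connect(table: Dict[str, str], ip: Optional[str] = None,
                   host: Optional[str] = None, default: str = "OK") -> str:
    """Return the first matching rhs, or the default (accept) when nothing matches."""
    for key in _connect_keys(ip, host):
        if key in table:
            return table[key]
    return default


def accepts_local_delivery(table: Dict[str, str], ip: Optional[str] = None,
                           host: Optional[str] = None) -> bool:
    """True when a session from this peer is allowed to proceed to delivery."""
    rhs = lookup_connect(table, ip, host).upper()
    return rhs not in DENYING and not rhs.startswith("ERROR:")


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for peer in ("192.168.1.7", "203.0.113.9", "198.51.100.5"):
        print(peer, lookup_connect(table, ip=peer),
              "delivery accepted:", accepts_local_delivery(table, ip=peer))
    # A CIDR-style catch-all (with or without the tag) is never one of the
    # keys the lookup tries, so an unlisted host is still accepted.
    table["0/0"] = "REJECT"
    table["Connect:0/0"] = "REJECT"
    print("198.51.100.5 after adding 0/0 REJECT:",
          accepts_local_delivery(table, ip="198.51.100.5"))
```

Run it as a script to see the three sample peers classified; the unlisted 198.51.100.5 comes back accepted both before and after the "0/0" lines are added, which is the default-accept behaviour the original poster wants to turn into default-deny.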
Add this line to the mail server's sendmail.cf:
Kaccess hash -o /etc/mail/access
That is equivalent to
FEATURE(`access_db', `hash -T /etc/mail/access_map')
in a sendmail.mc file.
I think the question is more specific than that. JWZ has the relaying figured out. What he wants to do is reject attempts at local delivery. Let's rephrase the question.
How can sendmail be configured to have a default deny stance on all activity from the MAIL verb forward in an smtp session?
What about undefining confLOCAL_MAILER and using an empty localtable (with FEATURE(localtable))? Sendmail should then reject any messages that are to be delivered locally, and if you ever have an exception you can add it to the localtable file, or alias around it, or use .forward.
Not sure this would work, but it's worth a try, I suppose.
It shouldn't work, and if it does it's a bug. Sendmail always uses the local mailer when performing final delivery for an address on that box (see virtusertable for how this works). If you turn off the local mailer, it simply won't accept e-mails for users on that machine, period, no matter how you try to trick it.
Oh, so that's what you wanted to do. Sorry for suggesting that, as
relay_hosts_only
doesn't cover delivery, just who can send mail through your server.
You could try using Milter to set up a list of trusted users or networks. It looks like milter-greylist does what you want, but I've never tried it.
I don't think sendmail has the ability to selectively allow inbound hosts, out of the box. If you are willing to run sendmail under xinetd, it's a relatively simple matter to add an 'only_from = [your ISP's SMTP servers]' to the sendmail config entry.
If I wanted to do that, I'd just use a firewall rule, not xinetd. That doesn't do what I'm asking for.