HPE Community
Operating System - HP-UX
1823058 Members
3137 Online
109645 Solutions
New Discussion юеВ

sendmail: make some users local only

 
SOLVED
Go to solution
Fred Martin_1
Valued Contributor

тАО05-10-2007 03:55 AM

тАО05-10-2007 03:55 AM

sendmail: make some users local only

We have one internal mail server (HPUX: sendmail).

It currently has our anti-spam gateway as the relay host. All non-local email is sent on to the anti-spam gateway via sendmail.

We have a company policy here - only certain users are permiited to use "internet" (non-local) email.

I need to find some method of preventing these users from sending email to domains other than ours.

I already have the list of users permitted to send outside email. They are in the sendmail user db:

/etc/mail/userdb.db

This was orginally set up for another reason, to give them "pretty" email addresses and to mask their ugly login ID, such as:

aem:mailname emiller@applicatorssales.com
emiller:maildrop aem

So the list of allowed users is already in there. Anyone without a userdb entry should be only be using email locally.

Anyway perhaps that's not useful but does anyone know of a good method for accomplishing this?

Thanks,

Fred
fmartin@applicatorssales.com
0 Kudos
Reply
11 REPLIES 11
Steven E. Protter
Exalted Contributor

тАО05-10-2007 04:43 AM

тАО05-10-2007 04:43 AM

Re: sendmail: make some users local only

Shalom Fred,

You are using a standard sendmail function to do the job. There is nothing wrong with it.

Other options to let users go to the gateway.

/etc/aliases

local outside@yahoo.com:

This will push the mail to an outside user which can be on your network.

virtusertables genericstables entries do the same thing, tell the system to look for a domain on outside accounts (genericstable) same basic system as aliases without the colon on the end.

However all methods are equally ugly and yours works. If its not broken why are you trying to fix it? What are we trying to prove?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Court Campbell
Honored Contributor

тАО05-10-2007 04:50 AM

тАО05-10-2007 04:50 AM

Solution

Re: sendmail: make some users local only

You can try this:

http://www.sendmail.org/~ca/email/restrict.html
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Reply
Fred Martin_1
Valued Contributor

тАО05-10-2007 05:24 AM

тАО05-10-2007 05:24 AM

Re: sendmail: make some users local only

Steven, sorry I wasn't clear. The userdb works in that it does replace the user's name with the prety version (i.e. fmartin instead of xfm).

What I'm trying to do is to prevent users that are -not- in the userdb, from sending external mail at all, only local email.

Fred
fmartin@applicatorssales.com
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО05-10-2007 05:41 AM

тАО05-10-2007 05:41 AM

Re: sendmail: make some users local only

Shalom,

Then redirect them to local accounts with genericstables. That should be the default anyway. I like the link you bunnied thats where I learned this stuff.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Fred Martin_1
Valued Contributor

тАО05-10-2007 09:10 AM

тАО05-10-2007 09:10 AM

Re: sendmail: make some users local only

Court,

The rule described in that link looks like it would do the trick. I can easily come up with a script to create an intern.only list based on local users that are not already in my userdb.

I'm not sure where to insert the ruleset into the cf file though.

Is the F command as shown to be taken literally or is {Internal} a parameter that I replace with something meaningful?

Thanks,
Fred
fmartin@applicatorssales.com
0 Kudos
Reply
Court Campbell
Honored Contributor

тАО05-10-2007 12:11 PM

тАО05-10-2007 12:11 PM

Re: sendmail: make some users local only

As you should already know you will want to do the following first.

cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak

then vi the file. Go to the section labeled

################
# local info #
################


add the line

F{Internal}/etc/mail/intern.only

around there.

Then search for

SLocal_check_rcpt

add the ruleset lines there. Save the file, restart sendmail, then test it out.
"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"
Reply
Fred Martin_1
Valued Contributor

тАО05-11-2007 01:25 AM

тАО05-11-2007 01:25 AM

Re: sendmail: make some users local only

I get no errors from sendmail when restarting but the additions don't seem to have any effect.

Wasn't sure of the format of the intern.only file, but I put a local user name (xfm) in there by itself on a line.

I also ran sendmail -bt and test things like:
> Check_local_rcpt xfm

I've attached the "check RCPT TO:" section of my sendmail.cf file, without the new rules, hoping someone can recommend where the lines should be placed.

I tried putting them in several spots in the attached section without any luck.

I think the trouble is, I've only a vague understanding of how the rules section works. I've been browsing the sendmail manual but still don't understand the general program flow.

Thanks in advance for help.

Fred
fmartin@applicatorssales.com
0 Kudos
Reply
Fred Martin_1
Valued Contributor

тАО05-11-2007 02:58 AM

тАО05-11-2007 02:58 AM

Re: sendmail: make some users local only

I inserted the code directly below the SLocal_check_rcpt line. To verify that it was being read, I changed the occurances of "OK" in the new rules to "oK" and ran sendmail -bt.

> Local_check_rcpt xfm
Local_check_rcpt input: xfm
canonify input:
canonify returns: < @ >
Local_check_rcpt returns: oK
>

So - the new rules certainly are being read.

Still, it isn't working.
fmartin@applicatorssales.com
0 Kudos
Reply
Fred Martin_1
Valued Contributor

тАО05-11-2007 05:07 AM

тАО05-11-2007 05:07 AM

Re: sendmail: make some users local only

I think I have some idea now but I'm not there yet.

If you look at the rules, it checks the sender first, then the recipient.

It returns an "OK" on the "someone else" line every time.

So, it thinks the sender xfm is not a local user. Therefore it quits, assuming that I am not a user that needs to be restricted.

When in -bt, I tested the contents of my intern.only file with this:

> $={Internal}
xfm

So, that works.

I'm guessing this has something to do with the "w" in the tests for $=w.

Not sure how to read that, other than $= should list the members of w.

Can someone help explain what this rule is doing exactly?

R$* $| $={Internal} <@$=w.> $: $1

fmartin@applicatorssales.com
0 Kudos
Reply
Fred Martin_1
Valued Contributor

тАО05-13-2007 07:31 AM

тАО05-13-2007 07:31 AM

Re: sendmail: make some users local only

Well I'm not sure what to make of this. I've been testing this all weekend.

Referring to the link provided by Court:

http://www.sendmail.org/~ca/email/restrict.html

I placed the rules directly below the line:

SLocal_check_rcpt

In my sendmail.cf file, it looked like this before inserting the rules:

SLocal_check_rcpt
Scheck_rcpt
...etc...

So I placed them right between the two 'S' lines, above.

I created the file 'intern.only' and put the required 'F' line in the .cf file. In -bt mode, I tested that, it properly reads and displays the contents of the file.

I've learned quite a bit about rule writing, the operators, and LHS/RHS by reading in the O'Reilly Sendmail book, and by reading tutorials online.

It appears that this should work, yet it seems to be completely ignored.

Any advise?
fmartin@applicatorssales.com
0 Kudos
Reply
Fred Martin_1
Valued Contributor

тАО05-14-2007 12:44 AM

тАО05-14-2007 12:44 AM

Re: sendmail: make some users local only

I began to suspect that this rule is not being called at all. So I wrote this:

SLocal_check_rcpt
R$* $#error $@ 5.1.8 $: "Error"

Then using -bt I tried it:

> Local_check_rcpt xfm
> Local_check_rcpt xfm
Local_check_rcpt input: xfm
Local_check_rcpt returns: $# error $@ 5 . 1 . 8 $: "error"

So that's good. Then I did this:

$ echo hey | sendmail xfm

The mail was delivered, no errors, no bounce.

Can I assume that Local_check_rcpt is not being called at all?
fmartin@applicatorssales.com
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.