Notice: I changed the ruleset name down below. However, there's no guarantee it will work...
From: juan@physics.mcgill.ca (Juan Gallego)
Newsgroups: comp.mail.sendmail
Subject: Re: Internal aliases only
Date: 28 Oct 1997 14:26:43 GMT
Message-ID: <634sn3$856@sifon.cc.mcgill.ca>

[ posted and mailed ]

In article <6332ah$9sq$1@power42t.hkbu.edu.hk> posted to comp.mail.sendmail
on 27 Oct 1997 21:50:08 GMT, Mr. Chow Wing Siu (wschow@Comp.HKBU.Edu.HK) wrote:
: In sendmail, how to prevent external (outside domain users) persons
: to access the aliases? I have included many mailing lists in terms
: of /etc/aliases but those mailing lists may have the potential to
: be spammed by outsiders. How to do in cf level to reject those
: mails from OUTSIDE domains but to accept from the organizations
: or selected sites?

I implemented the following hack exactly for that purpose when our
internal distribution lists got hit by spam. I'm sure it could be easily
adapted to meet your needs. Add the following to your m4 master
configuration file:

#
LOCAL_CONFIG
Kprivate hash -o /etc/private
Kprivateok hash -o /etc/privateok
#
LOCAL_RULE_0
#
SLocal_check_rcpt
# check recipient. Let it through unless it's a private address
# (possibly with host or local domain attached to it)
R$*			$: $>3 $1
R$-			$: $(private $1 $: OK $)
ROK			$@ OK				non-private @ local
R$* < @ $* $=m . > $*	$: $(private $1 $: OK $)
R$* < @ $* > $*		$@ OK				someone @ somewhere
ROK			$@ OK				non-private @ here
# if private, check the sender (f macro). If the sender is local, let it
# through. The <@> and << >> hack is ugly, but I couldn't come up with a
# better way to treat user.something as a single token (any suggestions?)
RPRIVATE		$: $>3 $(dequote "" $&f $)
R$*			$: $1 <@>
R$* < @ $+ > $* < @ >	$: $1 << @ $2 >> $3
R$+ < @ >		$@ OK				sender @ here
R$* << @ $* >> $*	$: $1 < @ $2 > $3
R$* < @ $* $=m . > $*	$@ OK				address @ domain
# not a local sender. Get the relay (client_name)...
R$* < @ $+ . > $*	$: $1@$2 $| $>3 @ $(dequote "" $&{client_name} $)
# a particular sender through a valid relay is ok
R$+ $| $* < @ $+ . > $*	$: $(privateok $3:$1 $: $1 $) $| $3
ROK $| $*		$@ OK				relay: user@host
# anyone from a given host/domain from a valid relay is also ok
R$-@$+ $| $+		$: $2 $| $3
R$+ $| $+		$: $(privateok $2:@$1 $: notOK $)
ROK $*			$@ OK				relay: @host
# the rest can go to hell
R$*			$#error $@ 5.7.1 $: "571 private address."

The private map's keys are the list of private addresses with value
PRIVATE:

list1	PRIVATE
list2	PRIVATE

The privateok keys are of the form relay:sender or relay:@host with
values OK:

relay.at.some.where:someone@some.where.else	OK
relay.at.some.where:@its.ok.too			OK

You can test the rules by invoking the test mode and predefining the
client_name and f macros with different combinations and then calling
the check_rcpt rule with the recipient's address.

Hope this helps,
-- 
Juan Gallego
Little ({sys,net}-{admin,hacker}) Boss
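
The order of checks the ruleset above applies, modeled in Python as an added example (it is not part of the original post and is not sendmail code). The local domain, map contents and addresses are constructed sample values, and sendmail's tokenization details are not modeled.

```python
# Added illustration: models the accept/reject order of the ruleset.
# All domains, map keys and addresses here are constructed sample values.
LOCAL_DOMAINS = {"example.edu"}        # stands in for class $=m
PRIVATE = {"list1", "list2"}           # keys of /etc/private
PRIVATEOK = {                          # keys of /etc/privateok
    "relay.partner.example:alice@partner.example",   # relay:sender
    "relay.partner.example:@trusted.example",        # relay:@host
}

def split_addr(addr):
    """Return (local_part, host); host is '' for an unqualified address."""
    addr = addr.strip().strip("<>").lower()
    if "@" not in addr:
        return addr, ""
    local, host = addr.rsplit("@", 1)
    return local, host.rstrip(".")

def is_local(host):
    """True for a local domain or any host below it ($* $=m)."""
    return any(host == d or host.endswith("." + d) for d in LOCAL_DOMAINS)

def check_rcpt(rcpt, sender, client_name):
    """Return (accepted, reason) for one recipient, in the rules' order."""
    local, host = split_addr(rcpt)
    # Recipient stage: only unqualified or local-domain recipients are looked up.
    if host and not is_local(host):
        return True, "someone @ somewhere"
    if local not in PRIVATE:
        return True, "non-private"
    # Sender stage: the envelope sender (f macro) is tested before the relay.
    s_local, s_host = split_addr(sender)
    if not s_host:
        return True, "sender @ here"
    if is_local(s_host):
        return True, "address @ domain"
    # Relay stage: try relay:user@host first, then relay:@host.
    relay = client_name.lower().rstrip(".")
    if f"{relay}:{s_local}@{s_host}" in PRIVATEOK:
        return True, "relay: user@host"
    if f"{relay}:@{s_host}" in PRIVATEOK:
        return True, "relay: @host"
    return False, "571 private address."

if __name__ == "__main__":
    for case in [("list1", "bob@example.edu", "pc1.example.edu"),
                 ("list1", "carol@trusted.example", "relay.partner.example"),
                 ("list1", "carol@trusted.example", "mx.other.example")]:
        print(case, "->", check_rcpt(*case))
```

In the model, as in the rules, a sender address in a local domain is accepted before the relay is consulted, so that branch is only as trustworthy as the envelope sender itself.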