• auth relay limiting

    From none@21:1/5 to All on Wed Jan 22 14:03:23 2025
    Currently when a user is authenticated it can send messages with any
    From (and envelope ?). I would like to limit this to only addresses
    that the user is configured to receive on.

    How would I go about implementing such a thing?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann @21:1/5 to none on Wed Jan 22 12:18:53 2025
    none wrote:

    Currently when a user is authenticated it can send messages with any
    From (and envelope ?). I would like to limit this to only addresses
    that the user is configured to receive on.

    How would I go about implementing such a thing?

    A custom ruleset.

    You might find some examples on "the 'net".

    Otherwise look at doc/op/op.* about rulesets and macros, esp.
    5.1.4.2. check_mail (and cf/README about Local_*)
    ${auth_authen}
    The client's authentication credentials as determined
    by authentication (only set if successful).

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From none@21:1/5 to All on Fri Jan 24 12:57:42 2025
    Currently when a user is authenticated it can send messages with any
    From (and envelope ?). I would like to limit this to only addresses
    that the user is configured to receive on.

    How would I go about implementing such a thing?

    A custom ruleset.

    You might find some examples on "the 'net".

    Otherwise look at doc/op/op.* about rulesets and macros, esp.
    5.1.4.2. check_mail (and cf/README about Local_*)
    ${auth_authen}
    The client's authentication credentials as determined
    by authentication (only set if successful).


    I found this
    https://www.sendmail.org/~ca/email/doc8.12/cf/m4/anti_spam.html

    The features described above make use of the check_relay, check_mail,
    and check_rcpt rulesets. If you wish to include your own checks, you can
    put your checks in the rulesets Local_check_relay, Local_check_mail, and
    Local_check_rcpt. For example if you wanted to block senders with all
    numeric usernames (i.e. 2312343@bigisp.com), you would use
    Local_check_mail and the regex map:

    LOCAL_CONFIG
    Kallnumbers regex -a@MATCH ^[0-9]+$

    LOCAL_RULESETS
    SLocal_check_mail
    # check address against various regex checks
    R$*				$: $>Parse0 $>3 $1
    R$+ < @ bigisp.com. > $*	$: $(allnumbers $1 $)
    R@MATCH			$#error $: 553 Header Error

    But how do I go about changing this in looking up all the auth's email
    addresses? I think I even use different cluster name because the
    incoming is different from the outgoing so that is a separate issue to
    solve.

    dn: sendmailMTAKey=example@example.com..........
    sendmailMTAMapValue: usertest
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    objectClass: sendmailMTAMapObject
    objectClass: ritAdditionalInfo
    sendmailMTAMapName: virtuser
    sendmailMTACluster: mail
    structuralObjectClass: sendmailMTAMapObject



    I only have README.cf that mentions these, and all related to rcpt not
    sender.

    [sendmail]# egrep 'auth_authen|check_mail' * -r
    README.cf:delay_checks The rulesets check_mail and check_relay will not be called
    README.cf:The features described above make use of the check_relay, check_mail,
    README.cf:Local_check_relay, Local_check_mail, and Local_check_rcpt. For
    README.cf:(i.e. 2312343@bigisp.com), you would use Local_check_mail and the
    README.cf: SLocal_check_mail
    README.cf:By using FEATURE(`delay_checks') the rulesets check_mail and check_relay
    README.cf:If check_mail returns an error then the RCPT TO command will be rejected
    README.cf:friend the exception. The rulesets check_mail and check_relay will be
    README.cf:check_mail and check_relay and make a SPAM hater the exception. The
    README.cf:has been issued, and from check_mail. The parameter is the value of
    README.cf:The macros ${auth_authen}, ${auth_author}, and ${auth_type} can be
    README.cf:R$* $: $&{auth_type} $| $&{auth_authen}
    README.cf: [i, {auth_type}, {auth_authen},
    README.cf: R$* $: $&{auth_authen}

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From none@21:1/5 to All on Mon Jan 27 12:14:10 2025
    On 22/01/2025 18:18, Claus Aßmann wrote:
    none wrote:

    Currently when a user is authenticated it can send messages with any
    From (and envelope ?). I would like to limit this to only addresses
    that the user is configured to receive on.

    How would I go about implementing such a thing?

    A custom ruleset.

    You might find some examples on "the 'net".

    You have maybe a link to a practical example? I have the impression
    there is not even a check_sender

    https://www.sendmail.org/~ca/email/rcpt_old.html

    How should this be rewritten so it looks up the from address in the
    virtual user table so it compares sendmailMTAMapValue with the auth?

    R$+				$: $>3 $1
    R$+				$: $(dequote $1 $)
    R$-				$@ ok		to here
    R$* % $*			$: relay attempt
    R$* @ $* < @ $* . >		$: relay attempt
    R$+ < @ $=w . >		$@ ok		to here
    R$+ < @ $={RelayTo} . >	$@ ok		allow relay to there
    R$+				$: $(dequote "" $&{client_addr} $)
    R0				$@ ok		client_addr is 0 for sendmail -bs
    R$={LocalIP}.$*		$@ ok		from here
    R$*				$#error $@ 5.7.1 $: "571 we do not support relaying"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
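
One way to write the custom ruleset discussed in this thread, as an added example that is not from any of the posters or from the sendmail distribution: a Local_check_mail that rejects an authenticated MAIL FROM unless the sender's virtusertable value equals ${auth_authen}. It assumes FEATURE(virtusertable) is in use (map name virtuser, as in the LDAP entry quoted above), that map values are plain login names, and that ${auth_authen} carries no realm suffix.

```m4
# Added example for the .mc file. Assumptions: the virtuser map exists and
# each of its values is exactly the login name held in ${auth_authen}.
# LHS, RHS and trailing comment fields are separated by TAB characters.
LOCAL_RULESETS
SLocal_check_mail
# prefix the envelope sender with the authenticated identity (empty if none)
R$*			$: $&{auth_authen} $| $1
# session is not authenticated: leave the decision to the standard checks
R$@ $| $*		$@ OK
# null sender <>: there is no address to look up
R$+ $| <>		$@ OK
# canonify the sender: user@example.com becomes user < @ example.com . >
R$+ $| $*		$: $>3 $2
# replace the address by its virtuser value, or <NOMATCH> when it has none
# (user+detail addresses are not stripped here, so they fail closed)
R$+ < @ $+ . > $*	$: $(virtuser $1 @ $2 $: <NOMATCH> $)
R$+ < @ $+ > $*		$: $(virtuser $1 @ $2 $: <NOMATCH> $)
R<NOMATCH>		$#error $@ 5.7.1 $: "550 sender address not permitted for this login"
# accept only when the mapped value is the authenticated login
R$&{auth_authen}	$@ OK
R$*			$#error $@ 5.7.1 $: "550 sender address not permitted for this login"
```

check_mail is given only the envelope sender from MAIL FROM, so the From: header is not covered by this ruleset and needs a separate header check.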