1. Forum
  2. Usenet
  3. COMP.MAIL.SENDMAIL

  • Whitelisting recipients on mail relay

    From Hauke Fath@21:1/5 to All on Fri Dec 30 22:10:55 2022
    Hi,

    my current application is a relay server front-end for a UUCP
    connection. While MX for the respective addresses, the MTA is not
    end-point for the mail domain, and so virtusertable entries do not work
    here. As a result, mail to invalid addresses will be pushed down the
    UUCP connection.

    Is there any other (convenient) way of whitelisting recipient addresses
    on a mail relay?

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Hauke Fath on Sat Dec 31 00:39:54 2022
    Hauke Fath wrote:

    connection. While MX for the respective addresses, the MTA is not
    end-point for the mail domain, and so virtusertable entries do not work

    Why not?
    See cf/README, esp.
    All the host names on the left hand side (foo.com, bar.com,
    and baz.org) must be in class {w} or class {VirtHost}. The
    latter can be defined by the macros VIRTUSER_DOMAIN or
    VIRTUSER_DOMAIN_FILE

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Grant Taylor@21:1/5 to All on Sat Dec 31 00:23:20 2022
    On 12/30/22 10:39 PM, Claus Aßmann wrote:
    Why not?

    I thought that classes {w} and {VirtHost} were for local mail delivery.

    Are you saying that they influence relayed email too?



    --
    Grant. . . .
    unix || die

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hauke Fath@21:1/5 to Hauke Fath on Sat Dec 31 16:28:06 2022
    Hauke Fath <[email protected]> wrote:

    Okay - let me see if I got this right...

    virtusertable appears to act in two phases - as an ACL listing valid addresses in a first step (enabled by setting VIRTUSER_DOMAIN), and as a table mapping virtual to local addresses in a second.

    And the second step (which I was worried about) is short-circuited by
    sending the message through a mailertable entry?

    Unfortunately, it isn't -- the mail, which is supposed to be relayed via
    UUCP, is delivered instead to the local account it is mapped to.

    So the original question remains open -- how to whitelist addresses to
    be relayed?

    Cheerio,
    Hauke


    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hauke Fath@21:1/5 to All on Sat Dec 31 16:17:57 2022
    Claus A�mann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
    wrote:

    Hauke Fath wrote:

    connection. While MX for the respective addresses, the MTA is not
    end-point for the mail domain, and so virtusertable entries do not work

    Why not?
    See cf/README, esp.
    All the host names on the left hand side (foo.com, bar.com,
    and baz.org) must be in class {w} or class {VirtHost}. The
    latter can be defined by the macros VIRTUSER_DOMAIN or
    VIRTUSER_DOMAIN_FILE

    Okay - let me see if I got this right...

    virtusertable appears to act in two phases - as an ACL listing valid
    addresses in a first step (enabled by setting VIRTUSER_DOMAIN), and as a
    table mapping virtual to local addresses in a second.

    And the second step (which I was worried about) is short-circuited by
    sending the message through a mailertable entry?

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marco Moock@21:1/5 to All on Sat Dec 31 18:55:09 2022
    Am 31.12.2022 um 16:28:06 Uhr schrieb Hauke Fath:

    So the original question remains open -- how to whitelist addresses to
    be relayed?

    Use access DB, deny the domain without user part and allow addresses [email protected] to RELAY.
    That should also work for UUCP, although not tested by me.

    --
    Gruß
    Marco
    PS: aioe ist bei mir in de.* gesperrt, weil von da sehr viel Müll
    kommt und es den Betreiber nicht kümmert.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andreas S. Kerber@21:1/5 to Hauke Fath on Sat Dec 31 18:58:35 2022
    Hauke Fath <[email protected]> wrote:
    Is there any other (convenient) way of whitelisting recipient addresses
    on a mail relay?


    mc file:
    HACK(`smartrcptcheck', `hash /etc/mail/rcptaccept')dnl


    all valid adresses in that db:

    adress@domain ACCEPT
    adress2@domain ACCEPT



    every adress not listed returns "550 User unknown":

    $ cat ./hack/smartrcptcheck.m4
    divert(-1)

    divert(0)
    VERSIONID(`$Id: smartrcptcheck.m4,v 1.1 2002/11/14 07:26:14 Exp $')

    LOCAL_CONFIG
    KRcptaccept defn(`_ARG_')

    LOCAL_RULESETS
    SLocal_check_rcpt
    R$+ <$+> <$2>
    R<$+> $+ $: $1
    R<$+> $: $1
    R$+@$={Rcptcheckdomains} $: <CHECK> $1@$2
    R<CHECK>$+ $: <CHECK>$(Rcptaccept $1 $)
    R<CHECK>$+@$+ $#error $@ 5.1.1 $: "550 User unknown"

    SLocal_check_mail
    R$+ <$+> <$2>
    R<$+> $+ $: $1
    R<$+> $: $1
    R$+@$={Rcptcheckdomains} $: <CHECK> $1@$2
    R<CHECK>$+ $: <CHECK>$(Rcptaccept $1 $)
    R<CHECK>$+@$+ $#error $@ 5.1.8 $: "550 User unknown"

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andreas S. Kerber@21:1/5 to Andreas S. Kerber on Sat Dec 31 19:04:10 2022
    Andreas S. Kerber <[email protected]> wrote:
    LOCAL_CONFIG
    KRcptaccept defn(`_ARG_')

    Forgot this one. Contains all domain names these rules shall apply to:

    F{Rcptcheckdomains}MAIL_SETTINGS_DIR`rcptcheckdomains'

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Hauke Fath on Sat Dec 31 15:05:24 2022
    Hauke Fath wrote:

    Is there any other (convenient) way of whitelisting recipient addresses
    on a mail relay?

    Hmm, I don't see any of the followups to my reply (yet?).

    How do you allow relaying?
    If you use access_db (which you should...) then you can try this
    option: (Again, see cf/README)

    `relaytofulladdress' enable entries of the form
    To:[email protected] RELAY
    to allow relaying to just a specific
    e-mail address instead of an entire domain.

    So list all valid rcpt addresses at the domain and it should do
    what you want.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Grant Taylor on Sun Jan 1 00:29:31 2023
    Grant Taylor wrote:

    I thought that classes {w} and {VirtHost} were for local mail delivery.

    Please read cf/README about {VirtHost}.

    Are you saying that they influence relayed email too?

    Again, see the fine documentation:

    VIRTUSER_DOMAIN_FILE is used, then the entries of class
    {VirtHost} are added to class {R}, i.e., relaying is allowed

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus =?iso-8859-1?Q?A=DFmann?= @21:1/5 to Hauke Fath on Sun Jan 1 00:32:42 2023
    Hauke Fath wrote:

    Unfortunately, it isn't -- the mail, which is supposed to be relayed via UUCP, is delivered instead to the local account it is mapped to.

    Why do you map to a local account?
    Have you tried mapping to the UUCP address?

    Please provide the relevant parts of your setup (how you allow
    relaying, how you select delivery via UUCP, which virtusertable
    entries apply),
    and an example (sendmail -bt ?) of what is going wrong.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrzej Adam Filip@21:1/5 to Hauke Fath on Sun Jan 1 16:02:03 2023
    [email protected] (Hauke Fath) wrote:
    Hi,

    my current application is a relay server front-end for a UUCP
    connection. While MX for the respective addresses, the MTA is not
    end-point for the mail domain, and so virtusertable entries do not work
    here. As a result, mail to invalid addresses will be pushed down the
    UUCP connection.

    Is there any other (convenient) way of whitelisting recipient addresses
    on a mail relay?

    Take a look at the comp.mail.sendmail thread below:

    https://groups.google.com/g/comp.mail.sendmail/c/owHMoZIAkDg
    Maintaining valid user list on relay
    May 11, 2006, 7:57:35 PM

    --
    [Andrew] Andrzej A. Filip

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hauke Fath@21:1/5 to Hauke Fath on Thu Jan 5 21:45:50 2023
    Hauke Fath <[email protected]> wrote:

    Is there any other (convenient) way of whitelisting recipient addresses
    on a mail relay?

    Thanks for all the contributions!

    It took me a few days to get on top of this; I am riding the tail of a
    Covid infection, and some days are better than others.

    I have tried out two approaches, and both worked fine.

    The first one uses "virtusertable" entries (listing the domains in "virtuserdomains") of the shape

    [email protected] [email protected]
    [...]
    @example.com error:nouser User unknown

    which lead to a configuration error, unless you limit recursion with

    define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_')

    (thanks, Andrzej).

    The second approach uses "access" entries like

    To:[email protected] RELAY
    [...]
    To:example.com ERROR:550:"User unknown"

    and requires invoking FEATURE(access_db) with "relaytofulladdress"
    (thanks, Claus) as well as setting

    FEATURE(`blocklist_recipients')

    for the default block.

    I ended up going with the second approach, since I had a stub
    "access_db" configuration in place already to control relaying, and
    didn't like the recursive mapping of "virtusertable".

    The main relay had originally been set up to deliver mail locally
    through "aliases" entries, but I decided to relay even local (root)
    mail, which required an extra

    define(`LOCAL_RELAY', `uucp-dom:uucphost')

    matching (and in addition to) the mailertable entry for the domain to
    get it right, even though I had emptied class {w} and set

    define(`confDONT_PROBE_INTERFACES')
    .

    The destination machine on the far end of the uucp link then maps all
    the addresses to local accounts with "virtusertable" entries.

    Cheerio,
    Hauke

    --
    Now without signature.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)