• access_db to:user@example.org RELAY does not work

    From Marco Moock@21:1/5 to All on Thu Jun 30 13:16:27 2022
    Hello,
    I am trying to create a whitelist of recipient addresses that can be
    relayed.
    I would like to allow only certain addresses, all others should be
    rejected.
    e.g. I would like to allow user1@example.org, user2@example.org and reject
    all other addresses like anything @example.org.

    This is a test system, but on a production system I want to avoid accepting mails for non-existing users and sending out bounce emails.

    In /etc/mail/access there is:
    To:ok@example.org RELAY
    To:example.org REJECT

    It is being used (I tried other entries and converted the DB with sendmailconfig), but it does not work as I thought it would.

    Although, I was able to create a blacklist:
    To:ok@example.org REJECT
    To:example.org RELAY
    does work, ok is being rejected, anything else is being relayed.


    250 xxx Hello xxxx [IPv6:2001:xxx] (may be forged), pleased to meet you
    mail from:<test@example.com>
    250 2.1.0 <test@example.com>... Sender ok
    rcpt to:<asddf@example.org>
    550 5.2.1 <asddf@example.org>... Mailbox disabled for this recipient
    rcpt to:<ok@example.org>
    550 5.7.1 <ok@example.org>... Relaying denied. IP name possibly forged [IPv6:xxx]

    I am aware that no PTR record is set, but this shouldn't be the problem
    here, because the "blacklist" works.

    blacklist recipients is enabled. I also did run sendmailconfig to create the database and convert mc to cf.

    divert(0)dnl
    define(`_USE_ETC_MAIL_')dnl
    include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
    VERSIONID(`$Id: sendmail.mc, v 8.15.2-22ubuntu3 2021-12-09 00:18:01 cowboy Exp $')
    OSTYPE(`debian')dnl
    DOMAIN(`debian-mta')dnl
    undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
    FEATURE(`no_default_msa')dnl
    DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=::1')dnl
    DAEMON_OPTIONS(`Family=inet6, Name=MTA-v6, Port=smtp, Addr=20xxxx')dnl
    DAEMON_OPTIONS(`Family=inet, Name=MTA-v4, Port=smtp, Addr=127.0.0.1')dnl
    define(`confPRIVACY_FLAGS', `needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
    define(`confCONNECTION_RATE_THROTTLE', `15')dnl
    define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
    FEATURE(`use_cw_file')dnl
    FEATURE(`access_db', , `skip')dnl
    FEATURE(`blacklist_recipients')dnl
    FEATURE(`greet_pause', `100')dnl 1 seconds
    FEATURE(`delay_checks', `friend', `n')dnl
    define(`confBAD_RCPT_THROTTLE',`3')dnl
    FEATURE(`conncontrol', `nodelay', `terminate')dnl
    FEATURE(`ratecontrol', `nodelay', `terminate')dnl
    include(`/etc/mail/m4/dialup.m4')dnl
    include(`/etc/mail/m4/provider.m4')dnl
    MAILER_DEFINITIONS
    MAILER(`local')dnl
    MAILER(`smtp')dnl


    What did I do wrong here?
    --
    kind regards
    Marco

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to Marco Moock on Thu Jun 30 12:49:50 2022
    Marco Moock wrote:

    > To:ok@example.org RELAY

    > rcpt to:<ok@example.org>
    > 550 5.7.1 <ok@example.org>... Relaying denied. IP name possibly forged

    > FEATURE(`access_db', , `skip')dnl

    You forgot to enable an option, see cf/README:

    Notice: If a second argument is specified it must contain the option
    `-T<TMPF>' as shown above. The optional parameters may be

    `skip'                enables SKIP as value part (see below).
    `lookupdotdomain'     another way to enable the feature of the
                          same name (see above).
    `relaytofulladdress'  enable entries of the form
                          To:user@example.com RELAY
                          to allow relaying to just a specific
                          e-mail address instead of an entire domain.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Marco Moock@21:1/5 to All on Fri Jul 1 12:11:36 2022
    On Thu, 30 Jun 2022 12:49:50 -0400 (EDT),
    Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org> wrote:

    > You forgot to enable an option, see cf/README:

    Thanks Claus for your answer.
    It did work after I changed it.

    The line looks like
    FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access', `relaytofulladdress')dnl
    if anybody else is interested.

    I think that should be documented in https://www.sendmail.org/~ca/email/doc8.12/cf/m4/anti_spam.html
    e.g. with an example of the access DB that relays to a full address and that the special option in the sendmail.mc access db FEATURE is necessary.
    --
    kind regards
    Marco

  • From Claus Aßmann@21:1/5 to Marco Moock on Fri Jul 1 06:58:45 2022
    Marco Moock wrote:

    > https://www.sendmail.org/~ca/email/doc8.12/cf/m4/anti_spam.html

    That's 8.12...

    The documentation which is relevant comes with the sendmail
    distribution.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.
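
Added example (not part of the original posts and not sendmail's own tooling): a shell lint for the mismatch resolved in this thread, where full-address `To:user@domain RELAY` entries in the access file do not permit relaying unless the access_db FEATURE carries `relaytofulladdress`. The function names, the constructed sample files, and the assumption that the FEATURE call sits on a single line are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: lint for full-address RELAY entries
# that sendmail ignores when access_db lacks the relaytofulladdress option.

# check_relay_to_full MC_FILE ACCESS_FILE   (hypothetical helper name)
# Returns 0 if consistent, 1 if such entries would be ignored, 2 if a file
# is unreadable. Assumes the FEATURE call sits on one line.
check_relay_to_full() {
    mc=$1 access=$2
    [ -r "$mc" ] && [ -r "$access" ] || return 2

    # Keys tagged To: with text on both sides of '@' and the value RELAY.
    entries=$(awk '!/^[ \t]*#/ && tolower($1) ~ /^to:[^@]+@[^@]+$/ &&
                   toupper($2) == "RELAY" { print $1 }' "$access")
    [ -n "$entries" ] || return 0

    # Active (not dnl-commented) access_db FEATURE line carrying the option.
    if grep -v '^[[:space:]]*dnl' "$mc" | grep 'FEATURE(`access_db' |
            grep -q 'relaytofulladdress'; then
        return 0
    fi
    echo "access_db lacks relaytofulladdress; entries that will not relay:" >&2
    echo "$entries" >&2
    return 1
}

# Constructed sample files mirroring the thread (not the poster's real files).
write_samples() {
    printf '%s\n' 'To:ok@example.org RELAY' 'To:example.org REJECT' > "$1/access"
    printf '%s\n' "FEATURE(\`access_db', , \`skip')dnl" > "$1/before.mc"
    printf '%s\n' "FEATURE(\`access_db', \`hash -T<TMPF> /etc/mail/access', \`relaytofulladdress')dnl" > "$1/after.mc"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_relay_to_full "$tmp/before.mc" "$tmp/access" || echo "before.mc: option missing"
check_relay_to_full "$tmp/after.mc" "$tmp/access" && echo "after.mc: consistent"
rm -rf "$tmp"
```

Domain-only entries such as `To:example.org RELAY` pass the check without the option, since only full-address keys depend on it.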
