• access_db not recognized

    From Marco Moock@21:1/5 to All on Sun Sep 3 13:43:11 2023
    Hello everyone!

    I would like to use accessdb to block certain recipient domains and
    only allow some addresses to be locally delivered (to avoid backscatter attacks).
    First, I only test to block one address.

    For me, that looks fine and means the access db hash database includes
    the option.

    m@srv1:/etc/mail$ sudo sendmail -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    /map access To:bla@test.dorfdsl.de
    map_lookup: access (To:bla@test.dorfdsl.de) returns REJECT (0)

    Although, the MTA doesn't care about it.

    m@srv1:/etc/mail$ sudo /usr/lib/sendmail -bv bla@test.dorfdsl.de
    bla@test.dorfdsl.de... deliverable: mailer esmtp, host test.dorfdsl.de, user bla@test.dorfdsl.de
    m@srv1:/etc/mail$

    define(`_USE_ETC_MAIL_')dnl
    include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
    VERSIONID(`$Id: sendmail.mc, v 8.17.1.9-2 2023-01-11 23:26:28 cowboy Exp $')
    OSTYPE(`debian')dnl
    DOMAIN(`debian-mta')dnl
    undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
    FEATURE(`no_default_msa')dnl
    DAEMON_OPTIONS(`Family=inet6, Name=MTA, Port=smtp')dnl
    DAEMON_OPTIONS(`Family=inet6, Name=MSP, Port=submission, M=Ea')dnl
    DAEMON_OPTIONS(`Family=inet6, Name=MSP, Port=submissions, M=sEa')dnl
    define(`confPRIVACY_FLAGS',dnl
    `needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
    define(`confCONNECTION_RATE_THROTTLE', `15')dnl
    define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
    FEATURE(`use_cw_file')dnl
    FEATURE(`access_db',, `relaytofulladdress')dnl
    FEATURE(`blocklist_recipients')dnl
    define(`confBAD_RCPT_THROTTLE',`3')dnl
    include(`/etc/mail/sasl/sasl.m4')dnl
    TRUST_AUTH_MECH(`PLAIN')dnl
    define(`confAUTH_MECHANISMS', `PLAIN')dnl
    include(`/etc/mail/tls/starttls.m4')dnl
    dnl Conf lines for certificate, removed here for simplicity
    FEATURE(`virtusertable')dnl
    VIRTUSER_DOMAIN_FILE(`/etc/mail/virtuserdomains')
    define(`confLOCAL_MAILER', `cyrusv2')dnl
    MAILER_DEFINITIONS
    MAILER(`local')dnl
    MAILER(`cyrusv2')dnl
    MAILER(`smtp')dnl

    access db is listed in .cf:

    m@srv1:/etc/mail$ grep ^K /etc/mail/sendmail.cf
    Kresolve host -a<OKR> -T<TEMP>
    Karith arith
    Kmacro macro
    Kdequote dequote
    Kaccess hash -T<TMPF> /etc/mail/access
    Kvirtuser hash /etc/mail/virtusertable
    m@srv1:/etc/mail$

    What is the problem?

    --
    kind regards
    Marco

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Kalevi Kolttonen@21:1/5 to Marco Moock on Sun Sep 3 12:51:24 2023
    Marco Moock <mo01@posteo.de> wrote:
    For me, that looks fine and means the access db hash database includes
    the option.

    m@srv1:/etc/mail$ sudo sendmail -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter <ruleset> <address>
    /map access To:bla@test.dorfdsl.de
    map_lookup: access (To:bla@test.dorfdsl.de) returns REJECT (0)

    Although, the MTA doesn't care about it.

    m@srv1:/etc/mail$ sudo /usr/lib/sendmail -bv bla@test.dorfdsl.de
    bla@test.dorfdsl.de... deliverable: mailer esmtp, host test.dorfdsl.de, user bla@test.dorfdsl.de
    m@srv1:/etc/mail$
    [...]
    What is the problem?

    It's been a while since I worked with Sendmail, but I seem
    to remember that this is a (mis)feature of the "-bv" option.

    Just test with:

    telnet localhost 587

    or

    telnet localhost 25

    and manually create an SMTP session. I am pretty sure
    that your bla@test.dorfdsl.de will be rejected during
    the session, just like it should.

    br,
    KK

  • From Marco Moock@21:1/5 to All on Sun Sep 3 17:22:54 2023
    On 03.09.2023 at 12:51:24, Kalevi Kolttonen wrote:

    It's been a while since I worked with Sendmail, but I seem
    to remember that this is a (mis)feature of the "-bv" option.

    Thanks.

    That IS exactly the issue.
    Now it would be interesting why that is the case (maybe intentionally).

  • From Claus Aßmann@21:1/5 to Marco Moock on Mon Sep 4 02:15:48 2023
    Marco Moock wrote:

    Now it would be interesting why that is the case (maybe intentionally).

    See the fine documentation:

    5.1.4.3. check_rcpt

    The check_rcpt ruleset is passed the user
    name parameter of the SMTP RCPT command. ...

    That's where your "To:address" access_db entry is used.
    sendmail -bv doesn't use SMTP.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.
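
The manual SMTP session suggested in the thread, scripted as an added example (not code from any of the posters): it stops after RCPT TO, the point where check_rcpt and a To: access entry apply, and never sends DATA. FakeMTA, BLOCKED, probe_rcpt, verdict and the ok@ address are constructed for illustration; the fake server only stands in for an MTA so the block runs offline.

```python
import smtplib, socketserver, threading

BLOCKED = {"bla@test.dorfdsl.de"}  # constructed stand-in for the To: REJECT entry

class FakeMTA(socketserver.StreamRequestHandler):
    """Constructed test server: applies recipient policy at RCPT, as check_rcpt does."""
    def handle(self):
        self.wfile.write(b"220 fake.example ESMTP\r\n")
        for raw in self.rfile:
            line = raw.strip()
            verb = line[:8].upper()
            if verb == b"RCPT TO:":
                addr = line[8:].strip(b" <>").decode().lower()
                ok = addr not in BLOCKED
                self.wfile.write(b"250 ok\r\n" if ok else b"550 constructed reject\r\n")
            elif verb.startswith(b"QUIT"):
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"250 ok\r\n")

def probe_rcpt(host, port, rcpt, mail_from="probe@localhost"):
    """Run EHLO, MAIL FROM, RCPT TO, then RSET; no DATA, so nothing is queued.
    Returns (stage, code, text) for the command that decided the outcome."""
    with smtplib.SMTP(host, port, local_hostname="probe.localhost", timeout=10) as s:
        s.ehlo_or_helo_if_needed()
        code, text = s.mail(mail_from)
        if code != 250:                 # e.g. a port that demands AUTH first
            return ("MAIL", code, text.decode(errors="replace"))
        code, text = s.rcpt(rcpt)
        s.rset()
        return ("RCPT", code, text.decode(errors="replace"))

def verdict(code):
    """Map an SMTP reply code to its class by first digit."""
    return {2: "accepted", 4: "tempfail", 5: "rejected"}.get(code // 100, "unexpected")

def demo():
    """Probe the constructed server; point probe_rcpt at your own MTA instead."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMTA)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = srv.server_address[1]
        return {a: verdict(probe_rcpt("127.0.0.1", port, a)[1])
                for a in ("bla@test.dorfdsl.de", "ok@test.dorfdsl.de")}  # second is constructed
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```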
