Fedora Linux Support Community & Resources Center

  #1  
Old 10th August 2005, 09:49 AM
log Offline
Registered User
 
Join Date: Aug 2005
Posts: 3
how to reject ALL internet domain except whitelist using sendmail access file

I know how to reject an individual TLD domain, it is well described a billion times in the sendmail docs,
Code:
From:bad    REJECT
From:good   OK
but is it possible to reject all domains? Now I use something ugly like
Code:
from:com                        REJECT
from:ru                         REJECT
from:it                         REJECT
from:ro                         REJECT
from:hu                         REJECT
...
from:net                        REJECT
from:org                        REJECT
from:fr                         REJECT
from:de                         REJECT
from:good_customer1@man.ok      OK
from:good_customer2@man.ok      OK
...
It does not work well because eventually spam messages get in using weird first-level domain names.
I tried
Code:
From:@ REJECT
From:. REJECT
From:*. REJECT
and a lot of similar patterns, but it does not work.
  #2  
Old 10th August 2005, 11:35 AM
fsck Offline
Registered User
 
Join Date: May 2005
Location: London, UK
Posts: 704
I don't think you can do what you are trying to do with stock sendmail, you might want to try postfix instead?
A more elegant solution might be to provide certificates to people who want to send you mail, and reject any non-certified senders using TLS/SSL. This is something you can do with sendmail.
__________________
Want to get better answers? Learn to ask better questions!
fukka.co.uk for spamassassin rules and random garbage.
  #3  
Old 10th August 2005, 12:04 PM
log Offline
Registered User
 
Join Date: Aug 2005
Posts: 3
Sorry, but it is a very small office FreeBSD 4.7 IMAP server (cel266) that I can only tweak, not change a lot (personally I would prefer to replace it with FC4, but our ISP does not provide support if I change it). BTW, we use an Orinoco wireless adapter for internet access and I gave up trying to make it work stably in FC4.
So if it is not possible, maybe it is a good idea to copy all TLDs from IANA http://data.iana.org/TLD/tlds-alpha-by-domain.txt? Does it guarantee a full list of first-level domains?
  #4  
Old 10th August 2005, 02:20 PM
fsck Offline
Registered User
 
Join Date: May 2005
Location: London, UK
Posts: 704
It's probably close enough, and to stop spammers from using domains that don't exist or resolve, you could also look at commenting out "FEATURE(`accept_unresolvable_domains')" from sendmail.mc.
Also, consider denying connections to the mail service by TCP/IP. 2 ways to do this:
Code:
 172.16     DENY
would deny all mail from 172.x.x.x so logically
Code:
1       DENY
2       DENY
...
254     DENY
will deny mail from all IP addresses, then just make sure your good relays have OK records. Note that I have never tried this, so it might not work.
If you know the remote mailserver IP addresses you can also use the BSD packet filter to block all connections to port 25 except those from known good mailservers.
__________________
Want to get better answers? Learn to ask better questions!
fukka.co.uk for spamassassin rules and random garbage.

Last edited by fsck; 10th August 2005 at 02:27 PM.
  #5  
Old 10th August 2005, 11:26 PM
log Offline
Registered User
 
Join Date: Aug 2005
Posts: 3
Quote:
Originally Posted by fsck
Code:
1       DENY
2       DENY
...
254     DENY
will deny mail from all IP addresses, then just make sure your good relays have OK records. Note that I have never tried this, so it might not work.
Thanks a lot, I will try it. Sure it will make my boss happy (he is bored with endless spam that penetrates any filter and is making this radical change to stop all except a small number of selected customers from accessing the office server).

Last edited by log; 10th August 2005 at 11:28 PM.
  #6  
Old 13th May 2012, 12:29 PM
quirks1 Offline
Registered User
 
Join Date: May 2012
Location: Nonoyabiznes
Posts: 1
Re: how to reject ALL internet domain except whitelist using sendmail access file

I know this thread is stone-age old, but I had the same problem and came up with a solution. It might be helpful for others who come across this post via Google like me. So mods, please don't crucify me.

As of 2012, sendmail still does not support white-listing (sigh). Access db is not suitable for this, because it is a black-list and trying to implement white-listing with a black-list is like trying to make a fence water-proof. If you cannot use the (in countless ways) superior postfix and are stuck with sendmail for whatever reason, then here is what you can do:

If you want to white-list based on sender addresses, put this at the end of your sendmail.mc:

Code:
LOCAL_CONFIG
Kwhitelist hash -T<TMPF> -aOK /etc/mail/whitelist
LOCAL_RULESETS
SLocal_check_mail
R$*     $: $(whitelist From:$1 $: ? $)
R?      $: $(whitelist Connect:$&{client_addr} $)
ROK     $@ OK
R$*     $#error $: 550 Access denied
If, on the other hand, you want to white-list based on recipient addresses, put this at the end of your sendmail.mc (it's practically the same code, the main difference being that the recipient instead of the sender is checked):

Code:
LOCAL_CONFIG
Kwhitelist hash -T<TMPF> -aOK /etc/mail/whitelist
LOCAL_RULESETS
SLocal_check_rcpt
R$*     $: $(whitelist To:$1 $: ? $)
R?      $: $(whitelist Connect:$&{client_addr} $)
ROK     $@ OK
R$*     $#error $: 550 Access denied
You can use both methods in conjunction, which would look like this:

Code:
LOCAL_CONFIG
Kwhitelist hash -T<TMPF> -aOK /etc/mail/whitelist
LOCAL_RULESETS
SLocal_check_mail
R$*     $: $(whitelist From:$1 $: ? $)
R?      $: $(whitelist Connect:$&{client_addr} $)
ROK     $@ OK
R$*     $#error $: 550 Access denied
SLocal_check_rcpt
R$*     $: $(whitelist To:$1 $: ? $)
R?      $: $(whitelist Connect:$&{client_addr} $)
ROK     $@ OK
R$*     $#error $: 550 Access denied
But please beware that then the sender AND recipient addresses of a mail must have a match in the white-list. For example, if you white-listed sender@example.com and recipient@example.com, then the only accepted mails are those that have exactly this sender AND recipient. It does NOT mean that any mail from sender@example.com OR to recipient@example.com is accepted.

No matter which method you choose, create a file /etc/mail/whitelist with the following content:

Code:
# This file contains a whitelist of e-mail and IP addresses.
# E-mail addresses listed here may send/receive mails to/from any host.
# Client IP addresses listed here are not affected by whitelisting, i.e.,
# they may send mail to/from any address.
# Any other requests will be REJECTed.
#
# Entries may have one of the following formats (the availability of
# "From" and "To" depends on whether sender or recipient checking is enabled):
#   From:<e-mail address of sender>
#   To:<e-mail address of recipient>
#   Connect:<IP address of client>
#
# It is NOT possible to specify wild-cards or to use full domains
# (e.g., "To:@example.com" in order to accept everything sent to an
# address ending on "@example.com").
# Make sure not to insert any whitespace.
#
# If you make any changes to this file, regenerate the database via
# makemap -e hash /etc/mail/whitelist.db < /etc/mail/whitelist
#
#
#
# white-listed senders
#
From:sender@example.com
#
# white-listed recipients
#
To:recipient@example.com
#
# do not restrict local connections
#
Connect:127.0.0.1
Connect:IPv6:::1
Connect:
Finally, build the white-list db and reload sendmail.

Code:
makemap -e hash /etc/mail/whitelist.db < /etc/mail/whitelist
/etc/init.d/sendmail reload

Last edited by quirks1; 13th May 2012 at 12:32 PM.
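
The format rules from the whitelist file's comments and the accept/reject logic of the two rulesets in post #6, modelled in Python as an added example (not code from the post or from sendmail). It assumes keys are lower-cased on lookup, the default for sendmail maps built and queried without `-f`, and that addresses reach the rulesets bare, as the post's whitelist keys imply; `load`, `ruleset` and `accept` are hypothetical names and the sample file is constructed.

```python
import re

# Constructed sample in the format of the post's /etc/mail/whitelist
# (the last two lines are deliberate mistakes the linter should flag).
SAMPLE = """\
# white-listed senders
From:sender@example.com
To:recipient@example.com
Connect:127.0.0.1
Connect:IPv6:::1
Connect:
To:@example.com
From: spaced@example.com
"""

ENTRY = re.compile(r"^(From|To|Connect):(.*)$")

def load(text):
    """Return (keys, problems); keys are lower-cased (assumed default map folding)."""
    keys, problems = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            problems.append((n, "unknown prefix"))
        elif re.search(r"\s", line):
            problems.append((n, "whitespace in entry"))
        elif "*" in m.group(2) or (m.group(1) != "Connect" and m.group(2).startswith("@")):
            problems.append((n, "wildcard/domain-only entries never match"))
        elif m.group(1) != "Connect" and m.group(2).count("@") != 1:
            problems.append((n, "not a full e-mail address"))
        else:
            keys.add(line.lower())
    return keys, problems

def ruleset(keys, tag, address, client_addr):
    """One Local_check_* ruleset: address lookup, then Connect: fallback, else 550."""
    if f"{tag}:{address}".lower() in keys:
        return "OK"
    if f"connect:{client_addr}".lower() in keys:
        return "OK"
    return "550 Access denied"

def accept(keys, sender, rcpt, client_addr, check_mail=True, check_rcpt=True):
    """Mail passes only if every enabled ruleset returns OK (the AND behaviour)."""
    checks = [("from", sender, check_mail), ("to", rcpt, check_rcpt)]
    return all(ruleset(keys, t, a, client_addr) == "OK" for t, a, on in checks if on)
```

Running `load` on the file before `makemap` catches entries that would silently never match; `accept` shows why enabling both rulesets rejects a white-listed sender writing to a recipient that is not listed.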
  #7  
Old 13th May 2012, 01:10 PM
glennzo Offline
Un-Retired Administrator
 
Join Date: Mar 2004
Location: Salem, Mass USA
Posts: 14,543
Re: how to reject ALL internet domain except whitelist using sendmail access file

How about if I just close the thread and leave it at that?
__________________
Glenn
The Bassinator © ®

Laptop: Toshiba Satellite / Intel Core 2 Duo 1.73 GHz / 2GB / 160GB / Intel Mobile 945GM/GMS/GME/943/940GML Integrated Graphics
Desktop: BioStar MCP6PB M2+ / AMD Phenom 9750 Quad Core / 4GB / 1TB SATA / 500GB SATA / EVGA GeForce 8400 GS 1GB