Linux – Block user from sending Email to the outside in SENDMAIL


I have a CentOS server with Sendmail installed and use Fetchmail for mail retrieval. My email server is working perfectly, but I now need to prohibit a user from sending emails to the outside.

How do I allow this user to send email in the local network (within the same domain's email address) but block them from sending email to the outside world?

Best Answer

Because what you want is more generic than what FEATURE(compat_check) does, first make sure that you do not have it enabled in your /etc/mail/sendmail.mc file. Then you can write your own version of check_compat (note the reversing of the words here). The sendmail book (4e) has a solution to your question on pages 259 and 260.

Here is a second one: at the bottom of your sendmail.mc file, add the following lines:

LOCAL_CONFIG
Kput macro
D{put1}empty1
D{put2}empty2

LOCAL_RULESETS
STranslate
R$* $$| $*    $: $1 $| $2

Scheck_compat
R$* $| $*               $: $1 $| $>canonify $2
R$* $| $*               $: $(put {put2} $@ $2 $) $1
R$*             $: $>canonify $1
R$*             $: $(put {put1} $@ $1 $)
R$*             $: $&{put1} $| $&{put2}
# Now we can filter on sender and recipient
Ruser < @ $=w . > $| $* < @ $=w . >      $#OK
Ruser < @ $=w . > $| $*                  $#discard $: $2

Here is what happens: The Kput macro line defines a map that is to be used when we store certain values in macros. The macros that we are going to use are defined in the next lines and they are put1 and put2 with some generic default values (empty1 and empty2) to be used in debugging.

When check_compat is called, it has a single argument in the form of sender@address $| recipient@address. We need to canonify these addresses, which in our case means bringing them to the form of user < @ address . >. You almost always canonify addresses with sendmail before doing anything else. The first two lines of check_compat deal with canonifying the address of the recipient and putting it into the {put2} macro.

Now our workspace (meaning the string on which the rest of the rule set operates) has only the sender address and we canonify that too. This means that if check_compat stops at the fifth line, its output would be like:

sender < @ address . > $| recipient < @ address . >

Therefore now we are ready to check any combination we want. Local users in your system are of the form user < @ $=w .>. The $=w macro contains the value of your domain name, localhost, hostname, anything that is to be considered local, including values in /etc/mail/local-host-names. So this line instructs sendmail that if user (where "user" should be replaced by the username of the user in question) sends email to any local user (this is the meaning of $* < @ $=w . >) accept this mail and continue with all other filtering activities. But if said user is trying to send mail elsewhere, silently discard this.

After you are done editing sendmail.mc you need to run /etc/mail/make to build sendmail.cf and then run service sendmail restart to restart sendmail with the new changes. Keep in mind that the left hand side of the rules is separated from the right hand side with tabs and not spaces. So do not copy-paste the code. Type it by hand.

There is one more rule set above and this is Translate. When in test mode, you cannot use $| directly. So if you want to test your rules before going to production you have to use it:

root@machine # sendmail -bt
> Translate,check_compat sender@address $| recipient@address

and see what happens.
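
The tab requirement described above is the usual failure when rules are copied from a web page. The following check is an added example, not part of the original answer: it reports every R line in the LOCAL_RULESETS section of a sendmail.mc file that contains no tab. The function name, the section-detection regex and the sample text are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: a line that is only an upper-case m4 macro name, or such a name
# followed by "(", switches section (LOCAL_CONFIG, LOCAL_RULESETS, MAILER(smtp)).
M4_MACRO = re.compile(r"^[A-Z][A-Z0-9_]*(\(|\s*$)")

def rules_missing_tab(mc_text):
    """Return (line_number, line) for each R line in LOCAL_RULESETS with no tab."""
    bad = []
    in_rulesets = False
    for number, line in enumerate(mc_text.splitlines(), start=1):
        if M4_MACRO.match(line):
            in_rulesets = line.startswith("LOCAL_RULESETS")
            continue
        if not in_rulesets or not line.startswith("R"):
            continue  # skips S lines, comments, and R lines in other sections
        # The left and right hand sides of a rule are separated by tabs, so a
        # rule typed with spaces only has no right hand side.
        if "\t" not in line[1:]:
            bad.append((number, line))
    return bad

# Constructed sample: one tab-separated rule and two space-only rules.
SAMPLE_MC = (
    "LOCAL_CONFIG\n"
    "Kput macro\n"
    "LOCAL_RULESETS\n"
    "Scheck_compat\n"
    "R$* $| $*\t\t$: $1 $| $>canonify $2\n"
    "R$*             $: $>canonify $1\n"
    "# Now we can filter on sender and recipient\n"
    "Ruser < @ $=w . > $| $*    $#discard $: $2\n"
)

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MC
    problems = rules_missing_tab(text)
    for number, line in problems:
        print(f"line {number}: no tab between LHS and RHS: {line!r}")
    sys.exit(1 if problems else 0)
```

Run it against /etc/mail/sendmail.mc before building sendmail.cf; a non-zero exit status means at least one rule still needs its spaces replaced by tabs.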
