port 25 - authenticated delivery only except for specified ip block
am 18.10.2007 15:54:10 von Mike
We are trying out Postini for spam/virus filtering. Although it would be
ideal to firewall off all connections to port 25 not originating from Postini, we have a few servers where many users are sending mail (authenticated) through port 25 instead of the desired submission/587.
Would it be possible, through access.db or some other means, to allow
only authenticated delivery on port 25 EXCEPT for Postini's IP block?
If so, would someone mind providing an example or at least give me an
idea of what to read into so I can figure it out? Sendmail version is
8.13.1.
Thanks!
Mike A.
Re: port 25 - authenticated delivery only except for specified ip block
am 20.10.2007 00:01:33 von DFS
Mike Andrus wrote:
> Would it be possible, through access.db or some other means, to allow
> only authenticated delivery on port 25 EXCEPT for Postini's IP block?
You could use (for example) the MIMEDefang milter:
sub filter_sender
{
    my($sender, $ip, $hostname, $helo) = @_;

    # Needed here so that %SendmailMacros is populated for filter_sender
    read_commands_file();

    # Replace 10.2.3. with something that matches Postini IP
    if ($ip =~ /^10\.2\.3\./) {
        return ('CONTINUE', 'OK');
    }

    # {auth_authen} is only set after a successful SMTP AUTH
    if ($SendmailMacros{auth_authen}) {
        return ('CONTINUE', 'OK');
    }

    # Neither the Postini block nor authenticated: refuse at MAIL FROM
    return ('REJECT', 'You must authenticate');
}
Of course... once you start using MIMEDefang, you may as well
look at our CanIt products (based on MIMEDefang) and avoid paying Postini. :-)
Regards,
David.
Re: port 25 - authenticated delivery only except for specified ip block
am 20.10.2007 02:38:31 von per
In article <6AJRi.161$c9.30@bignews8.bellsouth.net> mike@centyx.net
(Mike Andrus) writes:
>We are trying out Postini for spam/virus filtering. Although it would be
>ideal to firewall off all connections to port 25 not orginating from
>Postini, we have a few servers where many users are sending mail (
>authenticated ) through port 25 instead of the desired submission/587.
>
>Would it be possible, through access.db or some other means, to allow
>only authenticated delivery on port 25 EXCEPT for Postini's IP block?
David's already posted solution is probably the best (in particular the
last part:-), but as alternatives:
1) It's pretty trivial to do with some custom rules in a
Local_check_mail ruleset, where you would examine the $&{client_addr}
and (e.g.) $&{auth_type} macros (if $&{auth_type} is set or
$&{client_addr} is in the Postini block, the mail is accepted, otherwise
not).
2) If the Postini thing can be told to send to another port than 25, or
otherwise to a different IP address (obviously it can do the latter, but
it requires that you *have* another IP address and the ability to
configure it on your sendmail server), you can use two DAEMON_OPTIONS()
directives in the .mc file, require auth on one of them, and firewall
off connections to the other from non-Postini src addresses. You also
need DAEMON_OPTIONS() for 127.0.0.1 since sendmail wouldn't listen to
the wildcard address in this case.
--Per Hedeland
per@hedeland.org
Re: port 25 - authenticated delivery only except for specified ip block
am 29.10.2007 22:00:59 von Mike
Per Hedeland wrote:
>
> 1) It's pretty trivial to do with some custom rules in a
> Local_check_mail ruleset, where you would examine the $&{client_addr}
> and (e.g.) $&{auth_type} macros (if $&{auth_type} is set or
> $&{client_addr} is in the Postini block, the mail is accepted, otherwise
> not).
>
Thank you for your suggestions. I have been trudging through the
documentation included with the operating system's Sendmail distribution
and think that I may be getting an idea of how to form such a ruleset (
this is my first try at crafting sendmail rules ).
No doubt, I will likely post again for help concerning the matter.
- Mike A.
Re: port 25 - authenticated delivery only except for specified ip block
am 02.11.2007 19:56:25 von carock
On Oct 29, 4:00 pm, m...@centyx.net (Mike Andrus) wrote:
> Per Hedeland wrote:
>
> > 1) It's pretty trivial to do with some custom rules in a
> > Local_check_mail ruleset, where you would examine the $&{client_addr}
> > and (e.g.) $&{auth_type} macros (if $&{auth_type} is set or
> > $&{client_addr} is in the Postini block, the mail is accepted, otherwise
> > not).
>
> Thank you for your suggestions. I have been trudging through the
> documentation included with the operating system's Sendmail distribution
> and think that I may be getting an idea of how to form such a ruleset (
> this is my first try at crafting sendmail rules ).
>
> No doubt, I will likely post again for help concerning the matter.
>
> - Mike A.
I have been trying to figure out the same problem with my Barracuda
with Sendmail server too. I can see blocking access by IP, but what
about when a user is sending mail (relaying) through that same server
after authenticating (SMTPAUTH TLS)? You would have to dynamically
allow relaying for that domain. If you have SMTP Auth already
configured, that process is already taking place. We would just need
to tie that into the rule for limiting the relay IP for a list of
specific domains protected by the spam filter device. How do we put
all that together is the question?
The rules would need to apply to incoming mail, specifically for a
domain or list of domains, and allow that message to flow through if
it's from an authenticated host OR from the SPAM filter IP(s) but not
from any other relay host.
Port 25, 26, or whatever, just any incoming mail.
Wouldn't the Sendmail ruleset be the only place you can use the "if
authenticated" question for a rule like this?
Thanks,
Chuck
Re: port 25 - authenticated delivery only except for specified ip block
am 03.11.2007 01:08:31 von per
In article <1194029785.532554.323210@22g2000hsm.googlegroups.com>
carock@epconline.com writes:
>
>The rules would need to apply to incoming mail, specifically for a
>domain or list of domains, and allow that message to flow through if
>it's from an authenticated host OR from the SPAM filter IP(s) but not
>from any other relay host.
>
>Port 25, 26, or whatever, just any incoming mail.
>
>Wouldn't the Sendmail ruleset be the only place you can use the "if
>authenticated" question for a rule like this?
Not quite - i.e. sendmail (or another MTA) is the only one that can
answer the "if authenticated" question, but it doesn't have to be
implemented as a ruleset: You can e.g. within one sendmail.cf and one
sendmail daemon configure (e.g.) port 25 to always require auth, and
(e.g.) port 26 to never require auth (this is significantly simpler than
writing a ruleset if you've never done that before, also significantly
simpler to understand for the next admin that comes along). Then you
just set up your firewall such that only connections from the spam
filter src IP address are allowed to reach port 26 - all done.
But if you really want a ruleset, here's what I sent the OP off-group -
totally untested:
LOCAL_CONFIG
# Class of accepted source addresses; an entry may be a full address or a prefix
C{PostiniAddr} 10.11.12.13 10.11.12.14 10.11.22
LOCAL_RULESETS
SLocal_check_mail
# Start from the connecting client's IP address
R$*	$: $&{client_addr}
R$={PostiniAddr}$*	$@ OKSOFAR	Postini src addr
# Otherwise require a successful SMTP AUTH ({auth_authen} is empty if none)
R$*	$: $&{auth_authen}
R$+	$@ OKSOFAR	Successful auth
R$*	$#error $@ 5.7.1 $: "550 not authenticated"
--Per Hedeland
per@hedeland.org
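Per's two-listener alternative written out as a sendmail .mc fragment; this is an added example, not something posted in the thread. The listener names and the choice of port 26 for the filter are assumptions following his description, and the firewall rule that restricts port 26 to the filter's source addresses is configured separately.

```m4
dnl Added example (not from the thread): two listeners in one sendmail daemon.
dnl Any DAEMON_OPTIONS line replaces the stock "Name=MTA" port 25 listener,
dnl so both listeners below must be declared explicitly.
dnl
dnl Port 25: every client reaching it must authenticate.
dnl Modifier "a" = always require AUTH; the Postini-style filter never hits this port.
DAEMON_OPTIONS(`Name=MTA-auth, Port=25, M=a')dnl
dnl
dnl Port 26: no AUTH requirement at all. sendmail does not limit who may
dnl connect here, so the host firewall must admit port 26 only from the
dnl filter's source IP block (assumed to be configured outside this file).
DAEMON_OPTIONS(`Name=MTA-filter, Port=26')dnl
dnl
dnl The default MSA listener on 587 is added by the cf framework and is
dnl unaffected by the lines above, so submission clients keep working.
dnl
dnl Variant for the "separate IP address" layout Per described: bind each
dnl listener to its own address instead of using two ports. With explicit
dnl Addr= values nothing listens on the wildcard, so a loopback listener
dnl is also needed for local SMTP clients (addresses are placeholders).
dnl DAEMON_OPTIONS(`Name=MTA-auth,   Addr=192.0.2.10, Port=25, M=a')dnl
dnl DAEMON_OPTIONS(`Name=MTA-filter, Addr=192.0.2.11, Port=25')dnl
dnl DAEMON_OPTIONS(`Name=MTA-local,  Addr=127.0.0.1,  Port=25')dnl
```

After regenerating sendmail.cf, `sendmail -bt` with `-d0.1` or a test `MAIL FROM:` on each port confirms that port 25 answers with a 530 authentication-required error until AUTH succeeds while port 26 does not.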