Limiting user to domain mail only
on 31.01.2008 13:45:48 by Diggy
Good morning (or evening, as the case may be) all.
One department in our company wants to limit inbound and outbound mail
for a couple of its employees to our domain only (e.g. internal mail
only). I've been told I should do that at the MTA level. Would
anyone be so kind as to tell me how to do this?
Many thanks.
Diggy
Re: Limiting user to domain mail only
on 31.01.2008 16:58:43 by gtaylor
On 01/31/08 06:45, Diggy wrote:
> One department in our company wants to limit inbound and outbound mail
> for a couple of its employees to our domain only (e.g. internal mail
> only). I've been told I should do that at the MTA level. Would
> anyone be so kind as to tell me how to do this?
Search the archives for "Protected Recipients". Basically this defines
a group of users that can or cannot (you decide) receive from and / or
send to people outside of your domain(s). I think this will do what
you are wanting to do.
Grant. . . .
Re: Limiting user to domain mail only
on 31.01.2008 17:12:08 by Diggy
On Jan 31, 10:58 am, Grant Taylor wrote:
> On 01/31/08 06:45, Diggy wrote:
>
> > One department in our company wants to limit inbound and outbound mail
> > for a couple of its employees to our domain only (e.g. internal mail
> > only). I've been told I should do that at the MTA level. Would
> > anyone be so kind as to tell me how to do this?
>
> Search the archives for "Protected Recipients". Basically this defines
> a group of users that can or can not (you decide) receive from and / or
> send to people out side of your domain(s). I think this will do what
> you are wanting to do.
>
> Grant. . . .
Grant,
We'll start with "I'm no sendmail expert". That being said, I need
fairly good documentation in order to tweak sendmail. I previously
found the following in a post regarding restricting local users from
sending external mail (www.sendmail.org/~ca/email/restrict.html):
List those aliases (which are local) in a file:
LOCAL_CONFIG
F{Internal}/etc/mail/intern.only
Then the rules work like this:
LOCAL_RULESETS
SLocal_check_rcpt
# get sender address and canonify it
R$*	$: $1 $| $>3 $&f
R$* $| <>	$@ OK	<> is always ok
R$* $| $={Internal} <@$=w.>	$: $1	luser@local.host?
R$* $| $={Internal}	$: $1	luser?
R$* $| $*	$@ OK	someone else
R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	$#error $@ 5.1.8 $: "551 sorry luser your boss does not like you"
So, I added the above to sendmail.cf. I created the file /etc/mail/
intern.only, and tried adding "user" and "user@mydomain". I restarted
sendmail. Above didn't work. What did I do wrong?
And, it says that this is to restrict users from sending mail, not
receiving it. How would I restrict inbound mail for the users to only
domain mail?
Thanks.
Diggy
Re: Limiting user to domain mail only
on 31.01.2008 17:22:52 by seaPea
Diggy wrote:
> On Jan 31, 10:58 am, Grant Taylor wrote:
> > On 01/31/08 06:45, Diggy wrote:
> >
> > > One department in our company wants to limit inbound and outbound mail
> > > for a couple of its employees to our domain only (e.g. internal mail
> > > only). I've been told I should do that at the MTA level. Would
> > > anyone be so kind as to tell me how to do this?
> >
> > Search the archives for "Protected Recipients". Basically this defines
> > a group of users that can or can not (you decide) receive from and / or
> > send to people out side of your domain(s). I think this will do what
> > you are wanting to do.
> >
> > Grant. . . .
>
> Grant,
>
> We'll start with "I'm no sendmail expert". That being said, I need
> fairly good documentation in order to tweak sendmail. I previously
> found the following in a post regarding restricting local users from
> sending external mail (www.sendmail.org/~ca/email/restrict.html):
>
> List those aliases (which are local) in a file:
>
> LOCAL_CONFIG
> F{Internal}/etc/mail/intern.only
>
> Then the rules work like this:
>
> LOCAL_RULESETS
> SLocal_check_rcpt
> # get sender address and canonify it
> R$* $: $1 $| $>3 $&f
> R$* $| <> $@ OK <> is always ok
> R$* $| $={Internal} <@$=w.> $: $1 luser@local.host?
> R$* $| $={Internal} $: $1 luser?
> R$* $| $* $@ OK someone else
> R$* $: $>3 $1 check recipient
> R$+<@$=w.> $@ OK local? ok
> R$+<@$+> $#error $@ 5.1.8 $: "551 sorry luser your boss does not
> like you"
>
> So, I added the above to sendmail.cf. I created the file /etc/mail/
> intern.only, and tried adding "user" and "user@mydomain". I restarted
> sendmail. Above didn't work. What did I do wrong?
>
> And, it says that this is to restrict users from sending mail, not
> receiving it. How would I restrict inbound mail for the users to only
> domain mail?
>
> Thanks.
>
> Diggy
Did you rebuild the sendmail.mc from the sendmail.cf?
I find webmin to be very useful when dealing with sendmail.
www.webmin.com
Re: Limiting user to domain mail only
on 31.01.2008 17:45:16 by gtaylor
On 01/31/08 10:12, Diggy wrote:
> We'll start with "I'm no sendmail expert". That being said, I need
> fairly good documentation in order to tweak sendmail. I previously
> found the following in a post regarding restricting local users from
> sending external mail (www.sendmail.org/~ca/email/restrict.html):
> So, I added the above to sendmail.cf. I created the file /etc/mail/
> intern.only, and tried adding "user" and "user@mydomain". I restarted
> sendmail. Above didn't work. What did I do wrong?
>
> And, it says that this is to restrict users from sending mail, not
> receiving it. How would I restrict inbound mail for the users to only
> domain mail?
I've not done this myself so I cannot say for sure. Sorry. I just
remember this being what others and myself (based on others and my
reading) have said to do to fulfill this request.
Grant. . . .
Re: Limiting user to domain mail only
on 31.01.2008 20:43:56 by Diggy
On Jan 31, 11:45 am, Grant Taylor wrote:
> On 01/31/08 10:12, Diggy wrote:
>
> > We'll start with "I'm no sendmail expert". That being said, I need
> > fairly good documentation in order to tweak sendmail. I previously
> > found the following in a post regarding restricting local users from
> > sending external mail (www.sendmail.org/~ca/email/restrict.html):
>
>
>
> > So, I added the above to sendmail.cf. I created the file /etc/mail/
> > intern.only, and tried adding "user" and "user@mydomain". I restarted
> > sendmail. Above didn't work. What did I do wrong?
>
> > And, it says that this is to restrict users from sending mail, not
> > receiving it. How would I restrict inbound mail for the users to only
> > domain mail?
>
> I've not done this my self so I can not say for sure. Sorry. I just
> remember this being what others and my self (based on others and my
> reading) have said to do to fulfill this request.
>
> Grant. . . .
OK, I got this to work for restricting outbound mail.
I changed "F{Internal}/etc/mail/internal.only" to "F{internal}/etc/
mail/internal.only". Note the "internal" after F must match
"internal" in the file name. I think I also could have used "only".
I changed "R$* $| $={Internal}" to "R$* $| $={internal}".
The user gets a sendmail error notification with "551 sorry, mail is
restricted to internal recipients only" in it.
That done, can anyone help me with an inbound rule?
Diggy
Re: Limiting user to domain mail only
on 01.02.2008 02:10:37 by per
In article
<6b1f9b9f-ca6a-4d8f-a2c2-515bcfc71abe@i3g2000hsf.googlegroups.com> Diggy
writes:
>
>OK, I got this to work for restricting outbound mail.
>
>I changed "F{Internal}/etc/mail/internal.only" to "F{internal}/etc/
>mail/internal.only". Note the "internal" after F must match
>"internal" in the file name. I think I also could have used "only".
No, they're quite unrelated - in non-sendmail terminology, the
"{Internal}" is a variable name and the contents of the file is the
value that the variable is set to. "F{Foo}/etc/mail/internal.only" will
work fine too, and the convention is that you should start the "variable
name" with an uppercase character to avoid conflicts with "variables"
defined internally by sendmail.
>I changed "R$* $| $={Internal}" to "R$* $| $={internal}".
Yes, this is a reference to the "variable" so of course it has to match
the "definition".
You must have done some other mistake that you happened to rectify at
the same time that you changed the name.
>The user gets a sendmail error notification with "551 sorry, mail is
>restricted to internal recipients only" in it.
>
>That done, can anyone help me with an inbound rule?
Try http://www.sendmail.org/~ca/email/protected.html .
--Per Hedeland
per@hedeland.org
Re: Limiting user to domain mail only
on 01.02.2008 13:55:29 by Diggy
On Jan 31, 8:10 pm, p...@hedeland.org (Per Hedeland) wrote:
> In article
> <6b1f9b9f-ca6a-4d8f-a2c2-515bcfc71...@i3g2000hsf.googlegroups.com> Diggy
>
> writes:
>
> >OK, I got this to work for restricting outbound mail.
>
> >I changed "F{Internal}/etc/mail/internal.only" to "F{internal}/etc/
> >mail/internal.only". Note the "internal" after F must match
> >"internal" in the file name. I think I also could have used "only".
>
> No, they're quite unrelated - in non-sendmail terminology, the
> "{Internal}" is a variable name and the contents of the file is the
> value that the variable is set to. "F{Foo}/etc/mail/internal.only" will
> work fine too, and the convention is that you should start the "variable
> name" with an uppercase character to avoid conflicts with "variables"
> defined internally by sendmail.
>
> >I changed "R$* $| $={Internal}" to "R$* $| $={internal}".
>
> Yes, this is a reference to the "variable" so of course it has to match
> the "definition".
>
> You must have done some other mistake that you happened to rectify at
> the same time that you changed the name.
>
> >The user gets a sendmail error notification with "551 sorry, mail is
> >restricted to internal recipients only" in it.
>
> >That done, can anyone help me with an inbound rule?
>
> Try http://www.sendmail.org/~ca/email/protected.html .
>
> --Per Hedeland
> p...@hedeland.org
Thanks, Per. I used the rule listed on that page. And, no, I don't
recall having changed anything but the variable name. Anyway, ...
I'd like to try the rule for limiting inbound mail. The rule for that
purpose reads as follows:
LOCAL_RULESETS
SLocal_check_rcpt
....
# check to see if the sender is local
R$*	$: $&{client_name}
# or some other class instead of m
R$*$=m	$@ OKSOFAR
R$*	$#error $: 551 $&f not allowed to send to recipient
There really are no explanations on the listing Web site for the
rules. Where does the value for "client_name" come from? Must I
create a rule for each recipient?
I'm pretty close here and, with the list's help, I'll get this.
Diggy
Re: Limiting user to domain mail only
on 01.02.2008 15:52:38 by Diggy
On Feb 1, 7:55 am, Diggy wrote:
> On Jan 31, 8:10 pm, p...@hedeland.org (Per Hedeland) wrote:
>
>
>
> > In article
> > <6b1f9b9f-ca6a-4d8f-a2c2-515bcfc71...@i3g2000hsf.googlegroups.com> Diggy
>
> > writes:
>
> > >OK, I got this to work for restricting outbound mail.
>
> > >I changed "F{Internal}/etc/mail/internal.only" to "F{internal}/etc/
> > >mail/internal.only". Note the "internal" after F must match
> > >"internal" in the file name. I think I also could have used "only".
>
> > No, they're quite unrelated - in non-sendmail terminology, the
> > "{Internal}" is a variable name and the contents of the file is the
> > value that the variable is set to. "F{Foo}/etc/mail/internal.only" will
> > work fine too, and the convention is that you should start the "variable
> > name" with an uppercase character to avoid conflicts with "variables"
> > defined internally by sendmail.
>
> > >I changed "R$* $| $={Internal}" to "R$* $| $={internal}".
>
> > Yes, this is a reference to the "variable" so of course it has to match
> > the "definition".
>
> > You must have done some other mistake that you happened to rectify at
> > the same time that you changed the name.
>
> > >The user gets a sendmail error notification with "551 sorry, mail is
> > >restricted to internal recipients only" in it.
>
> > >That done, can anyone help me with an inbound rule?
>
> > Try http://www.sendmail.org/~ca/email/protected.html .
>
> > --Per Hedeland
> > p...@hedeland.org
>
> Thanks, Per. I used the rule listed on that page. And, no, I don't
> recall having changed anything but the variable name. Anyway, ...
>
> I'd like to try the rule for limiting inbound mail. The rule for that
> purpose reads as follows:
>
> LOCAL_RULESETS
> SLocal_check_rcpt
> ...
> # check to see if the sender is local
> R$* $: $&{client_name}
> # or some other class instead of m
> R$*$=m $@ OKSOFAR
> R$* $#error $: 551 $&f not allowed to send to recipient
>
> There really are no explanations on the listing Web site for the
> rules. Where does the value for "client_name" come from? Must I
> create a rule for each recipient?
>
> I'm pretty close here and, with the list's help, I'll get this.
>
> Diggy
I apologize for responding to my own post, but I figured out the whole
solution. Peeps may have come up with better solutions, but this does
work. For those interested, here it is (add to sendmail.cf; don't
forget to create restricted user file):
#####################################################
#RESTRICT_USER_OUTBOUND #
#####################################################
F{internal}/etc/mail/internal.only
#####################################################
#RESTRICT_OUTBOUND_RULESET #
#####################################################
SOutbound
# if the recipient isn't internal, they get the mail
R$*	$: $1 $| $>3 $&f
R$* $| <>	$@ OK	<> is always ok
R$* $| $={internal} <@$=w.>	$: $1	luser@local.host?
R$* $| $={internal}	$: $1	luser?
R$* $| $*	$@ OK	someone else
R$*	$: $>3 $1	check recipient
R$+<@$=w.>	$@ OK	local? ok
R$+<@$+>	$#error $@ 5.1.8 $: "551 Sorry, your mail is restricted to internal recipients only"
#####################################################
#RESTRICT_INBOUND_RULESET #
#####################################################
SInbound
# if the recipient isn't internal, they get the mail
R$+	$: <@> $>3 $1
R<@> $={internal}<@$=w.>	$: <$1@$2>
R<@> $={internal}	$: <$1@$j>
# no internal alias
R<@>$+	$@ OK
# check to see if the sender is local
R$*	$: $&{client_name}
# or some other class instead of m
R$*$=m	$@ OKSOFAR
R$*	$#error $: 551 $&f not allowed to send to recipient
#####################################################
#USE_BOTH_ABOVE_RULESETS #
#####################################################
SLocal_check_rcpt
# run both checks; a $#error result from either one is passed back
R$*	$: $1 $| $>"Outbound" $1
R$* $| $#$*	$#$2
R$* $| $*	$: $1 $| $>"Inbound" $1
R$* $| $#$*	$#$2
Hope it's useful to someone. If anyone has a better solution, I'd
love to hear it.
Diggy
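An added example, not part of any post in this thread: in sendmail.cf the fields of an R line (LHS, RHS, optional comment) must be separated by tabs, and a class referenced as $={Name} must match its C/F definition exactly, as Per points out. The checker below flags both problems, plus wrapped rule lines, in a cf fragment; the function name lint_cf and the two sample fragments are constructed for illustration.

```python
import re

# Constructed sample: the thread's outbound rules as they can end up after
# copy/paste from a web page (tabs became spaces, the long line wrapped,
# and the class is defined as {Internal} but referenced as {internal}).
BROKEN = (
    'F{Internal}/etc/mail/internal.only\n'
    'SOutbound\n'
    'R$* $: $1 $| $>3 $&f\n'
    'R$* $| $={internal} $: $1 luser?\n'
    'R$+<@$+> $#error $@ 5.1.8 $: "551 Sorry, your\n'
    'mail is restricted to internal recipients only"\n'
)
# Same rules: tab-separated fields, one rule per line, matching class name.
FIXED = (
    'F{Internal}/etc/mail/internal.only\n'
    'SOutbound\n'
    'R$*\t$: $1 $| $>3 $&f\n'
    'R$* $| $={Internal}\t$: $1\tluser?\n'
    'R$+<@$+>\t$#error $@ 5.1.8 $: "551 Sorry, your mail is restricted '
    'to internal recipients only"\n'
)

CLASS_DEF = re.compile(r'^[CF]\{([^}]+)\}')   # C{Name}... or F{Name}file
CLASS_REF = re.compile(r'\$[=~]\{([^}]+)\}')  # $={Name} or $~{Name}

def lint_cf(text):
    """Return a list of (line_number, problem) for a sendmail.cf fragment."""
    lines = text.splitlines()
    defined = {m.group(1) for m in map(CLASS_DEF.match, lines) if m}
    problems = []
    for no, line in enumerate(lines, 1):
        if not line or line[0] in '#\t ':
            continue  # blank line, comment, or explicit continuation line
        if not ('A' <= line[0] <= 'Z'):
            problems.append((no, 'not a cf command; tail of a wrapped line?'))
            continue
        if line[0] != 'R':
            continue
        if '\t' not in line:
            problems.append((no, 'no tab between LHS and RHS'))
        for name in CLASS_REF.findall(line):
            if name not in defined:
                problems.append((no, 'class {%s} has no C/F definition' % name))
    return problems

if __name__ == '__main__':
    for no, problem in lint_cf(BROKEN):
        print('line %d: %s' % (no, problem))
```

Single-letter classes such as $=w and $=m are not checked, since they are normally defined in the main sendmail.cf rather than in a pasted fragment.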
Limiting user to domain mail only
on 01.02.2008 16:41:35 by Joseph Brennan
> One department in our company wants to limit inbound and outbound mail
> for a couple of its employees to our domain only (e.g. internal mail only).
This would also involve disallowing web access, and pop and imap, and
outbound smtp traffic. So maybe it should be done at the network
level.
Joseph Brennan
Columbia University IT