0

we have mail server which relays mails which has only internal domains( lets say @osp.com, @asp.com) to external world via following configuraiton in my mailertable configuration of sendmail . Any email to other domain is rejected . The current requirement is to relay email if specific custom header for ex: "X-Test" exists in the email headers and if sent from any other email domain ( which are currently denied ) .

I have considered using rulesets , the closest one I have got is the below link but it is not useful , I am not asking for a solution but seeking directions . I have understood so far how the rules/rulesets are written ( bit complex one though in sendmail ). 

osp.net           smtp:ms.osp.net
asp.net           smtp:ms.osp.net
.                 procmail:/etc/mail/reject-mail.proc

Related link: http://bradthemad.org/tech/notes/sendmail_header_filter.php

Improve this question

2 Answers 2

Reset to default
0

"allow only if set" is much more complicated then the linked "deny if set" example; the "deny if set" simply rejects the message when the header has a particular value. The "allow only if set" must instead mark appropriate messages as allowed, but then also somewhere else deny all other messages. Another complication for the "allow only if set" is the possibility of system messages (e.g. those from cron) that may also need to be allowed, in which case a blanket deny will not suffice. Yet another concern is whether your systems allow remote relay; if so and if the ruleset is crafted incorrectly you could turn your servers into open relays for anyone who sets the header field in question. That could be bad, and unless you strip out the test header somewhere, it will be visible to anyone who can read messages from your system.

One method would be to check at the end of headers whether X-Test has been seen; if not, reject the message. This will fail system messages that do not have the header set, but should not turn the system into an open relay as various other rulesets should still apply to detemine relaying rights. Thus in sendmail.mc add something like:

LOCAL_RULESETS
Kstorage macro
HX-Test: $>CheckTestHeader

SCheckTestHeader
R$*                     $: $(storage {xtestsetp} $@ OK $) $1

Scheck_eoh
R$*                     $: < $&{xtestsetp} >
R$*                     $: $(storage {xtestsetp} $) $1
R< $+ >                 $@ OK
R$*                     $#error $: 553 Missing Header

and rebuild sendmail.cf, restart sendmail, send test messages with and without the test header.

Those runs of "lots of spaces" must be replaced one or more tab characters, as Sendmail is one of those unfortunate softwares that mandates the use of significant whitespace (crazy, I know, but here we are).

For more information on this example see section 5.1.4.6 in the Sendmail op.pdf manual, from which the above is more or less cribbed.

Note also that the above should only be used on outgoing mail server configurations, as it will reject incoming mail that does not have the required header.

Improve this answer
2
  • Thank you very much for your valuable inputs , I will try to configure and check. Cheers Commented Nov 30, 2018 at 17:50
  • I have a query how does the precdence of rules takes place , i.e even though we implement this rule how to ensure that rule based on "/etc/mail/mailertable" wont hinder the current X-test header ruleset . *Kmailertable hash -o /etc/mail/mailertable.db R< $+ > $ $: < $(mailertable $1 $) > $2 lookup ** Commented Dec 10, 2018 at 14:12
0

@thrig thanks once again for your suggestions. I have to understand how the rules are being written and hence took this time. I have modified the ruleset given ( as I need to allow the header rather than stop) , so the following lines are added to sendmail.mc and I get the desired result . I am yet to test this in our pre-prod farm though but this have given me some insight on how to go foward .

I have created a small python script which help me in creating the headers that I need and send them . The below ruleset Allows "X-Test" header which is my requirement as my mailertable rejects any other emails based on the domains listed earlier . Appreicate if you feedback with any flaws .

LOCAL_RULESETS Kstorage macro HX-Test: $>CheckTestHeader

SCheckTestHeader R$* $: $(storage {xtestsetp} $@ OK $) $1 R< $+ > $@ OK

R$* $#error $: 553 Missing Header --> [ This is for testing ]

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.