{"id":502,"date":"2013-12-29T06:53:12","date_gmt":"2013-12-29T14:53:12","guid":{"rendered":"http:\/\/blog.ls-al.com\/?p=502"},"modified":"2013-12-29T06:53:35","modified_gmt":"2013-12-29T14:53:35","slug":"sendmail-filter-outbound-email","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/sendmail-filter-outbound-email\/","title":{"rendered":"Sendmail Filter Outbound Email"},"content":{"rendered":"

In some projects I need to block outbound email but still allow email to a select few domains (or even select few addresses).<\/p>\n

As Sendmail comes standard on a lot of Unix operating systems, I show here how to set this up. \u00a0Sendmail handles some of these requirements pretty easily. \u00a0Additional options like filtering through procmail as well as using Sendmail milters are also good options but not very easy to configure. \u00a0 I\u00a0did not check but I suspect Linux comes with packages that would make installing Python or Perl Milter modules easy.<\/p>\n

Since Milter packages are not readily available on Solaris and I am focusing on Solaris for this particular project I will use Postfix to meet all the requirements instead of Sendmail + procmail \/ Milters. \u00a0I will follow up with a Postfix specific article later since it does better at filtering and relaying than Sendmail.<\/p>\n

My use case<\/span>:<\/p>\n

    \n
  1. First block ALL outbound email<\/li>\n
  2. Allow ALL outbound email to two specific domains<\/li>\n
  3. Allow email to very specific email addresses not included in above mentioned two domains<\/li>\n<\/ol>\n

    Sendmail handled #1 and #2 pretty easily but it gets overly complicated to allow #1, #2 and #3 at the same time. \u00a0Below is the configuration for #1 and #2 on Solaris 11.<\/p>\n

    \r\n# pwd\r\n\/etc\/mail\/cf\/cf\r\n\r\n# cp sendmail.mc myhost.mc\r\n\r\n# cat myhost.mc\r\ndivert(-1)\r\n... snip ...\r\ndivert(0)dnl\r\nVERSIONID(`sendmail.mc (Sun)')\r\nOSTYPE(`solaris11')dnl\r\nDOMAIN(`solaris-generic')dnl\r\ndnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl\r\nDAEMON_OPTIONS(`Port=smtp,Addr=10.1.10.52, Name=MTA')dnl\r\nMASQUERADE_AS(`mydomain.com')\r\nFEATURE(masquerade_envelope)\r\nFEATURE(`access_db')\r\nFEATURE(`mailertable')\r\nMAILER(`local')dnl\r\nMAILER(`smtp')dnl\r\n\r\n# \/usr\/ccs\/bin\/m4 ..\/m4\/cf.m4 myhost.mc > \/etc\/mail\/sendmail.cf\r\n<\/pre>\n

    ** You probably don't need the access feature and local mailer above for this specific configuration. But access might provide more granularity around permissions that might help you.<\/p>\n

    Set up the mailertable. Remember to use tabs between the left and right columns.<\/span><\/p>\n

    \r\n# pwd\r\n\/etc\/mail\r\n\r\n# cat mailertable\r\ndomain1.com             relay:[mail.domain1.com]\r\ndomain2.com             esmtp:%0\r\n.                       local:nobody\r\n\r\n# makemap hash mailertable < mailertable\r\n<\/pre>\n

    ** Note that above, domain1 needed to be passed off to a specific relay on the internal network and domain2 needed to be passed on directly to the Internet.<\/p>\n

    On Solaris, set local_only to false and start the sendmail service.<\/span><\/p>\n

    \r\n# svccfg -s svc:\/network\/smtp:sendmail setprop config\/local_only = false\r\n# svcadm disable svc:\/network\/smtp:sendmail\r\n# svcadm enable svc:\/network\/smtp:sendmail\r\n<\/pre>\n

    From a client, set up a smarthost pointing to the new server we configured and then test as follows:<\/span><\/p>\n

    \r\n# cat \/tmp\/test.eml\r\nTo: user@domain1.com\r\nSubject: MAILHOST TEST -&gt; via domain1\r\nFrom: luser@domain.com\r\n\r\nbody....\r\n\r\n# sendmail -d7.99 -d38.99 -vt &lt; \/tmp\/test.eml\r\n<\/pre>\n

    Monitor \/var\/log\/syslog:<\/span><\/p>\n

    \r\nDec 27 14:44:34 myhost sendmail[6774]: [ID 801593 mail.info] rBRJiYFA006774: from=&lt;root@myclient&gt;, size=554,, nrcpts=1, msgid=&lt;201312271946.rBRJkgq8001045@myclient&gt;, proto=ESMTP, daemon=MTA, relay=myclient [10.1.11.62]\r\nDec 27 14:44:35 myhost sendmail[6776]: [ID 702911 mail.info] STARTTLS=client, relay=mail.arbonne.com., version=TLSv1\/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128\/128\r\nDec 27 14:44:36 myhost sendmail[6776]: [ID 801593 mail.info] rBRJiYFA006774: to=&lt;user@domain1.com&gt;, delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=120554, relay=mail.domain1.com. [10.10.1.130], dsn=2.0.0, stat=Sent (&lt;201312271946.rBRJkgq8001045@usla-psag-ag01.prd.asg.ad&gt; [InternalId=15753532] Queued mail for delivery)\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"

    In some projects I need to block outbound email but still allow email to a select few domains (or even<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39,40,14],"tags":[],"class_list":["post-502","post","type-post","status-publish","format-standard","hentry","category-sendmail","category-smtp","category-solaris"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=502"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/502\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}