Access Control Database

Starting in version 8.9, sendmail provides a flexible, built-in access control mechanism. This feature is selected with the FEATURE(access_db) configuration macro.

To set up the database, create a text file /etc/mail/access with lines of one of the following forms:

user@		disposition
user@host	disposition
domainname	disposition
###.###		disposition
The first form will match on the username portion of the sender address. The second form will match all mail from a specific user@host. The third form will match all mail from any host in domainname. The fourth form will match any host inside a dotted-decimal numeric IP network (see example below).

The left hand side of each entry can optionally be prefixed with one of the tags To:, From:, or Connect:. Entries marked this way will match only envelope recipients, envelope senders, or the client host address, respectively. Entries which are not marked with one of these tags will match messages on any of the envelope recipients, envelope sender, or client host address.

The disposition should be one of the following:

OK
We are allowed to accept mail from the host.
RELAY
Allow the matched domain to relay through your SMTP server. This implies OK.
REJECT
Reject the sender/recipient with a general-purpose message.
DISCARD
Discard the message completely.
ERROR:D.S.N:### bong message
Reject the message with the supplied error string, where D.S.N is an RFC 1893 compliant error code, ### is an RFC 821 compliant SMTP response code, and bong message is some text which will follow it.
Here's an example Access Control Database:
From:ME_TOO@aol.com		REJECT
LUSER@				REJECT
Connect:spam-king.com		ERROR:5.0.0:550 We dont accept Spam
Connect:goodhost.spam-king.com	OK
From:128.174			RELAY
bad-domain.com			REJECT
This will reject mail from ME_TOO@aol.com, but allow mail to be sent to ME_TOO@aol.com. All messages with an envelope sender or envelope recipient whose username matches LUSER will be rejected. No hosts in the domain spam-king.com except for goodhost.spam-king.com will be allowed to connect. All hosts in the 128.174.*.* IP address range will be allowed to send outgoing mail through us, but we won't relay outside mail back to them. And lastly, all connections will be denied from bad-domain.com, and all messages with an envelope sender or envelope recipient address from bad-domain.com will be rejected.



Mark D. Roth <roth@feep.net>