Access Control Database

Starting in version 8.9, sendmail provides a flexible, built-in access control mechanism. This feature is selected with the FEATURE(access_db) configuration macro.

To set up the database, create a text file /etc/mail/access with lines of one of the following forms:

user@		disposition
user@host	disposition
domainname	disposition
###.###		disposition
The first form will match on the username portion of the sender address. The second form will match all mail from a specific user@host. The third form will match all mail from any host in domainname. The fourth form will match any host inside a dotted-decimal numeric IP network (see example below).

The left hand side of each entry can optionally be prefixed with one of the tags To:, From:, or Connect:. Entries marked this way will match only envelope recipients, envelope senders, or the client host address, respectively. Entries which are not marked with one of these tags will match messages on any of the envelope recipients, envelope sender, or client host address.

The disposition should be one of the following:

We are allowed to accept mail from the host.
Allow the matched domain to relay through your SMTP server. This implies OK.
Reject the sender/recipient with a general-purpose message.
Discard the message completely.
ERROR:D.S.N:### bong message
Reject the message with the supplied error string, where D.S.N is an RFC 1893 compliant error code, ### is an RFC 821 compliant SMTP response code, and bong message is some text which will follow it.
Here's an example Access Control Database:		REJECT
LUSER@				REJECT		ERROR:5.0.0:550 We dont accept Spam	OK
From:128.174			RELAY			REJECT
This will reject mail from, but allow mail to be sent to All messages with an envelope sender or envelope recipient whose username matches LUSER will be rejected. No hosts in the domain except for will be allowed to connect. All hosts in the 128.174.*.* IP address range will be allowed to send outgoing mail through us, but we won't relay outside mail back to them. And lastly, all connections will be denied from, and all messages with an envelope sender or envelope recipient address from will be rejected.

Mark D. Roth <>