Restricting Delivered Messages with Recipient Whitelisting

 

Applies to HMS Version: 2.1+

It is often useful to separate different types of outbound messages between multiple accounts on a Hurricane MTA Server. Some accounts may only deliver to specific addresses or domains, depending on their purpose. For example, an account may be configured to specifically handle messages for internal consumption within a company. Accounts such as these can take advantage of the Recipient Whitelisting feature to prevent the processing of messages to unintended recipients, either inadvertently or through malicious intent. This feature can be particularly useful for preventing compromised machines that are generating spam messages from using an MTA account to deliver messages to random addresses, greatly restricting the amount of damage done before such activity is detected and stopped.

CONSIDERATIONS

The following should be considered before using this feature:

  • Messages rejected by Recipient Whitelisting are rejected during the initial SMTP protocol exchange, so the messages are not even received by the HMS before being rejected.
  • If a message specifies multiple recipients via RCPT TO commands, the message is accepted and processed for any recipient that was not rejected by whitelisting.
  • RCPT TO addresses are not authenticated, and thus can be easily spoofed. Do not rely on Recipient Whitelisting as the sole method of restricting what messages are delivered by any MTA account!

CONFIGURATION

This feature is enabled and configured by adding a single line to the [RESTRICTIONS] section of the GENERAL.CONFIG file found in an individual account's config directory. Please remember to reload the target account's configuration after making this change so that it takes effect.

FIELD: AllowedRcptToList

DESCRIPTION: A comma-delimited list of email addresses. If set to anything other than an empty string, this account will only accept email with a RCPT TO address that is on this list. The comparison is a case-insensitive string match. At this time wildcards are not supported.

EXAMPLE: The following example shows how to create a Recipient Whitelist.

AllowedRcptToList=user2@example.com,ceo@example.org

Using the above configuration, the MTA accepts only messages whose RCPT TO address, as given in the SMTP protocol exchange, is user2@example.com or ceo@example.org.
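The following is an added example, not code from Hurricane MTA Server: a small pre-deployment check that models the matching rules described above (comma-delimited list, case-insensitive exact match, empty list means no restriction) and flags entries that look like patterns. It assumes the config fragment parses as INI text, that whitespace around entries is not significant, and that an entry containing a wildcard is compared literally; the function names and sample values are constructed for illustration.

```python
import configparser

# Constructed sample of an account's GENERAL.CONFIG. Only the section name
# and the AllowedRcptToList field come from the article.
SAMPLE_CONFIG = """\
[RESTRICTIONS]
AllowedRcptToList=user2@example.com,ceo@example.org,*@example.net
"""

def load_allowed(config_text):
    """Return the whitelist as a set of lowercased addresses."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    raw = parser.get("RESTRICTIONS", "AllowedRcptToList", fallback="")
    # Assumption: whitespace around entries is not significant.
    return {e.strip().lower() for e in raw.split(",") if e.strip()}

def lint(allowed):
    """Return suspect entries: wildcards are not supported, so an entry
    written as a pattern or bare domain will not match a whole domain."""
    return sorted(e for e in allowed
                  if "*" in e or e.startswith("@") or "@" not in e)

def check_recipients(allowed, rcpt_to):
    """Model the per-recipient decision made at RCPT TO time.

    An empty list disables the restriction. Otherwise each recipient
    needs a case-insensitive exact match, and recipients are judged
    individually, so one message can have accepted and rejected ones.
    """
    result = {}
    for addr in rcpt_to:
        bare = addr.strip().strip("<>").lower()
        result[addr] = (not allowed) or (bare in allowed)
    return result

if __name__ == "__main__":
    allowed = load_allowed(SAMPLE_CONFIG)
    print("suspect entries:", lint(allowed))
    recipients = ["CEO@Example.org", "user1@example.com", "bob@example.net"]
    for addr, ok in check_recipients(allowed, recipients).items():
        print("accept" if ok else "reject", addr)
```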

RELATED ARTICLES

The following Knowledge Base article may also be of interest:

Restricting Received Messages with Mail From Whitelisting