I'm using Sendmail. How do I stop/avoid backscatter?
Your MX servers should reject email for unknown users during the initial SMTP transaction and NOT forward it to internal SMTP servers without a “user check”.
Step 1: On the MX server, add these 4 lines to your “.mc” file in the right place:
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
define(`VIRTUSER_TABLE', `hash -o /etc/mail/virtusertable')dnl
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtuserdomain')dnl
Step 2: On the MX server, put YOUR valid internal domains in /etc/mail/virtuserdomain:
example.com
my.org
Step 3: On the MX server, add these lines to your “access” file (/etc/mail/access):
# List of internal domains that have their own servers and that you do not serve.
# Your server only receives email from them. Equivalent to "internal domains that you receive email via MX".
From:example.my.org OK
From:example.example.com OK
#check_mail <valid.user@example.com> --> ACCESS DENIED
From:example.com REJECT
#check_mail <valid.user@my.org> --> ACCESS DENIED
From:my.org REJECT
#General rejection strings
To:example.com error:5.1.1:"550 User unknown"
To:my.org error:5.1.1:"550 User unknown"
#List ALL valid internal EMAIL addresses. If an address is not listed here, the sending server will get a "550 User unknown"
To:john.doe@example.com RELAY
To:jane.joe@my.org RELAY
To:postmaster@example.com RELAY
etc…
Step 4: On the MX server, regenerate your “sendmail.cf” and re-makemap your “access” database.
Step 5: On the MX server, TEST the configuration using an external IP address (in this example 200.89.70.8, mx.uchile.cl):
$ /usr/lib/sendmail -bt -d21.4
.D{client_addr}200.89.70.8
.D{client_name}mx.uchile.cl
#check_rcpt <user.notexist@example.com> should produce --> "550 User unknown"
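
The files from Steps 2 and 3 can also be cross-checked offline before the map is rebuilt. The script below is an added example, not part of the original FAQ and not sendmail's own rule set: it assumes a simplified lookup in which a full-address To: entry is consulted before the domain-wide To: entry, and it reports every domain that has no domain-wide reject, since unknown users in such a domain would not be refused at RCPT time. The function names and the example.net entries are constructed for illustration.

```python
# Added example, not the FAQ's code. Simplified model (assumption): a
# full-address To: entry is consulted before the domain-wide To: entry.

# Constructed sample input, using the addresses from Steps 2 and 3;
# example.net is a constructed extra domain with no catch-all entry.
DOMAINS = ["example.com", "my.org", "example.net"]
ACCESS = '''
To:example.com error:5.1.1:"550 User unknown"
To:my.org error:5.1.1:"550 User unknown"
To:john.doe@example.com RELAY
To:jane.joe@my.org RELAY
To:postmaster@example.com RELAY
To:info@example.net RELAY
'''

def parse_to_entries(text):
    """Map each To: key (lowercased address or domain) to its action."""
    table = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].lower().startswith("to:"):
            table[fields[0][3:].lower()] = fields[1].strip()
    return table

def rcpt_decision(table, rcpt):
    """Action for one recipient, or None when no To: entry applies."""
    rcpt = rcpt.strip("<>").lower()
    for key in (rcpt, rcpt.rpartition("@")[2]):
        if key in table:
            return table[key]
    return None

def lint(table, domains):
    """Domains whose unknown recipients would not be refused at RCPT time."""
    return [d for d in domains
            if not table.get(d, "").lower().startswith("error:")]

if __name__ == "__main__":
    table = parse_to_entries(ACCESS)
    for rcpt in ("<user.notexist@example.com>", "<john.doe@example.com>"):
        print(rcpt, "->", rcpt_decision(table, rcpt))
    print("missing catch-all reject:", lint(table, DOMAINS))
```

This check does not replace the Step 5 test, which exercises the real rule sets.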