The ${client_addr} macro is assigned its value when a host connects to the running daemon. The value assigned is the IP address of that connecting host and is the same as the IP address stored in the $_ macro, but without the surrounding square brackets and other non-IP information.

The ${client_addr} macro can be useful in the Local_check_rcpt (Section 7.1.3) and Local_check_mail (Section 7.1.2) rule sets. It can, for example, be used to detect whether an external host is trying to send external mail through your outgoing firewall machine:

LOCAL_CONFIG
D{ourdomain}123.45.6

LOCAL_RULESETS
SLocal_check_mail
R $*                    $: $&{client_addr}
R ${ourdomain} . $-     $@ OK our domain
R $*                    $#error $@ 5.7.1 $: "550 cannot send out from the outside"

Here, the first rule transfers the value of ${client_addr} into the workspace. The $& prefix (Section 21.5.3) prevents that macro from wrongly being expanded when the configuration file is read. The second rule compares the domain part of your IP domain (that of your internal network) to the workspace. If they match, the connection is from a host in your internal domain space. If not, an error is generated in response to the MAIL FROM: command.

Note that this rule set rejects all mail coming from outside your network, which might be overkill (depending, of course, on what you want). It is really useful only at sites that have two firewalls, one for incoming traffic and one for outgoing traffic. This rule set might go on the outgoing firewall.

${client_addr} is transient. If it is defined in the configuration file or in the command line, that definition can be ignored by sendmail. Note that ${client_addr} is not guaranteed to be available in the check_compat rule set (Section 7.1.4). Note also that a $& prefix is necessary when you reference this macro in rules (that is, use $&{client_addr}, not ${client_addr}).