A check_expn rule I wrote a while ago. This also works for use as a check_vrfy rule. It could probably use a little clean up or canonicalizing into Sendmail Standard Form.

Basic logic:
look up foo.domain.com in /etc/mail/access using the F rule and look for an entry like this:

EXPN:webmaster@foo.domain.com		OK
EXPN:postmaster				OK
EXPN:root@bar.domain.com		DENY

Else, use the A rule to look up the IP address or octet based netblock in /etc/mail/access. (Don't think anyone has done real CIDR in sendmail.cf yet ...)

EXPN:		OK # allow localhost to expn
EXPN:		OK # allow UCB-ETHER to expn

R$*			$: $>F <$1> <?> <! Expn> <$1>
R<?> <$*>	    	$: <$&{client_addr}> <$1>
R<$*> <$*>		$: $>A <$1> <?> <! Expn> <$2>
R<OK> <$*>		$@ $1
R$*			$#error $@ 5.7.0 $: "502 sorry, we do not allow this operation."

Notes: This rule, as written, has the behaviour of denying EXPN on 'verboten' email addresses even if the query comes from an allowed IP range. Changing this is left as an excercise to the reader. Essentially:

Feedback, questions, comments? Email me