Email question

Cowles, Steve steve at stevecowles.com
Fri Jul 30 00:52:35 UTC 2004


Jake McHenry wrote:
> I'm not running iptables ...  on the old setup I had mailscanner
> running and another utility that gave me stats on email that could
> add spammers to the access db, maybe I'll just configure all that
> again. The only problem was some addresses entered into the access db
> were legitimate people. Can anyone recommend a better solution?

Jake,

I no longer use sendmail (I now use postfix), but I had a similar problem
with dictionary attacks because my sendmail MTA was a frontend for an
exchange server. To ensure that sendmail "only" accepted/relayed e-mail for
valid accounts on the exchange server, I used the following approach (trick)
in /etc/mail/access. Maybe it will work for you. I have copy/pasted a backup
copy of my previous sendmail access file configuration (with a few edits).

As always, your mileage may vary based on how sendmail is configured at your
end, so be sure to make a backup of your current access file -and- be sure
to run an open relay checker against any changes you make. I've always used
the following site for testing:
http://www.abuse.net/relay.html


<copy/paste /etc/mail/access>

# If this is both an inbound and outbound MTA, then add the systems that
# are allowed to relay e-mail through this system.
192.168.1		RELAY

# Reject both envelope sender (mail from) and recipients (rcpt to)
# that contain mydomain.com
mydomain.com		REJECT

# To negate the above reject, add only "valid" recipients for mydomain.com
scowles@mydomain.com		OK
postmaster@mydomain.com		OK
etc...

Note 1: The above implementation was based on reading:
http://www.sendmail.org/m4/anti_spam.html#access_db

The really confusing part about sendmail (versus postfix) is understanding
in which context the access file is consulted. i.e. is the test done against
the envelope sender or recipient or both. What a PITA. Postfix does a lot
better job at implementing these types of tests.

Note 2: Maintaining a valid list of exchange recipients (mailboxes) on the
sendmail server was accomplished by writing a shell script that did an LDAP
query against the exchange server to build an access formatted list of valid
mailboxes. This script was run as an hourly cronjob. This way, when I made a
change (add/delete) on the exchange server, it was replicated to the
sendmail frontend. In fact, I still do this with postfix as a frontend.

Note 3: When an invalid recipient was specified (like during a dictionary
attack), it was rejected after the "rcpt to"; thus no DSN/bounce was
generated by sendmail, i.e. the rejection occurs before the inbound e-mail
is submitted to the queue for delivery. Nice!!!

Hope the above solution at least points you in the right direction for
achieving your goal.

Steve Cowles
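The following is an added example (not Steve Cowles's script and not part of the original post) of the kind of generator described in Note 2: it takes a list of valid mailboxes and emits the access-formatted entries shown in the post (RELAY for the internal network, REJECT for the domain, OK for each valid recipient). The LDAP query against the directory is assumed rather than performed; a constructed sample list stands in for its output so the script runs offline. The domain name mydomain.com and the network 192.168.1 are taken from the post; the function names, the case folding, the atomic write to a temp file and the makemap step that would follow are assumptions for this example.

```shell
#!/bin/sh
# Added example: build sendmail access-db entries from a list of valid
# mailboxes. In a real deployment the list would come from an LDAP query
# (assumed, e.g. ldapsearch against the Exchange directory); here the
# constructed SAMPLE_MAILBOXES stands in for that query output.

# Constructed sample of what the directory query is assumed to return,
# one mailbox per line, including a duplicate in different case and a
# line that is not an address at all.
SAMPLE_MAILBOXES='scowles@mydomain.com
postmaster@mydomain.com
SCowles@MyDomain.com
not-an-address
helpdesk@mydomain.com
'

# build_access DOMAIN RELAY_NET < mailbox-list
# Emits the three kinds of entries from the post: RELAY for the internal
# network, REJECT for the whole domain, then OK for every valid mailbox.
# Keys are folded to lower case and de-duplicated (access-db lookups are
# case-insensitive); anything that is not an address in DOMAIN is dropped,
# so a stray line in the directory output cannot open up the domain.
build_access() {
    domain="$1"
    relay_net="$2"
    printf '%s\t\tRELAY\n' "$relay_net"
    printf '%s\t\tREJECT\n' "$domain"
    tr 'A-Z' 'a-z' \
      | grep -E "^[a-z0-9._+-]+@$(printf '%s' "$domain" | sed 's/\./\\./g')\$" \
      | sort -u \
      | while IFS= read -r addr; do
            printf '%s\t\tOK\n' "$addr"
        done
}

# write_access_file DOMAIN RELAY_NET OUTFILE < mailbox-list
# Writes atomically: generate into a temp file, then rename, so an hourly
# cron run that is interrupted never leaves a half-written access file.
# (Running makemap to rebuild access.db afterwards is left out here.)
write_access_file() {
    out="$3"
    tmp="$out.tmp.$$"
    build_access "$1" "$2" > "$tmp" && mv "$tmp" "$out"
}

# count_ok ACCESSFILE -> number of OK entries; a quick sanity check that the
# directory query returned something before the new file replaces the old one.
count_ok() {
    grep -c 'OK$' "$1"
}
```

Usage from cron would be along the lines of `ldapsearch ... | write_access_file mydomain.com 192.168.1 /etc/mail/access` followed by makemap; the count check is there because an empty directory result would otherwise produce a file that rejects every recipient in the domain. As the post says, any change to the access file should be followed by a run of an open relay checker.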