Email question

Jake McHenry linux at nittanytravel.com
Fri Jul 30 01:14:29 UTC 2004


----- Original Message ----- 
From: "Cowles, Steve" <steve at stevecowles.com>
To: "'For users of Fedora Core releases'" <fedora-list at redhat.com>
Sent: Thursday, July 29, 2004 8:52 PM
Subject: RE: Email question


> Jake McHenry wrote:
> > I'm not running iptables ...  on the old setup I had mailscanner
> > running and another utility that gave me stats on email that could
> > add spammers to the access db, maybe I'll just configure all that
> > again. The only problem was some addresses entered into the access db
> > were legitimate people. Can anyone recommend a better solution?
>
> Jake,
>
> I no longer use sendmail (I now use postfix), but I had a similar problem
> with dictionary attacks because my sendmail MTA was a frontend for an
> exchange server. To ensure that sendmail "only" accepted/relayed e-mail for
> valid accounts on the exchange server, I used the following approach (trick)
> in /etc/mail/access. Maybe it will work for you. I have copy/pasted a backup
> copy of my previous sendmail access file configuration (with a few edits).
>
> As always, your mileage may vary based on how sendmail is configured at your
> end, so be sure to make a backup of your current access file -and- be sure
> to run an open relay checker against any changes you make. I've always used
> the following site for testing:
> http://www.abuse.net/relay.html
>
>
> <copy/paste /etc/mail/access>
>
> # If this is both an inbound and outbound MTA, then add the systems that
> # are allowed to relay e-mail through this system.
> 192.168.1 RELAY
>
> # Reject both envelope sender (mail from) and recipients (rcpt to)
> # that contain mydomain.com
> mydomain.com REJECT
>
> # To negate the above reject, add only "valid" recipients for mydomain.com
> scowles@mydomain.com OK
> postmaster@mydomain.com OK
> etc...
>
> Note 1: The above implementation was based on reading:
> http://www.sendmail.org/m4/anti_spam.html#access_db
>
> The really confusing part about sendmail (versus postfix) is understanding
> in which context the access file is consulted. i.e. is the test done against
> the envelope sender or recipient or both. What a PITA. Postfix does a lot
> better job at implementing these types of tests.
>
> Note 2: Maintaining a valid list of exchange recipients (mailboxes) on the
> sendmail server was accomplished by writing a shell script that did an LDAP
> query against the exchange server to build an access formatted list of valid
> mailboxes. This script was run as an hourly cronjob. This way, when I made a
> change (add/delete) on the exchange server, it was replicated to the
> sendmail frontend. In fact, I still do this with postfix as a frontend.
>
> Note 3: When an invalid recipient was specified (like during a dictionary
> attack), it was rejected after the "rcpt to"; thus no DSN/bounce was
> generated by sendmail. i.e. The rejection occurs before the inbound e-mail
> is submitted to the queue for delivery. Nice!!!
>
> Hope the above solution at least points you in the right direction for
> achieving your goal.
>
> Steve Cowles


Can I put just the username after the rejects or do I need the entire domain
name? I am hosting 6 domain names.. I would need to put each username at
each domain... :-(

Jake
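
Added example (not part of the original thread, and not the script Steve describes): one way to write the hourly job from Note 2 so that it covers several hosted domains at once. It reads LDIF text such as an LDAP query tool prints and refuses to publish an empty result; the domain names, sample records and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Domains and LDIF below are constructed, not real data.
HOSTED_DOMAINS="example.com example.net"

# Constructed sample of LDIF as an LDAP query against the mail server prints it.
sample_ldif() {
cat <<'EOF'
dn: CN=Steve,CN=Users,DC=example,DC=com
mail: scowles@example.com

dn: CN=Postmaster,CN=Users,DC=example,DC=com
mail: Postmaster@Example.NET

dn: CN=Partner,CN=Users,DC=example,DC=com
mail: partner@elsewhere.example
EOF
}

# LDIF on stdin, hosted domains in $1. Prints "addr<TAB>OK" for every mailbox
# in a hosted domain, then "domain<TAB>REJECT" for each hosted domain.
build_access() {
    awk -v domains="$1" '
        BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) hosted[tolower(d[i])] = 1 }
        # Plain "mail: addr" lines only; base64 "mail:: ..." values are skipped.
        tolower($1) == "mail:" && NF == 2 {
            addr = tolower($2)
            if (addr !~ /^[a-z0-9._+-]+@[a-z0-9.-]+$/) next   # conservative charset
            split(addr, p, "@")
            if (!(p[2] in hosted) || seen[addr]++) next
            print addr "\tOK"
        }
        END { for (i = 1; i <= n; i++) print tolower(d[i]) "\tREJECT" }'
}

# True only if file $1 lists at least $2 mailboxes. A failed or truncated LDAP
# query would otherwise publish a map that rejects mail for every real user.
safe_to_install() {
    count=$(awk '$2 == "OK" { c++ } END { print c + 0 }' "$1")
    [ "$count" -ge "$2" ]
}

tmp=$(mktemp) || exit 1
sample_ldif | build_access "$HOSTED_DOMAINS" > "$tmp"
if safe_to_install "$tmp" 1; then
    cat "$tmp"   # real job: append to the static entries, then rebuild the map
else
    echo "too few mailboxes, keeping current access file" >&2
fi
rm -f "$tmp"
```

The generated lines only replace the per-mailbox part of the file; static entries such as the RELAY line stay in a hand-maintained fragment.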




