Large Prod Env Mail Host Was [Re: ClamAV Feedback]

Paul Howarth paul at city-fan.org
Wed Oct 27 08:57:19 UTC 2004


Ow Mun Heng wrote:
> I couldn't locate a check_mail and check_rcpt in sendmail's Doc (in
> /usr/share/doc)

check_mail and check_rcpt are rulesets in the sendmail.cf configuration file. 
They're probably explained in the sendmail operations guide (?) in the 
sendmail-doc package.

> What I did find was just references to it. I did find this though
> loose_relay_check
>                 Normally, if % addressing is used for a recipient, e.g.
>                 user%site@othersite, and othersite is in class {R}, the
>                 check_rcpt ruleset will strip @othersite and recheck
>                 user@site for relaying.  This feature changes that
>                 behavior.  It should not be needed for most installations.
> 
> But that is only useful if you're using a single email account to forward to multiple users
> within your organisation. (but this would need intervention from your ISP to get them
> to implement the % thingy)

There was a time when % routing was widely implemented. Not now I suspect, but 
this isn't what the OP was talking about anyway.

> I believe you're building sendmail yourself then. How does one check if
> using rpm(?) Do you know? (I'm booted into gentoo and I know sendmail is
> compiled with ldap support)

Run: sendmail -d0.10 < /dev/null

The output should include LDAPMAP.

> If I understand your explanation of check_mail and check_rcpt correctly,
> it only adds a level of security/anti-relay check correct?

check_mail and check_rcpt are rulesets called by sendmail when the SMTP MAIL 
FROM: and RCPT TO: commands are issued respectively [actually that's not 
strictly true if FEATURE(`delay_checks') is being used, but it's the same 
principle]. Just about any sort of check that can be expressed in rulesets can 
be done at these times. For instance, I check that the connecting client isn't 
trying to forge my hostname or IP address in their SMTP HELO greeting. I also 
use checks in these rulesets to reject mail from domains whose MX records are 
in IP space controlled by certain spammers.

> You're
> already using TLS, how about using SASL as well? Postfix can also query
> against LDAP, so theoretically (anyway) check_mail and check_rcpt can
> also be done. (also with a MySQL backend, much like LDAP, that could
> also be a solution right?)

LDAP and SASL shouldn't be a problem for any decent MTA. The point is that 
sendmail's rulesets are *extremely* versatile and can be used for a wide 
variety of checks, if you can understand sendmail's configuration language 
(which is not easy). I think similar things can be done in Postfix using 
perl-based "policy daemons".

>>This is also where Bogofilter is
>>called if we do spam filtering.  
> 
> Stupid Question. Is Spamassassin via spamass-milter (the milter side)
> slower or more resource intensive compared to bogofilter?

SpamAssassin does much more than bogofilter so I'd expect it to be more 
resource intensive. Since I don't use either though, I couldn't say definitively.

I'm sure the OP will address your other points.

Paul.
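
The two checks described in this message (a client forging the server's own name or address in HELO, and sender domains whose MX hosts sit in listed address space), written as the decision function of a Postfix policy delegation daemon, the Postfix mechanism the message mentions. This is an added example, not Paul's sendmail rulesets; the host name, addresses, networks and MX data are constructed, and the DNS lookup is replaced by a table so it runs offline.

```python
import ipaddress

# Constructed values for illustration; none come from the original message.
MY_NAMES = {"mail.example.org"}                 # names this server announces
MY_ADDRS = {"192.0.2.25"}                       # addresses this server owns
TRUSTED_CLIENTS = {"127.0.0.1", "192.0.2.25"}   # may legitimately use them
BLOCKED_MX_NETS = [ipaddress.ip_network("203.0.113.0/24")]
SAMPLE_MX = {"spam.example": ["203.0.113.7"], "good.example": ["198.51.100.10"]}

def sample_mx(domain):
    """Stand-in for a DNS lookup: addresses of the domain's MX hosts."""
    return SAMPLE_MX.get(domain, [])

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def helo_forged(attrs):
    """True if an untrusted client greets with our own name or address."""
    if attrs.get("client_address", "") in TRUSTED_CLIENTS:
        return False
    helo = attrs.get("helo_name", "").lower().strip("[]").rstrip(".")
    return helo in MY_NAMES or helo in MY_ADDRS

def mx_blocked(attrs, mx_addrs):
    """True if any MX address of the sender's domain is in a blocked net."""
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    if not domain:                 # null sender (bounce): nothing to look up
        return False
    return any(ipaddress.ip_address(a) in net
               for a in mx_addrs(domain) for net in BLOCKED_MX_NETS)

def decide(text, mx_addrs=sample_mx):
    """Return the policy reply for one request (action line + empty line)."""
    attrs = parse_request(text)
    if helo_forged(attrs):
        return "action=REJECT HELO forges this host's name or address\n\n"
    if mx_blocked(attrs, mx_addrs):
        return "action=REJECT sender domain MX is in blocked address space\n\n"
    return "action=DUNNO\n\n"
```

The trusted-client exemption matters: without it, mail submitted by the server itself, which greets with its own name, would be rejected by the HELO check.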



