[milters] Archive

Lists Index Date Thread Search

Article: 510
From: Anthony Howe
Date: 2005-04-19 04:32:30 -0400
Subject: Re: Sendmail Question.

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Ismael Perin wrote:
> Because the users with 3D<something>@mydomain.com be sent frequently to my
> real users. And too e-mails like this sss_hhd_hhhes_df@mydomain.com be sent.
This is a constant problem. Consider looking at a grey-listing milter:

	http://www.milter.info/milter-gris/

Or look into SPF or hash-cash.

milter-sender does not validate senders that claim to be from the 
localhost. It was a early design choice, because a sendmail ruleset is 
better for this.

You could try the Sendmail ruleset I've attached (take care of any line 
wrapping and the need for tabs between left and right sides of the 
rules). I've only just written this and its lightly tested. You should 
test it very carefully before using it: real addresses, virtusertable 
addresses, aliases, acounts without a shell (daemons), false users, 
emails with subdomains or machine name, etc...

NOTE that this ruleset will NOT stop a spammer using a locally valid 
address, in which case you should look into SPF and SMTP+AUTH.

One thing to avoid: remove all catch-all addresses from your 
virtusertable. A catch-all address will just allow spammers to send mail 
with any user name they want to the domain owner or handler of the 
catch-all mailbox. Catch-all addresses are EVIL and any business that 
thinks they should have one just to be sure not to lose a potentially 
important mail is certainly welcome to all the spam they get, because of 
the it.

> How to I enable only users listed on /etc/passwd and aliases to send emails?

SMTP+AUTH+STARTLS is the only sure way. Settting this up by hand from 
the source is sufficiently complex (I know because I've done it). Please 
see sendmail.org and/or comp.mail.sendmail about doing this. I recommend 
using a prebuilt package or /usr/port that does most of the work for you.

-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ:
7116561         AIM: Sir Wumpus

"held in my arms / his sun washed face / eyes closed" - Anthony


-- Attached file included as plaintext by Ecartis --
-- File: islocalsender.mc

LOCAL_CONFIG
KhasShell user -vshell
KisAlias hash -m /etc/mail/aliases

LOCAL_RULESETS
#
# If the sender claims to be within a domain we handle, then
# is it a local user account with a shell from /bin, a virtual
# user mapping, or an alias. Reject if its none of the above.
#
SLocal_check_mail
R$*				$: $>canonify $1
R$+ <@ $* $=w .>		$: $1 <@ $2 $3 .> $(hasShell $1 $)
R$+ <@ $* $=w .> /bin $+	$@ OK
R$+ <@ $* $=w .> $*		$: $1 <@ $2 $3 .> $(virtuser $1 @ $2 $3 $: .NOMATCH $)
R$+ <@ $* $=w .> .NOMATCH	$: $1 <@ $2 $3 .> $(isAlias $1 $: .NOMATCH $)
R$+ <@ $* $=w .> .NOMATCH	$#error $@ 5.7.1 $: "User unknown"



Lists Index Date Thread Search