comp.mail.sendmail Configuring and using the BSD sendmail agent.

#1

I am tinkering with ldap routing and while I was running some things in
debug mode I noticed that sendmail does a query for mailRoutingAddress and
mailHost if a return address domain is in the ldaproute_domain. While it
does work and get the correct mailRoutingAddress and mailHost for the email
address being delivered to why does it do a query on the return address as
well? It does not do the query on the return address if the return address
is not in the ldaproute_domain. I think doing this extra query is a waste
especially since it does not appear to use it in any way. Is there a way to
stop it?

I am using sendmail-8.13.8 and openldap 2.3.28 on a slackware 11 box.

#2

Mark Hamilton wrote:
> I am tinkering with ldap routing and while I was running some things in
> debug mode I noticed that sendmail does a query for mailRoutingAddress and
> mailHost if a return address domain is in the ldaproute_domain. While it
> does work and get the correct mailRoutingAddress and mailHost for the email
> address being delivered to why does it do a query on the return address as
> well? It does not do the query on the return address if the return address
> is not in the ldaproute_domain. I think doing this extra query is a waste
> especially since it does not appear to use it in any way. Is there a way to
> stop it?

Before accepting a message, and taking responsibility for sending
delivery failure notifications if needed, sendmail wants to check that
at least the domain part of the return address is valid. It does so by
processing that address exactly as would be done if a message was sent
to that address.

I don't think it's a good idea to switch this check off -- if that can
be done at all.

--
Kees Theunissen.

#3

In article <12k3ismlbdvake7@corp.supernews.com> Kees Theunissen
<theuniss@rijnh.nl> writes:
>Mark Hamilton wrote:
>> I am tinkering with ldap routing and while I was running some things in
>> debug mode I noticed that sendmail does a query for mailRoutingAddress and
>> mailHost if a return address domain is in the ldaproute_domain. While it
>> does work and get the correct mailRoutingAddress and mailHost for the email
>> address being delivered to why does it do a query on the return address as
>> well? It does not do the query on the return address if the return address
>> is not in the ldaproute_domain. I think doing this extra query is a waste
>> especially since it does not appear to use it in any way. Is there a way to
>> stop it?

Sendmail generally does most of the processing for envelope recipient
addresses also for envelope sender addresses - in particular it does the
processing needed to resolve the sender address to a "mailer", since the
mailer associated with the sender address is used for some decisions and
statistics. Hence if map lookups are done as part of the processing to
resolve a recipient address to a mailer, those map lookups will also be
done when that address is the sender - it's not specific to ldap_routing.

You could avoid this (and possibly cause some problems, but probably
not), by short-circuiting the address resolution for envelope sender
addresses with some custom rules in a LOCAL_RULE_0 section in your .mc
file. Something like this might work (totally untested):

LOCAL_RULE_0
R$*	$: $1 $| $&{addr_type}
R$* < @$* > $* $| e s	$#esmtp $@ $2 $: $1 < @ $2 > $3
R$* $| $*	$: $1

>Before accepting a message, and taking responsibility for sending
>delivery failure notifications if needed, sendmail wants to check that
>at least the domain part of the return address is valid. It does so by
>processing that address exactly as would be done if a message was sent
>to that address.

Well, yes and no... The "exactly as" processing of the sender address
isn't really done for that reason, see above - and while it will IIRC
cause rejection if the address resolves to the #error mailer, this will
only happen for e.g. non-existent local users, and not for an address
that has a non-existent domain part (it generally resolves to the #esmtp
mailer, and the problem is detected when the mailer tries to connect to
the destination MX/host - the processing of the sender address is *not*
taken that far).

Then there is the (comparatively recent) checking of the sender domain
that can be turned off with accept_unresolvable_domains. This is
essentially an anti-spam feature (don't know if there still are spammers
stupid enough to be blocked by it), though it can certainly be motivated
with the responsibility/reliability argument that you make (the
introduction of this check is the single good thing that spam-fighting
has brought us:-). However this is quite unrelated to the "exactly as"
processing, and done with dedicated rules invoked via the check_mail
ruleset.

>I don't think it's a good idea to switch this check off -- if that can
>be done at all.

And taking *that* a step further, getting back to the original question,
you can *make use* of those LDAP lookups instead of preventing them from
happening, via the setting of the <bounce> argument to ldap_routing -
from cf/README:

    if set to "sendertoo", the sender will be rejected if not
    found in LDAP

(this is a superset of the "bounce" a.k.a. not-"passthru" setting, as
the name indicates). I.e. if a spammer uses some random but non-existent
address in your domain as sender (not uncommon), you can reject the
message immediately. Likewise if one of your users has failed to
configure his MUA with a working sender address.

--Per Hedeland
per@hedeland.org
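
The `sendertoo` setting described in the post above, written out as a sendmail.mc fragment. This is an added example, not part of the original thread or of sendmail's distributed files; the domain, LDAP host and base DN are constructed placeholders.

```m4
dnl Constructed example values: example.com, ldap.example.com and the
dnl base DN dc=example,dc=com are placeholders, not from the thread.

dnl Addresses in this domain are resolved through the ldap_routing maps.
dnl As noted in the thread, this applies to envelope senders in the
dnl domain as well as to recipients.
LDAPROUTE_DOMAIN(`example.com')dnl

dnl Default LDAP server and search base used by the ldap_routing maps.
define(`confLDAP_DEFAULT_SPEC', `-h ldap.example.com -b dc=example,dc=com')dnl

dnl Variant A (default behaviour, shown commented out):
dnl with no <bounce> argument the feature runs in "passthru" mode, so an
dnl address with no LDAP entry is still accepted and the result of the
dnl sender lookup is never acted on.
dnl FEATURE(`ldap_routing')dnl

dnl Variant B: make use of the sender lookup.
dnl Arguments 1 and 2 (the mailHost and mailRoutingAddress map
dnl definitions) are left empty to keep the built-in defaults;
dnl argument 3 is <bounce>. "sendertoo" rejects unknown recipients
dnl (like any non-passthru value) and also rejects an envelope sender
dnl that is not found in LDAP.
FEATURE(`ldap_routing', `', `', `sendertoo')dnl

dnl The separate check_mail sender-domain check stays active as long as
dnl the following feature is NOT enabled:
dnl FEATURE(`accept_unresolvable_domains')dnl
```

The two empty quoted arguments matter: m4 arguments are positional, so omitting them would put `sendertoo` in the mailHost map slot instead of the <bounce> slot.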

#4

"Per Hedeland" <per@hedeland.org> wrote in message
news:ehtq02$bv6$1@hedeland.org...
> In article <12k3ismlbdvake7@corp.supernews.com> Kees Theunissen
> <theuniss@rijnh.nl> writes:
>>Mark Hamilton wrote:
>>> I am tinkering with ldap routing and while I was running some things in
>>> debug mode I noticed that sendmail does a query for mailRoutingAddress
>>> and mailHost if a return address domain is in the ldaproute_domain.
>>> While it does work and get the correct mailRoutingAddress and mailHost
>>> for the address being delivered to why does it do a query on the return
>>> address as well? It does not do the query on the return address if the
>>> return address is not in the ldaproute_domain. I think doing this extra
>>> query is a waste especially since it does not appear to use it in any
>>> way. Is there a way to stop it?
>
> Sendmail generally does most of the processing for envelope recipient
> addresses also for envelope sender addresses - in particular it does the
> processing needed to resolve the sender address to a "mailer", since the
> mailer associated with the sender address is used for some decisions and
> statistics. Hence if map lookups are done as part of the processing to
> resolve a recipient address to a mailer, those map lookups will also be
> done when that address is the sender - it's not specific to ldap_routing.
>
> You could avoid this (and possibly cause some problems, but probably
> not), by short-circuiting the address resolution for envelope sender
> addresses with some custom rules in a LOCAL_RULE_0 section in your .mc
> file. Something like this might work (totally untested):
>
> LOCAL_RULE_0
> R$*	$: $1 $| $&{addr_type}
> R$* < @$* > $* $| e s	$#esmtp $@ $2 $: $1 < @ $2 > $3
> R$* $| $*	$: $1
>
>>Before accepting a message, and taking responsibility for sending
>>delivery failure notifications if needed, sendmail wants to check that
>>at least the domain part of the return address is valid. It does so by
>>processing that address exactly as would be done if a message was sent
>>to that address.
>
> Well, yes and no... The "exactly as" processing of the sender address
> isn't really done for that reason, see above - and while it will IIRC
> cause rejection if the address resolves to the #error mailer, this will
> only happen for e.g. non-existent local users, and not for an address
> that has a non-existent domain part (it generally resolves to the #esmtp
> mailer, and the problem is detected when the mailer tries to connect to
> the destination MX/host - the processing of the sender address is *not*
> taken that far).
>
> Then there is the (comparatively recent) checking of the sender domain
> that can be turned off with accept_unresolvable_domains. This is
> essentially an anti-spam feature (don't know if there still are spammers
> stupid enough to be blocked by it), though it can certainly be motivated
> with the responsibility/reliability argument that you make (the
> introduction of this check is the single good thing that spam-fighting
> has brought us:-). However this is quite unrelated to the "exactly as"
> processing, and done with dedicated rules invoked via the check_mail
> ruleset.
>
>>I don't think it's a good idea to switch this check off -- if that can
>>be done at all.
>
> And taking *that* a step further, getting back to the original question,
> you can *make use* of those LDAP lookups instead of preventing them from
> happening, via the setting of the <bounce> argument to ldap_routing -
> from cf/README:
>
>     if set to "sendertoo", the sender will be rejected if not
>     found in LDAP
>
> (this is a superset of the "bounce" a.k.a. not-"passthru" setting, as
> the name indicates). I.e. if a spammer uses some random but non-existent
> address in your domain as sender (not uncommon), you can reject the
> message immediately. Likewise if one of your users has failed to
> configure his MUA with a working sender address.
>
> --Per Hedeland
> per@hedeland.org

Thank you for the responses. That last idea of using the lookup to verify
the sender is very interesting. I know it would not be perfect but it
could slow down the spambots a little. I will have to see how it acts with
different clients that use different reply tags.

Thanks again.