comp.mail.sendmail: Configuring and using the BSD sendmail agent.
#1
Hello,
my sendmail installation is responsible for several domains. These domains are delivered locally. How can I configure sendmail so that mails for one of these domains are only accepted from a predefined mailserver (a mailserver with a spam filter) or from authenticated users?

Example nameserver setup:

Domain1 MX my.server
Domain1 A <ip of my.server>
Domain2 MX my.server
Domain2 A <ip of my.server>
Domain3 MX spam.filter.server
Domain3 A <ip of my.server>

spam.filter.server: forwards with mailertable to [my.server]

Some spam senders deliver directly to the A record instead of the MX record. This should be blocked. But I cannot add a firewall rule to accept connections only from spam.filter.server, because I must accept mails for domain1 and domain2.

Is this possible (for the access map)?

Connect:spam.filter.server OK
To:domain3 REJECT

Can spam.filter.server still send mails to domain? Can authenticated users still send to domain3? Can a local process still send to domain3? Is the order of the entries in the access map important?

I know that I can try my solution myself, but I fear that my solution could work but have some unrecognized side effects. So I put my solution up for discussion. Maybe anyone has the same problem and already found a solution.

Thanks for your help.

Andreas
#2
On Wed, 29 Aug 2007 04:07:43 -0700, andi <andreas.sachs@gmail.com>
wrote:

>Hello,
>my sendmail installation is responsible for several domains. These
>domains are delivered locally. How can i configure sendmail, that
>mails for one of these domains are only accepted from a predefined
>mailserver (mailserver with spam filter) or authenticated users?

Reorder your parameters a bit. If you're going to trust some other mailhost to spam filter, and figure they're good, and of course you also have authenticated users, what does it matter what domain they're delivering to? Let these sources mail, period. Thus, allow authenticated users (this is inherent to the authentication mechanism anyway), and allow connections from specific mailhosts, then disallow all mail to the specific domains you want protected from all other sources.

>Some spam senders deliver directly to the A-record instead of the mx-
>record.

Indeed. It helps to have multiple IP addresses: you can set up a honeypot on the A address, and an actual sendmail on an alternate address (say, at a mailhost.domain.tld host entry, rather than the base domain).

>Is this possible (for access-map):
>Connect:spam.filter.server OK
>To:domain3 REJECT

Exactly as I suggest above (and suggested yesterday on another similar topic here). I generally don't use REJECT and instead issue a specific error message, often providing a policy URL in it.

>Can spam.filter.server still send mails to domain?

Yes - you're explicitly saying "accept connections from this host", which bypasses all rejects (and is clearly documented to do so). Same principle applies to authenticated users - you're saying "ok, I *KNOW* this guy, so let him do his thing."

You may also find the following config change to be useful for tracking. Place it in the .mc file which you use to generate your .cf:

dnl # delays RBL checks until after AUTH (also allows intended
dnl # recipient to be determined - if you subsequently reject, you
dnl # know who the spam was directed at)
FEATURE(`delay_checks')dnl

You will probably benefit from reading the section titled ANTI-SPAM CONFIGURATION CONTROL in the README file in the sendmail/cf dir in the source distribution. I have some notes from this section embedded into the top of my access.txt on all my hosts to make editing of that file a bit easier when you're up in the middle of the night dealing with something and the syntax reminders are helpful.

>Can authenticated users still send to domain3?

Yup, they're authenticated.

>Can a local process still send to domain3?

From the above referenced section of the README, you'd find:

<quote>
Notice: to avoid checking your own local domains against those blacklists, use the access_db feature and add:

Connect:10.1 OK
Connect:127.0.0.1 RELAY

to the access map, where 10.1 is your local network. You may want to use "RELAY" instead of "OK" to allow also relaying instead of just disabling the DNS lookups in the blacklists.
</quote>

For just localhost, omit the first connect line - but if you use the first connect line, be sure it specifies your net. My sendmail make process runs the access map file against CIDREXPAND, so I can put standard CIDR notation netblocks in there, and when the db gets regenerated, they'll be expanded as needed.

>Is the order of the entries in the access-map important?

Not really - it isn't parsed to first match conditions in a linear fashion. I keep them organized though for easier management, and drop lots of comments (which are stripped out when it is hashed).
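The setup the reply describes, worked out as a complete example: the access map with the Connect: and To: entries, the matching .mc lines, and a rebuild step that runs the map through cidrexpand and makemap the way the reply's "make process" does. This is an added example, not code from the thread or from the sendmail distribution. my.server, spam.filter.server and domain3 are the question's own placeholders; the LAN 10.1.0.0/16, the policy URL, the error wording and the AUTH mechanism list are assumptions made for the example. Note that the third post in this thread reports that, with the Connect:/To: entries alone, an authenticated user connecting from a host with no Connect: entry was still rejected at RCPT TO, so test the authenticated path against your own build before relying on it.

```shell
#!/bin/sh
# Added example, not code from the thread: a rebuild script for the access
# map the reply describes. my.server, spam.filter.server and domain3 are
# the question's placeholders; the LAN 10.1.0.0/16, the policy URL, the
# error wording and the AUTH mechanism list are assumptions.

# Write the access map source into directory $1.
write_access_source() {
    cat > "$1/access" <<'EOF'
# Connection policy (check_relay). Localhost and the LAN skip the DNSBL
# lookups and may relay (cf/README, ANTI-SPAM CONFIGURATION CONTROL).
# The CIDR line needs cidrexpand (see rebuild_access_db below).
Connect:127.0.0.1            RELAY
Connect:10.1.0.0/16          RELAY
# The filtering MX that fronts domain3. Connect: is matched on the
# client's address as well as its name, so add the IP as well if you
# do not control that host's reverse DNS.
Connect:spam.filter.server   OK

# Recipient policy (check_rcpt). A bare REJECT here gives sendmail's stock
# "550 5.2.1 ... Mailbox disabled for this recipient" seen in the third
# post; an explicit ERROR with a policy URL tells the sender why instead.
To:domain3   ERROR:5.7.1:"550 domain3 accepts mail only via spam.filter.server, see http://my.server/mailpolicy"
EOF
}

# Write the matching lines for the .mc from which sendmail.cf is generated.
write_mc_fragment() {
    cat > "$1/access-policy.m4" <<'EOF'
FEATURE(`access_db')dnl
dnl # delays RBL checks until after AUTH (also allows intended
dnl # recipient to be determined - if you subsequently reject, you
dnl # know who the spam was directed at)
FEATURE(`delay_checks')dnl
dnl # the mechanisms advertised in the EHLO reply of the third post
dnl # (assumed wanted); TRUST_AUTH_MECH lets users who authenticate relay
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
EOF
}

# Print the value stored under key $2 in access source $1. Exact match
# only; sendmail also tries shorter prefixes of the key, not modelled here.
access_value() {
    awk -v key="$2" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Sanity checks before installing: a To: reject without any allowed
# Connect: source locks everyone out, and without Connect:127.0.0.1 the
# local host goes through the blacklist checks too (README quote above).
check_access_source() {
    if grep -q '^To:' "$1" &&
       ! grep -Eq '^Connect:[^[:space:]]+[[:space:]]+(OK|RELAY)' "$1"; then
        echo "$1: To: entries but no Connect: OK/RELAY source" >&2
        return 1
    fi
    if ! grep -q '^Connect:127\.0\.0\.1' "$1"; then
        echo "$1: missing Connect:127.0.0.1 entry" >&2
        return 1
    fi
    return 0
}

# Expand CIDR netblocks with cidrexpand (from sendmail's contrib/ directory,
# assumed to be on PATH) and rebuild access.db with makemap.
rebuild_access_db() {
    check_access_source "$1/access" || return 1
    if grep -q '^Connect:[0-9.]*/[0-9]' "$1/access"; then
        cidrexpand < "$1/access" | makemap hash "$1/access"
    else
        makemap hash "$1/access" < "$1/access"
    fi
}
```

Typical use is `write_access_source /etc/mail`, review the file, then `rebuild_access_db /etc/mail`; the .mc fragment is merged into your own .mc by hand. access_value only does exact-key lookups for checking the file you wrote; sendmail's own lookup also tries shorter prefixes of host names and addresses, which is why `Connect:10.1` in the README quote matches the whole 10.1.x.x net.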
#3
Hello,
thanks for your reply. I also found your reply to the other post before my post, but the case with authenticated users is not mentioned. Since I was curious whether this solution would work, I already tried it before your answer, and I ran into the following problem: messages from hosts not listed with "Connect" are rejected, even if the user is authenticated.

Log from the mail client:

SMTP: 21:04:55 [rx] 220 xxxxxxx ESMTP Sendmail MTA; Wed, 29 Aug 2007 21:04:45 +0200
SMTP: 21:04:55 [tx] EHLO asc2d
SMTP: 21:04:55 [rx] 250-xxxxx Hello xxxxx [xxxxxx], pleased to meet you
SMTP: 21:04:55 [rx] 250-ENHANCEDSTATUSCODES
SMTP: 21:04:55 [rx] 250-PIPELINING
SMTP: 21:04:55 [rx] 250-EXPN
SMTP: 21:04:55 [rx] 250-VERB
SMTP: 21:04:55 [rx] 250-8BITMIME
SMTP: 21:04:55 [rx] 250-SIZE 50000000
SMTP: 21:04:55 [rx] 250-DSN
SMTP: 21:04:55 [rx] 250-ETRN
SMTP: 21:04:55 [rx] 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
SMTP: 21:04:55 [rx] 250-STARTTLS
SMTP: 21:04:55 [rx] 250-DELIVERBY
SMTP: 21:04:55 [rx] 250 HELP
SMTP: 21:04:55 [tx] AUTH CRAM-MD5
SMTP: 21:04:55 [rx] 334 xxxxx
SMTP: 21:04:55 [tx] xxxxxx
SMTP: 21:04:55 [rx] 235 2.0.0 OK Authenticated
SMTP: 21:04:55 [tx] MAIL FROM:<xxxxx>
SMTP: 21:04:55 [rx] 250 2.1.0 <xxxxx>... Sender ok
SMTP: 21:04:55 [tx] RCPT TO:<xxxx>
SMTP: 21:04:55 [rx] 550 5.2.1 <xxxxx>... Mailbox disabled for this recipient

Andreas