
spam FRIEND problem


ER

Mar 23, 2005, 10:29:51 PM
I'm having trouble getting an anti-spam configuration to work.

The Internet connected MTA is running sendmail 8.13.3 and is configured
to act as a mail relay; no local mail is delivered. Mail routing is done
using LDAP. Entries in the access database are used to allow certain domains
to relay through the server.

To:example2.com.au RELAY
To:example3.com.au RELAY

This has been working for some while and is rejecting mail not destined for a
domain that is not listed in the access db. All permitted mail is looked
up in LDAP and routed correctly.

I'm now trying to permit specific users within a domain while still
rejecting all other addresses in that domain. To do this, I've added to
the .mc file FEATURE(`delay_checks',`friend') and to the access file I've
added:

Spam:ad...@example1.com.au FRIEND
Spam:postm...@example1.com.au FRIEND
Spam:us...@example1.com.au FRIEND

I've run a makemap whenever the access list is changed.

I still can't relay to any of these addresses; I get:

550 5.7.1 <ad...@example1.com.au>... Relaying denied

I've tried taking out LDAP just in case but the same problem.

Here's the current .mc file:

divert(0)dnl
OSTYPE(`linux')dnl
LDAPROUTE_DOMAIN_FILE(`/etc/mail/LDAPRoute')dnl
define(`QUEUE_DIR', `/var/spool/mqueue/q*')dnl
define(`confLDAP_DEFAULT_SPEC', ` -w3 -h localhost -b ""')dnl
define(`confMAX_DAEMON_CHILDREN', `250')dnl
define(`confPRIVACY_FLAGS', `authwarnings,needexpnhelo,needmailhelo,needvrfyhelo,noexpn,novrfy,goaway,noetrn,noreceipts')dnl
define(`confQUEUE_LA', `15')dnl
define(`confQUEUE_SORT_ORDER', `time')dnl
define(`confBIND_OPTS',`WorkAroundBrokenAAAA')dnl
define(`confREFUSE_LA', `48')dnl
define(`confTO_RCPT', `10m')dnl
define(`confTO_DATABLOCK', `10m')dnl
define(`confTO_COMMAND', `5m')dnl
define(`confTO_IDENT', `0s')dnl
define(`confDELIVERY_MODE', `background')dnl
FEATURE(`access_db')dnl
FEATURE(`delay_checks',`friend')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`ldap_routing',,,`bounce',,,`queue')dnl
FEATURE(`no_default_msa')dnl
FEATURE(`nouucp', `nospecial')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl

Can someone tell me what I'm doing wrong here?


Johann (swap last 2 domainparts) Klasek

Mar 24, 2005, 6:01:48 AM
ER <snowys...@yahoo.com> wrote:
> I'm having trouble getting an anti-spam configuration to work.
>
> The Internet connected MTA is running sendmail 8.13.3 and is configured
> to act as a mail relay; no local mail is delivered. Mail routing is done
> using LDAP. Entries in the access database are used to allow certain domains
> to relay through the server.
>
> To:example2.com.au RELAY
> To:example3.com.au RELAY
>
> This has been working for some while and is rejecting mail not destined for a
> domain that is not listed in the access db. All permitted mail is looked
> up in LDAP and routed correctly.
>
> I'm now trying to permit specific users within a domain while still
> rejecting all other addresses in that domain. To do this, I've added to
> the .mc file FEATURE(`delay_checks',`friend') and to the access file I've
> added:
>
> Spam:ad...@example1.com.au FRIEND
> Spam:postm...@example1.com.au FRIEND
> Spam:us...@example1.com.au FRIEND
>
> I've run a makemap whenever the access list is changed.
>
> I still can't relay to any of these addresses; I get:
>
> 550 5.7.1 <ad...@example1.com.au>... Relaying denied
[..]

> Can someone tell me what I'm doing wrong here?


Use FEATURE(virtusertable) for this. SPAM friend works in a completely
different way: Even with spam friend you have to allow relaying for the
domain the spam friends are in. For a spam friend address typical tests
and checks (sender checks, relay checks and recipient rejects, discards,
errors coming from access.db) are ignored.


Johann Klasek

ER

Mar 24, 2005, 6:57:08 PM

I don't think virtusertable will help me here. The mail that the gateway
accepts is routed to the next hop via LDAP. The next hop is not the final
delivery host, it's another internal host that applies some processing
(typically AV) prior to final delivery. There is no need for any
aliasing or address rewriting.

ER

Per Hedeland

Mar 25, 2005, 4:30:33 AM
In article <pan.2005.03.24....@yahoo.com> "ER"

I don't see how virtusertable table would help either, but the point
about relaying vs spamfriend that Johann makes is what you need to note
- spamfriend won't allow relaying as such, it can only negate the
effects of various blocking mechanisms. I *think* you can allow relaying
for the whole domain and by judicious use of blacklist_recipients block
those users that you don't want relayed, but a more convenient way is
probably to allow relaying based on the complete recipient address
rather than just the domain-part. This is available with an undocumented
feature as of sendmail 8.13.0 - in your .mc file:

define(`_RELAY_FULL_ADDR_', `1')

Then you can use access db entries like

To:ad...@example1.com.au RELAY

(You don't need delay_checks for this.)

--Per Hedeland
p...@hedeland.org
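
A simplified model of the relay decision described in the reply above, added here as an example; it is not part of the original thread and is not sendmail's code. The users alice and bob, the function names and the sample access text are constructed, and only exact `To:` address and domain matches are modelled.

```python
# Simplified model of the recipient relay decision discussed in this thread.
# Not sendmail's code: only exact To:address and To:domain matches are modelled.

ACCESS = """\
# constructed sample in access-file syntax; alice and bob are made-up users
To:example2.com.au          RELAY
To:alice@example1.com.au    RELAY
Spam:alice@example1.com.au  FRIEND
Spam:bob@example1.com.au    FRIEND
"""

def parse_access(text):
    """Return {(tag, key): value} for 'Tag:key VALUE' lines (keys lowercased)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) != 2:
            continue  # blank line, comment, or entry without a value
        tag, _, key = fields[0].partition(":")
        table[(tag.lower(), key.lower())] = fields[1].strip().upper()
    return table

def relay_allowed(rcpt, table, full_addr):
    """True if a To: entry grants RELAY for this recipient.

    full_addr models define(`_RELAY_FULL_ADDR_', `1'): the whole address is
    tried before the domain part. Spam: FRIEND entries are never consulted,
    because FRIEND only skips checks and does not grant relaying.
    """
    rcpt = rcpt.lower()
    keys = ([rcpt] if full_addr else []) + [rcpt.rpartition("@")[2]]
    return any(table.get(("to", key)) == "RELAY" for key in keys)

def unrelayable_friends(table, full_addr):
    """Spam: FRIEND recipients that no To: RELAY entry covers."""
    return sorted(key for (tag, key), value in table.items()
                  if tag == "spam" and value == "FRIEND"
                  and not relay_allowed(key, table, full_addr))

if __name__ == "__main__":
    table = parse_access(ACCESS)
    for rcpt in ("alice@example1.com.au", "bob@example1.com.au",
                 "anyone@example2.com.au"):
        for full in (False, True):
            print(rcpt, "full_addr=%s" % full, relay_allowed(rcpt, table, full))
    print("FRIEND but still 'Relaying denied':", unrelayable_friends(table, True))
```
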

Geoff Steer

Mar 26, 2005, 1:44:13 AM

Thanks Per,

The RELAY_FULL_ADDR is exactly what I needed. The rebuilt sendmail.cf is
accepting the listed addresses and rejecting (Relaying denied) any other
address within that domain. Just what I need to drop the 1 million or so
mail attempts received daily to the domain in question - [valid mail to
the domain is 10 messages a day]

Regards
Geoff Steer
[Posted from new address, not borrowed mail/news account]

