the info-cyrus mailing list told me to place my question here:
I'm running sendmail 8.12.3 (Debian woody standard package) with cyrusv2mailer (cyrusv2.m4,v 1.1 2002/06/01) and cyrus 2.1.17 (backport from http://people.debian.org/~hmh/). Today I had a heavy spam attack caused by the fact that sendmail accepts mails for non-existing users (all addresses are defined in aliases or virtusertable). Emails to those unknown accounts on local domains (local-host-names) will be accepted and then(!) bounced. Is there a way to stop/reject these mails at "rcpt to: user unknown"-point?
> the info-cyrus mailing list told me to place my question here:
> I'm running sendmail 8.12.3 (Debian woody standard package) with
> cyrusv2mailer (cyrusv2.m4,v 1.1 2002/06/01) and cyrus 2.1.17
> (backport from http://people.debian.org/~hmh/).
> Today I had a heavy spam attack caused by the fact that sendmail
> accepts mails for non-existing users (all addresses are defined in
> aliases or virtusertable). Emails to those unknown accounts on local
> domains (local-host-names) will be accepted and then(!) bounced. Is
> there a way to stop/reject these mails at "rcpt to: user
> unknown"-point?
if you really have all your users in virtusertable (those with local mailboxes too) you can do this:
virtusertable:
# for these users we accept mails (and maybe redirect)
us...@domain.com user1
us...@domain.com %...@domain.de
us...@domain.de user3
# the rest must be unknown and can be rejected
@domain.com ERROR 5.5.0:"550 unknown user"
@domain.de ERROR 5.5.0:"550 unknown user"
did you already think about using greylisting against spam? It is incredible.
>> the info-cyrus mailing list told me to place my question here:
>> I'm running sendmail 8.12.3 (Debian woody standard package) with
>> cyrusv2mailer (cyrusv2.m4,v 1.1 2002/06/01) and cyrus 2.1.17
>> (backport from http://people.debian.org/~hmh/).
>> Today I had a heavy spam attack caused by the fact that sendmail
>> accepts mails for non-existing users (all addresses are defined in
>> aliases or virtusertable). Emails to those unknown accounts on local
>> domains (local-host-names) will be accepted and then(!) bounced. Is
>> there a way to stop/reject these mails at "rcpt to: user
>> unknown"-point?
> if you really have all your users in virtusertable (those with
> local mailboxes too) you can do this:
> virtusertable:
> # for these users we accept mails (and maybe redirect)
> us...@domain.com user1
> us...@domain.com %...@domain.de
> us...@domain.de user3
> # the rest must be unknown and can be rejected
> @domain.com ERROR 5.5.0:"550 unknown user"
> @domain.de ERROR 5.5.0:"550 unknown user"
That doesn't work. As soon as the cyrusv2 mailer is used in sendmail.mc the virtusertable seems not to be checked at the "rcpt to:"-point any more. The message is accepted and then bounced. It must have something to do with the cyrusv2 mailer.
Andrzej Adam Filip posted me this link on the info-cyrus list:
> >> the info-cyrus mailing list told me to place my question here:
> >> I'm running sendmail 8.12.3 (Debian woody standard package) with
> >> cyrusv2mailer (cyrusv2.m4,v 1.1 2002/06/01) and cyrus 2.1.17
> >> (backport from http://people.debian.org/~hmh/).
> >> Today I had a heavy spam attack caused by the fact that sendmail
> >> accepts mails for non-existing users (all addresses are defined in
> >> aliases or virtusertable). Emails to those unknown accounts on local
> >> domains (local-host-names) will be accepted and then(!) bounced.
> >> Is there a way to stop/reject these mails at "rcpt to: user
> >> unknown"-point?
> > if you really have all your users in virtusertable (those with
> > local mailboxes too) you can do this:
> > virtusertable:
> > # for these users we accept mails (and maybe redirect)
> > us...@domain.com user1
> > us...@domain.com %...@domain.de
> > us...@domain.de user3
> > # the rest must be unknown and can be rejected
> > @domain.com ERROR 5.5.0:"550 unknown user"
> > @domain.de ERROR 5.5.0:"550 unknown user"
> That doesn't work. As soon as the cyrusv2 mailer is used in
> sendmail.mc the virtusertable seems not to be checked at the "rcpt
> to:"-point any more. The message is accepted and then bounced. It
> must have something to do with the cyrusv2 mailer.
I use cyrus and the config works. Now let's see where we could find differences. When I tell my sendmail to use the cyrusv2 mailer I can find these Mailer specs in sendmail.cf
##################################################
### Cyrus Mailer specification ###
##################################################
P Use the route-addr style reverse-path in the SMTP "MAIL FROM:" command rather than just the return address; although this is required in RFC 821 section 3.1, many hosts do not process reverse-paths properly. Reverse-paths are officially discouraged by RFC 1123.
h Upper case should be preserved in host names (the $@ portion of the mailer triplet resolved from ruleset 0) for this mailer.
5 If no aliases are found for this address, pass the address through ruleset 5 for possible alternate resolution. This is intended to forward the mail to an alternate delivery spot.
X This mailer wants to use the hidden dot algorithm as specified in RFC 821; basically, any line beginning with a dot will have an extra dot prepended (to be stripped at the other end). This insures that lines in the message containing a dot will not terminate the message prematurely.
z Run Local Mail Transfer Protocol (LMTP) between sendmail and the local mailer. This is a variant on SMTP defined in RFC 2033 that is specifically designed for delivery to a local mailbox.
m This mailer can send to multiple users on the same host in one transaction. When a $u macro occurs in the argv part of the mailer definition, that field will be repeated as necessary for all qualifying users. Removing this flag can defeat duplicate suppression on a remote site as each recipient is sent in a separate transaction.
The only idea I have for this could be the different flag "5" in the mailer spec.
>>>the info-cyrus mailing list told me to place my question here:
>>>I'm running sendmail 8.12.3 (Debian woody standard package) with
>>>cyrusv2mailer (cyrusv2.m4,v 1.1 2002/06/01) and cyrus 2.1.17
>>>(backport from http://people.debian.org/~hmh/).
>>>Today I had a heavy spam attack caused by the fact that sendmail
>>>accepts mails for non-existing users (all addresses are defined in
>>>aliases or virtusertable). Emails to those unknown accounts on local
>>>domains (local-host-names) will be accepted and then(!) bounced. Is
>>>there a way to stop/reject these mails at "rcpt to: user
>>>unknown"-point?
>>if you really have all your users in virtusertable (those with
>>local mailboxes too) you can do this:
>>virtusertable:
>># for these users we accept mails (and maybe redirect)
>>us...@domain.com user1
>>us...@domain.com %...@domain.de
>>us...@domain.de user3
>># the rest must be unknown and can be rejected
>>@domain.com ERROR 5.5.0:"550 unknown user"
>>@domain.de ERROR 5.5.0:"550 unknown user"
> That doesn't work. As soon as the cyrusv2 mailer is used in sendmail.mc the
> virtusertable seems not to be checked at the "rcpt to:"-point any more. The
> message is accepted and then bounced. It must have something to do with the
> cyrusv2 mailer.
> Andrzej Adam Filip posted me this link on the info-cyrus list:
> but there are no sendmail-8.13.x and Cyrus-2.2.x packages for Debian and I
> don't want to build all that stuff from source. Isn't there another way?
virtusertable entries:
us...@cyrus.domain user1@CYRUS
us...@cyrus.domain user2@CYRUS
@cyrus.domain error:nouser User unknown
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl Home Page http://anfi.homeunix.net/ [ PageRank 6 ] *Random Epigram* : A late Easter, a long cold spring. -- French Proverb
>> That doesn't work. As soon as the cyrusv2 mailer is used in sendmail.mc the
>> virtusertable seems not to be checked at the "rcpt to:"-point any more. The
>> message is accepted and then bounced. It must have something to do with the
>> cyrusv2 mailer.
>> Andrzej Adam Filip posted me this link on the info-cyrus list:
>> but there are no sendmail-8.13.x and Cyrus-2.2.x packages for Debian and I
>> don't want to build all that stuff from source. Isn't there another way?
But the question for me is: why does the setup which Marcus asks for run properly on my Redhat / Fedora hosts (Sendmail 8.12) and a FreeBSD system (Sendmail 8.13) without any special "tweaking" and not with the Sendmail 8.12.3 on the Debian Woody host? Simply getting the cyrusv2.m4 macro from a non Debian stable system and using that with Woody seems to be a problem. Maybe Debian's Sendmail maintainer did some changes in i.e. proto.m4?
Alexander
-- Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773 legal statement: http://www.uni-x.org/legal.html Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp Serendipity 23:50:33 up 11 days, 18:38, load average: 0.67, 1.38, 1.60
Alexander Dalloz wrote:
> [...]
> But the question for me is: why does the setup which Marcus asks for run
> properly on my Redhat / Fedora hosts (Sendmail 8.12) and a FreeBSD system
> (Sendmail 8.13) without any special "tweaking" and not with the Sendmail
> 8.12.3 on the Debian Woody host? Simply getting the cyrusv2.m4 macro from
> a non Debian stable system and using that with Woody seems to be a
> problem. Maybe Debian's Sendmail maintainer did some changes in i.e.
> proto.m4?
Marcus,
Could you post the results produced by the two tests of virtusertable given below:
# email with an entry in virtusertable
sendmail -d60.5 -bv us...@domain.com
# email caught by the "all remaining" entry in virtusertable
sendmail -d60.5 -bv no-such-u...@domain.com
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl Home Page http://anfi.homeunix.net/ [ PageRank 6 ] *Random Epigram* : He that composes himself is wiser than he that composes a book. -- B. Franklin
http://anfi.homeunix.net/ wrote:
> Alexander Dalloz wrote:
>> [...]
>> But the question for me is: why does the setup which Marcus asks for run
>> properly on my Redhat / Fedora hosts (Sendmail 8.12) and a FreeBSD system
>> (Sendmail 8.13) without any special "tweaking" and not with the Sendmail
>> 8.12.3 on the Debian Woody host? Simply getting the cyrusv2.m4 macro from
>> a non Debian stable system and using that with Woody seems to be a
>> problem. Maybe Debian's Sendmail maintainer did some changes in i.e.
>> proto.m4?
Interesting question ;-)
> Could you post the results produced by the two tests of virtusertable given
> below:
of course, of course. here we go:
> # email with an entry in virtusertable
> sendmail -d60.5 -bv us...@domain.com
# sendmail -d60.5 -bv t...@schopen.net
map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
map_lookup(dequote, test, %0=test) => NOT FOUND (0)
map_lookup(virtuser, t...@schopen.net, %0=t...@schopen.net, %1=test) => schopen-net-test (0)
map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
t...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test
> # email caught by the "all remaining" entry in virtusertable
> sendmail -d60.5 -bv no-such-u...@domain.com
I'm not sure what you mean by "all remaining", but this is the output of a non-existing address.
# sendmail -d60.5 -bv x...@schopen.net
map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
map_lookup(virtuser, x...@schopen.net, %0=...@schopen.net, %1=xxx) => NOT FOUND (0)
map_lookup(virtuser, @schopen.net, %...@schopen.net, %1=xxx) => NOT FOUND (0)
x...@schopen.net... deliverable: mailer cyrusv2, user xxx
After that I created the following entry in virtusertable (maybe that's what you mean by "all remaining" above):
> The output of "sendmail -d60.5 -bv x...@schopen.net" now is:
> map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
> map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
> map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
> map_lookup(virtuser, x...@schopen.net, %0=...@schopen.net, %1=xxx) => NOT FOUND (0)
> map_lookup(virtuser, @schopen.net, %...@schopen.net, %1=xxx) => schopen-net-test (0)
> map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
> x...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test
Try the following virtusertable entry:
@schopen.net error:nouser User unknown
It should make sendmail reject in reply to "RCPT TO:" all addresses in schopen.net not listed in virtusertable. [ sendmail "strips" +detail during *some* virtusertable lookups]
Virtusertable redirects some addresses. Addresses not redirected by virtusertable are handled "as usual" - in your case they are handed to the cyrusv2 mailer. The cyrusv2 mailer accepts all addresses.
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl Home Page http://anfi.homeunix.net/ [ PageRank 6 ] *Random Epigram* : Words have a longer life than deeds. -- Pindar
http://anfi.homeunix.net/ wrote:
> Marcus Schopen wrote:
>> Andrzej Adam Filip wrote:
>>[...]
>>>Could you post the results produced by the two tests of virtusertable given
>>>below:
>> of course, of course. here we go:
>>># email with an entry in virtusertable
>>>sendmail -d60.5 -bv us...@domain.com
>> # sendmail -d60.5 -bv t...@schopen.net
>> map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
>> map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
>> map_lookup(dequote, test, %0=test) => NOT FOUND (0)
>> map_lookup(virtuser, t...@schopen.net, %0=t...@schopen.net, %1=test) => schopen-net-test (0)
>> map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
>> t...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test
>>># email caught by the "all remaining" entry in virtusertable
>>>sendmail -d60.5 -bv no-such-u...@domain.com
>> I'm not sure what you mean by "all remaining", but this is the output of
>> a non-existing address.
>> # sendmail -d60.5 -bv x...@schopen.net
>> map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
>> map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
>> map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
>> map_lookup(virtuser, x...@schopen.net, %0=...@schopen.net, %1=xxx) => NOT FOUND (0)
>> map_lookup(virtuser, @schopen.net, %...@schopen.net, %1=xxx) => NOT FOUND (0)
>> x...@schopen.net... deliverable: mailer cyrusv2, user xxx
>> After that I created the following entry in virtusertable (maybe that's what
>> you mean by "all remaining" above):
>> The output of "sendmail -d60.5 -bv x...@schopen.net" now is:
>> map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
>> map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
>> map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
>> map_lookup(virtuser, x...@schopen.net, %0=...@schopen.net, %1=xxx) => NOT FOUND (0)
>> map_lookup(virtuser, @schopen.net, %...@schopen.net, %1=xxx) => schopen-net-test (0)
>> map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
>> x...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test
> Try the following virtusertable entry:
> @schopen.net error:nouser User unknown
> It should make sendmail reject in reply to "RCPT TO:" all addresses in
> schopen.net not listed in virtusertable.
> [ sendmail "strips" +detail during *some* virtusertable lookups]
> Virtusertable redirects some addresses. Addresses not redirected by
> virtusertable are handled "as usual" - in your case they are handed to the
> cyrusv2 mailer. The cyrusv2 mailer accepts all addresses.
jippi, that's working!
Is there a way to add this as "default behaviour" to my sendmail config instead of adding a "error:nouser User unknown"-catchall-entry to each domain in virtusertable?
Marcus Schopen wrote:
> [...]
> Is there a way to add this as "default behaviour" to my sendmail config
> instead of adding a "error:nouser User unknown"-catchall-entry to each
> domain in virtusertable?
*DO NOT* define cyrus* mailer as confLOCAL_MAILER when you use local table.
-- Andrzej [en:Andrew] Adam Filip a...@priv.onet.pl a...@xl.wp.pl Home Page http://anfi.homeunix.net/ [ PageRank 6 ] *Random Epigram* : "In the long run, every program becomes rococo, and then rubble." -- Alan Perlis
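The "@domain error:nouser" catch-all that solved the problem in this thread has to exist for every virtual domain; a domain without it still accepts unknown recipients and bounces them afterwards. The script below is an added example, not part of any post in the thread: it audits virtusertable source text for such domains. The sample table, the example.* domains and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit virtusertable source text for
# domains that still accept unknown recipients at RCPT TO.

# Constructed sample table; the example.* domains and users are placeholders.
sample_virtusertable() {
cat <<'EOF'
# users we accept mail for
alice@example.com    alice
bob@example.com      bob
@example.com         error:nouser User unknown
carol@example.org    carol
dave@example.net     dave
# catch-all that delivers instead of rejecting
@example.net         dave
EOF
}

# Hypothetical helper: reads virtusertable source on stdin and prints
# "domain<TAB>reason" for every domain lacking an "@domain error:..." entry.
missing_reject_catchall() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            key = tolower($1)
            at = index(key, "@")
            if (at == 0) next              # key without a domain part
            dom = substr(key, at + 1)
            seen[dom] = 1
            if (at == 1)                   # "@domain" key is the catch-all
                catchall[dom] = (tolower($2) ~ /^error:/) ? "reject" : "deliver"
        }
        END {
            for (d in seen) {
                if (catchall[d] == "reject") continue
                if (catchall[d] == "deliver") why = "catch-all-delivers"
                else why = "no-catch-all"
                printf "%s\t%s\n", d, why
            }
        }
    ' | sort
}

# Demo on the constructed sample: example.net and example.org are reported.
sample_virtusertable | missing_reject_catchall
```

Feed the function the source file of your own virtusertable on stdin; any domain it prints should then be checked with the `sendmail -d60.5 -bv` test shown in the thread.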