
sendmail/cyrus accepts mails for "unknown users"


Marcus Schopen

Dec 1, 2004, 10:34:16 AM
Hi,

the info-cyrus mailing list told me to place my question here:

I'm running sendmail 8.12.3 (Debian woody standard package) with
cyrusv2mailer (cyrusv2.m4,v 1.1 2002/06/01) and cyrus 2.1.17 (backport from
http://people.debian.org/~hmh/).
Today I had a heavy spam attack caused by the fact that sendmail accepts
mails for non-existing users (all addresses are defined in aliases or
virtusertable). Emails to those unknown accounts on local domains
(local-host-names) will be accepted and then(!) bounced. Is there a way to
stop/reject these mails at the "rcpt to: user unknown"-point?

Thanks,
Marcus

Ingo Freund

Dec 1, 2004, 11:04:16 AM
Hi,

Marcus Schopen wrote:


if you really have all your users in virtusertable (those with
local mailboxes too) you can do this:

virtusertable:

# for these users we accept mails (and maybe redirect)
us...@domain.com user1
us...@domain.com %1...@domain.de
us...@domain.de user3

# the rest must be unknown and can be rejected
@domain.com ERROR 5.5.0:"550 unknown user"
@domain.de ERROR 5.5.0:"550 unknown user"


did you already think about using greylisting against spam?
It is incredible.

Bye - Ingo.

Marcus Schopen

Dec 1, 2004, 12:01:34 PM
Ingo Freund wrote:

That doesn't work. As soon as the cyrusv2 mailer is used in sendmail.mc the
virtusertable seems not to be checked at the "rcpt to:"-point any more. The
message is accepted and then bounced. It must have something to do with the
cyrusv2 mailer.

Andrzej Adam Filip posted me this link on the info-cyrus list:

http://anfi.homeunix.net/sendmail/rtcyrus2.html

but there are no sendmail-8.13.x and Cyrus-2.2.x packages for Debian and I
don't want to build all that stuff from source. Isn't there another way?

Cheers,
Marcus


Ingo Freund

Dec 1, 2004, 2:28:17 PM
Marcus Schopen wrote:

I use cyrus and the config works.
Now let's see where we could find differences.
When I tell my sendmail to use the cyrusv2 mailer I can find
these Mailer specs in sendmail.cf

##################################################
### Cyrus Mailer specification ###
##################################################

##### $Id: cyrus.m4,v 8.23 2001/11/12 23:11:34 ca Exp $ (Carnegie Mellon) #####

Mcyrus, P=/usr/cyrus/bin/deliver, F=lsDFMnPqAh5@/:|, S=EnvFromL, R=EnvToL/HdrToL,
        U=cyrus:mail, T=DNS/RFC822/X-Unix,
        A=deliver -e -m $h -- $u

Mcyrusbb, P=/usr/cyrus/bin/deliver, F=lsDFMnPu, S=EnvFromL, R=EnvToL/HdrToL,
        U=cyrus:mail, T=DNS/RFC822/X-Unix,
        A=deliver -e -m $u


#########################################
### Cyrus V2 Mailer specification ###
#########################################

##### $Id: cyrusv2.m4,v 1.1 2002/06/01 21:14:57 ca Exp $ #####

Mcyrusv2, P=[IPC], F=lsDFMnqXzA@/:|m,
        S=EnvFromSMTP/HdrFromL, R=EnvToL/HdrToL, E=\r\n,
        T=DNS/RFC822/SMTP,
        A=FILE /var/imap/socket/lmtp

The Mailer Flags

cyrus: F=lsDFMnPqAh5@/:|
cyrusv2: F=lsDFMn qXzA@/:|m

differ for: cyrus: P h 5
and cyrusv2: X z m

From sendmail-source-tree/doc/op/op.txt

P       Use the route-addr style reverse-path in the SMTP
        "MAIL FROM:" command rather than just the return
        address; although this is required in RFC 821
        section 3.1, many hosts do not process reverse-paths
        properly. Reverse-paths are officially discouraged
        by RFC 1123.

h       Upper case should be preserved in host names (the
        $@ portion of the mailer triplet resolved from
        ruleset 0) for this mailer.

5       If no aliases are found for this address, pass the
        address through ruleset 5 for possible alternate
        resolution. This is intended to forward the mail
        to an alternate delivery spot.


X       This mailer wants to use the hidden dot algorithm
        as specified in RFC 821; basically, any line
        beginning with a dot will have an extra dot
        prepended (to be stripped at the other end). This
        insures that lines in the message containing a dot
        will not terminate the message prematurely.

z       Run Local Mail Transfer Protocol (LMTP) between
        sendmail and the local mailer. This is a variant
        on SMTP defined in RFC 2033 that is specifically
        designed for delivery to a local mailbox.

m       This mailer can send to multiple users on the same
        host in one transaction. When a $u macro occurs
        in the argv part of the mailer definition, that
        field will be repeated as necessary for all
        qualifying users. Removing this flag can defeat
        duplicate suppression on a remote site as each
        recipient is sent in a separate transaction.


The only idea I have for this could be the different
flag "5" in the mailer spec.

So you might try:

MODIFY_MAILER_FLAGS(`CYRUSV2', `+5')dnl

in your .mc file

Bye - Ingo.

Ingo Freund

Dec 1, 2004, 3:08:36 PM
"Ingo Freund" wrote:

[...]

Forget what I wrote before, it is definitely not the right way.

Bye - Ingo.

Andrzej Adam Filip

Dec 1, 2004, 5:16:00 PM

Take a look at http://anfi.homeunix.net/sendmail/localtab.html

It uses a script to periodically dump info about cyrus mailboxes into "sendmail
useful" format.

Yet another option is to use a modified "dump script" with "Cyrus Aliases" via
virtusertable [ http://anfi.homeunix.net/sendmail/localNalias.html ].

virtusertable entries:
us...@cyrus.domain user1@CYRUS
us...@cyrus.domain user2@CYRUS
@cyrus.domain error:nouser User unknown

--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
*Random Epigram* :
A late Easter, a long cold spring.
-- French Proverb

Alexander Dalloz

Dec 1, 2004, 5:58:04 PM
On Wed, 01 Dec 2004 22:16:00 +0000 Andrzej Adam Filip wrote:


>> That doesn't work. As soon as the cyrusv2 mailer is used in sendmail.mc the
>> virtusertable seems not to be checked at the "rcpt to:"-point any more. The
>> message is accepted and then bounced. It must have something to do with the
>> cyrusv2 mailer.
>>
>> Andrzej Adam Filip posted me this link on the info-cyrus list:
>>
>> http://anfi.homeunix.net/sendmail/rtcyrus2.html
>>
>> but there are no sendmail-8.13.x and Cyrus-2.2.x packages for Debian and I
>> don't want to build all that stuff from source. Isn't there another way?
>
> Take a look at http://anfi.homeunix.net/sendmail/localtab.html
>
> It uses a script to periodically dump info about cyrus mailboxes into "sendmail
> useful" format.
>
> Yet another option is to use a modified "dump script" with "Cyrus Aliases" via
> virtusertable [ http://anfi.homeunix.net/sendmail/localNalias.html ].
>
> virtusertable entries:
> us...@cyrus.domain user1@CYRUS
> us...@cyrus.domain user2@CYRUS
> @cyrus.domain error:nouser User unknown


But the question for me is: why does the setup which Marcus asks for run
properly on my Redhat / Fedora hosts (Sendmail 8.12) and a FreeBSD system
(Sendmail 8.13) without any special "tweaking" and not with the Sendmail
8.12.3 on the Debian Woody host? Simply getting the cyrusv2.m4 macro from
a non Debian stable system and using that with Woody seems to be a
problem. Maybe Debian's Sendmail maintainer did some changes in i.e.
proto.m4?

Alexander


--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 23:50:33 up 11 days, 18:38, load average: 0.67, 1.38, 1.60

Andrzej Adam Filip

Dec 1, 2004, 6:22:00 PM
Alexander Dalloz wrote:
> [...]

> But the question for me is: why does the setup which Marcus asks for run
> properly on my Redhat / Fedora hosts (Sendmail 8.12) and a FreeBSD system
> (Sendmail 8.13) without any special "tweaking" and not with the Sendmail
> 8.12.3 on the Debian Woody host? Simply getting the cyrusv2.m4 macro from
> a non Debian stable system and using that with Woody seems to be a
> problem. Maybe Debian's Sendmail maintainer did some changes in i.e.
> proto.m4?

Marcus,

Could you post the results produced by the two tests of virtusertable given below:

# email with an entry in virtusertable
sendmail -d60.5 -bv us...@domain.com
# email caught by the "all remaining" entry in virtusertable
sendmail -d60.5 -bv no-suc...@domain.com

--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
*Random Epigram* :

He that composes himself is wiser than he that composes a book.
-- B. Franklin

Marcus Schopen

Dec 1, 2004, 7:04:10 PM
http://anfi.homeunix.net/ wrote:

> Alexander Dalloz wrote:
>> [...]
>> But the question for me is: why does the setup which Marcus asks for run
>> properly on my Redhat / Fedora hosts (Sendmail 8.12) and a FreeBSD system
>> (Sendmail 8.13) without any special "tweaking" and not with the Sendmail
>> 8.12.3 on the Debian Woody host? Simply getting the cyrusv2.m4 macro from
>> a non Debian stable system and using that with Woody seems to be a
>> problem. Maybe Debian's Sendmail maintainer did some changes in i.e.
>> proto.m4?

Interesting question ;-)

> Could you post the results produced by the two tests of virtusertable given
> below:

of course, of course. here we go:



> # email with an entry in virtusertable
> sendmail -d60.5 -bv us...@domain.com

# sendmail -d60.5 -bv te...@schopen.net
map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
map_lookup(dequote, test, %0=test) => NOT FOUND (0)
map_lookup(virtuser, te...@schopen.net, %0=te...@schopen.net, %1=test) => schopen-net-test (0)
map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
te...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test

> # email caught by the "all remaining" entry in virtusertable
> sendmail -d60.5 -bv no-suc...@domain.com

I'm not sure what you mean by "all remaining", but this is the output of a
non-existing address.

# sendmail -d60.5 -bv x...@schopen.net
map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
map_lookup(virtuser, x...@schopen.net, %0=x...@schopen.net, %1=xxx) => NOT FOUND (0)
map_lookup(virtuser, @schopen.net, %0=@schopen.net, %1=xxx) => NOT FOUND (0)
x...@schopen.net... deliverable: mailer cyrusv2, user xxx


After that I created the following entry in virtusertable (maybe that's what
you mean by "all remaining" above):

/etc/mail/virtusertable:
@schopen.net schopen-net-test

The output of "sendmail -d60.5 -bv x...@schopen.net" now is:

map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
map_lookup(virtuser, x...@schopen.net, %0=x...@schopen.net, %1=xxx) => NOT FOUND (0)
map_lookup(virtuser, @schopen.net, %0=@schopen.net, %1=xxx) => schopen-net-test (0)
map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
x...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test

Thanks,
Marcus
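
An added example, not part of the original posts: a small Python helper that reads a `sendmail -d60.5 -bv` trace like the ones above and reports whether the address matched an explicit virtusertable entry, matched an `@domain` catch-all, or fell through to the mailer with no match (the accept-then-bounce case). The `example.test` addresses and mailbox names are constructed placeholders, and treating a trace without a "deliverable" line as not deliverable is an assumption.

```python
import re

# Constructed traces in the shape posted in this thread, including the
# mid-line wrapping that mail clients introduce.
FALLTHROUGH = """\
map_lookup(host, example.test, %0=example.test) => example.test. (0)
map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
map_lookup(virtuser, xxx@example.test, %0=xxx@example.test, %1=xxx) => NOT
FOUND (0)
map_lookup(virtuser, @example.test, %0=@example.test, %1=xxx) => NOT FOUND (0)
xxx@example.test... deliverable: mailer cyrusv2, user xxx
"""
CATCHALL = """\
map_lookup(virtuser, xxx@example.test, %0=xxx@example.test, %1=xxx) => NOT
FOUND (0)
map_lookup(virtuser, @example.test, %0=@example.test, %1=xxx) =>
catchall-box (0)
map_lookup(dequote, catchall-box, %0=catchall-box) => NOT FOUND (0)
xxx@example.test... deliverable: mailer cyrusv2, user catchall-box
"""

LOOKUP = re.compile(r"map_lookup\((\w+), ([^,]+),.*?\) => (.*?) \(\d+\)")
FINAL = re.compile(r"^\S+\.\.\. deliverable: mailer ([^,\s]+), user (\S+)", re.M)

def classify(trace):
    """Return (verdict, mailer, user) for one -bv trace."""
    # Rejoin wrapped lines: anything that is neither a new map_lookup
    # nor the final "address... " line continues the previous line.
    joined = re.sub(r"\n(?!map_lookup\(|\S+\.\.\. )", " ", trace)
    hits = [(key, rhs) for name, key, rhs in LOOKUP.findall(joined)
            if name == "virtuser" and rhs != "NOT FOUND"]
    final = FINAL.search(joined)
    if final is None:
        return ("not-deliverable", None, None)
    mailer, user = final.group(1), final.group(2)
    if not hits:
        # No virtusertable match, yet sendmail would hand it to the mailer.
        return ("fallthrough", mailer, user)
    kind = "catch-all" if hits[0][0].startswith("@") else "explicit"
    return (kind, mailer, user)

if __name__ == "__main__":
    for name, trace in (("FALLTHROUGH", FALLTHROUGH), ("CATCHALL", CATCHALL)):
        print(name, classify(trace))
```

A "fallthrough" verdict for a made-up local part is the signal that the domain still accepts unknown recipients at RCPT time.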

Alexander Dalloz

Dec 1, 2004, 7:34:41 PM
On Thu, 02 Dec 2004 01:04:10 +0100 Marcus Schopen wrote:

>> Could you post the results produced by the two tests of virtusertable given
>> below:
>
> of course, of course. here we go:
>
>> # email with an entry in virtusertable
>> sendmail -d60.5 -bv us...@domain.com
>
> # sendmail -d60.5 -bv te...@schopen.net
> map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
> map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
> map_lookup(dequote, test, %0=test) => NOT FOUND (0)
> map_lookup(virtuser, te...@schopen.net, %0=te...@schopen.net, %1=test) => schopen-net-test (0)
> map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
> te...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test

To be sure. When you did this test, did you have there a virtusertable
entry for te...@schopen.net like

te...@schopen.net test

or already the catch-all entry from below "@schopen.net schopen-net-test"?
Because the last line should have shown

te...@schopen.net... deliverable: mailer cyrusv2, user <target>

where <target> is the RHS of the virtusertable map entry.


>> # email caught by the "all remaining" entry in virtusertable
>> sendmail -d60.5 -bv no-suc...@domain.com
>
> I'm not sure what you mean by "all remaining", but this is the output
> of a non-existing address.
>
> # sendmail -d60.5 -bv x...@schopen.net
> map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
> map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
> map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
> map_lookup(virtuser, x...@schopen.net, %0=x...@schopen.net, %1=xxx) => NOT FOUND (0)
> map_lookup(virtuser, @schopen.net, %0=@schopen.net, %1=xxx) => NOT FOUND (0)
> x...@schopen.net... deliverable: mailer cyrusv2, user xxx

How does your catch-all entry in the virtusertable look? It should be like

@schopen.net error:nouser no such user here



> After that I created the following entry in virtusertable (maybe that's
> what you mean by "all remaining" above):
>
> /etc/mail/virtusertable:
> @schopen.net schopen-net-test
>
> The output of "sendmail -d60.5 -bv x...@schopen.net" now is:
>
> map_lookup(dequote, schoppa, %0=schoppa) => NOT FOUND (0)
> map_lookup(host, schopen.net, %0=schopen.net) => schopen.net. (0)
> map_lookup(dequote, xxx, %0=xxx) => NOT FOUND (0)
> map_lookup(virtuser, x...@schopen.net, %0=x...@schopen.net, %1=xxx) => NOT FOUND (0)
> map_lookup(virtuser, @schopen.net, %0=@schopen.net, %1=xxx) => schopen-net-test (0)
> map_lookup(dequote, schopen-net-test, %0=schopen-net-test) => NOT FOUND (0)
> x...@schopen.net... deliverable: mailer cyrusv2, user schopen-net-test

This one looks proper to me. More insights by Andrzej?

> Marcus

Alexander


--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp

Serendipity 01:25:53 up 11 days, 20:13, load average: 0.28, 0.34, 0.38

Andrzej Adam Filip

Dec 1, 2004, 7:40:00 PM
Marcus Schopen wrote:
> Andrzej Adam Filip wrote:
>[...]

Try the following virtusertable entry:
@schopen.net error:nouser User unknown

It should make sendmail reject in reply to "RCPT TO:" all addresses in
schopen.net not listed in virtusertable.
[ sendmail "strips" +detail during *some* virtusertable lookups]

Virtusertable redirects some addresses. Addresses not redirected by
virtusertable are handled "as usual" - in your case they are handed to the
cyrusv2 mailer. The cyrusv2 mailer accepts all addresses.

--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
*Random Epigram* :

Words have a longer life than deeds.
-- Pindar
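
An added example, not code from the thread or from sendmail: a Python audit that reads a virtusertable and a list of local domains and reports, per domain, whether unknown recipients are rejected by an `error:` catch-all, delivered by a mailbox catch-all, or left to fall through to the mailer. The sample table, domains and mailbox names are constructed placeholders; the suggested line uses the `error:nouser User unknown` form given in the post above.

```python
# Constructed sample input; in practice read /etc/mail/virtusertable and
# the local-host-names file instead.
VIRTUSERTABLE = """\
# addresses we accept
info@example.test       user1
sales@example.test      user2
@example.test           error:nouser User unknown
postmaster@example.org  user1
@example.net            catchall-box
"""
LOCAL_DOMAINS = ["example.test", "example.org", "example.net", "example.com"]

def audit(table_text, local_domains):
    """Map each domain to 'rejects-unknown', 'catch-all-delivers' or 'no-catch-all'."""
    catch_all = {}
    domains = {d.strip().lower() for d in local_domains if d.strip()}
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or "@" not in parts[0]:
            continue  # not a key/value entry
        key, rhs = parts[0].lower(), parts[1].strip()
        domain = key.rsplit("@", 1)[1]
        domains.add(domain)
        if key.startswith("@"):
            catch_all[domain] = rhs
    report = {}
    for domain in sorted(domains):
        rhs = catch_all.get(domain)
        if rhs is None:
            # Unlisted addresses fall through to the local mailer.
            report[domain] = "no-catch-all"
        elif rhs.lower().startswith("error:"):
            report[domain] = "rejects-unknown"
        else:
            report[domain] = "catch-all-delivers"
    return report

def missing_entries(report):
    """virtusertable lines to add for domains that have no catch-all."""
    return ["@%s\terror:nouser User unknown" % d
            for d, status in report.items() if status == "no-catch-all"]

if __name__ == "__main__":
    result = audit(VIRTUSERTABLE, LOCAL_DOMAINS)
    for domain, status in result.items():
        print(domain, status)
    print("\n".join(missing_entries(result)))
```

An address that is only defined in aliases needs its own virtusertable entry before the rejecting catch-all for its domain goes in, because the catch-all matches every address in the domain that virtusertable does not list.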

Marcus Schopen

Dec 1, 2004, 8:32:10 PM
http://anfi.homeunix.net/ wrote:

jippi, that's working!

Is there a way to add this as "default behaviour" to my sendmail config
instead of adding an "error:nouser User unknown"-catchall-entry to each
domain in virtusertable?

Thanks,
Marcus


Andrzej Adam Filip

Dec 2, 2004, 7:10:00 PM
Marcus Schopen wrote:
> [...]

> Is there a way to add this as "default behaviour" to my sendmail config
> instead of adding an "error:nouser User unknown"-catchall-entry to each
> domain in virtusertable?

Have you investigated the local table? [I wrote about it in the thread]
http://anfi.homeunix.net/sendmail/localtab.html

*DO NOT* define cyrus* mailer as confLOCAL_MAILER when you use local table.

--
Andrzej [en:Andrew] Adam Filip an...@priv.onet.pl an...@xl.wp.pl
Home Page http://anfi.homeunix.net/ [ PageRank 6 ]
*Random Epigram* :

"In the long run, every program becomes rococo, and then rubble."
-- Alan Perlis

mayan...@gmail.com

Feb 7, 2013, 6:23:13 AM

Andrzej Adam Filip

Feb 7, 2013, 7:46:24 AM
Cyrus offers information about existing mailboxes via "socket map".

Sample sendmail configurations using it are provided at
http://anfi.homeunix.org/sendmail/#cyrus

RTCyrus2 - recipients without domain part
RTCyrus3 - recipients with domain part