
blocking unknown domain users


al

Sep 18, 2004, 3:29:33 PM
Hi all,
If we want to block an unknown user in our domain, I do it in /etc/aliases
and add for example:
michael: /dev/null
that means we don't have any michael in our domain.
the problem is that we have to keep adding unknown users in the aliases.
Is there a way where I can do it the other way where we enter all our
legit users and block anybody not in the lists?
Thanks,
Al


Claus Aßmann

Sep 18, 2004, 4:06:53 PM
al wrote:

> Is there a way where I can do it the other way where we enter all our
> legit users and block anybody not in the lists?

That's the default configuration (the 'w' flag for the local
mailer, see doc/op/op.*). Which configuration do you use?
--
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

al

Sep 18, 2004, 6:09:30 PM
But this sendmail box is just an email gateway.
There are no users created on this box, all emails are being forwarded to
our Exchange server.
Is there a place where I can enter all our users then everything else will
be dropped?
Thanks again,
Al


"Claus Aßmann" <ca+sendmail(-no-copies-please)@mine.informatik.uni-kiel.de>
wrote in message news:cii4gt$qgp$1...@zardoc.esmtp.org...

Alexander Dalloz

Sep 18, 2004, 7:31:14 PM
On Sat, 18 Sep 2004 22:09:30 +0000 al wrote:

> But this sendmail box is just an email gateway.
> There are no users created on this box, all emails are being forwarded to
> our Exchange server.
> Is there a place where I can enter all our users then everything else will
> be dropped?

> Al

http://www.milter.info/milter-ahead/index.shtml

Btw. Claus has his signature for a good reason, don't you think?

Alexander


--
Alexander Dalloz | Enger, Germany
PGP key valid: made 13.07.1999
PGP fingerprint: 2307 88FD 2D41 038E 7416 14CD E197 6E88 ED69 5653

Måns Nilsson

Sep 18, 2004, 8:39:37 PM
Thus spoke al:

> But this sendmail box is just an email gateway.
> There are no users created on this box, all emails are being forwarded to
> our Exchange server.
> Is there a place where I can enter all our users then everything else will
> be dropped?

Most people I talk to are of the clearly stated opinion that the lowest
MX host for a given domain should be able to tell whether a local-part
in that domain is valid. Yes. Using a machine without that knowledge as
a gateway (because yes, you are right, no sane person lets the exchange
server talk to the internet, you got that right (but really clever
people throw the exchange box out of the window)) is, as I am certain
you have discovered, not very amusing. Dig your account list out of the
exchange server some way or another (gotta love those proprietary data
formats, right?) and build an aliases file on the sendmail box.

So: For every account you want mail for, do an aliases or
virtusertable entry. Automate the process some way. Use a mailertable
instead of the smarthost you probably have now in order to get the mail
into the exchange server.
--
Måns Nilsson Systems Specialist
+46 70 681 7204 KTHNOC
MN1334-RIPE

Kari Hurtta

Sep 19, 2004, 8:34:35 AM
Måns Nilsson <mans...@sunet.se> writes:

Or use something more generic (assuming that 'border' or 'gateway' MTA
passes mail to several internal hosts/domains).

dnl # is CommunigatePro mailbox separator
define(`confOPERATORS',confOPERATORS`\#')

LOCAL_CONFIG
Kvalid hash /usr/local/mail/tables/valid
C{valid}Postmaster
F{vdomain}/usr/local/mail/tables/valid.domain
F{Incoming_Relays}/usr/local/mail/tables/incoming-relays

LOCAL_RULE_0
R $* <@$={vdomain}.> $1 <@ $2 . > $| $(valid $1@$2 $: BAD $) < ${opMode} >
R $={valid} <@ $* .> $| $* <$-> $1 <@ $2 .> # No local part on $={valid}
R $* <@ $* .> $| $* <i> $1 <@ $2 .> # No check when building alias
R $* <@ $* .> $| BAD <$-> $: $1 <@ $2 .> $| $>CheckAddr1 $1 <@ $2 .>
R $* <@ $* .> $| BAD <$-> $#error $@ nouser $: "550 Sorry, user " $1 " do not found from " $2 " -dictionary"
R $* <@ $* .> $| $* $1 <@ $2 .> # Cleanup

LOCAL_RULESETS
SCheckAddr1
R $+ + $* <@ $* .> $@ $(valid $1@$3 $: BAD $) < ${opMode} > # If user+detail return status without detail
R $* \# $+ <@ $* .> $@ $(valid $2@$3 $: BAD $) < ${opMode} > # If mailbox#user return status without mailbox
R $* $@ BAD < ${opMode} > # Otherwise status is bad

( Except that this does not handle exchange servers downstream yet. I have
access to mailbox data via querying LDAP from AD servers, but that gives a
'too many results' tms. error and does not return all accounts. And querying
just whether a single mailbox is valid means that 'border' or 'gateway' MTAs
must access internal directory servers via LDAP... that also makes DOS
possible, so batch mode data retrieval is better )

( CommunigatePro mailboxes are queried via its CLI API. )
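The lookup order that Kari's LOCAL_RULE_0 and CheckAddr1 rules express is easier to test outside sendmail before the table is compiled with makemap. The shell model below is an added example, not Kari's ruleset or any part of sendmail; it assumes the 'valid' table is one "user@domain" key per line, that '+' introduces a detail part and '#' separates a CommunigatePro mailbox from the user, and that "Postmaster" is always accepted (the C{valid} class in the post). Sample table entries are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a shell model of the recipient check
# in Kari Hurtta's ruleset, for testing a valid-user table before makemap.
# Assumptions: table keys are user@domain, '+' starts a detail, '#' is the
# mailbox separator, and Postmaster is in the always-valid class.

# Constructed sample of the text form of /usr/local/mail/tables/valid.
VALID_TABLE='alice@example.com
bob@example.com'

# Constructed stand-in for the C{valid} class (local parts never looked up).
ALWAYS_VALID='postmaster'

# in_table ADDR: succeed if ADDR is exactly one key in the constructed table.
in_table() {
    printf '%s\n' "$VALID_TABLE" | grep -qxF -- "$1"
}

# check_addr LOCALPART DOMAIN: prints OK or BAD, following the rule order
#   0. local part is in the always-valid class          -> OK
#   1. exact user@domain is a table key                  -> OK
#   2. user+detail@domain: retry with the detail stripped
#   3. mailbox#user@domain: retry with the mailbox prefix stripped
#   4. anything else                                     -> BAD
check_addr() {
    lp=$1
    dom=$2
    lower=$(printf '%s' "$lp" | tr '[:upper:]' '[:lower:]')
    for always in $ALWAYS_VALID; do
        if [ "$lower" = "$always" ]; then echo OK; return 0; fi
    done
    if in_table "$lp@$dom"; then
        echo OK; return 0
    fi
    case $lp in
        *+*)
            # rule "$+ + $*": look up the part before the first '+'
            base=${lp%%+*}
            if in_table "$base@$dom"; then echo OK; return 0; fi
            ;;
        *'#'*)
            # rule "$* \# $+": look up the part after the '#'
            base=${lp#*#}
            if in_table "$base@$dom"; then echo OK; return 0; fi
            ;;
    esac
    echo BAD
    return 0
}

# Demo run: each line shows the local part, domain and verdict.
for probe in alice alice+list 'shared#bob' carol; do
    printf '%-12s %-12s %s\n' "$probe" example.com "$(check_addr "$probe" example.com)"
done
```

Rules 2 and 3 only fire after the exact lookup fails, which is the same order the ruleset uses: the first LOCAL_RULE_0 rule consults the map once, and CheckAddr1 is called only when that returned BAD.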


Hugo Villeneuve

Sep 19, 2004, 1:04:54 PM
al wrote:
> But this sendmail box is just an email gateway.
> There are no users created on this box, all emails are being forwarded to
> our Exchange server.
> Is there a place where I can enter all our users then everything else will
> be dropped?
> Thanks again,
> Al
>

I put this in effect last week on my 2 public MX.

define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_')dnl
FEATURE(`virtusertable')dnl
VIRTUSER_DOMAIN(`eintr.net')dnl

(eintr.net is not in Cw)

And virtusertable is filled with entries looking like:

@eintr.net error:5.7.0:550 Address invalid

hu...@eintr.net hugo%3...@eintr.net
harp...@eintr.net harpagon%3...@eintr.net


After that, normal mailertable forwarding happens (uucp-dom in this case).

I did that because I was receiving an annoying level of mail to unknown
accounts (message-id, etc) and the bounce backs to invalid spammer
address piled up on my mail gateways. (I had REJECT access entries
before that but toward the end, there was more of them than valid
alias/accounts.)

It should be noted that this trick works both ways, MAIL FROM and RCPT
TO will return Address invalid. You can't forget anyone.

Although the machine holding the accounts is unix-like with sendmail, I
got a simple script that creates all the entries. For you with MS
Exchange, it might be easier with that milter Alexander proposed.

Jeff Rife

Sep 18, 2004, 4:53:21 PM
al (al...@somplace.com) wrote in comp.mail.sendmail:

> Is there a way where I can do it the other way where we enter all our
> legit users and block anybody not in the lists?

I think you can use virtusertable and a catchall:

good-add...@yourdomain.com good-address-one-user@localhost
good-add...@yourdomain.com good-address-two-user@localhost
@yourdomain.com bad-user

Then, in the alias file, add:
bad-user: /dev/null

--
Jeff Rife |
SPAM bait: | http://www.nabs.net/Cartoons/CloseToHome/NamespacePollution.gif
Ask...@usdoj.gov |
sp...@ftc.gov |
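Both Jeff's catch-all and Hugo's error: entry rely on the same virtusertable shape: one explicit line per valid mailbox, plus one @domain line that catches everything else. The script below is an added example, not code from either poster, showing how that text map can be generated from a user list the way Måns suggested automating it. It assumes a public domain example.com, an internal mail host exchange.internal, and a user list with one local part per line; all three are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a sendmail virtusertable text
# map from a list of valid local parts, following the pattern in Jeff Rife's
# and Hugo Villeneuve's posts: explicit entries first, domain catch-all last.
# Assumptions: public domain example.com, internal host exchange.internal,
# user list is one local part per line (blank lines and '#' comments skipped).

# Constructed sample user list (normally exported from the directory).
VALID_USERS='alice
bob
# service mailboxes
helpdesk'

# build_virtusertable DOMAIN INTERNAL_HOST
# Reads local parts on stdin and prints virtusertable text on stdout.
build_virtusertable() {
    domain=$1
    internal=$2
    while IFS= read -r user; do
        case $user in
            ''|'#'*) continue ;;
        esac
        # valid mailbox: forward to the same local part on the internal host
        printf '%s@%s\t%s@%s\n' "$user" "$domain" "$user" "$internal"
    done
    # catch-all: every other address in the domain is rejected permanently
    # (sendmail tries the full address key before the @domain key, so the
    # position of this line in the file does not matter for the hash map)
    printf '@%s\terror:5.7.0:550 Address invalid\n' "$domain"
}

# count_forwards: number of explicit forwarding entries in a generated map
count_forwards() {
    grep -c -v '^@'
}

# Demo run. To install, compile the text with sendmail's makemap:
#   makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable
printf '%s\n' "$VALID_USERS" | build_virtusertable example.com exchange.internal
```

As Hugo points out, the catch-all applies to MAIL FROM as well as RCPT TO, so the user list has to be complete; the count_forwards helper gives a quick way to compare the generated map against the number of accounts you expected to export.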

al

Sep 22, 2004, 8:29:15 PM
Hi,
Thanks for your reply but that didn't work.
It ended up blocking even the good-add...@mydomain.com
thanks,
Al


"Jeff Rife" <we...@nabs.net> wrote in message
news:MPG.1bb66a49e...@news.nabs.net...
