info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Does sendmail ignore milter result?
5 views
Skip to first unread message
Piotr Lechowicz
Apr 13, 2016, 5:35:48 AM4/13/16
to
Hello,
In my server sendmail log I noticed such an effect of milter (dnsbl-milter exactly) action in case of valid recipient address:
Apr 13 10:40:41 server1 sendmail[5806]: u3D8eaTa005806: Milter: to=<valid...@example.com>, reject=550 5.7.1 mail from 62.80.171.235 rejected - zen; see http://www.spamhaus.org/query/bl?ip=62.80.171.235
and different sendmail behaviour in case of invalid recipient address:
Apr 13 10:40:42 server1 sendmail[5806]: u3D8eaTa005806: <invali...@example.com>... User unknown
Both log entries come from the same connection (and the same sender ip address).
It seems such a way sendmail responds to delivery to invalid recipient address (ignoring milter result or not running milter at all) can be used by spamers to verify their address list.
Is it possible to configure sendmail (or milter itself) to reject connections from "milter detected" bad sender to invalid recipient address with milter response as in first log entry?
Piotr
In my server sendmail log I noticed such an effect of milter (dnsbl-milter exactly) action in case of valid recipient address:
Apr 13 10:40:41 server1 sendmail[5806]: u3D8eaTa005806: Milter: to=<valid...@example.com>, reject=550 5.7.1 mail from 62.80.171.235 rejected - zen; see http://www.spamhaus.org/query/bl?ip=62.80.171.235
and different sendmail behaviour in case of invalid recipient address:
Apr 13 10:40:42 server1 sendmail[5806]: u3D8eaTa005806: <invali...@example.com>... User unknown
Both log entries come from the same connection (and the same sender ip address).
It seems such a way sendmail responds to delivery to invalid recipient address (ignoring milter result or not running milter at all) can be used by spamers to verify their address list.
Is it possible to configure sendmail (or milter itself) to reject connections from "milter detected" bad sender to invalid recipient address with milter response as in first log entry?
Piotr
Claus Aßmann
Apr 13, 2016, 9:25:03 AM4/13/16
to
Piotr Lechowicz wrote:
> Is it possible to configure sendmail (or milter itself) to reject connections from "milter detected" bad sender
> to invalid recipient address with milter response as in first log entry?
Tell the milter to reject those sessions before any transaction starts.
> Is it possible to configure sendmail (or milter itself) to reject connections from "milter detected" bad sender
> to invalid recipient address with milter response as in first log entry?
Or see the fine libmilter documentation and look for SMFIP_RCPT_REJ.
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
Carl Byington
Apr 13, 2016, 2:44:10 PM4/13/16
to
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On Wed, 13 Apr 2016 13:15:28 +0000, Claus Assmann wrote:
> Or see the fine libmilter documentation and look for SMFIP_RCPT_REJ.
Ok, we can use xxfi_negotiate() and SMFIP_RCPT_REJ to get those invalid
recipients passed into the milter. But from reading the documentation,
it seems that the response to the mail client has already been sent
before the milter sees this invalid recipient. Can the milter
(smfi_setreply(); return SMFIS_REJECT;) from this invalid recipient
change the default sendmail "user unknown" response?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEAREKAAYFAlcOk10ACgkQL6j7milTFsFBSgCcDcHIviWZXjDMIW7bDIZ9pEaD
O1UAnjWdnrylx3xspwC3EZF8Qsfd8q+H
=x5qg
-----END PGP SIGNATURE-----
Hash: SHA512
On Wed, 13 Apr 2016 13:15:28 +0000, Claus Assmann wrote:
> Or see the fine libmilter documentation and look for SMFIP_RCPT_REJ.
recipients passed into the milter. But from reading the documentation,
it seems that the response to the mail client has already been sent
before the milter sees this invalid recipient. Can the milter
(smfi_setreply(); return SMFIS_REJECT;) from this invalid recipient
change the default sendmail "user unknown" response?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEAREKAAYFAlcOk10ACgkQL6j7milTFsFBSgCcDcHIviWZXjDMIW7bDIZ9pEaD
O1UAnjWdnrylx3xspwC3EZF8Qsfd8q+H
=x5qg
-----END PGP SIGNATURE-----
0 new messages