The scenario is like this:
1. Sendmail-rx: a daemon that listens on *:25 and *:587
This sendmail should check if a user (real or virtuser) exists
and forward all mails to MAIL_HUB or SMART_HOST even if the recipient
is a local user (real or virtual)
2. Amavis daemon that listens on localhost:10024
This daemon receives mails from sendmail-rx and, after some AV/Spam
checks, forwards all clean mails to sendmail-tx
3. Sendmail-tx: a daemon that listens on localhost:10025
This sendmail receives mails from the amavis daemon and delivers all
mails normally (local mails / virtuser and mails to other servers)
Now, I have only one little problem:
sendmail-rx accepts all addresses; if a user does not exist,
a bounce will be produced in sendmail-tx... this is a bad behaviour for
my system because I receive an impressive quantity of emails with
dictionary-based recipients, and by now, for all these mails, my system
checks for spam and viruses....
How can I reject mails with non-existing recipients? (real and virtual
ones)
Thank you in advance,
Simone Marx.
Here is my sendmail-rx.mc file:
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for My Linux')dnl
OSTYPE(`linux')
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')
FEATURE(`blacklist_recipients')
define(`confPRIVACY_FLAGS', `noexpn,novrfy,authwarnings')dnl
define(`confTO_IDENT', `0')dnl Disable IDENT
define(`confREFUSE_LA', 6)
define(`confMAX_DAEMON_CHILDREN', `25')dnl
define(`confRUN_AS_USER',`smmsp:smmsp')dnl Drop privileges (see SECURITY NOTE)
define(`confPID_FILE', `/var/run/sendmail-rx.pid')dnl Non-default pid file
define(`STATUS_FILE', `/etc/mail/stat-rx')dnl Non-default stat file
define(`QUEUE_DIR', `/var/spool/mqueue-rx')dnl Non-default queue area
define(`confQUEUE_SORT_ORDER',`Modification')dnl Modif or Random are reasonable
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue-rx, R=2, F=f')dnl
FEATURE(stickyhost)dnl Keep envelope addr "u...@local.host" when fwd to MAIL_HUB
define(`MAIL_HUB', `esmtp:[127.0.0.1]')dnl Forward all local mail to amavisd
define(`SMART_HOST',`esmtp:[127.0.0.1]')dnl Forward all other mail to amavisd
define(`confDELIVERY_MODE',`q')dnl Delivery mode: queue only (a must, otherwise the advantage of this setup of being able to specify the number of queue runners is lost)
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')dnl To tcp port 10024 instead of 25
MODIFY_MAILER_FLAGS(`ESMTP', `+z')dnl Speak LMTP (this is optional)
define(`SMTP_MAILER_MAXMSGS',`10')dnl Max no. of msgs in a single connection
define(`confTO_DATAFINAL',`5m')dnl (20 minute originally) 5 minute timeout for content checking
DAEMON_OPTIONS(`Name=MTA-RX')dnl Daemon name used in logged messages
undefine(`ALIAS_FILE')dnl No aliases file, all local mail goes to MAIL_HUB
define(`confFORWARD_PATH')dnl Empty search path for .forward files
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
undefine(`DECNET_RELAY')dnl
MAILER(smtp)
IMHO, the best solution is to switch to amavis milter:
* It's easier to maintain because there's only one instance of
sendmail, which consults with amavis after doing its own checks
(but before accepting the mail).
* It allows you to reject spam and viruses directly in the SMTP
conversation (IIRC, D_BOUNCE setting in amavis). No more worries
about false positives -- if there is one, the sender should be
notified immediately by the sending MTA.
* It's usually less resource-intensive. With your current setup,
sendmail-rx writes the whole message physically to disk before
amavis sees it. With a milter, you can put the amavis working
directory on a RAM disk, set confSAFE_QUEUE to PostMilter, raise
confDF_BUFFER_SIZE to 100 KB or thereabouts, and the majority of
viruses and spam won't even touch the disk.
The major downside is that sendmail will temporarily reject mail if
amavis is overwhelmed. In my experience, the advantages more than
compensate for that, but if that's a show-stopper for you, the
following should work in your current configuration:
[...]
> There is my sendmail-rx.mc file:
>
[...]
> FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
(The -o flag is deprecated because it hides problems. Either remove
the second argument -- it contains default values anyway -- or the
whole line if you don't use access_db.)
> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')
This should already be rejecting non-existent users. If not, make
sure each domain has a catch-all entry:
@example.org error:5.1.1:"550 User unknown"
Finally, add
define(`LUSER_RELAY', `error:5.1.1:"550 User unknown"')dnl
Hmm, you should also remove
undefine(`ALIAS_FILE')dnl
However, that won't work if you use program aliases; some custom rules
are needed. Search the group archive or ask, I think I still have
them somewhere...
I've modified my sendmail-rx.mc file as described, but unfortunately
the problem still persists...
I've added/modified these lines:
FEATURE(`access_db')dnl
FEATURE(`virtusertable')dnl
define(`LUSER_RELAY', `error:5.1.1:"550 User unknown"')dnl
and removed this one:
undefine(`ALIAS_FILE')dnl
I've also tried with and without this line:
define(`LOCAL_RELAY',`esmtp:[127.0.0.1]')dnl
But sendmail-rx still does not check if recipients exist...
(the problem persists for real users too)
However, I suspect that sendmail-rx does not care about
the existence of any kind of user (real, alias, virtuser) even if
I specify these FEATUREs and defines...
Might the problem lie in the MAIL_HUB feature?
Do you know if sendmail has to ignore these directives (virtuser,
alias, etc...) and all local checks if MAIL_HUB is used?
Thanks for your support,
Simone.
No, they should still work. Make sure you restarted sendmail, and that
it is using the modified file. If that doesn't work, post the output of
# echo '$L' | sendmail -C/etc/mail/sendmail-rx.cf -bt
# echo '5 root' | sendmail -C/etc/mail/sendmail-rx.cf -bt -d21.10
Below is the output you have requested.
Thank you, Matej, for your interest....
Simone.
# echo '$L' | sendmail -C/etc/mail/sendmail-rx.cf -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> Undefined
# echo '5 root' | sendmail -C/etc/mail/sendmail-rx.cf -bt -d21.10
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> localaddr input: root
-----skip subr Local_localaddr (197)
rewritten as: root $| root
----- rule fails
----- rule fails
rewritten as: root
----- rule fails
----- rule fails
rewritten as: < > root
rewritten as: < esmtp : [ 127 . 0 . 0 . 1 ] > root
----- rule fails
----- rule fails
----- rule fails
----- rule fails
----- rule fails
----- rule fails
rewrite: RHS $&{h} => "(NULL)"
rewritten as: < esmtp : [ 127 . 0 . 0 . 1 ] > root < >
----- rule fails
rewritten as: < esmtp : [ 127 . 0 . 0 . 1 ] > root
----- rule fails
----- rule fails
MailerToTriple input: < esmtp : [ 127 . 0 . 0 . 1 ] > root < @ [ 127 . 0 . 0 . 1 ] >
----- rule fails
----- rule fails
----- rule fails
----- rule fails
----- rule fails
----- rule fails
rewritten as: $# esmtp $@ [ 127 . 0 . 0 . 1 ] $: root < @ [ 127 . 0 . 0 . 1 ] >
MailerToTriple returns: $# esmtp $@ [ 127 . 0 . 0 . 1 ] $: root < @ [ 127 . 0 . 0 . 1 ] >
rewritten as: $# esmtp $@ [ 127 . 0 . 0 . 1 ] $: root < @ [ 127 . 0 . 0 . 1 ] >
localaddr returns: $# esmtp $@ [ 127 . 0 . 0 . 1 ] $: root < @ [ 127 . 0 . 0 . 1 ] >
This means that LUSER_RELAY didn't make it to sendmail-rx.cf... Perhaps
you made a typo in sendmail-rx.mc, or used an old copy, or placed the
resulting .cf in the wrong directory?
To check the existence of a (local) user (i.e. do a passwd lookup),
mail must resolve to a mailer which has the 'w' flag set.
/ Kari Hurtta
>
> To check the existence of a (local) user (i.e. do a passwd lookup),
> mail must resolve to a mailer which has the 'w' flag set.
I should add a quote from the Sendmail Installation and
Operation Guide (doc/op/op.mem doc/op/op.ps) here:
| The following flags may be set in the mailer
| description. Any other flags may be used freely to
<...>
| w The user must have a valid account on this
| machine, i.e., getpwnam must succeed. If not, the
| mail is bounced. See also the MailBoxDatabase
| option. This is required to get ".forward"
| capability.
/ Kari Hurtta
Hi,
I've moved the
LUSER_RELAY and ALIAS_FILE defines close to the top of the .mc file.
Now, if I launch
echo '$L' | sendmail -C/etc/mail/sendmail-rx.cf -bt
I receive this output:
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> error:5.1.1:550 User unknown
>
Note that if I connect to the mail server
and I give a rcpt to:f...@bar.ext
I always receive a Recipient Ok;
if I give a rcpt to:foo
and the local user does not exist I correctly receive a 'User
unknown'...
For Kari Hurtta:
Sorry, I haven't understood your note....
In my sendmail-rx.cf I see 2 mailers: prog and local
local contains the w flag
prog does not...
if I move the w flag, nothing changes...
Thanks,
Simone.
Great, that should solve the problem for local domains (i.e. ones
listed in "echo '$=w' | sendmail -Csendmail-rx.cf -bt").
> Note that if I connect to mail server
> if I give a rcpt to:f...@bar.ext
> always I receive a Recipient Ok
> if I give a rcpt to:foo
> and the local user does not exist I correctly receive a 'User
> unknown'...
Is "bar.ext" listed in
# echo '$={VirtHost}' | sendmail -Csendmail-rx.cf -bt
If so, see the previous message:
> This should already be rejecting non-existent users. If not, make
> sure each domain has a catch-all entry:
>
> @example.org error:5.1.1:"550 User unknown"
mmm...
echo '$={VirtHost}' | sendmail -Csendmail-rx.cf -bt
produces no results....
This means that sendmail does not read local-host-names or
relay-domains
or ...what?
Thank you,
Simone.
> mmm...
> echo '$={VirtHost}' | sendmail -Csendmail-rx.cf -bt
>
> produces no results....
> This means that sendmail does not read local-host-names or
> relay-domains
As I already said, you can see the list of local domains with
# echo '$=w' | sendmail -Csendmail-rx.cf -bt
If the ones from /etc/mail/local-host-names are missing, make sure
sendmail-rx.mc uses
FEATURE(`use_cw_file')dnl
> or ...what?
It means that no virtusertable domains are defined in sendmail-rx.mc.
What did you mean by bar.ext then?
echo '$=w' | sendmail -Csendmail-rx.cf -bt
returns all local host names correctly....
> It means that no virtusertable domains are defined in sendmail-rx.mc.
> What did you mean by bar.ext then?
bar.ext is one domain listed in relay-domains and local-host-names...
Also, it is my default domain.
(my MX server is william.foo.it and 'real' users are in the format
sim...@william.foo.it or sim...@foo.it)
FEATURE(luser_relay) really should cover it then. Can you post your
current sendmail-rx.mc (modulo comments) and local-host-names?
-------------sendmail-rx.mc------------------
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for My Linux')dnl
OSTYPE(`linux')
FEATURE(`access_db')
FEATURE(`virtusertable')
FEATURE(`blacklist_recipients')
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
define(`LUSER_RELAY', `error:5.1.1:"550 User unknown"')
define(`ALIAS_FILE', `/etc/mail/aliases')
define(`confPRIVACY_FLAGS', `noexpn,novrfy,authwarnings')
define(`confTO_IDENT', `0')
define(`confREFUSE_LA', 5)
define(`confMAX_DAEMON_CHILDREN', `15')
define(`confRUN_AS_USER',`smmsp:smmsp')
define(`confPID_FILE', `/var/run/sendmail-rx.pid')
define(`STATUS_FILE', `/etc/mail/stat-rx')
define(`QUEUE_DIR', `/var/spool/mqueue-rx')
define(`confQUEUE_SORT_ORDER',`Modification')
QUEUE_GROUP(`mqueue', `P=/var/spool/mqueue-rx, R=2, F=f')
FEATURE(stickyhost)
define(`MAIL_HUB', `esmtp:[127.0.0.1]')
define(`SMART_HOST',`esmtp:[127.0.0.1]')
define(`LOCAL_RELAY',`esmtp:[127.0.0.1]')
define(`confDELIVERY_MODE',`q')
define(`ESMTP_MAILER_ARGS',`TCP $h 10024')
MODIFY_MAILER_FLAGS(`ESMTP', `+z')
define(`SMTP_MAILER_MAXMSGS',`10')
define(`confTO_DATAFINAL',`5m')
FEATURE(`no_default_msa')
define(`confDONT_PROBE_INTERFACES', true)
DAEMON_OPTIONS(`Addr=127.0.0.1, Port=10026, Name=MTA-RX')
define(`confFORWARD_PATH')
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
undefine(`DECNET_RELAY')
LOCAL_DOMAIN(`localhost.localdomain')
MAILER(smtp)
-------------sendmail-rx.mc (END)------------------
-------------local-host-names------------------
localhost
127.0.0.1
mail.ivg.it
mbox.ivg.it
william.ivg.it
accomics.it
aceaalbenga.com
aeffefloricoltura.com
agenzia4mura.it
.
.
.
ivg.it
.
.
.
nandorizzo.it
studioraffaello.net
giuseppematarrese.com
-------------local-host-names (END)------------------
relay_domains has the same content as local-host-names
Thanks,
Simone.
We have got a similar setup but spread over a couple of different
computers. The problem always occurs when the MX doesn't carry the
mail-accounts. Since there is, in my case, no chance to check the
recipients automatically we use the access-file (access.db) containing
a (manually updated...) list.
The syntax is like this:
To: a...@xyz.xy OK
To: x...@xyz.xy OK
To: xyz.xy 550 User unknown!
First all the addresses you want to pass and then blocking all the others.
To install it into your one-hardware-setup most likely needs some more
tweaking. We have only one sendmail-daemon per machine.
Regards
Peter
--
http://www.netzwerkcenter.ch FreeBSD/PHP/MySQL
Against worms: http://www.heise.de/security/dienste/antivirus/links.shtml
spamg...@netzwerkcenter.ch - gets me spam for training my filters
> Hi Matej,
> there are my sendmail-rx.mc file ( without comments )
> and local-host-names.
> Note that local-host-names is 373 lines long. I've cut off
> all domains that we can ignore for now....
>
[...]
> FEATURE(stickyhost)
[...]
Ah, should have thought of that! It turns out that FEATURE(stickyhost)
short-circuits FEATURE(luser_relay).
A simple solution is to disable FEATURE(stickyhost).
If this is not possible in your setup, the alternative is to replace
FEATURE(luser_relay) with custom rules. The latter have the advantage
of properly handling special aliases ("|program", "/mailbox", and
":include:/list"). If you choose this route, you should re-enable
`undefine(`ALIAS_FILE')dnl', and append the following to sendmail-rx.mc
(replacing multiple spaces with tabs):
LOCAL_CONFIG
Kaliasp hash -m /etc/mail/aliases
Kuserp user -m
LOCAL_RULESETS
SLocal_check_rcpt
R$* $: <?> $&{rcpt_mailer}:$&{rcpt_host}
R<?> local:$* $: <@> $&{rcpt_addr} verify local user
R<?> $*:$H $: <@> $&{rcpt_addr} verify mail hub user
R<?> $H $: <@> $&{rcpt_addr} ($H can be mailer:host)
R<?> $* $@ OK ignore other addresses
R<@> $* @ $* $: <@> $1 strip domain
R<@> $+ + $* $: < $(aliasp $1+$2 $: @ $) > $1 + * plussed alias?
R<@> $+ + $* $: < $(aliasp $1+$2 $: @ $) > $1 +* alias?
R<@> $+ $: < $(aliasp $1 $: @ $) > $1 normal alias?
R<@> $+ $: < $(userp $1 $: @ $) > $1 system user?
R<@> $+ $#error $@ 5.1.1 $: "550 User unknown" nope, go away
[...]
> relay_domains has the same content of local-host-names
(Relaying is implicitly allowed for local-host-names, so this is not
necessary.)
Wow! Now non-existing local recipients (real/virtual) are rejected!
Great!
But there is still a little problem... now I can't send mails to other
servers...
for example I can't send emails to x...@yahoo.com ...... sendmail-rx
says that x...@yahoo.com is an unknown user....
from the log file:
ruleset=check_rcpt, arg1=x...@yahoo.com, relay=localhost [127.0.0.1],
reject=550 5.1.1 x...@yahoo.com ... User unknown
Thank you Matej,
Simone.
PS: Do you know a good guide to learn how to build a custom ruleset / to
understand what a ruleset means?
> Wow! Now non existing local recipients (real/virtual ) are rejected!
> Great!
> But there is still a little problem...now I can't send mails to other
> servers...
> for example I can't send emails to x...@yahoo.com ......sendmail-rx
> says that x...@yahoo.com is an unknown user....
>
> from log file:
> ruleset=check_rcpt, arg1=x...@yahoo.com, relay=localhost [127.0.0.1],
> reject=550 5.1.1 x...@yahoo.com ... User unknown
Bah, didn't take SMART_HOST into account. This ought to work:
LOCAL_CONFIG
Kaliasp hash -m /etc/mail/aliases
Kuserp user -m
LOCAL_RULESETS
SLocal_check_rcpt
R$* $: <?> $&{rcpt_addr}
R<?> $+ @ $=w $: <@> $1 mark local address
R<?> $* @ $* $@ OK ignore remote address
R<?> $+ $: <@> $1 mark unqualified user
R<@> $+ + $* $: < $(aliasp $1+$2 $: @ $) > $1 + * plussed alias?
R<@> $+ + $* $: < $(aliasp $1+$2 $: @ $) > $1 +* alias?
R<@> $+ $: < $(aliasp $1 $: @ $) > $1 normal alias?
R<@> $+ $: < $(userp $1 $: @ $) > $1 system user?
R<@> $+ $#error $@ 5.1.1 $: "550 User unknown" nope, go away
> PS: you know a good guide to learn how to build custom ruleset / to
> understand what a ruleset means ?
Well, section 5 of the Operation Guide (op.*) is the canonical
reference, but O'Reilly's _Sendmail_ [1] (the "Bat Book") provides a
much gentler introduction. (Copies can be found on-line.)
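To make the decision logic of the second Local_check_rcpt ruleset easier to follow (and to see why the first version rejected x...@yahoo.com), here is a reference model of it in Python. This is an added example, not code from the thread or from the sendmail distribution, and it runs without a sendmail install. The local-host-names, aliases and passwd contents are constructed sample data; `check_rcpt` follows the rule order of the working ruleset (remote domain not in $=w: accept; local or unqualified address: alias lookup, then user lookup, else 550). Falling back to the base name for a plussed address (user+detail) is an assumption about the ruleset's intent, matching how the local mailer strips +detail on delivery. `passwd_user_exists` shows the real lookup the 'w' mailer flag and the `Kuserp user` map perform; the demo and test inject a constructed user set instead so the result is deterministic.

```python
"""Reference model of the recipient check that the custom Local_check_rcpt
ruleset performs inside sendmail-rx.  Added example, not code from the
thread; runs without sendmail."""

# Constructed sample inputs (not the thread's real files) standing in for
# /etc/mail/local-host-names, /etc/mail/aliases and the passwd database.
LOCAL_HOST_NAMES_TEXT = """\
# constructed local-host-names (class $=w)
localhost
127.0.0.1
william.example.invalid
example.invalid
"""

ALIASES_TEXT = """\
# constructed aliases file
postmaster: root
webmaster:  simone
sales:      "|/usr/local/bin/sales-handler"
staff:      :include:/etc/mail/lists/staff
news+*:     simone
"""

SYSTEM_USERS = frozenset({"root", "simone"})  # constructed passwd entries

REJECT = "550 5.1.1 User unknown"  # reply produced by the ruleset's $#error


def parse_local_host_names(text):
    """Class $=w as FEATURE(use_cw_file) loads it: one name per line,
    '#' comments and blank lines ignored, compared case-insensitively."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return names


def parse_aliases(text):
    """Flat aliases(5) file: 'name: value', continuation lines start with
    whitespace, '#' starts a comment.  Values are kept verbatim, so the
    program ("|cmd"), file ("/path") and ":include:" forms the thread
    mentions simply count as existing aliases."""
    aliases = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            aliases[current] += " " + raw.strip()  # continuation line
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed alias line: %r" % raw)
        current = name.strip().lower()
        aliases[current] = value.strip()
    return aliases


def passwd_user_exists(user):
    """What the 'w' mailer flag and the 'Kuserp user' map do: a passwd
    lookup.  Only meaningful when run on the mail host itself."""
    import pwd
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False


def check_rcpt(rcpt_addr, local_hosts, aliases, user_exists):
    """Return "OK" or the 550 reply for one RCPT TO address, following the
    rule order of the second (working) Local_check_rcpt ruleset."""
    addr = rcpt_addr.strip().strip("<>").lower()
    local_part, at, domain = addr.rpartition("@")
    if at:
        if domain not in local_hosts:
            return "OK"        # R<?> $* @ $*   $@ OK      ignore remote address
        user = local_part      # R<?> $+ @ $=w  $: <@> $1  mark local address
    else:
        user = addr            # R<?> $+        $: <@> $1  mark unqualified user

    # Alias lookups: exact plussed alias (user+detail), then the wildcard
    # form (user+*), then the plain name.  The base-name fallback for a
    # plussed address is an assumption (see lead-in).
    base, plus, _detail = user.partition("+")
    candidates = [user, base + "+*"] if plus else []
    candidates.append(base)
    if any(name in aliases for name in candidates):
        return "OK"
    if user_exists(base):      # R<@> $+  $: < $(userp $1 $: @ $) > $1
        return "OK"
    return REJECT              # R<@> $+  $#error $@ 5.1.1 $: "550 User unknown"


if __name__ == "__main__":
    hosts = parse_local_host_names(LOCAL_HOST_NAMES_TEXT)
    aliases = parse_aliases(ALIASES_TEXT)
    in_passwd = SYSTEM_USERS.__contains__   # constructed stand-in for passwd_user_exists
    for rcpt in ("simone@example.invalid", "nobody@example.invalid",
                 "x@yahoo.com", "sales@william.example.invalid",
                 "news+daily@example.invalid", "postmaster"):
        print("%-32s %s" % (rcpt, check_rcpt(rcpt, hosts, aliases, in_passwd)))
```

The remote-domain test on the first branch is exactly what the earlier ruleset lacked: it compared the resolved mailer:host against $H, and since SMART_HOST also resolves to esmtp:[127.0.0.1], every remote recipient fell into the local branch and got "User unknown".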
Emails for local recipients are rejected if they don't exist, allowed
otherwise.
Emails for non-local recipients are allowed too!!!
Thank you very much Matej,
Simone.