I'm using sendmail 8.9.3 and have trouble with one customer.
When we want to send mails to him, their server returns:
>>> RCPT To:<f...@customer.com>
<<< 550-Callback setup failed while verifying <us...@mycompany.com>
<<< 550-Called: some-ip-address
<<< 550-Sent: MAIL FROM:<>
<<< 550-Response: 553 <>... @
<<< 550-The initial connection, or a HELO or MAIL FROM:<> command was
<<< 550-rejected. Refusing MAIL FROM:<> does not help fight spam, disregards
<<< 550-RFC requirements, and stops you from receiving standard bounce
<<< 550-messages. This host does not accept mail from domains whose servers
<<< 550-refuse bounces.
<<< 550 Sender verify failed
In my /var/log/mail I see:
Aug 4 11:26:01 linux sendmail[21091]: LAA21091: ruleset=check_mail,
arg1=<>, relay=foo.bar.de [some-ip-address], reject=553 <>... @
It's clear to me what is happening, and that the fault is on my side. To be
RFC-compliant, I should change something. But I don't know what I have to
change in my sendmail.cf.
I know that I could use a newer sendmail version, and that is what I will
do in future, but I'm too scared just to install a new version on a
production server without testing.
I need a fast solution, so is there a way with sendmail 8.9?
Kind regards,
Markus
Please post your sendmail.mc, or, if you don't have one, your check_mail
ruleset.
Sorry, I haven't got an actual sendmail.mc. Too many changes in sendmail.cf
:-(
see my check_mail rulesets below.
Thanx for help,
Markus
######################################################################
### check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################
# spam site list files
F{SpamDomains} /etc/spamdomains.txt
F{Spammer} /etc/spammers.txt
SLocal_check_mail
Scheck_mail
R$* $: $>"check_spam_mail" $1
R$* $: $1 $| $>"Local_check_mail" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_mail" $1
Scheck_spam_mail
#19.09.2002 by M. Grossmann
R<$={Spammer}> $#error $@ 5.7.1 $: "550 We don't accept junk mail"
R<$={Spammer}.> $#error $@ 5.7.1 $: "550 We don't accept junk mail"
R$={Spammer} $#error $@ 5.7.1 $: "550 We don't accept junk mail"
R$={Spammer}. $#error $@ 5.7.1 $: "550 We don't accept junk mail"
R$* $: $>3 $1
R$*<@$={SpamDomains}.>$* $#error $@ 5.7.1 $: "550 We don't accept junk mail from your domain"
R$*<@$={SpamDomains}>$* $#error $@ 5.7.1 $: "550 We don't accept junk mail from your domain"
R$* $: $>4 $1
SBasic_check_mail
# check for deferred delivery mode
R$* $: < ${deliveryMode} > $1
R< d > $* $@ deferred
R< $* > $* $: $2
R<> $@ <OK>
R$* $: <?> $>CanonAddr $1
R<?> $* < @ $+ . > <?> $1 < @ $2 > strip trailing dots
# handle non-DNS hostnames (*.bitnet, *.decnet, *.uucp, etc)
R<?> $* < $* $=P > $* $: <OK> $1 < @ $2 $3 > $4
R<?> $* < @ $+ > $* $: <? $(resolve $2 $: $2 <PERM> $) > $1 < @ $2 > $3
R<? $* <$->> $* < @ $+ > $*
    $: <$2> $3 < @ $4 > $5
# handle case of @localhost on address
R<$+> $* < @localhost > $: < ? $&{client_name} > <$1> $2 < @localhost >
R<$+> $* < @localhost.$m >
    $: < ? $&{client_name} > <$1> $2 < @localhost.$m >
R<$+> $* < @localhost.UUCP >
    $: < ? $&{client_name} > <$1> $2 < @localhost.UUCP >
R<? $=w> <$+> $* <?> <$2> $3
R<? $+> <$+> $* $#error $@ 5.5.4 $: "553 Real domain name required"
R<?> <$+> $* $: <$1> $2
# lookup localpart (user@)
R<$+> $* < @ $+ > $* $: <USER $(access $2@ $: ? $) > <$1> $2 < @ $3 > $4
# no match, try full address (user@domain rest)
R<USER ?> <$+> $* < @ $* > $*
    $: <USER $(access $2@$3$4 $: ? $) > <$1> $2 < @ $3 > $4
# no match, try address (user@domain)
R<USER ?> <$+> $+ < @ $+ > $*
    $: <USER $(access $2@$3 $: ? $) > <$1> $2 < @ $3 > $4
# no match, try (sub)domain (domain)
R<USER ?> <$+> $* < @ $+ > $*
    $: $>LookUpDomain <$3> <$1> <>
# check unqualified user in access database
R<?> $* $: <USER $(access $1@ $: ? $) > <?> $1
# retransform for further use
R<USER $+> <$+> $* $: <$1> $3
# handle case of no @domain on address
R<?> $* $: < ? $&{client_name} > $1
R<?> $* $@ <OK> ...local unqualed ok
R<? $+> $* $#error $@ 5.5.4 $: "553 Domain name required" ...remote is not
# check results
R<?> $* $@ <OK>
R<OK> $* $@ <OK>
R<TEMP> $* $#error $@ 4.1.8 $: "451 Sender domain must resolve"
R<PERM> $* $#error $@ 5.1.8 $: "501 Sender domain must exist"
R<RELAY> $* $@ <RELAY>
R<DISCARD> $* $#discard $: discard
R<REJECT> $* $#error $@ 5.7.1 $: "550 Access denied"
R<$+> $* $#error $@ 5.7.1 $: $1 error from access db
Here, ruleset 3 converts "<>" to its internal canonical form, "<@>"...
> R$*<@$={SpamDomains}.>$* $#error $@ 5.7.1 $: "550 We don't accept junk mail from your domain"
> R$*<@$={SpamDomains}>$* $#error $@ 5.7.1 $: "550 We don't accept junk mail from your domain"
> R$* $: $>4 $1
... and here ruleset 4 rewrites "<@>" to its external form, the null
address, but doesn't use angle brackets...
> SBasic_check_mail
> # check for deferred delivery mode
> R$* $: < ${deliveryMode} > $1
> R< d > $* $@ deferred
> R< $* > $* $: $2
>
> R<> $@ <OK>
... which is why this rule doesn't match, eventually resulting in a
parse error.
check_spam_mail should be working on a copy of the address rather than
in-place -- see how check_mail invokes Local_check_mail. In fact,
local checks are precisely what Local_check_mail is for; adding your
own ruleset is unnecessary. Here's a working version, trimmed a bit:
SLocal_check_mail
# let canonify strip angle brackets, trailing dots, and source routes
R$* $: $>4 $>3 $1
R$={Spammer} $#error $@ 5.7.1 $: "550 We don't accept junk mail"
R$* @ $={SpamDomains} $#error $@ 5.7.1 $: "550 We don't accept junk mail from your domain"
Scheck_mail
R$* $: $1 $| $>"Local_check_mail" $1
R$* $| $#$* $#$2
R$* $| $* $@ $>"Basic_check_mail" $1
(No need to change the F lines or Basic_check_mail.)
BTW, think about using FEATURE(access_db).
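Added example (not part of the original thread): a small log check for the symptom discussed above, check_mail rejecting the null sender "<>", which is what breaks bounces and sender callouts. The sample log is constructed from the entry quoted in the first post; the IP addresses, the extra entries and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample modeled on the log entry quoted in the thread; the IP
# addresses and the second and fourth entries are placeholders.
SAMPLE_LOG = """\
Aug  4 11:26:01 linux sendmail[21091]: LAA21091: ruleset=check_mail, arg1=<>, relay=foo.bar.de [192.0.2.10], reject=553 <>... @
Aug  4 11:27:13 linux sendmail[21102]: LAA21102: ruleset=check_mail, arg1=<junk@spam.example>, relay=mx.spam.example [198.51.100.7], reject=550 We don't accept junk mail
Aug  4 11:30:45 linux sendmail[21140]: LAA21140: ruleset=check_mail,
arg1=<>, relay=foo.bar.de [192.0.2.10], reject=553 <>... @
Aug  4 11:31:02 linux sendmail[21150]: LAA21150: from=<>, size=1843, class=0, nrcpts=1, relay=mx.example.org [203.0.113.5]
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
REJECT = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): ruleset=(?P<ruleset>\w+), "
    r"arg1=(?P<arg1>.*?), relay=(?P<relay>.*?), reject=(?P<reject>.*)$"
)

def logical_lines(text):
    """Rejoin entries that were wrapped (e.g. when pasted into mail)."""
    entries = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def null_sender_rejects(text):
    """Return check_mail rejections whose MAIL FROM argument was <>."""
    hits = []
    for entry in logical_lines(text):
        m = REJECT.search(entry)
        if m and m["ruleset"] == "check_mail" and m["arg1"].strip() == "<>":
            hits.append(m.groupdict())
    return hits

def by_relay(text):
    """Count null-sender rejections per connecting relay."""
    return Counter(hit["relay"] for hit in null_sender_rejects(text))

if __name__ == "__main__":
    for relay, count in by_relay(SAMPLE_LOG).most_common():
        print(f"{count} null-sender rejection(s) from {relay}")
```

Any hit means a remote host's bounce or callout was refused; after the ruleset fix the count for new log entries should stay at zero.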
So you can't upgrade from 1998 sendmail because your sendmail.cf
is cobbled together and unmaintainable.
At some point, you're going to have to bite the bullet, understand what
it does, functionally, and reproduce it in an m4 file.
Then you get to move your sendmail forward 6 years to 8.13.
Sorry to make you an example. At least you're running 8.9 which has
anti-relay stuff built in. I recently m4'd a machine with configs from
8.7 times (thank god it was fairly deeply internal).
That's it! Thanx a lot, it works!
regards,
Markus