access_db not recognized

Marco Moock

Sep 3, 2023, 7:43:14 AM
Hello everyone!

I would like to use accessdb to block certain recipient domains and
only allow some addresses to be locally delivered (to avoid backscatter
attacks).
First, I only test to block one address.

For me, that looks fine and means the access db hash database includes
the option.

m@srv1:/etc/mail$ sudo sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /map access To:b...@test.dorfdsl.de
map_lookup: access (To:b...@test.dorfdsl.de) returns REJECT (0)

Although, the MTA doesn't care about it.

m@srv1:/etc/mail$ sudo /usr/lib/sendmail -bv b...@test.dorfdsl.de
b...@test.dorfdsl.de... deliverable: mailer esmtp, host test.dorfdsl.de, user b...@test.dorfdsl.de
m@srv1:/etc/mail$

define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.17.1.9-2 2023-01-11 23:26:28 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS=
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MTA, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MSP, Port=submission, M=Ea')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MSP, Port=submissions, M=sEa')dnl
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db',, `relaytofulladdress')dnl
FEATURE(`blocklist_recipients')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
TRUST_AUTH_MECH(`PLAIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN')dnl
include(`/etc/mail/tls/starttls.m4')dnl
dnl Conf lines for certificate, removed here for simplicity
FEATURE(`virtusertable')dnl
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtuserdomains')
define(`confLOCAL_MAILER', `cyrusv2')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`cyrusv2')dnl
MAILER(`smtp')dnl

access db is listed in .cf:

m@srv1:/etc/mail$ grep ^K /etc/mail/sendmail.cf
Kresolve host -a<OKR> -T<TEMP>
Karith arith
Kmacro macro
Kdequote dequote
Kaccess hash -T<TMPF> /etc/mail/access
Kvirtuser hash /etc/mail/virtusertable
m@srv1:/etc/mail$

What is the problem?

--
kind regards
Marco

Kalevi Kolttonen

Sep 3, 2023, 8:51:27 AM
Marco Moock <mo...@posteo.de> wrote:
> For me, that looks fine and means the access db hash database includes
> the option.
>
> m@srv1:/etc/mail$ sudo sendmail -bt
> ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
> Enter <ruleset> <address>
>> /map access To:b...@test.dorfdsl.de
> map_lookup: access (To:b...@test.dorfdsl.de) returns REJECT (0)
>
> Although, the MTA doesn't care about it.
>
> m@srv1:/etc/mail$ sudo /usr/lib/sendmail -bv b...@test.dorfdsl.de
> b...@test.dorfdsl.de... deliverable: mailer esmtp, host test.dorfdsl.de,
> user b...@test.dorfdsl.de m@srv1:/etc/mail$
> [...]
> What is the problem?

It's been a while since I worked with Sendmail, but I seem
to remember that this is a (mis)feature of the "-bv" option.

Just test with:

telnet localhost 587

or

telnet localhost 25

and manually create an SMTP session. I am pretty sure
that your b...@test.dorfdsl.de will be rejected during
the session, just like it should.

br,
KK

Marco Moock

Sep 3, 2023, 11:22:57 AM
On 03.09.2023 at 12:51:24, Kalevi Kolttonen wrote:

> It's been a while since I worked with Sendmail, but I seem
> to remember that this is a (mis)feature of the "-bv" option.

Thanks.

That IS exactly the issue.
Now it would be interesting why that is the case (maybe intentionally).

Claus Aßmann

Sep 4, 2023, 2:15:51 AM
Marco Moock wrote:

> Now it would be interesting why that is the case (maybe intentionally).

See the fine documentation:

5.1.4.3. check_rcpt

The check_rcpt ruleset is passed the user
name parameter of the SMTP RCPT command. ...

That's where your "To:address" access_db entry is used.
sendmail -bv doesn't use SMTP.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
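
The manual SMTP session suggested in the thread, scripted as an added example (not part of any post here): it sends MAIL FROM and RCPT TO and stops before DATA, so the RCPT stage where check_rcpt consults the access map is exercised without queuing a message. The names `probe_rcpt` and `classify`, the host and port, and the sample addresses are assumptions made for this example.

```python
import smtplib


def classify(code):
    """Map an SMTP reply code to a verdict for the RCPT stage."""
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "tempfail"   # temporary failure, e.g. a map lookup problem
    if 500 <= code < 600:
        return "rejected"   # permanent refusal, e.g. an access map REJECT
    return "unexpected"


def probe_rcpt(host, port, sender, recipients, helo="probe.example"):
    """Send MAIL FROM plus one RCPT TO per address, then RSET.

    DATA is never sent, so nothing is queued or delivered.
    Returns {recipient: (smtp_code, verdict, reply_text)}.
    """
    results = {}
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=10) as smtp:
        # The posted config sets needmailhelo, so greet before MAIL.
        smtp.ehlo_or_helo_if_needed()
        for rcpt in recipients:
            code, text = smtp.mail(sender)
            if code != 250:
                raise RuntimeError(f"MAIL FROM refused: {code} {text!r}")
            code, text = smtp.rcpt(rcpt)
            results[rcpt] = (code, classify(code),
                             text.decode(errors="replace"))
            smtp.rset()     # drop the envelope before the next recipient
    return results          # leaving the with-block sends QUIT


if __name__ == "__main__":
    # Constructed addresses: substitute an entry from your own access map.
    probes = ["blocked@test.example", "allowed@test.example"]
    report = probe_rcpt("localhost", 25, "postmaster@localhost", probes)
    for rcpt, (code, verdict, text) in report.items():
        print(f"{rcpt}: {code} {verdict} ({text})")
```

Run it on the mail host itself against port 25 or 587, as with the telnet test.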