
Maintaining valid user list on relay


Nels Lindquist
May 11, 2006, 1:57:35 PM

Hi, all.

We have a huge problem with "joe job" blowback on a Sendmail v8.13.6
relay. I'm trying to configure a list of valid e-mail addresses on
the relay in such a way that Sendmail relays mail for valid users and
returns an error for invalid users.

I've seen many references to using virtusertable for defining a list
of valid users on the secondary MX, but I must be missing something,
because try as I might I can't get sendmail to reject the invalid
users.

I listed all valid users and put a catch-all entry in virtusertable
like so:

us...@example.org us...@example.org
[...]
use...@example.org use...@example.org
use...@example.org use...@example.org
@example.org ERROR:5.1.1:550 User unknown

but it still relays mail for all users in the domain (and yes, I
recompiled the virtusertable map).

In access, I also have these:

To:example.org RELAY
Connect:example.org RELAY

I've also tried various iterations with access map entries rather than
virtualuser, including (with FEATURE(`blacklist_recipients')):

To:us...@example.org RELAY
To:example.org ERROR:5.1.1:550 User unknown

and (with FEATURE(`delay_checks',`friend')):

Spam:us...@example.org FRIEND
To:example.org ERROR:5.1.1:User unknown

all to no avail. Either all mail is rejected, or all mail is relayed.

----
Nels Lindquist <*>

Andrzej Adam Filip
May 11, 2006, 2:49:53 PM

Nels Lindquist <ne...@maei.ca> writes:

> Hi, all.
>
> We have a huge problem with "joe job" blowback on a Sendmail v8.13.6
> relay. I'm trying to configure a list of valid e-mail addresses on
> the relay in such a way that Sendmail relays mail for valid users and
> returns an error for invalid users.
>
> I've seen many references to using virtusertable for defining a list
> of valid users on the secondary MX, but I must be missing something,
> because try as I might I can't get sendmail to reject the invalid
> users.
>
> I listed all valid users and put a catch-all entry in virtusertable
> like so:
>
> us...@example.org us...@example.org
> [...]
> use...@example.org use...@example.org
> use...@example.org use...@example.org
> @example.org ERROR:5.1.1:550 User unknown
>
> but it still relays mail for all users in the domain (and yes, I
> recompiled the virtusertable map).
>
> In access, I also have these:
>
> To:example.org RELAY
> Connect:example.org RELAY

["Connect:example.org RELAY" is "unrelated" ]

Have you added example.org to $={VirtHost} list?

*.mc file:
LOCAL_CONFIG
F{VirtHost}/etc/mail/virtual-domains

/etc/mail/virtual-domains file:
example.org

*Before* using macros provided by sendmail.org for filling $={VirtHost}
read *carefully* about side effects.

> [...]

--
[pl>en: Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
http://anfi.homeunix.net/sendmail/ http://www.linkedin.com/in/andfil
Before You Ask: http://anfi.homeunix.net/sendmail/B4UAsk-Sendmail.html

Nels Lindquist
May 11, 2006, 5:37:51 PM

Andrzej Adam Filip <an...@priv.onet.pl> wrote:

>Nels Lindquist <ne...@maei.ca> writes:

>> [...]


>> I've seen many references to using virtusertable for defining a list
>> of valid users on the secondary MX, but I must be missing something,
>> because try as I might I can't get sendmail to reject the invalid
>> users.
>>
>> I listed all valid users and put a catch-all entry in virtusertable
>> like so:
>>
>> us...@example.org us...@example.org
>> [...]
>> use...@example.org use...@example.org
>> use...@example.org use...@example.org
>> @example.org ERROR:5.1.1:550 User unknown

>> [...]


>
>Have you added example.org to $={VirtHost} list?

I hadn't done so--it wasn't mentioned on
http://www.sendmail.org/tips/virtual-hosting.html

[...]

>*Before* using macros provided by sendmail.org for filling $={VirtHost}
>read *carefully* about side effects.

I've read the relevant section in cf/README and I wasn't sure what I
was supposed to use on the RHS of the virtusertable map for valid
addresses. I started getting a "554 5.0.0 rewrite: excessive
recursion (max 50), ruleset canonify" error, presumably because the
RHS is the same as the LHS in my map. The docs don't suggest I can
use OK or RELAY here, and I'm not actually redirecting the messages to
a different host--I just want them to be relayed on to the higher
priority MX.

** FIXED (posting for future archive searchers) **
I did some searching and found an earlier post you replied to about
some undocumented features, and I'm now using "!" which seems to be
working well. Is that more, less or equally likely to change than
"define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_')"?

Thanks very much for your help!

Why do so many people make vague mention of this whole setup with a
vague handwave which amounts to an RTFM? Making use of undocumented
features doesn't strike me as inherently obvious. :-)

----
Nels Lindquist <*>

Kari Hurtta
May 12, 2006, 1:15:55 AM

Nels Lindquist <ne...@maei.ca> writes:

I have sometimes posted the following solution. It is a
separate file which lists valid addresses.

The following is for the .mc file.

dnl # is the CommuniGate Pro mailbox separator
define(`confOPERATORS',confOPERATORS`\#')

LOCAL_CONFIG
Kvalid hash /usr/local/mail/tables/valid
C{valid}Postmaster
F{vdomain}/usr/local/mail/tables/valid.domain

LOCAL_RULE_0
R $* <@$={vdomain}.>	$1 <@ $2 . > $| $(valid $1@$2 $: BAD $) < ${opMode} >
R $={valid} <@ $* .> $| $* <$->	$1 <@ $2 .>	# No local part on $={valid}
R $* <@ $* .> $| $* <i>	$1 <@ $2 .>	# No check when building alias
R $* <@ $* .> $| BAD <$->	$: $1 <@ $2 .> $| $>CheckAddr1 $1 <@ $2 .>
R $* <@ $* .> $| BAD <$->	$#error $@ nouser $: "550 Sorry, user " $1 " do not found from " $2 " -dictionary"
R $* <@ $* .> $| $*	$1 <@ $2 .>	# Cleanup

LOCAL_RULESETS
SCheckAddr1
R $+ + $* <@ $* .>	$@ $(valid $1@$3 $: BAD $) < ${opMode} >	# If user+detail return status without detail
R $* \# $+ <@ $* .>	$@ $(valid $2@$3 $: BAD $) < ${opMode} >	# If mailbox#user return status without mailbox
R $*	$@ BAD < ${opMode} >	# Otherwise status is bad


/usr/local/mail/tables/valid.domain is a file which lists the checked domains.
/usr/local/mail/tables/valid is a map which lists valid addresses in these domains.
The right-hand side can be some other token than BAD (for example OK).


/ Kari Hurtta

Andrzej Adam Filip
May 12, 2006, 4:21:42 AM

Nels Lindquist <ne...@maei.ca> writes:

> Andrzej Adam Filip <an...@priv.onet.pl> wrote:
>
>>Nels Lindquist <ne...@maei.ca> writes:
>
>>> [...]
>>> I've seen many references to using virtusertable for defining a list
>>> of valid users on the secondary MX, but I must be missing something,
>>> because try as I might I can't get sendmail to reject the invalid
>>> users.
>>>
>>> I listed all valid users and put a catch-all entry in virtusertable
>>> like so:
>>>
>>> us...@example.org us...@example.org
>>> [...]
>>> use...@example.org use...@example.org
>>> use...@example.org use...@example.org
>>> @example.org ERROR:5.1.1:550 User unknown
>>> [...]
>>
>>Have you added example.org to $={VirtHost} list?
>
> I hadn't done so--it wasn't mentioned on
> http://www.sendmail.org/tips/virtual-hosting.html

I think the document is intended for a different audience.

Virtusertable handles only addresses in local email domains ($=w) and
$={VirtHost} domains.

I suggest you contact the webmaster to suggest improvements in the
document [ http://www.sendmail.org/misc/email-addresses.html ]

> [...]
>
>>*Before* using macros provided by sendmail.org for filling $={VirtHost}
>>read *carefully* about side effects.
>
> I've read the relevant section in cf/README and I wasn't sure what I
> was supposed to use on the RHS of the virtusertable map for valid
> addresses. I started getting a "554 5.0.0 rewrite: excessive
> recursion (max 50), ruleset canonify" error, presumably because the
> RHS is the same as the LHS in my map. The docs don't suggest I can
> use OK or RELAY here, and I'm not actually redirecting the messages to
> a different host--I just want them to be relayed on to the higher
> priority MX.
>
> ** FIXED (posting for future archive searchers) **
> I did some searching and found an earlier post you replied to about
> some undocumented features, and I'm now using "!" which seems to be
> working well. Is that more, less or equally likely to change than
> "define(`_VIRTUSER_STOP_ONE_LEVEL_RECURSION_')"?

Both _VIRTUSER_STOP_ONE_LEVEL_RECURSION_ and "!" in RHS are
*undocumented*. The first seems to be on its way to be officially
included/documented in future releases but it is (already) a *long way*,
the second is a side effect of "implementation detail". *BOTH* may
change between releases without a warning.

I personally slightly prefer "!" RHS, AFAIR Claus (and Per?) recommended
using _VIRTUSER_STOP_ONE_LEVEL_RECURSION_ as more preferred.
[ AFAIR I dug out use of "!" myself :-) ]

> Thanks very much for your help!
>
> Why do so many people make vague mention of this whole setup with a
> vague handwave which amounts to an RTFM?

Because it is (very) *simple after* :-)

Without wide sendmail knowledge it may take many hours to dig it out
oneself (in double digits range).

> Making use of undocumented features doesn't strike me as inherently
> obvious. :-)

Feel free to ask/demand _VIRTUSER_STOP_ONE_LEVEL_RECURSION_ being
officially documented :-)
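
Added example, not part of any post in this thread and not sendmail's own code: a small Python lint that models the three failure modes discussed above (domain missing from $={VirtHost}, identity mappings that recurse, missing catch-all error entry). The function names, the `virt_hosts` set (standing for $=w plus $={VirtHost}) and the sample table are constructed for illustration.

```python
# Simplified model of the behaviour described in this thread, NOT sendmail's
# rule sets. SAMPLE is constructed data using the entry shapes from the thread.
SAMPLE = """\
alice@example.org   alice@example.org
bob@example.org     bob@example.org
@example.org        ERROR:5.1.1:550 User unknown
"""

def parse_table(text):
    """Parse virtusertable source into {lhs: rhs}; LHS is lower-cased."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            lhs, rhs = line.split(None, 1)
            table[lhs.lower()] = rhs.strip()
    return table

def lint(table, virt_hosts):
    """Return warnings for the failure modes raised in the thread."""
    warnings = []
    for dom in sorted({lhs.rsplit("@", 1)[1] for lhs in table}):
        if dom not in virt_hosts:
            warnings.append(f"{dom}: not in $={{VirtHost}}, entries are never consulted")
        if not table.get("@" + dom, "").lower().startswith("error:"):
            warnings.append(f"{dom}: no catch-all error entry, unknown users are relayed")
    for lhs, rhs in sorted(table.items()):
        if not lhs.startswith("@") and rhs.lower() == lhs:
            warnings.append(f"{lhs}: maps to itself, risks 'excessive recursion'")
    return warnings

def decide(rcpt, table, virt_hosts):
    """Model the relay's verdict for one recipient: 'relay' or the error RHS.

    Assumes identity mappings are made safe by one of the workarounds
    discussed in the thread; lint() reports them separately.
    """
    rcpt = rcpt.lower()
    dom = rcpt.rsplit("@", 1)[1]
    if dom not in virt_hosts:
        return "relay"  # table skipped: every recipient in the domain is accepted
    rhs = table.get(rcpt) or table.get("@" + dom)
    if rhs and rhs.lower().startswith("error:"):
        return rhs
    return "relay"
```

With the domain absent from `virt_hosts`, `decide()` relays an unknown recipient, which is the symptom in the original post; adding the domain makes the catch-all entry take effect.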

Tomasz Ostrowski
May 12, 2006, 1:07:19 PM

On Thu, 11 May 2006 11:57:35 -0600, Nels Lindquist wrote:

> I've seen many references to using virtusertable for defining a list
> of valid users on the secondary MX, but I must be missing something,
> because try as I might I can't get sendmail to reject the invalid
> users.

Forget virtusertable and do it in "/etc/mail/access":
To:us...@example.org RELAY
To:us...@example.org RELAY
#...#
To:us...@example.org RELAY
To:example.org error:5.1.1:"550 User unknown"

Add this to "/etc/mail/sendmail.mc":
VIRTUSER_DOMAIN_FILE(`/etc/mail/virtuserdomain')dnl

And create "/etc/mail/virtuserdomain" with a line:
example.org

--
Regards ...although Eating Honey was a very good thing to do,
Tometzky there was a moment just before you began to eat it
which was better than when you were...
Winnie the Pooh

Per Hedeland
May 12, 2006, 2:47:44 PM

In article <slrne69g67.2u8....@batory.org.pl> Tomasz
Ostrowski <tometzk...@prhn.dnsalias.org> writes:
>On Thu, 11 May 2006 11:57:35 -0600, Nels Lindquist wrote:
>
>> I've seen many references to using virtusertable for defining a list
>> of valid users on the secondary MX, but I must be missing something,
>> because try as I might I can't get sendmail to reject the invalid
>> users.
>
>Forget virtusertable and do it in "/etc/mail/access":
> To:us...@example.org RELAY
> To:us...@example.org RELAY
> #...#
> To:us...@example.org RELAY
> To:example.org error:5.1.1:"550 User unknown"

Did you verify that? It sure doesn't work unless you define the
undocumented _RELAY_ENTIRE_DOMAIN_ macro.

>Add this to "/etc/mail/sendmail.mc":
> VIRTUSER_DOMAIN_FILE(`/etc/mail/virtuserdomain')dnl
>
>And create "/etc/mail/virtuserdomain" with a line:
> example.org

Why would you do that if you "forget virtusertable"?

--Per Hedeland
p...@hedeland.org

Per Hedeland
May 12, 2006, 3:06:10 PM

In article <87wtcr8...@anfi.homeunix.net> Andrzej Adam Filip
<an...@priv.onet.pl> writes:
>
>Both _VIRTUSER_STOP_ONE_LEVEL_RECURSION_ and "!" in RHS are
>*undocumented*. The first seems to be on its way to be officially
>included/documented in future releases but it is (already) a *long way*,
>the second is a side effect of "implementation detail". *BOTH* may
>change between releases without a warning.
>
>I personally slightly prefer "!" RHS, AFAIR Claus (and Per?) recommended
>using _VIRTUSER_STOP_ONE_LEVEL_RECURSION_ as more preferred.
>[ AFAIR I dug out use of "!" myself :-) ]

I may have recommended that as the lesser of two evils:-), but my
preferred recommendation would be to use the ldap_routing method (with
LDAP or file map for <mailRoutingAddress>, null map for <mailHost>).
Or maybe _RELAY_ENTIRE_DOMAIN_ and access db. I don't know, they just
feel less hackish to me.

>> Why do so many people make vague mention of this whole setup with a
>> vague handwave which amounts to an RTFM?
>
>Because it is (very) *simple after* :-)

Maybe - I think it's more that a) there isn't an *obviously* right way
to do it, and b) it has been discussed *a lot* in the group - a
dejagoogle search should bring up most of the discussions.

--Per Hedeland
p...@hedeland.org

Andrzej Adam Filip
May 13, 2006, 4:21:45 PM

p...@hedeland.org (Per Hedeland) writes:

> In article <87wtcr8...@anfi.homeunix.net> Andrzej Adam Filip
> <an...@priv.onet.pl> writes:
>>
>>Both _VIRTUSER_STOP_ONE_LEVEL_RECURSION_ and "!" in RHS are
>>*undocumented*. The first seems to be on its way to be officially
>>included/documented in future releases but it is (already) a *long way*,
>>the second is a side effect of "implementation detail". *BOTH* may
>>change between releases without a warning.
>>
>>I personally slightly prefer "!" RHS, AFAIR Claus (and Per?) recommended
>>using _VIRTUSER_STOP_ONE_LEVEL_RECURSION_ as more preferred.
>>[ AFAIR I dug out use of "!" myself :-) ]
>
> I may have recommended that as the lesser of two evils:-), but my
> preferred recommendation would be to use the ldap_routing method (with
> LDAP or file map for <mailRoutingAddress>, null map for <mailHost>).
> Or maybe _RELAY_ENTIRE_DOMAIN_ and access db. I don't know, they just
> feel less hackish to me.

It does not use "undocumented features" but using the feature without
LDAP is "non intuitive" for people without sendmail experience.

>>> Why do so many people make vague mention of this whole setup with a
>>> vague handwave which amounts to an RTFM?
>>
>>Because it is (very) *simple after* :-)
>
> Maybe - I think it's more that a) there isn't an *obviously* right way
> to do it, and b) it has been discussed *a lot* in the group - a
> dejagoogle search should bring up most of the discussions.

I know you and I can easily locate past discussions about the subject but
it will not be easy for less experienced sendmail masters.

Nels Lindquist
May 16, 2006, 1:38:37 PM

p...@hedeland.org (Per Hedeland) wrote:

I did do quite a bit of google/newsgroup searching before I posted,
but it seems that when you approach the search from the perspective of
"here's conceptually what I want to do" rather than "here's the
specific method I want to implement" you tend not to choose keywords
which elicit a useful answer. :-) Instead, you get a whole bunch of
responses which mention virtusertable and point to the documentation
at http://www.sendmail.org, which is demonstrably inadequate for
solving the problem at hand.

----
Nels Lindquist
