[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

How to close a sendmail relay, and more


I thought I'd post this to debian-user, since Anthony thought this was
worth sharing.  I've deleted the attachment with the HACKs in it -- you
can find this at http://www.informatik.uni-kiel.de/~ca/email/check.html

The message details how to implement relay controls and use of the MAPS
RBL on a bo system with sendmail. hamm sendmail already has the HACKs
installed, so you can skip that step (although I'm not sure how recent the
HACKs in bo sendmail are, so you may need to do it anyway. I used the ones
from Dec. 19) 

If people think it's worthwhile, I'll turn it into a HOWTO, or organize
something with Mr Assman, since his docs are a little cryptic.  It
probably needs to be consolidated into an Antispam-HOWTO with details of
how to stop relaying and prevent incoming UCE for all MTAs packaged for
Debian, as well as some pointers for use of procmail for spam control.
Closing relays is my #1 priority, however. Please contact me if you're
interested in putting something like this together.


---------- Forwarded message ----------
From: Thomas Lakofski <tommy@88.net>
To: Anthony Landreneau <landrena@adam.idsno.com>
Date: Mon, 29 Dec 1997 13:48:31 -0500 (EST)
Subject: Re: sendmail relay against spam on debian


Try the following procedure.  It may seem like a lot, but go step by step
and you should be OK.  Send me mail if you have a problem, or try 'talk
tommy@88.net' for a speedier method of communication.

No, I don't counsel updating to hamm for this one feature, especially if
it's a production machine (I was running hamm until, for reasons unknown,
the system froze, causing my watchdog daemon to reboot the machine,
resulting unfortunately in spectacular filesystem damage. I'm running bo
until at least debian 2.0.2 or so... ;)

OK -- I guess I'll do this step by step. I'll attach relevant files to
this message and refer to them.

1- Install the HACKS:
 (as root)
 zcat check.tar.gz | tar xvf -     # in some temporary folder...
 cd hack
 cp * /usr/lib/sendmail.cf/hack/

if you now cd /usr/lib/sendmail.cf/hack/ , you should see:

root@oi:/usr/lib/sendmail.cf/hack$ ls
check_mail.m4      check_rcpt.m4      check_relay.m4     use_names.m4
check_mail2.m4     check_rcpt2.m4     check_relay3.m4    use_relayto.m4
check_mail3.m4     check_rcpt3.m4     spamdoms.m4
check_mail_exp.m4  check_rcpt4.m4     spammers.m4
check_rcpt-t.m4    check_rcpt5.m4     use_ip.m4

(well, your prompt will be different)

2- Configure sendmail to use them...
 (as root)
 First, backup your existing /etc/mail/sendmail.mc with something like 'cp
 /etc/mail/sendmail.mc /etc/mail/sendmail.mc.backup', in case something
 goes wrong.

 Then, in a temporary location, ungzip the mailconfig.tar.gz file:
 zcat mailconfig.tar.gz | tar xvf -
 cd mailconfig
 ls -- should give you:

root@oi:~/mailconfig# ls
LocalIP      LocalNames   RelayTo      junk.db      sendmail.mc

These files are all destined for /etc/mail/

Do not just copy them all over, however, since you'll overwrite your
current sendmail.mc . You will probably only want to include some of the
items in my sendmail.mc in your /etc/mail/sendmail.mc -- so open both of
them at once and compare them, while referring to the rest of this email.
I'll actually just include some of the file in this mail and describe what
they do, so you can decide whether you want to include them or not.

There are more things in my sendmail.mc happening than just use of the
HACKs -- I also define procmail as my default local mailer (so biff(1) 
instant mail notification works, as well as procmail recipies to sort mail
into folders), as well as using smrsh to restrict sendmail's access to
programs on my system I have explicitly given it access to (something you
should consider implementing for enhanced security -- if you do, put
symlinks to programs you want sendmail to have access to in
/usr/lib/sm.bin/ )

Here's the sendmail.mc file, with my annotations:

[copyright deleted]

VERSIONID(`@(#)sendmail.mc	8.7 (Linux) 3/5/96')
# up to this point your file should be exactly the same.

# Put this next line in if you want to use the sendmail restricted shell,
# as described above.
FEATURE(smrsh, `/usr/sbin/smrsh')dnl

# Put the next two lines in if you want to use procmail as your local MDA
FEATURE(local_procmail, /usr/bin/procmail)dnl
define(`LOCAL_MAILER_ARGS', `procmail -Y -d $u')dnl

# The next 2 lines should be the same in your setup.

# The next two lines will be different in your setup -- leave them as they
# are in your /etc/mail/sendmail.mc

# OK, here come the HACKs

## Custom configurations below (will be preserved)

# The next two lines cause mail with an unresolvable name destined to your
# domain to bounce with a transient failure (421).  This is dangerous,
# because some valid mail may have this problem.  Use it with caution, but
# it does eliminate some incoming spam.

# The next line enables use of the MAPS RBL (Realtime blackhole list),
# which is maintained by Paul Vixie.  The MAPS RBL is a listing of IP
# addresses of known spammers and spam-friendly sites.  Incoming mail from
# IP addresses listed in the MAPS RBL will bounce with a permanent
# failure, and an explanation of why.  You can get more information at
# http://maps.vix.com/rbl/


# The next five lines you should include
# The first 4 do the relay checking

# This last one does the MAPS RBL stuff. It can also block known spammers
#(that you know) in the database /etc/mail/junk.db . I've included a blank
#database in the mailconfig.tar.gz file -- why use a blank database? I
#don't bother to maintain such a thing (and there's little point, since
#most spam has invalid and random MAIL FROM: envelope info anyway), and
#rely on the MAPS RBL anyway. The HACK just expects a database, so I give
#it an empty one. 

HACK(check_mail2,`hash /etc/mail/junk.db')

(Note: the format of the database file will change when you upgrade to
hamm when it becomes stable -- I didn't bother to recompile the HACKs to
use the debian standard database format, but the sendmail maintainer did.
Just a heads-up for when this occurs...)

OK, now the last step is to allow people to relay who should have the
privilige.  This is done by IP address or hostname:

contains IP addresses of the form:

ie, to allow a class b access, include the line:
or for a class c

Don't forget to leave in there! ;)
You should also leave the IP address(es) of the localhost in there too
(ie, for my machine, I have and -- two IP
addresses of my host) otherwise some things won't work.
This is useful if you have contiguous netblocks to grant access...
otherwise, try:

if you have reverse name resolution set up for your subdomain hosts (ie,
your host can resolve a name from their IP address), then include domains
that should be able to relay in this file, one per line.

There's also another file /etc/mail/RelayTo , in which you can put host IP
addresses (I think -- I've never used it) which your machine will always
relay to, no matter where the mail came from. I think this is needed in
mailhub-type configurations, where the host receives mail destined for
other hosts and forwards it.

OK -- almost there. With all this done, you now run 'sendmailconfig' as
root. Answer 'Y' to the question "Configure sendmail with the existing
/etc/mail/sendmail.mc? [Y]", say yes again to "Reload the running sendmail
now with the new configuration? [Y]" and then try sending some mail to see
if everything's in order. If it's not, move the /etc/mail/sendmail.mc to
/etc/mail/sendmail.mc.new and restore /etc/mail/sendmail.backup to
/etc/mail/sendmail.mc, and rerun sendmailconfig to restore your original

If it works, now try checking to see if relaying is allowed through the
box at this URL: http://maps.vix.com/tsi/ar-test.html

Phew, that was quite a marathon, but I think I might wrap it up into
somekind of a HOWTO document for using the HACKs, since the documentation
it comes with is pretty cryptic. ;)

Tell me how it goes,

Thomas Lakofski.

On Mon, 29 Dec 1997, Anthony Landreneau wrote:

> From: Anthony Landreneau <landrena@adam.idsno.com>
> To: Thomas Lakofski <tommy@88.net>
> Date: Mon, 29 Dec 1997 11:21:07 -0600
> Subject: Re: sendmail relay against spam on debian
> Debian version 1.3. Right now I am running from bo, but if it is easier I
> can download the updated software.
> Anthony
> >OK, first off, what version of Debian are you running? bo or hamm? hamm
> >has the hacks already added to sendmail, so it'll only take a little
> >configuration.  If you're running bo, you'll have to download a file and
> >extract it, then do the configuration. I'll detail the next steps when you
> >give me the answer to this question...
> >
> >> Greetings Thomas,
> >> 	Any help that you would be willing to offer would be appreciated.  Right
> >> now sendmail is off, as in not running.  I looked into HACKs but for some
> >> reason it wasn't making a whole lot of sense to me.  If you could shed some
> >> light, I will be in your debt!  (c:
> >> 
> >> 
> >> >
> >> >I have my box set up with Claus Assman's HACKs for using the check_*
> >> >features in sendmail 8.8.x -- what tool did you use to disable relaying?
> >> >If you're using the tools I am, I should be able to give you a few
> >> >pointers, as well as some hints for overcoming the problem of incoming
> >> >spam as well as relaying issues.
> >> 
> >> >> Greetings,
> >> >> 	I have two Debian boxes that sit on my Network.  The network is host to
> >> >> about 100 domains.  Along with acting as the DNS for the network, the
> two
> >> >> boxes also act as MX relay for all of the domains.  The problem is
> someone
> >> >> out there found my boxes and used them to dump spam.
> >> >> 	Have disabled the  relay feature, but this is causing problems for my
> >> >> domain users.  I would like to reinstate this feature, but want to limit
> >> >> who these boxes sendmail to.  I want to me able to relay mail to all
> of my
> >> >> domains, but not to relay mail to anyone else.  But I do wish to accept
> >> >> mail from the universe, to relay to my domains.
> >> >> 	I have read the information about configuring sendmail, spam and all
> that
> >> >> other stuff.  I must say that my head is spinning.  Has anyone else out
> >> >> there resolved this problem, and would be willing to hold my hand
> while I
> >> >> institute it on my two debian boxes?  Thanks,
> >> >> 

Attachment: mailconfig.tar.gz
Description: sendmail config files

Reply to: