
How to close a sendmail relay, and more



Hi,

I thought I'd post this to debian-user, since Anthony thought this was
worth sharing.  I've deleted the attachment with the HACKs in it -- you
can find this at http://www.informatik.uni-kiel.de/~ca/email/check.html

The message details how to implement relay controls and use of the MAPS
RBL on a bo system with sendmail. hamm sendmail already has the HACKs
installed, so you can skip that step (although I'm not sure how recent the
HACKs in bo sendmail are, so you may need to do it anyway. I used the ones
from Dec. 19) 

If people think it's worthwhile, I'll turn it into a HOWTO, or organize
something with Mr Assman, since his docs are a little cryptic.  It
probably needs to be consolidated into an Antispam-HOWTO with details of
how to stop relaying and prevent incoming UCE for all MTAs packaged for
Debian, as well as some pointers for use of procmail for spam control.
Closing relays is my #1 priority, however. Please contact me if you're
interested in putting something like this together.

Thomas.

---------- Forwarded message ----------
From: Thomas Lakofski <tommy@88.net>
To: Anthony Landreneau <landrena@adam.idsno.com>
Date: Mon, 29 Dec 1997 13:48:31 -0500 (EST)
Subject: Re: sendmail relay against spam on debian

Anthony-

Try the following procedure.  It may seem like a lot, but go step by step
and you should be OK.  Send me mail if you have a problem, or try 'talk
tommy@88.net' for a speedier method of communication.

No, I don't counsel updating to hamm for this one feature, especially if
it's a production machine (I was running hamm until, for reasons unknown,
the system froze, causing my watchdog daemon to reboot the machine,
resulting unfortunately in spectacular filesystem damage. I'm running bo
until at least debian 2.0.2 or so... ;)

OK -- I guess I'll do this step by step. I'll attach relevant files to
this message and refer to them.

1- Install the HACKS:
 (as root)
 zcat check.tar.gz | tar xvf -     # in some temporary folder...
 cd hack
 cp * /usr/lib/sendmail.cf/hack/

if you now cd /usr/lib/sendmail.cf/hack/ , you should see:

root@oi:/usr/lib/sendmail.cf/hack$ ls
check_mail.m4      check_rcpt.m4      check_relay.m4     use_names.m4
check_mail2.m4     check_rcpt2.m4     check_relay3.m4    use_relayto.m4
check_mail3.m4     check_rcpt3.m4     spamdoms.m4
check_mail_exp.m4  check_rcpt4.m4     spammers.m4
check_rcpt-t.m4    check_rcpt5.m4     use_ip.m4

(well, your prompt will be different)

2- Configure sendmail to use them...
 (as root)
 First, backup your existing /etc/mail/sendmail.mc with something like 'cp
 /etc/mail/sendmail.mc /etc/mail/sendmail.mc.backup', in case something
 goes wrong.

 Then, in a temporary location, ungzip the mailconfig.tar.gz file:
 zcat mailconfig.tar.gz | tar xvf -
 cd mailconfig
 ls -- should give you:

root@oi:~/mailconfig# ls
LocalIP      LocalNames   RelayTo      junk.db      sendmail.mc

These files are all destined for /etc/mail/

Do not just copy them all over, however, since you'll overwrite your
current sendmail.mc . You will probably only want to include some of the
items in my sendmail.mc in your /etc/mail/sendmail.mc -- so open both of
them at once and compare them, while referring to the rest of this email.
I'll actually just include some of the file in this mail and describe what
they do, so you can decide whether you want to include them or not.

There are more things in my sendmail.mc happening than just use of the
HACKs -- I also define procmail as my default local mailer (so biff(1) 
instant mail notification works, as well as procmail recipes to sort mail
into folders), as well as using smrsh to restrict sendmail's access to
programs on my system I have explicitly given it access to (something you
should consider implementing for enhanced security -- if you do, put
symlinks to programs you want sendmail to have access to in
/usr/lib/sm.bin/ )

Here's the sendmail.mc file, with my annotations:

[copyright deleted]

divert(0)
VERSIONID(`@(#)sendmail.mc	8.7 (Linux) 3/5/96')
OSTYPE(debian)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(redirect)dnl
FEATURE(nouucp)dnl
# up to this point your file should be exactly the same.

# Put this next line in if you want to use the sendmail restricted shell,
# as described above.
FEATURE(smrsh, `/usr/sbin/smrsh')dnl

# Put the next two lines in if you want to use procmail as your local MDA
FEATURE(local_procmail, /usr/bin/procmail)dnl
define(`LOCAL_MAILER_ARGS', `procmail -Y -d $u')dnl

# The next 2 lines should be the same in your setup.
MAILER(local)dnl
MAILER(smtp)dnl

# The next two lines will be different in your setup -- leave them as they
# are in your /etc/mail/sendmail.mc
Cw88.net
MASQUERADE_AS(88.net)dnl


# OK, here come the HACKs

## Custom configurations below (will be preserved)

# The next two lines cause mail with an unresolvable name destined to your
# domain to bounce with a transient failure (421).  This is dangerous,
# because some valid mail may have this problem.  Use it with caution, but
# it does eliminate some incoming spam.
define(`_IP_LOOKUP_',1)dnl
define(`_DNSVALID_',1)dnl

# The next line enables use of the MAPS RBL (Realtime blackhole list),
# which is maintained by Paul Vixie.  The MAPS RBL is a listing of IP
# addresses of known spammers and spam-friendly sites.  Incoming mail from
# IP addresses listed in the MAPS RBL will bounce with a permanent
# failure, and an explanation of why.  You can get more information at
# http://maps.vix.com/rbl/

define(`_MAPS_RBL_',1)dnl

# The next five lines you should include
# The first 4 do the relay checking
HACK(use_ip)
HACK(use_names)
HACK(use_relayto)
HACK(check_rcpt4)

# This last one does the MAPS RBL stuff. It can also block known spammers
#(that you know) in the database /etc/mail/junk.db . I've included a blank
#database in the mailconfig.tar.gz file -- why use a blank database? I
#don't bother to maintain such a thing (and there's little point, since
#most spam has invalid and random MAIL FROM: envelope info anyway), and
#rely on the MAPS RBL anyway. The HACK just expects a database, so I give
#it an empty one. 

HACK(check_mail2,`hash /etc/mail/junk.db')

(Note: the format of the database file will change when you upgrade to
hamm when it becomes stable -- I didn't bother to recompile the HACKs to
use the debian standard database format, but the sendmail maintainer did.
Just a heads-up for when this occurs...)

OK, now the last step is to allow people to relay who should have the
privilege.  This is done by IP address or hostname:

/etc/mail/LocalIP
contains IP addresses of the form:
a.b.c.d
a.b.c
a.b
a

i.e., to allow a class B 129.133.0.0 access, include the line:
129.133
or for a class C 204.242.85.0:
204.242.85

Don't forget to leave 127.0.0.1 in there! ;)
You should also leave the IP address(es) of the localhost in there too
(i.e., for my machine, I have 209.109.31.9 and 209.109.31.10 -- two IP
addresses of my host) otherwise some things won't work.
This is useful if you have contiguous netblocks to grant access...
otherwise, try:

/etc/mail/LocalNames
if you have reverse name resolution set up for your subdomain hosts (i.e.,
your host can resolve a name from their IP address), then include domains
that should be able to relay in this file, one per line.

There's also another file /etc/mail/RelayTo , in which you can put host IP
addresses (I think -- I've never used it) which your machine will always
relay to, no matter where the mail came from. I think this is needed in
mailhub-type configurations, where the host receives mail destined for
other hosts and forwards it.

OK -- almost there. With all this done, you now run 'sendmailconfig' as
root. Answer 'Y' to the question "Configure sendmail with the existing
/etc/mail/sendmail.mc? [Y]", say yes again to "Reload the running sendmail
now with the new configuration? [Y]" and then try sending some mail to see
if everything's in order. If it's not, move the /etc/mail/sendmail.mc to
/etc/mail/sendmail.mc.new and restore /etc/mail/sendmail.mc.backup to
/etc/mail/sendmail.mc, and rerun sendmailconfig to restore your original
configuration.

If it works, now try checking to see if relaying is allowed through the
box at this URL: http://maps.vix.com/tsi/ar-test.html

Phew, that was quite a marathon, but I think I might wrap it up into
some kind of a HOWTO document for using the HACKs, since the documentation
it comes with is pretty cryptic. ;)

Tell me how it goes,

Thomas Lakofski.



On Mon, 29 Dec 1997, Anthony Landreneau wrote:

> From: Anthony Landreneau <landrena@adam.idsno.com>
> To: Thomas Lakofski <tommy@88.net>
> Date: Mon, 29 Dec 1997 11:21:07 -0600
> Subject: Re: sendmail relay against spam on debian
> 
> Debian version 1.3. Right now I am running from bo, but if it is easier I
> can download the updated software.
> 
> Anthony
> 
> 
> >OK, first off, what version of Debian are you running? bo or hamm? hamm
> >has the hacks already added to sendmail, so it'll only take a little
> >configuration.  If you're running bo, you'll have to download a file and
> >extract it, then do the configuration. I'll detail the next steps when you
> >give me the answer to this question...
> >
> >> Greetings Thomas,
> >> 	Any help that you would be willing to offer would be appreciated.  Right
> >> now sendmail is off, as in not running.  I looked into HACKs but for some
> >> reason it wasn't making a whole lot of sense to me.  If you could shed some
> >> light, I will be in your debt!  (c:
> >> 
> >> 
> >> >
> >> >I have my box set up with Claus Assman's HACKs for using the check_*
> >> >features in sendmail 8.8.x -- what tool did you use to disable relaying?
> >> >If you're using the tools I am, I should be able to give you a few
> >> >pointers, as well as some hints for overcoming the problem of incoming
> >> >spam as well as relaying issues.
> >> 
> >> >> Greetings,
> >> >> 	I have two Debian boxes that sit on my Network.  The network is host to
> >> >> about 100 domains.  Along with acting as the DNS for the network, the two
> >> >> boxes also act as MX relay for all of the domains.  The problem is someone
> >> >> out there found my boxes and used them to dump spam.
> >> >> 	Have disabled the relay feature, but this is causing problems for my
> >> >> domain users.  I would like to reinstate this feature, but want to limit
> >> >> who these boxes sendmail to.  I want to be able to relay mail to all of my
> >> >> domains, but not to relay mail to anyone else.  But I do wish to accept
> >> >> mail from the universe, to relay to my domains.
> >> >> 	I have read the information about configuring sendmail, spam and all that
> >> >> other stuff.  I must say that my head is spinning.  Has anyone else out
> >> >> there resolved this problem, and would be willing to hold my hand while I
> >> >> institute it on my two debian boxes?  Thanks,
> >> >> 

Attachment: mailconfig.tar.gz
Description: sendmail config files

