Per User Relaying

James Gray james_gray at OCS.COM
Thu Jun 17 04:06:11 IST 2004


Lance wrote:
> Hi Folks,
>
> I know this isn't the best place for this question, but I'm banging my head
> against the wall.
>
> We use MailScanner + SpamAssassin and I'm still trying to switch one of our
> problem domains over (200+ spams inbound per minute).
>
> What I'm trying to do is use sendmail to reject unknown users - so I've
> populated /etc/mail/access with:
>
> To:validuser at somedomain.com             RELAY
> To:validuser2 at somedomain.com            RELAY
> Etc.....
>
> Then I've added:
>
> To:somedomain.com                       ERROR:"User Unknown"
>
> I found this on a number of sites, so I thought it would work, but no luck
> so far.
>
> The error I get is: PERM_FAILURE: SMTP Error (state 9): 550 5.7.1
> <validuser at somedomain.com>... Relaying denied
>
> So it's not hitting the Unknown User (which gets lots of hits) but for some
> reason is getting denied.
>
> Any thoughts?

Hi Lance,

I'm doing a similar thing for my employer.  We even have a few scripts
that pull all the addresses out of Active Directory, copy them to our
mail gateway, then the gateway picks up the address list and remakes the
/etc/mail/access.db before HUP-ing all the sendmail processes.  Works
well :)

Here are the sanitized config files from our /etc/mail directory; I've added
any explanatory comments below each file (BACKUP your existing
/etc/mail directory BEFORE you touch anything!!!):

*** /etc/mail/sendmail.mc ***
divert(0)
VERSIONID(`$FreeBSD: src/etc/sendmail/freebsd.mc,v 1.10.2.16 2002/05/22
            16:39:14 gshapiro Exp $')
OSTYPE(freebsd4)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confMAX_MIME_HEADER_LENGTH', `256/128')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
*** END ***

VERSIONID() should all be on the same line - I manually indented it for
clarity ONLY because it wraps.

*** /etc/mail/mailertable ***
somedomain.com          smtp:[10.0.0.25]
otherdomain.com         smtp:[10.0.0.25]
snafu.com               smtp:[10.0.0.25]
.foolocal.com           local:
*** END ***

10.0.0.25 is the IP of our Exchange server
.foolocal.com is a domain that is handled by a local (same host) IMAP
server.  In other words, our MailScanner box also runs an IMAP server
for one domain.  This domain is NOT forwarded to the exchange server.

*** /etc/mail/virtusertable ***
root at ocsmalog.ocs.com
        root at anothermachine.somedomain.com       validaccount at somedomain.com
departed_admin at somedomain.com            current_admin at somedomain.com
*** END ***

*** /etc/mail/relay-domains ***
somedomain.com
otherdomain.com
snafu.com
foolocal.com
*** END ***

*** /etc/mail/access ***
To:valid_user01 at somedomain.com         RELAY
To:valid_user02 at somedomain.com         RELAY
To:departed_admin at somedomain.com       RELAY
To:root at anothermachine.somedomain.com  RELAY
To:valid_user03 at otherdomain.com        RELAY
To:local_user at foolocal.com             RELAY
To:somedomain.com                      ERROR:"User Unknown"
To:otherdomain.com                     ERROR:"User Unknown"
To:foolocal.com                        ERROR:"User Unknown"
spammer.com                            550 Blocked for spamming
blackhole.com                          550 Blocked because you smell
*** END ***

The access file needs all valid addresses for any domain you add a
"To:foo.com  ERROR:..." entry for, otherwise users won't get mail.  Any
domains you leave out of the list will simply relay everything through.
Notice there's a "snafu.com" domain in relay-domains and mailertable,
but NOT in access?  This means the box will relay ANYTHING addressed to
"snafu.com" and do NO user validation.

I threw in a few black-hole type lines at the end just to show you
it's possible :)  Might be handy when one particular domain decides
you're a good candidate for several thousand messages!

Once you've created the files, create the hashes and restart sendmail.
That should be all that's required.  I can't think of anything else I
did to our gateway to get all this working....but it was a while ago.

Cheers,

James

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
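As an added example (not James's own AD export scripts), a small Python script that builds the access file in the layout above from a constructed address list and then audits relay-domains for the gap he points out: a domain listed in relay-domains and mailertable with no "To:domain ERROR" rule, which relays everything for that domain with no user validation. The address and domain lists are constructed sample data; the makemap command in the trailing comment is sendmail's standard map rebuild.

```python
"""Regenerate /etc/mail/access from a recipient list and audit relay-domains.

Added example, not James's own scripts. Layout follows his access file:
one "To:user@domain RELAY" line per valid mailbox, then a "To:domain
ERROR:..." catch-all for each domain whose full address list we hold, so
unknown recipients are refused at RCPT TO instead of being relayed on.
"""
from typing import Iterable, List

# Constructed sample data standing in for the Active Directory export.
VALID_ADDRESSES = [
    "valid_user01@somedomain.com",
    "valid_user02@somedomain.com",
    "valid_user03@otherdomain.com",
    "local_user@foolocal.com",
]
# Mirrors the post's /etc/mail/relay-domains, snafu.com included.
RELAY_DOMAINS = ["somedomain.com", "otherdomain.com", "snafu.com", "foolocal.com"]


def build_access(addresses: Iterable[str]) -> str:
    """Return access-file text. Only domains present in the address list get
    an ERROR catch-all: adding one for a domain without its user list would
    bounce every mailbox in that domain."""
    addrs = sorted({a.strip().lower() for a in addresses if "@" in a})
    domains = sorted({a.split("@", 1)[1] for a in addrs})
    lines = ["To:%-45s RELAY" % a for a in addrs]
    lines += ['To:%-45s ERROR:"User Unknown"' % d for d in domains]
    return "\n".join(lines) + "\n"


def unprotected_domains(relay_domains: Iterable[str], access_text: str) -> List[str]:
    """Return relay-domains entries with no To:<domain> ERROR rule. Mail for
    those domains is relayed with no user validation at all."""
    protected = set()
    for line in access_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("To:") and parts[1].startswith("ERROR:"):
            protected.add(parts[0][3:].lower())
    return [d for d in relay_domains if d.lower() not in protected]


if __name__ == "__main__":
    access = build_access(VALID_ADDRESSES)
    print(access, end="")
    for d in unprotected_domains(RELAY_DOMAINS, access):
        print("WARNING: %s will relay without user validation" % d)
    # On the gateway: write `access` to /etc/mail/access, rebuild the map with
    # "makemap hash /etc/mail/access < /etc/mail/access", then restart sendmail.
```

Run against the sample data it flags snafu.com, exactly the domain James left out of access on purpose.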
