Per User Relaying

Alex Neuman alex at nkpanama.com
Thu Jun 17 15:12:40 IST 2004


Quick question, to verify if I got it right before I implement it:

If I don't want to use LDAP, I can always:

1. add...

domain.com

... to the list of domains at /etc/mail/local-host-names

2. add...

user1@domain.com OK
user2@domain.com OK
user3@domain.com OK
domain.com 550 User unknown

... to /etc/mail/access, make -C /etc/mail, killall -HUP sendmail

This way, for a small setup (10-20 users), I can divert mail
post-mailscanner to an internal server running any MTA, while stopping mail
for users that don't exist.

Would this (at least in theory) work?

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Stephen Swaney
Sent: Thursday, June 17, 2004 8:35 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: Per User Relaying

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of James Gray
> Sent: Wednesday, June 16, 2004 11:06 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Per User Relaying
>
> Lance wrote:
> > Hi Folks,
> >
> > I know this isn't the best place for this question, but I'm banging my
> > head against the wall.
> >
> > We use MailScanner + SpamAssassin and I'm still trying to switch one of
> > our problem domains over (200+ spams inbound per minute).
> >
> > What I'm trying to do is use sendmail to reject unknown users

If you are using sendmail, try the method well described by Kevin Spicer at:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/270.html

We have successfully used this method to block email for unknown users at
the gateways of many sites with various types of backend mail hubs, i.e.
Exchange, Domino, POP & IMAP.

All you need to do is:

1. Modify sendmail as described in the URL

2. Create the /etc/mail/mailhost file in the form:

user@domain1.com                mail.domain1.com
user2@domain1.com               mail.domain1.com
user@domain2.com                mail.domain2.com
user2@domain2.com               mail.domain2.com

This file can be created any way you are able to:

        Using scripts that create a list from password and aliases files
        on the mail hub.

        LDAP queries against MS Active Directory servers

        LDAP queries against Domino servers

        By hand

For example, one site has about 400 users with forty domains and they didn't
know which users are valid users at which domains. We simply created the
mailhost map on the gateway by running a script (ssh with keychains) on the
mailhub that:

1. Gets the information needed from the password and aliases file on the
mailhub.

2. Gets a list of the valid domains from the local-host-names file on the
gateway

3. Excludes "system users" (bin, apache, etc) from the user list

4. Builds the mailhost file with entries for each user for every domain.
(they are all "valid email addresses" on the mail hub)

5. Runs `make -C /etc/mail` to rebuild the mailhost.db file

6. Then rsyncs (again, rsync over ssh using keychains) the file to the
second gateway.

The whole thing runs from a cron job and they are quite pleased with the
results. While the map is quite large, it's still very quick and works
perfectly.

5. The only thing that might be added to the directions in the URL is to
modify /etc/mail/Makefile to make the mailhost.db file

Since this question keeps popping up about once a week, I'll work with Ugo
to put this into the MAQ.

As an aside, at one site where we are keeping statistics, blocking unknown
users at the gateway has cut down traffic on the Exchange server by over
25%.

Steve

Stephen Swaney
President
Fortress Systems Ltd.
Steve.Swaney at FSL.com


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Fortress Systems Ltd.
www.fsl.com

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html

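The map build described in steps 1 to 4 of the quoted message, sketched as an added example; it is not the script from the post or from any site it mentions. The UID cutoff for "system users", the hub name, the refusal to install an empty map and all sample data are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the poster's script. MIN_UID, the hub name and the sample
# data below are assumptions constructed for illustration.
MIN_UID=${MIN_UID:-500}

# build_mailhost PASSWD ALIASES DOMAINS HUB: print "user@domain<TAB>hub" lines.
build_mailhost() {
    {
        # Accounts at or above MIN_UID only, which drops bin, apache, etc.
        awk -F: -v min="$MIN_UID" '$3 >= min && $1 != "nobody" { print $1 }' "$1"
        # Alias names: "name:" at line start; skips comments and continuations.
        awk -F: '/^[A-Za-z0-9._-]+[ \t]*:/ { sub(/[ \t]+$/, "", $1); print $1 }' "$2"
    } | tr 'A-Z' 'a-z' | sort -u | while read -r user; do
        # One entry per user for every domain the gateway accepts.
        grep -Ev '^[[:space:]]*(#|$)' "$3" | while read -r domain; do
            printf '%s@%s\t%s\n' "$user" "$domain" "$4"
        done
    done
}

# install_map NEW DEST: an empty map would make every recipient "unknown",
# so refuse it; NEW must be on DEST's filesystem for mv to be atomic.
install_map() {
    [ -s "$1" ] || { echo "empty map, keeping old $2" >&2; return 1; }
    mv -f "$1" "$2"
}

# Constructed sample input.
work=$(mktemp -d)
cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:501:501::/home/alice:/bin/sh
bob:x:502:502::/home/bob:/bin/sh
EOF
cat > "$work/aliases" <<'EOF'
# constructed aliases
postmaster: alice
sales: alice,
    bob
EOF
printf 'domain1.com\ndomain2.com\n' > "$work/local-host-names"

build_mailhost "$work/passwd" "$work/aliases" "$work/local-host-names" \
    mail.domain1.com > "$work/mailhost.new"
install_map "$work/mailhost.new" "$work/mailhost" && cat "$work/mailhost"
```

When the input comes from a failed ssh or LDAP fetch the generated file is empty, so `install_map` leaves the previous map in place instead of turning every address into an unknown user.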


