Configuring sendmail to drop invalid users
Pentland G.
G.Pentland at SOTON.AC.UK
Tue Sep 28 09:58:40 IST 2004
I may be slightly off the mark here but...
In the ruleset SLocal_check_rcpt you need something like...
R$*	$: $>3 $1
R$* < @ $=w . > $*	$@ $>user_unknown $1	# Is in @ class=w do passwd lookup
Suser_unknown
R$*	$: $>3 $1
R$* <@ $+ > $*	$: $1	# Discard host part of address
R$+	$: $(diskalias $1 $: $1 $)	# call diskalias for stuff with a . in
R$+ @ $*	$: $>check_rcpt $1 @ $2 .	# If diskalias returns a full email address, jump through loop again
RRELAY	$#RELAY
R$+	$: $(usermap $1 $: notfound $)	# call passwd lookup for what's left
Rnotfound	$#error $@ 5.1.3 $: "User does not exist at this site"
Where usermap is a file with all of your users in...
Kusermap hash -T<TMPF> /etc/mail/usermap
and diskalias can be replaced with NIS etc. alias maps...
This will not accept and hence not queue mails eg...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mailscan1.iss.soton.ac.uk ESMTP Sendmail 8.12.10/8.12.10; Tue, 28 Sep 2004 09:54:24 +0100
ehlo local
250-mailscan1.iss.soton.ac.uk Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250-DSN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
mail from:postmaster at soton.ac.uk
250 2.1.0 postmaster at soton.ac.uk... Sender ok
rcpt to:fake_bloke at soton.ac.uk
553 5.3.0 fake_bloke at soton.ac.uk... User does not exist at this site
Then a script like...
#!/bin/sh
# Rebuild /etc/mail/usermap from the NIS passwd map, then move it into place.
UNIQID=tmp.$$
# One "user<TAB>user" line per account.
ypcat passwd | awk -F: '{print $1"\t"$1}' > /etc/mail/usermap.${UNIQID} 2>/dev/null
# Only continue if the dump produced something.
if [ -s /etc/mail/usermap.${UNIQID} ] ; then
cp /etc/mail/usermap.${UNIQID} /etc/mail/generatingusermap
(cd /etc/mail && makemap -C /etc/mail/sendmail.cf hash generatingusermap < generatingusermap)
# mv the finished files over the live ones.
mv /etc/mail/generatingusermap.db /etc/mail/usermap.db
mv /etc/mail/generatingusermap /etc/mail/usermap
fi
rm -f /etc/mail/usermap.${UNIQID}
Which is a bit clunky so can probably be improved... but does mv files
into place rather than making them in place so sendmail has a far
smaller time where the file is not there (or complete).
This is a simplified version of what we use here but do remember to test
this thoroughly before you use it! I haven't checked this will work!
Hope that is of some use.
Gary
kfliong wrote:
> Hi all,
>
> As you know, I was having a "joe-job" attack yesterday. I have since
> fixed it by adding the script provided by Steve to sendmail.cf file.
>
> I now want to refine script by allowing only mails sent to valid
> users. Those mails sent to invalid users currently go to catchall
> account. And I have configured catchall to go to /dev/null. But this
> is not good enough as these mails are still kept in queues and then
> processed by mailscanner. Is there a way to drop these mails directly
> from MTA level?
>
> I have looked in the link in mailscanner.info that teaches how to
> check for valid users but that uses windows active directory users. I
> am using ensim pro on the same box with sendmail. Any solution to
> this?
>
> Thanks in advance.
>
> ------------------------ MailScanner list ------------------------ To
> unsubscribe, email jiscmail at jiscmail.ac.uk with the words: 'leave
> mailscanner' in the body of the email. Before posting, read the MAQ
> (http://www.mailscanner.biz/maq/) and the archives
> (http://www.jiscmail.ac.uk/lists/mailscanner.html).
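Because the `notfound` rule in the message above rejects every recipient the usermap does not contain, a truncated dump would turn into 5.1.3 rejections for valid users. The following is an added example, not part of the original post: a pre-install check for the generated map, where the function name `usermap_check`, its exit codes and the shrink threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a freshly
# generated usermap before it replaces the live one.
#
# usermap_check NEW OLD MAX_DROP_PCT [REQUIRED_USER...]
#   returns 0 if NEW looks safe to install, otherwise:
#   1 = empty/missing, 2 = malformed lines, 3 = required user absent,
#   4 = shrank by more than MAX_DROP_PCT percent compared with OLD
usermap_check() {
    new=$1; old=$2; max_drop=$3; shift 3

    # An empty map would make the notfound rule reject everybody.
    [ -s "$new" ] || { echo "reject: $new is empty or missing" >&2; return 1; }

    # Every line must be exactly key<TAB>value with both fields non-empty.
    bad=$(awk -F'\t' 'NF != 2 || $1 == "" || $2 == "" { n++ } END { print n + 0 }' "$new")
    [ "$bad" -eq 0 ] || { echo "reject: $bad malformed line(s)" >&2; return 2; }

    # Accounts that must always be deliverable (e.g. postmaster).
    for key in "$@"; do
        awk -F'\t' -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$new" \
            || { echo "reject: required user '$key' missing" >&2; return 3; }
    done

    # A sharp drop against the live map suggests a partial directory dump.
    if [ -s "$old" ]; then
        new_n=$(awk 'END { print NR }' "$new")
        old_n=$(awk 'END { print NR }' "$old")
        if [ $(( new_n * 100 )) -lt $(( old_n * (100 - max_drop) )) ]; then
            echo "reject: $new_n entries, live map has $old_n" >&2
            return 4
        fi
    fi
    return 0
}
```

In the regeneration script this would sit in front of the makemap step, for example `usermap_check /etc/mail/usermap.${UNIQID} /etc/mail/usermap 20 postmaster || exit 1`.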