Problem with Sendmail smf-sav Milter
Johnny Stork
lists at openenterprise.ca
Thu Apr 3 16:45:19 IST 2008
Here are those files and thanks for offering to take a look. My
MailScanner machine has only an internal non-routable ip in a DMZ
(192.168.10.2) which accepts external SMTP connection routed from the
firewall. The Scalix server is also internal with the ip 192.168.1.3. I
also changed the "MailStore johnnystork.ca " settings to
"MailStore 192.168.1.3" but this did not make any difference.
sendmail.mc (last line is smf rule)
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf
package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # Do not advertize sendmail version.
dnl #
dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST', `smtp.your.provider')dnl
dnl #
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to
accept
dnl # incoming messages or process its message queues to 20.) sendmail
refuses
dnl # to accept connections once it has reached its quota of child
processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
dnl #
dnl # Limits the number of new connections per second. This caps the
overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP
address
dnl # limit would be useful but is not available as an option at this
writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his
quota.
dnl #
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery
uncomment
dnl # the following 2 definitions and activate below in the MAILER
section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback
address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or
redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587
followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook
Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6
loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you
want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`openenterprise.ca')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com
as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl # START ADDED BY JPS FROM
http://www.leap-cf.org/presentations/MailScanner/MailScanner.html
define(`confDOUBLE_BOUNCE_ADDRESS', `')dnl
dnl #
define(`confBAD_RCPT_THROTTLE', `1')dnl
dnl #
define(`confCONNECTION_RATE_THROTTLE', `100')dnl
dnl #
define(`confMAX_DAEMON_CHILDREN', `500')dnl
dnl #
define(`confQUEUE_LA', `5')dnl
define(`confREFUSE_LA', `10')dnl
dnl #
define(`confTO_ICONNECT', `15s')dnl
define(`confTO_CONNECT', `3m')dnl
define(`confTO_HELO', `2m')dnl
define(`confTO_MAIL', `1m')dnl
define(`confTO_RCPT', `1m')dnl
define(`confTO_DATAINIT', `1m')dnl
define(`confTO_DATABLOCK', `1m')dnl
define(`confTO_DATAFINAL', `1m')dnl
define(`confTO_RSET', `1m')dnl
define(`confTO_QUIT', `1m')dnl
define(`confTO_MISC', `1m')dnl
define(`confTO_COMMAND', `1m')dnl
define(`confTO_STARTTLS', `2m')dnl
dnl #
FEATURE(access_db)dnl
FEATURE(`greet_pause',10000)
dnl #
dnl #
dnl# FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr}
" found in dnsbl.sorbs.net"')dnl
dnl# FEATURE(`dnsbl', `dnsbl.njabl.org', `"554 Rejected "
$&{client_addr} " - see http://dnsbl.njabl.org/method.html"')dnl
dnl# FEATURE(`dnsbl', `bl.spamcop.net', `"554 Rejected "
$&{client_addr} " found in bl.spamcop.net"')dnl
dnl# FEATURE(`dnsbl', `chinanet.blackholes.us', `"554 Rejected "
$&{client_addr} " found in chinanet.blackholes.us"')dnl
dnl# FEATURE(`dnsbl',`zen.spamhaus.org', `"554 Rejected "
$&{client_addr} " - see http://www.spamhaus.org/SBL/"')dnl
DAEMON_OPTIONS(`Addr=192.168.10.2')dnl
dnl # END ADDED BY JPS FROM
http://www.leap-cf.org/presentations/MailScanner/MailScanner.html
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl
INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock,
T=S:30s;R:4m')dnl
smf-sav.conf:
# /etc/mail/smfs/smf-sav.conf
#
# smf-sav configuration file v1.4.0 (it's read at start)
#
# Whitelist by a sender IP address
#
# The syntax is an IP address followed by a slash
# and a CIDR netmask (if the netmask is omitted, /32 is assumed)
#
WhitelistIP 127.0.0.0/8
WhitelistIP 10.0.0.0/8
WhitelistIP 172.16.0.0/12
WhitelistIP 192.168.0.0/16
# Whitelist by a sender PTR (reverse DNS) record
#
# Performs a case insensitive substring match
#
#WhitelistPTR .friendlydomain.tld
#WhitelistPTR friendlyhost.friendlydomain.tld
# Whitelist by an envelope sender e-Mail address
#
# Performs a case insensitive substring match
#
#WhitelistFrom friend@
#WhitelistFrom @friendlydomain.tld
#WhitelistFrom friend at friendlydomain.tld
# Whitelist by an envelope recipient e-Mail address
#
# Performs a case insensitive substring match
#
#WhitelistTo postmaster@
#WhitelistTo abuse@
#WhitelistTo spamlover at yourdomain.tld
#WhitelistTo @yourspamloverdomain.tld
# FQDN of the publicly visible IP address of the interface
# of an outgoing connection of your Sendmail daemon
# It will be used with the SMTP HELO command for SAV and RAV
#
PublicName johnnystork.ca # it *MUST* be corrected properly
# Any valid e-Mail address of your local domain for the safe call-out
purposes
#
SafeCallBack stork at johnnystork.ca # it *MUST* be corrected properly
# Sender e-Mail Address Verification
#
# Default: on
#
#SAV on # (on|off)
# Ignore tempfailed results of SAV
#
# Default: off
#
#IgnoreTempFail off # (on|off)
# Refuse e-Mail messages from systems that don't accept the null
reverse-path <>
#
# Default: off
#
#BlockIgnorants off # (on|off)
# Recipient e-Mail Address Verification
#
# Primary authoritative e-Mail store hostname (IP address) or
# the hostname (IP address) associated with the interface
# of an incoming connection of your Sendmail daemon
# In most cases it will be equal to the PublicName value
# Do not set to 'localhost' or 127.0.0.1
#
MailStore johnnystork.ca # uncomment and set it properly
# In-memory cache engine TTL settings
#
# The time is given in seconds, except if a unit is given:
# m for minutes, h for hours, and d for days
# Specify zero to disable caching of particular items
#
# Defaults:
#
#FromPassTTL 1d # senders that successfully pass the MX callback test
#
#FromTFailTTL 5m # senders that pass the MX callback test with
tempfail results
#
#FromFailTTL 1h # senders that did not successfully pass the MX
callback test
#
#ToPassTTL 1h # recipients that successfully pass the call ahead test
#
#ToTFailTTL 5m # recipients that pass the call ahead test with
tempfail results
#
#ToFailTTL 1h # recipients that did not successfully pass the call
ahead test
# Run as a selected user (smf-sav must be started by root)
#
# Default: smfs
#
#User smfs
# Socket used to communicate with a Sendmail daemon
#
# Default: unix:/var/run/smfs/smf-sav.sock
#
#Socket unix:/var/run/smfs/smf-sav.sock
# Facility for logging via a Syslog daemon
#
# Default: mail
#
#Syslog mail # (daemon|mail|local0...local7)
Brendan Pirie wrote:
> Johnny Stork wrote:
>> I recently installed the sendmail smf-sav mitler to do sender and
>> recipient address verification on my MailScanner gateway running the
>> latest release on Centos5. However, the recipient checks dont appear
>> to be working since I still get all the spam coming in to
>> non-existent addresses. I beleive I know where the problem might be.
>> The MailScanner gateway accepts mail for the mydomain.ca domain, but
>> after processing simply forwards to an internal Scalix server through
>> a sendmail mailertable entry. For instance, the email address below,
>> or username, does not exist on the MailScanner gateway running
>> smf-sav. Nor does that email address or account exist on the internal
>> Scalix server, but the message passed recpient verification.
>>
>> recipient check succeeded: <bonny.german at mydomain.ca>
>>
>> Would I need to setup checks through ldap or something to have the
>> smf-sav milter. I know I should be checking the smf-sav forums and so
>> will also check there.
>>
>> Thanks
>
> Johnny,
>
> I'm using smf-sav milter with sendmail 8.13.8 and it works
> wonderfully, without the use of ldap anywhere. My MailStore is
> running sendmail 8.12.11 (soon to be upgraded). smf-sav uses
> call-ahead to verify addresses, so ldap isn't necessary, and it should
> work with any RFC compliant MTA. If you can post your configs for
> sendmail and smf-sav I/we can take a look. I do recall running into
> an issue where the documentation on adding smf-sav milter to
> sendmail.mc was outdated for recent sendmail versions.
>
> Brendan
>
More information about the MailScanner
mailing list