Problem with Sendmail smf-sav Milter

Brendan Pirie bpirie at rma.edu
Thu Apr 3 17:32:50 IST 2008


Johnny Stork wrote:
> Here are those files and thanks for offering to take a look. My 
> MailScanner machine has only an internal non-routable ip in a DMZ 
> (192.168.10.2) which accepts external SMTP connection routed from the 
> firewall. The Scalix server is also internal with the ip 192.168.1.3. I 
> also changed the "MailStore    johnnystork.ca " settings to 
> "MailStore    192.168.1.3"  but this did not make any difference.
> 
> 
> sendmail.mc (last line is smf rule)
> 
> divert(-1)dnl
> dnl #
> dnl # This is the sendmail macro config file for m4. If you make changes to
> dnl # /etc/mail/sendmail.mc, you will need to regenerate the
> dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf 
> package is
> dnl # installed and then performing a
> dnl #
> dnl #     make -C /etc/mail
> dnl #
> include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
> VERSIONID(`setup for linux')dnl
> OSTYPE(`linux')dnl
> dnl #
> dnl # Do not advertize sendmail version.
> dnl #
> dnl define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
> dnl #
> dnl # default logging level is 9, you might want to set it higher to
> dnl # debug the configuration
> dnl #
> dnl define(`confLOG_LEVEL', `9')dnl
> dnl #
> dnl # Uncomment and edit the following line if your outgoing mail needs to
> dnl # be sent out through an external mail server:
> dnl #
> dnl define(`SMART_HOST', `smtp.your.provider')dnl
> dnl #
> define(`confDEF_USER_ID', ``8:12'')dnl
> dnl define(`confAUTO_REBUILD')dnl
> define(`confTO_CONNECT', `1m')dnl
> define(`confTRY_NULL_MX_LIST', `True')dnl
> define(`confDONT_PROBE_INTERFACES', `True')dnl
> define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
> define(`ALIAS_FILE', `/etc/aliases')dnl
> define(`STATUS_FILE', `/var/log/mail/statistics')dnl
> define(`UUCP_MAILER_MAX', `2000000')dnl
> define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
> define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
> define(`confAUTH_OPTIONS', `A')dnl
> dnl #
> dnl # The following allows relaying if the user authenticates, and 
> disallows
> dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
> dnl #
> dnl define(`confAUTH_OPTIONS', `A p')dnl
> dnl #
> dnl # PLAIN is the preferred plaintext authentication method and used by
> dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
> dnl # use LOGIN. Other mechanisms should be used if the connection is not
> dnl # guaranteed secure.
> dnl # Please remember that saslauthd needs to be running for AUTH.
> dnl #
> dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 
> LOGIN PLAIN')dnl
> dnl #
> dnl # Rudimentary information on creating certificates for sendmail TLS:
> dnl #     cd /usr/share/ssl/certs; make sendmail.pem
> dnl # Complete usage:
> dnl #     make -C /usr/share/ssl/certs usage
> dnl #
> dnl define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
> dnl define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
> dnl define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
> dnl define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
> dnl #
> dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
> dnl # slapd, which requires the file to be readble by group ldap
> dnl #
> dnl define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
> dnl #
> dnl define(`confTO_QUEUEWARN', `4h')dnl
> dnl define(`confTO_QUEUERETURN', `5d')dnl
> dnl define(`confQUEUE_LA', `12')dnl
> dnl define(`confREFUSE_LA', `18')dnl
> define(`confTO_IDENT', `0')dnl
> dnl FEATURE(delay_checks)dnl
> FEATURE(`no_default_msa', `dnl')dnl
> FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
> FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
> FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
> FEATURE(redirect)dnl
> FEATURE(always_add_domain)dnl
> FEATURE(use_cw_file)dnl
> FEATURE(use_ct_file)dnl
> dnl #
> dnl # The following limits the number of processes sendmail can fork to 
> accept
> dnl # incoming messages or process its message queues to 20.) sendmail 
> refuses
> dnl # to accept connections once it has reached its quota of child 
> processes.
> dnl #
> dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl
> dnl #
> dnl # Limits the number of new connections per second. This caps the 
> overhead
> dnl # incurred due to forking new sendmail processes. May be useful against
> dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP 
> address
> dnl # limit would be useful but is not available as an option at this 
> writing.)
> dnl #
> dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl
> dnl #
> dnl # The -t option will retry delivery if e.g. the user runs over his 
> quota.
> dnl #
> FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
> FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
> FEATURE(`blacklist_recipients')dnl
> EXPOSED_USER(`root')dnl
> dnl #
> dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery 
> uncomment
> dnl # the following 2 definitions and activate below in the MAILER 
> section the
> dnl # cyrusv2 mailer.
> dnl #
> dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
> dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
> dnl #
> dnl # The following causes sendmail to only listen on the IPv4 loopback 
> address
> dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
> dnl # address restriction to accept email from the internet or intranet.
> dnl #
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen to port 587 for
> dnl # mail from MUAs that authenticate. Roaming users who can't reach their
> dnl # preferred sendmail daemon due to port 25 being blocked or 
> redirected find
> dnl # this useful.
> dnl #
> dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen to port 465, but
> dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 
> followed
> dnl # by STARTTLS is preferred, but roaming clients using Outlook 
> Express can't
> dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use 
> STARTTLS
> dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
> dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
> dnl #
> dnl # For this to work your OpenSSL certificates must be configured.
> dnl #
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> dnl #
> dnl # The following causes sendmail to additionally listen on the IPv6 
> loopback
> dnl # device. Remove the loopback address restriction listen to the 
> network.
> dnl #
> dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
> dnl #
> dnl # enable both ipv6 and ipv4 in sendmail:
> dnl #
> dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
> dnl #
> dnl # We strongly recommend not accepting unresolvable domains if you 
> want to
> dnl # protect yourself from spam. However, the laptop and users on 
> computers
> dnl # that do not have 24x7 DNS do need this.
> dnl #
> FEATURE(`accept_unresolvable_domains')dnl
> dnl #
> dnl FEATURE(`relay_based_on_MX')dnl
> dnl #
> dnl # Also accept email sent to "localhost.localdomain" as local email.
> dnl #
> LOCAL_DOMAIN(`localhost.localdomain')dnl
> dnl #
> dnl # The following example makes mail from this host and any additional
> dnl # specified domains appear to be sent from mydomain.com
> dnl #
> dnl MASQUERADE_AS(`openenterprise.ca')dnl
> dnl #
> dnl # masquerade not just the headers, but the envelope as well
> dnl #
> dnl FEATURE(masquerade_envelope)dnl
> dnl #
> dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com 
> as well
> dnl #
> dnl FEATURE(masquerade_entire_domain)dnl
> dnl #
> dnl MASQUERADE_DOMAIN(localhost)dnl
> dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
> dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
> dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
> dnl # START ADDED BY JPS FROM 
> http://www.leap-cf.org/presentations/MailScanner/MailScanner.html
> define(`confDOUBLE_BOUNCE_ADDRESS', `')dnl
> dnl #
> define(`confBAD_RCPT_THROTTLE', `1')dnl
> dnl #
> define(`confCONNECTION_RATE_THROTTLE', `100')dnl
> dnl #
> define(`confMAX_DAEMON_CHILDREN', `500')dnl
> dnl #
> define(`confQUEUE_LA', `5')dnl
> define(`confREFUSE_LA', `10')dnl
> dnl #
> define(`confTO_ICONNECT', `15s')dnl
> define(`confTO_CONNECT', `3m')dnl
> define(`confTO_HELO', `2m')dnl
> define(`confTO_MAIL', `1m')dnl
> define(`confTO_RCPT', `1m')dnl
> define(`confTO_DATAINIT', `1m')dnl
> define(`confTO_DATABLOCK', `1m')dnl
> define(`confTO_DATAFINAL', `1m')dnl
> define(`confTO_RSET', `1m')dnl
> define(`confTO_QUIT', `1m')dnl
> define(`confTO_MISC', `1m')dnl
> define(`confTO_COMMAND', `1m')dnl
> define(`confTO_STARTTLS', `2m')dnl
> dnl #
> FEATURE(access_db)dnl
> FEATURE(`greet_pause',10000)
> dnl #
> dnl #
> dnl# FEATURE(`dnsbl',`dnsbl.sorbs.net',`"554 Rejected " $&{client_addr} 
> " found in dnsbl.sorbs.net"')dnl
> dnl# FEATURE(`dnsbl', `dnsbl.njabl.org', `"554 Rejected " 
> $&{client_addr} " - see http://dnsbl.njabl.org/method.html"')dnl
> dnl# FEATURE(`dnsbl', `bl.spamcop.net',         `"554 Rejected " 
> $&{client_addr} " found in bl.spamcop.net"')dnl
> dnl# FEATURE(`dnsbl', `chinanet.blackholes.us', `"554 Rejected " 
> $&{client_addr} " found in chinanet.blackholes.us"')dnl
> dnl# FEATURE(`dnsbl',`zen.spamhaus.org', `"554 Rejected " 
> $&{client_addr} " - see http://www.spamhaus.org/SBL/"')dnl
> DAEMON_OPTIONS(`Addr=192.168.10.2')dnl
> dnl # END ADDED BY JPS FROM 
> http://www.leap-cf.org/presentations/MailScanner/MailScanner.html
> MAILER(smtp)dnl
> MAILER(procmail)dnl
> dnl MAILER(cyrusv2)dnl
> define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl

The above line needs to be commented out (or removed), unless you're 
using a fairly outdated version of sendmail.  This is where the 
documentation is outdated.

dnl define(`confMILTER_MACROS_HELO', confMILTER_MACROS_HELO`, {verify}')dnl

> INPUT_MAIL_FILTER(`smf-sav', `S=unix:/var/run/smfs/smf-sav.sock, 
> T=S:30s;R:4m')dnl
> 
> 
> smf-sav.conf:
> 
> # /etc/mail/smfs/smf-sav.conf
> #
> # smf-sav configuration file v1.4.0 (it's read at start)
> #
> 
> # Whitelist by a sender IP address
> #
> # The syntax is an IP address followed by a slash
> # and a CIDR netmask (if the netmask is omitted, /32 is assumed)
> #
> WhitelistIP    127.0.0.0/8
> WhitelistIP    10.0.0.0/8
> WhitelistIP    172.16.0.0/12
> WhitelistIP    192.168.0.0/16
> 
> # Whitelist by a sender PTR (reverse DNS) record
> #
> # Performs a case insensitive substring match
> #
> #WhitelistPTR    .friendlydomain.tld
> #WhitelistPTR    friendlyhost.friendlydomain.tld
> 
> # Whitelist by an envelope sender e-Mail address
> #
> # Performs a case insensitive substring match
> #
> #WhitelistFrom    friend@
> #WhitelistFrom    @friendlydomain.tld
> #WhitelistFrom    friend at friendlydomain.tld
> 
> # Whitelist by an envelope recipient e-Mail address
> #
> # Performs a case insensitive substring match
> #
> #WhitelistTo    postmaster@
> #WhitelistTo    abuse@
> #WhitelistTo    spamlover at yourdomain.tld
> #WhitelistTo    @yourspamloverdomain.tld
> 
> # FQDN of the publicly visible IP address of the interface
> # of an outgoing connection of your Sendmail daemon
> # It will be used with the SMTP HELO command for SAV and RAV
> #
> PublicName    johnnystork.ca        # it *MUST* be corrected properly

PublicName should be the FQDN of the box smf-sav is running on, e.g. 
smpthost.johnnystork.ca

> 
> # Any valid e-Mail address of your local domain for the safe call-out 
> purposes
> #
> SafeCallBack    stork at johnnystork.ca    # it *MUST* be corrected properly
> 
> # Sender e-Mail Address Verification
> #
> # Default: on
> #
> #SAV        on    # (on|off)
> 
> # Ignore tempfailed results of SAV
> #
> # Default: off
> #
> #IgnoreTempFail    off    # (on|off)
> 
> # Refuse e-Mail messages from systems that don't accept the null 
> reverse-path <>
> #
> # Default: off
> #
> #BlockIgnorants    off    # (on|off)
> 
> # Recipient e-Mail Address Verification
> #
> # Primary authoritative e-Mail store hostname (IP address) or
> # the hostname (IP address) associated with the interface
> # of an incoming connection of your Sendmail daemon
> # In most cases it will be equal to the PublicName value
> # Do not set to 'localhost' or 127.0.0.1
> #
> 
> MailStore    johnnystork.ca        # uncomment and set it properly

This also should be a FQDN, e.g. scalixhost.johnnystork.ca
> 
> # In-memory cache engine TTL settings
> #
> # The time is given in seconds, except if a unit is given:
> # m for minutes, h for hours, and d for days
> # Specify zero to disable caching of particular items
> #
> # Defaults:
> #
> #FromPassTTL    1d    # senders that successfully pass the MX callback test
> #
> #FromTFailTTL    5m    # senders that pass the MX callback test with 
> tempfail results
> #
> #FromFailTTL    1h    # senders that did not successfully pass the MX 
> callback test
> #
> #ToPassTTL    1h    # recipients that successfully pass the call ahead test
> #
> #ToTFailTTL    5m    # recipients that pass the call ahead test with 
> tempfail results
> #
> #ToFailTTL    1h    # recipients that did not successfully pass the call 
> ahead test
> 
> # Run as a selected user (smf-sav must be started by root)
> #
> # Default: smfs
> #
> #User        smfs
> 
> # Socket used to communicate with a Sendmail daemon
> #
> # Default: unix:/var/run/smfs/smf-sav.sock
> #
> #Socket        unix:/var/run/smfs/smf-sav.sock
> 
> # Facility for logging via a Syslog daemon
> #
> # Default: mail
> #
> #Syslog        mail    # (daemon|mail|local0...local7)
> 

Make the suggested changes and let us know how it behaves.

Brendan



More information about the MailScanner mailing list