HPlogo Installing and Administering Internet Services: HP 9000 Networking > Chapter 4 Installing and Administering sendmail

Configuring sendmail to Reject Unsolicited Mail

» 

Technical documentation

Complete book in PDF

 » Table of Contents

 » Index

You can set up sendmail so that unsolicited or spam mail (unsolicited mail sent to large numbers of users) is not transmitted through or received by users on the network.

The first step in configuration is to enable the anti-spamming rulesets. You then edit other configuration files to control mail transmission. This section describes how you can:

  • Accept or reject mail from particular senders

  • Prevent your machine from being used as a relay machine

  • Accept or reject connections from specific users hostnames based on domains, or IP addresses

  • Enable or disable mail transfers from specific senders and recipient pairs

Enabling "Anti-Spamming" Capability

  1. Open the sendmail configuration file, sendmail.cf.

  2. Uncommenting the following rulesets located between #Begin Anti-Spamming and #End Anti-Spamming in the sendmail.cf file.

    • check_mail

    • check_rcpt

    • check_relay

    • check_compat

Accepting and Rejecting Mail From Particular Senders

By default sendmail accepts mail from all users and all domains. You can set up sendmail to filter mail using the sender's address in the SMTP MAIL FROM command. You can use the check_mail ruleset to refuse or reject mail messages from specific users or domains. To specify users and domains from whom you do not want to receive mail messages, edit the /etc/Mail/Spammer and /etc/Mail/SpamDomains files.

Rejecting Mail from Specific Users

Enter the user's complete mail address into the /etc/Mail/Spammer file.

sally@cup.hp.com
john@rose.hp.com

All messages from Sally and John will be rejected.

Rejecting Mail from All Users in a Specific Domain

Enter the domain address into the /etc/Mail/SpamDomain file.

pests.com 
rose.hp.com

Mail messages received from all users in the pests domain and all users in the rose.hp.com domain, not just John, will be rejected.

Rejecting Messages from a Specific Host

Enter the name of the host from which you do not want to receive messages into the /etc/Mail/SpamDomain file.

bobcat.rose.hp.com
cheetah.india.hp.com

Mail from any user on the host bobcat in the rose.hp.com domain and from the host cheetah in the india.hp.com domain will be rejected. You will not receive messages from this host.

Preventing Unauthorized Mail Relay Usage

You can allow your machine to be used as a relay agent to other machines. By specifying who you wish to be a relay for, you eliminate the indiscriminate use of your machine as a relay for spammers, who may pass unsolicited mail from and to other networks through your machine.

You can use the ruleset check_rcpt to validate the sender-envelope address given to the SMTP RCPT command (the address in the "To" field of the SMTP RCPT command)

Because this ruleset is employed, when a message is sent, it checks that either the connecting SMTP client is "local" or the recipient is a host for which the mailhost acts as a relay or both. Local refers to any domain listed in /etc/mail/LocalIP or /etc/Mail/LocalNames.

Specifying Local Hosts that can Use Your Machine as a Host

You can identify hosts for which you are willing to receive and forward mail messages either by IP address or hostname.

NOTE: You cannot specify domain names here.
  • Enter the IP address of the local hosts for which you are willing to act as a relay host in the file /etc/Mail/LocalIP.

    199.28.9.20
    199.32.7.15

    Mail messages sent from or to the local host whose IP address you enter in the file will be accepted.

  • Enter the hostname of the local host for which you will act as a relay host for in the file /etc/mail/LocalNames.

    For example, if you enter the following, mail sent to or from these hosts will be sent accepted for relaying through the mail server.

    bobcat
    tulip.india.hp.com
    rose.hp.com

Accepting and Delivering Messages for External Hosts or Domains

You can allow external mail messages to be routed through your machine or you can set it so external messages are not relayed through your machine. By default, external messages are not allowed to pass through your machine.

  • Enter the external domain you will accept and deliver messages for in the /etc/Mail/RelayTo file.

    For example, enter hp.com to relay messages for the domain, hp.com. By specifying hp.com, if a user from aol.com tries to send a mail message to a user in another external domain like hotmail.com, through your mail hub, then the hub will reject the mail message.

Screening Incoming Network Connection Requests

The check_relay ruleset allows you to examine incoming network connections and accept or reject them based on hostnames, domain, or IP addresses.

To reject relay access to specific hosts, specify the IP address of the host in the /etc/Mail/DeniedIP file.

15.10.43.248
15.10.43.245

You can also specify the name of the host you want to deny access in the file /etc/Mail/DeniedNames. You must enter the Fully Qualified Domain name, for example, bobcat.rose.hp.com.

Sendmail Validation

The check_compat ruleset compares all senders and receiver pairs before mail is delivered. It validates the mail based on the results of the comparison. It checks to see if host A can legally send a message to host B. check_compat is called for all mail deliveries, not just SMTP transactions.

It is used in the following situations:

  • A set of users who are restricted from sending mail messages to external domains need to send mail messages to internal; domains. Both the sender and recipient addresses are checked to ensure that they are in the local domain.

  • A particular user needs to ensure that he or she does not receive mail messages from a specific source.

  • A particular host needs to ensure that external senders do not use that host as a a mail relay. The mail messages are screened based on the sender's hostname.

Sendmail Anti-Spamming Security

The anti-spamming features enable you to control which users can send, receive, or relay mail messages on the network. Sendmail provides the following features:

  • Using the Access Database to allow or reject mail from specific domains

  • Relaying Capability

  • Validating Senders

  • Checking Headers

Enabling Sendmail Anti-Spamming Security Features

You must run the gen_cf script to turn on relaying, validating, and checking features.

The access database also allows you to control the message flow. See the section “Using the Access Database to Allow or Reject Mail Messages” for more information.

Running the gen_cf Script

  1. Become user root.

  2. Go to the directory that contains the script:
    cd /usr/newconfig/etc/mail/cf/cf/gen_cf

  3. Run gen_cf.

  4. Follow the prompts in the script. A message will be displayed to inform you when the file has been successfully built.

Using the Access Database to Allow or Reject Mail Messages

You can control the flow of mail messages coming in from certain domains. The Access Database gives you the ability to allow or reject mail from specific domains. By default, names listed in the database as "OK" are domain names, not host names.

The primary steps to allow or reject messages include:

Step 1. Creating an Access Database text fileStep 2. Creating a Database map You should understand a few basic facts about the Access Database format and structure before creating the Access Database file or database map.

Access Database Format

This section includes a few key points about the database and describes the format of the database.

The key can be an IP address, a domain name, a hostname or an e-mail address.

Table 4-4 Access Database Format

Value

Description

OK

Accepts mail even if other rules if the running ruleset rejects it. For example, if the domain name is unresolvable.

RELAY

Accepts mail addressed to the specified domain or received from the specified domain for relaying through your SMTP server. RELAY also serves as an implicit OK for the other checks.

REJECT

Rejects the sender or recipient with a general purpose message.

DISCARD

Discards the message completely using the $#discard mailer delivery agent. This only works for sender addresses. That is, it indicates that you should discard anything received from the specified domain.

### "any text"

Where ### is an RFC 821 compliant error code and "any text" is a message to return for the command.

 

Creating the Access Database Text File

You must edit the Access Database file manually. The default Access Database file is /etc/mail/access. However, you can specify another file in the sendmail.cf file.

Below is a sample access database file, /etc/mail/access.

Table 4-5 Access Database Text File Example

cyberspammer.com550 We don't accept mail from spammers

okay.cyberspammer.com

OK

128.32

RELAY

spammer@aol.com

REJECT

192.168.212

DISCARD

 

In the above Access Database file, all mail messages from the cyberspammer.com domain are rejected and the error message "550 We don't accept mail from spammers" is displayed. All mail messages from the okay.cyberspammer.com domain are accepted. Messages can be relayed through 128.32. All mail messages from spammer@aol.com are rejected. All mail messages from the 192.168.212 domain are discarded.

Creating the Database Map

After creating the text file, you must use makemap to create the database map. Type the following command to make the database:

makemap hash /etc/mail/access < /etc/mail/access

The makemap utility takes /etc/mail/access file as input. It then stores the results back into the /etc/mail/access.db file.

Relaying Capability

The gen_cf shell script distributed with Sendmail allows you to turn on one or more of the relay anti-spamming features listed below. These capabilities are described in this section.

Promiscuous Relay: Relaying from Any Host to Any Host

Promiscuous relay allows you to configure your site to allow mail relaying from any one site to any other site. This feature is not enabled by default.

You can enable promiscuous relay by selecting it as an option when running the gen_cf script distributed with this release. By enabling this option Sendmail does not check for relaying. Spammers may then relay mail through your site.

Relay Entire Domain: Relaying from Any Host in the Domain

By default only hosts listed as RELAY in the Access Database are allowed to relay messages. The hosts must be defined in the m class ($=m) macro to relay. However, this feature allows any host in your domain to relay mail messages.

Relay Hosts Only: Relaying From Hosts Only

By default, host names that are listed as RELAY in both the Access Database and the class 'R' ($=R) macro can relay messages. When using this feature, specify hostnames. This feature enables Sendmail to look up individual host names and relay messages to the host.

Relaying Based on MX Records

This feature allows relaying based on the MX records of the host portion of an incoming recipient. If a MX record for host foo.com points to your site, you will accept and relay mail addressed to foo.com.

Relay From Local

With this feature, a sender, who is a valid user on a particular host, can relay messages to other users on different hosts.

Caution: Use caution when using this feature. Using it opens a window for spammers. Specifically, spammers can send mail to your mail server that claims to be from your domain (either directly or via a routed address), and your machine will relay it out to any hosts on the Internet.

Check Loose Relay

This feature will turn off the default behavior, which rechecks all recipients using "%" addressing. For example, if the recipient address is user%site@othersite, and othersite is in class 'R' macro, the @othersite portion is stripped and re-checks user@site for relaying.

Validating Senders

Sendmail provides a stricter check of mail message senders to ensure they are legitimate. Sendmail will refuse mail if the MAIL FROM: parameter has an unresolvable domain. You can work around this. If you want to continue accepting mail from such domains, use the features described in this section. Any of these features can be enabled when you run the gen_cf script, which is distributed with Sendmail.

  • Accept Unresolvable Domain

  • Accept Unqualified Senders

  • Black list Recipients

  • Real-time Blackhole List

Accept Unresolvable Domains

This feature enables sendmail to accept all MAIL FROM: parameters that are not fully qualified. For example, a mail message whose host part of the argument to the MAIL FROM: parameter cannot be located in the host name service, such as DNS.

Accept Unqualified Senders

This feature allows you to accept all mail where the sender's mail address does not include a domain name.

Normally, the MAIL FROM: commands in the SMTP session will be refused if the connection is a network connection and the sender address does not include a domain name.

Blacklist Recipients

This feature enables sendmail to block incoming mail messages destined for certain recipient user names, hostnames, or addresses. This feature also restricts you from sending mail messages to addresses with an error message or REJECT value in the Access Database file.

Example 1For example, given the following entries in the Access Database file:

badlocaluser                 550 Mailbox disabled for this 
username
host.mydomain.com 550 That host does not accept mail
user@otherhost.mydomain.com 550 Mailbox disabled for this
recipient

Recipient of badlocaluser@mydomain.com, any user at host.mydomain.com, and the single address user@otherhost.mydomain.com will not receive mail.

Example 2

spammer@aol.com REJECT

cyberspammer.com REJECT

Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com.

Real-time Blackhole List

This feature will reject hosts listed in the Real-time Blackhole List, which is found in the Real-time Blackhole List server. The server is rbl.maps.vix.com.To use this feature, you must add the following to the DNS database:

1.5.5.192.rbl.maps.vix.com. IN A 127.0.0.2

You can specify the Real-time Blackhole List servers in the sendmail.cf file.

Header Checking

With header checking, mail messages can be rejected based on the contents of their mail headers. Sendmail provides the syntax for limited header syntax checking. A config line of the form: HHeader: $>Ruleset causes the specified ruleset to be invoked on the Header when read. Below is an example of header checking:

Validity of a Message-ID: header

#LOCAL_RULESETS

HMessage-Id: $>CheckMessageId
SCheckMessageId
R< $+ @ $+ > $@ OK

R$* $#error $: 553 Header Error

If the above lines are included in the sendmail.cf file then, all header messages of the form "Message-Id:" will call the ruleset SCheckMessageID, which checks the validity of the Message-Id header.

Discard Mailer

Sendmail has defined a special internal delivery agent called discard. This agent can be used with the header checking ruleset and "check" rulesets: check_mail, check_rcpt, check_relay, or check_compat.

If any of the "check" rulesets (check_mail, check_rcpt, check_relay, or check_compat) or the header checking ruleset resolves a mail address to the $#discard mailer, then all the SMTP commands will be accepted, but the message will be discarded. If only one of message recipients address resolves to the $#discard mailer, none of the recipients will receive the mail message.

Regular Expressions

You can use regular expressions with the new map class "regex." The regex map can be used to see if an address matches a certain regular expression. By using such a map in a "check" rulesets (check_mail, check_rcpt, check_relay, or check_compat), you can block a certain range of addresses that would otherwise be considered valid.

For example, if you want to block all senders with all numeric user names, such as 2312343@bigisp.com, you would use SLocal_check_mail and the new regex map:

#LOCAL_CONFIG
Kallnumbers regex -a@MATCH ^[0-9]+$
LOCAL_RULESETS

SLocal_check_mail # check address against\
various regex checks
R$* $: $>Parse0 $>3 $1
R$+ < @ bigisp.com. >48 $: $(allnumbers $1 $)
R@MATCH $#error $:553 Header Error

Defining Hosts Allowed to Relay: Class R

You can use the $=R macro to define the hosts that are allowed to relay. The default file sendmail uses to read values for the $=R macro is /etc/mail/relay-domains.

Queue Changes

This section describes miscellaneous enhancements to the queue option:

  • Allow multiple -qI, -qR, or -qS queue run limiters
    For example, using sendmail -qRfoo -qRbar will deliver mail to recipients with foo or bar in their address.

  • There is a new map flag "-Tx" appends "x" to lookups that return temporary failure. This is similar to "-ax" flag which appends "x" to lookups that return success.

  • The "QueueSortOrder" option is case sensitive.

© 2000 Hewlett-Packard Development Company, L.P.