02-04-2010, 04:47 PM
"Simon Billis"

sendmail mail relay backscatter issue.

Hi,

> Simon Billis wrote on Thu, 4 Feb 2010 13:28:04 -0000:
>
> > I am attempting to stop any
> > backscatter that these servers cause by only accepting mail for
> > specific users@domain or for domains with a catch-all account.
>
> I believe milter-ahead or smf-sav can be used for this.
>
> Kai

Indeed as can Scam-backscatter, but I'm attempting to not load the backend
mailserver with connections if at all possible, due to the number of emails
that are received on the antispam machines... (I know that they cache the
results of the lookups, but spammers like to send to dictionaries ;-) )

Thanks for the suggestion though :-)

Simon.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-04-2010, 06:31 PM
Kai Schaetzl

sendmail mail relay backscatter issue.

Simon Billis wrote on Thu, 4 Feb 2010 17:47:55 -0000:

> Indeed as can Scam-backscatter, but I'm attempting to not load the backend
> mailserver with connections if at all possible,

Yeah, I see. If you fill virtusertable with the valid addresses then you
have to give explicit forwards for each existing address, too. If that is
fine, then this is surely going to work. It won't work if you want to queue
and deliver.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com



02-04-2010, 06:52 PM
Les Mikesell

sendmail mail relay backscatter issue.

On 2/4/2010 1:31 PM, Kai Schaetzl wrote:
> Simon Billis wrote on Thu, 4 Feb 2010 17:47:55 -0000:
>
>> Indeed as can Scam-backscatter, but I'm attempting to not load the backend
>> mailserver with connections if at all possible,
>
> Yeah, I see. If you fill virtusertable with the valid addresses then you
> have to give explicit forwards for each existing address, too. If that is
> fine, then this is surely going to work. It won't work if you want to queue
> and deliver.

What do you mean? Forwarding to the virtuser expansion address should
work just like any other address.

--
Les Mikesell
lesmikesell@gmail.com

02-04-2010, 08:31 PM
Kai Schaetzl

sendmail mail relay backscatter issue.

Les Mikesell wrote on Thu, 04 Feb 2010 13:52:08 -0600:

> What do you mean? Forwarding to the virtuser expansion address should
> work just like any other address.

It sounds like he didn't forward before, but queue and deliver (e.g. he's
the only available MX and queues for a firewalled MX or uses mailertable
to get the mail delivered). If he goes to virtusertable he has to fill the
table with valid forwards.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com



02-04-2010, 09:17 PM
Les Mikesell

sendmail mail relay backscatter issue.

On 2/4/2010 3:31 PM, Kai Schaetzl wrote:

>> What do you mean? Forwarding to the virtuser expansion address should
>> work just like any other address.
>
> It sounds like he didn't forward before, but queue and deliver (e.g. he's
> the only available MX and queues for a firewalled MX or uses mailertable
> to get the mail delivered). If he goes to virtusertable he has to fill the
> table with valid forwards.

The point would be able to include a default reject rule for each
domain, which means that you have to supply valid forwards for all
addresses you don't want to reject at the relay. (You could default to
forwarding, but that doesn't help with the backscatter issue). But that
doesn't change the ability to queue/deliver except that the relay has to
accept the domains as local to do the virtuser lookup so the new target
has to have a different name for the delivery host. I'm not sure how
that relates to your distinction between forwarding and queuing.
Sendmail has local and remote addresses, but remote ones all go through
the same steps.

--
Les Mikesell
lesmikesell@gmail.com

02-05-2010, 10:06 AM
"Simon Billis"

sendmail mail relay backscatter issue.

Hi,

> On 2/4/2010 3:31 PM, Kai Schaetzl wrote:
>
> >> What do you mean? Forwarding to the virtuser expansion address
> >> should work just like any other address.
> >
> > It sounds like he didn't forward before, but queue and deliver (e.g.
> > he's the only available MX and queues for a firewalled MX or uses
> > mailertable to get the mail delivered). If he goes to virtusertable
> > he has to fill the table with valid forwards.
>
> The point would be able to include a default reject rule for each
> domain, which means that you have to supply valid forwards for all
> addresses you don't want to reject at the relay. (You could default to
> forwarding, but that doesn't help with the backscatter issue). But
> that doesn't change the ability to queue/deliver except that the relay
> has to accept the domains as local to do the virtuser lookup so the new
> target has to have a different name for the delivery host. I'm not sure
> how that relates to your distinction between forwarding and queuing.
> Sendmail has local and remote addresses, but remote ones all go through
> the same steps.

I am queuing and delivering using mailertable currently - hence the issue
with backscatter as some of the domains do not have catch-all accounts. I am
able to produce a list of valid email accounts and domains without a
catch-all account so I should be able to create a virtusertable with the
required entries to either accept all mail for a domain and then forward it
to a specific account (the catch-all account) or to only accept mail for a
specific account and then forward it to the same address (is this valid?) by
again using mailertable(?). I think that using access.db and relay-domains
may also work as needed.

Thanks very much for your help with this and the suggestions it is much
appreciated.

Simon.



02-05-2010, 11:31 AM
Kai Schaetzl

sendmail mail relay backscatter issue.

Simon Billis wrote on Fri, 5 Feb 2010 11:06:36 -0000:

> I am queuing and delivering using mailertable currently

I figured something along this line.

> - hence the issue
> with backscatter as some of the domains do not have catch-all accounts.

Not to mention the extra stress on your system for scanning mails that won't
get delivered, anyway. I very much encourage moving away from catch-alls at
all. Sometimes it's impossible, but I found that most clients use only a few
addresses and can go easily without catch-all. This can reduce the number of
mails you have to process dramatically.

> I am
> able to produce a list of valid email accounts and domains without a
> catch-all account so I should be able to create a virtusertable with the
> required entries to either accept all mail for a domain and then forward it
> to a specific account (the catch-all account) or to only accept mail for a
> specific account and then forward it to the same address (is this valid?) by
> again using mailertable(?).

If you go to virtusertable you don't need mailertable at all, it may even be
counterproductive/not usable I guess (I'm now mostly using postfix, so my
ad-hoc experience with sendmail and mailertable is somewhat dated). But you have
to explicitly list all target addresses. Something you didn't need to do
before. That is what I wanted to point out earlier.
You specify the forwarding address and that's it. You can then either specify
a catch-all (just the domain) with an error code or don't specify any. Unless
it matches a local alias/user there's then no way to deliver it, so it will
get rejected.

> I think that using access.db and relay-domains
> may also work as needed.

I've never used access.db for relaying/local domains, I always relied on
relay-domains. I'm not sure, but I think sendmail takes the first match and
then stops scanning access.db. So you might be able to use something like
this:
To:user1@domain OK (or RELAY)
To:user2@domain OK
domain REJECT

and then keep your current mailertable method (no need for virtusertable) or
use virtusertable expandable forwarding addresses. It's possible, though, that
the order gets changed in the compiled map file. Maybe Les knows that better.
If that works it might be the best method as it rejects at the first possible
processing step.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com
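
The access-map layout from the message above, as an added example that is not part of the original post: it builds the entries from a list of valid recipients and models the lookup as keyed (full address first, then the bare domain), which is why source-file order does not decide the match in a hashed map. The addresses and function names are constructed, the domain entries are tagged `To:` so they apply to recipients only, and the model assumes the relay honours full-address keys when deciding to relay.

```python
# Added example with constructed data; a simplified model, not sendmail's own code.
VALID_RECIPIENTS = ["alice@example.com", "bob@example.com", "sales@example.net"]
CATCH_ALL_DOMAINS = {"example.net"}  # domains whose backend accepts any local part


def build_access_map(valid_recipients, catch_all_domains):
    """Return {key: action} with recipient-only (To:) keys for the access map."""
    catch_all = {d.strip().lower() for d in catch_all_domains}
    table, domains = {}, set(catch_all)
    for addr in valid_recipients:
        local, _, domain = addr.strip().lower().rpartition("@")
        if not local or not domain:
            raise ValueError(f"not a user@domain address: {addr!r}")
        domains.add(domain)
        if domain not in catch_all:
            table[f"To:{local}@{domain}"] = "RELAY"
    for domain in domains:
        # Domain-wide entry: relay everything for catch-all domains,
        # otherwise refuse whatever was not listed by full address.
        table[f"To:{domain}"] = "RELAY" if domain in catch_all else "REJECT"
    return table


def render(table):
    """Source text for the map; sorted only to keep diffs readable."""
    return "".join(f"{key}\t{action}\n" for key, action in sorted(table.items()))


def rcpt_decision(table, recipient):
    """Model the keyed lookup: full address first, then the bare domain."""
    local, _, domain = recipient.strip().lower().rpartition("@")
    for key in (f"To:{local}@{domain}", f"To:{domain}"):
        if key in table:
            return table[key]
    return None  # no entry: outcome is left to the relay's other rules


if __name__ == "__main__":
    access = build_access_map(VALID_RECIPIENTS, CATCH_ALL_DOMAINS)
    print(render(access), end="")
    for rcpt in ("alice@example.com", "aaron@example.com",
                 "anything@example.net", "user@example.org"):
        print(f"{rcpt:24} -> {rcpt_decision(access, rcpt)}")
```

The model leaves out subdomain matching and every non-recipient check; it only shows which entry answers for a given RCPT address.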



02-05-2010, 12:43 PM
Les Mikesell

sendmail mail relay backscatter issue.

Simon Billis wrote:
>
>> The point would be able to include a default reject rule for each
>> domain, which means that you have to supply valid forwards for all
>> addresses you don't want to reject at the relay. (You could default to
>> forwarding, but that doesn't help with the backscatter issue). But
>> that
>> doesn't change the ability to queue/deliver except that the relay has
>> to
>> accept the domains as local to do the virtuser lookup so the new target
>> has to have a different name for the delivery host. I'm not sure how
>> that relates to your distinction between forwarding and queuing.
>> Sendmail has local and remote addresses, but remote ones all go through
>> the same steps.
>
> I am queuing and delivering using mailertable currently - hence the issue
> with backscatter as some of the domains do not have catch-all accounts. I am
> able to produce a list of valid email accounts and domains without a
> catch-all account so I should be able to create a virtusertable with the
> required entries to either accept all mail for a domain and then forward it
> to a specific account (the catch-all account) or to only accept mail for a
> specific account and then forward it to the same address (is this valid?) by
> again using mailertable(?). I think that using access.db and relay-domains
> may also work as needed.

Sendmail will only look in virtusertable if it considers the address local (i.e.
you've added the target domain to local-host-names). That means you'll have to
use some other name for the delivery target in the virtusertable expansion side
to get it to forward on. Probably whatever you are using in mailertable will
work. You might be able to use user@[host.domain] notation or user@[IP_address]
there to avoid another MX lookup that would come back to the relay - I'm not
sure about that. You'll probably have to do some testing with this part since
it is a fairly drastic change to make the targets local - but you can do it one
domain at a time.

--
Les Mikesell
lesmikesell@gmail.com

02-05-2010, 01:22 PM
"Simon Billis"

sendmail mail relay backscatter issue.

Les Mikesell sent a missive on 2010-02-05:

> Simon Billis wrote:
>>
>>> The point would be able to include a default reject rule for each
>>> domain, which means that you have to supply valid forwards for all
>>> addresses you don't want to reject at the relay. (You could default
>>> to forwarding, but that doesn't help with the backscatter issue). But
>>> that doesn't change the ability to queue/deliver except that the relay
>>> has to accept the domains as local to do the virtuser lookup so the
>>> new target has to have a different name for the delivery host. I'm
>>> not sure how that relates to your distinction between forwarding and
>>> queuing. Sendmail has local and remote addresses, but remote ones all
>>> go through the same steps.
>>
>> I am queuing and delivering using mailertable currently - hence the
>> issue with backscatter as some of the domains do not have catch-all
>> accounts. I am able to produce a list of valid email accounts and
>> domains without a catch-all account so I should be able to create a
>> virtusertable with the required entries to either accept all mail
>> for a domain and then forward it to a specific account (the
>> catch-all account) or to only accept mail for a specific account and
>> then forward it to the same address (is this valid?) by again using
>> mailertable(?). I think that using access.db and relay-domains may
>> also work as needed.
>
> Sendmail will only look in virtusertable if it considers the address
> local (i.e. you've added the target domain to local-host-names). That means
> you'll have to use some other name for the delivery target in the
> virtusertable expansion side to get it to forward on. Probably
> whatever you are using in mailertable will work. You might be able to
> use user@[host.domain] notation or user@[IP_address] there to avoid
> another MX lookup that would come back to the relay - I'm not sure
> about that. You'll probably have to do some testing with this part
> since it is a fairly drastic change to make the targets local - but
> you can do it one domain at a time.
>

I don't think that this is going to work for me then... I'm not able to
change the envelope address for the onward delivery. The final mail server
will reject the mail if it is not the original email address that I'm
accepting the mail for on the mail scanners. Also I understand from the
documentation that mailertable is not used for class {w}, i.e. local host
names so I think that I'm stuck with the following choices...

1) getting access.db and relay-domains working correctly with:
(a) the _RELAY_FULL_ADDR_ feature
(b) without the above feature (which works but without the ability to
send mail from our networks from email addresses in the access.db map but I
think that this is because I need to add specific hosts to the access map.)

2) utilising a milter.

Is this a fair conclusion in your opinion?

Thanks

Simon.



02-05-2010, 01:49 PM
Les Mikesell

sendmail mail relay backscatter issue.

Simon Billis wrote:
> Les Mikesell sent a missive on 2010-02-05:
>
>> Simon Billis wrote:
>>>> The point would be able to include a default reject rule for each
>>>> domain, which means that you have to supply valid forwards for all
>>>> addresses you don't want to reject at the relay. (You could default
>>>> to forwarding, but that doesn't help with the backscatter issue). But
>>>> that doesn't change the ability to queue/deliver except that the relay
>>>> has to accept the domains as local to do the virtuser lookup so the
>>>> new target has to have a different name for the delivery host. I'm
>>>> not sure how that relates to your distinction between forwarding and
>>>> queuing. Sendmail has local and remote addresses, but remote ones all
>>>> go through the same steps.
>>> I am queuing and delivering using mailertable currently - hence the
>>> issue with backscatter as some of the domains do not have catch-all
>>> accounts. I am able to produce a list of valid email accounts and
>>> domains without a catch-all account so I should be able to create a
>>> virtusertable with the required entries to either accept all mail
>>> for a domain and then forward it to a specific account (the
>>> catch-all account) or to only accept mail for a specific account and
>>> then forward it to the same address (is this valid?) by again using
>>> mailertable(?). I think that using access.db and relay-domains may
>>> also work as needed.
>>
>> Sendmail will only look in virtusertable if it considers the address
>> local (i.e. you've added the target domain to local-host-names). That means
>> you'll have to use some other name for the delivery target in the
>> virtusertable expansion side to get it to forward on. Probably
>> whatever you are using in mailertable will work. You might be able to
>> use user@[host.domain] notation or user@[IP_address] there to avoid
>> another MX lookup that would come back to the relay - I'm not sure
>> about that. You'll probably have to do some testing with this part
>> since it is a fairly drastic change to make the targets local - but
>> you can do it one domain at a time.
>>
>
> I don't think that this is going to work for me then... I'm not able to
> change the envelope address for the onward delivery. The final mail server
> will reject the mail if it is not the original email address that I'm
> accepting the mail for on the mail scanners. Also I understand from the
> documentation that mailertable is not used for class {w}, i.e. local host
> names so I think that I'm stuck with the following choices...
>
> 1) getting access.db and relay-domains working correctly with:
> (a) the _RELAY_FULL_ADDR_ feature
> (b) without the above feature (which works but without the ability to
> send mail from our networks from email addresses in the access.db map but I
> think that this is because I need to add specific hosts to the access map.)
>
> 2) utilising a milter.
>
> Is this a fair conclusion in your opinion?

What are you currently using in mailertable to get there? If you use [domain]
and go to the A record of the same name it might be a problem - but that might
work if you try it. Where I've used it, the delivery hosts had their own names
that they'd accept in the envelope and the [IP.address] form would also work.

--
Les Mikesell
lesmikesell@gmail.com

All times are GMT.