FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > CentOS > CentOS

 
 
LinkBack Thread Tools
 
Old 02-04-2010, 12:28 PM
"Simon Billis"
 
Default sendmail mail relay backscatter issue.

Hi Folks,

I have a couple of questions which I hope that you will be able to assist
with, first some background.

I run a few sendmail servers that run MailScanner/Spamassassin/sendmail
(current versions) on Centos 5.4 and Centos 4.8 These boxes accept mail for
a large number of domains (6000+) scan the mail removing spam and then
forward the ham to another server for delivery. I am attempting to stop any
backscatter that these servers cause by only accepting mail for specific
users@domain or for domains with a catch-all account.

I currently use /etc/mail/access.db as the access map for the domains, but
this allows all mail to be accepted for the domain before the attempting to
send it on for final delivery which causes NDR and backscatter for those
domains which do not have a catch-all account.

I have looked at adding "To:user@domain RELAY" to the access map and also
adding "define(`_RELAY_FULL_ADDR_', `1') " in the sendmail.mc and running
make -C /etc/mail but this has no effect on the sendmail.cf file. My
understanding is that if I can get sendmail to accept this undocumented
feature then all will be fine as I will be able to use the access map to
allow mail to those specific users as well as entries of the type "domain
RELAY".

My first question is: Does anyone have any ideas as to why I wouldn't be
able to have this change reflected in sendmail.cf?

My second question is: Does anyone have any ideas on how to utilise access
map and relay-domains to achieve the same thing?

Thanks for your time and assistance.

Simon.




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 01:16 PM
Les Mikesell
 
Default sendmail mail relay backscatter issue.

Simon Billis wrote:
> Hi Folks,
>
> I have a couple of questions which I hope that you will be able to assist
> with, first some background.
>
> I run a few sendmail servers that run MailScanner/Spamassassin/sendmail
> (current versions) on Centos 5.4 and Centos 4.8 These boxes accept mail for
> a large number of domains (6000+) scan the mail removing spam and then
> forward the ham to another server for delivery. I am attempting to stop any
> backscatter that these servers cause by only accepting mail for specific
> users@domain or for domains with a catch-all account.
>
> I currently use /etc/mail/access.db as the access map for the domains, but
> this allows all mail to be accepted for the domain before the attempting to
> send it on for final delivery which causes NDR and backscatter for those
> domains which do not have a catch-all account.
>
> I have looked at adding "To:user@domain RELAY" to the access map and also
> adding "define(`_RELAY_FULL_ADDR_', `1') " in the sendmail.mc and running
> make -C /etc/mail but this has no effect on the sendmail.cf file. My
> understanding is that if I can get sendmail to accept this undocumented
> feature then all will be fine as I will be able to use the access map to
> allow mail to those specific users as well as entries of the type "domain
> RELAY".
>
> My first question is: Does anyone have any ideas as to why I wouldn't be
> able to have this change reflected in sendmail.cf?
>
> My second question is: Does anyone have any ideas on how to utilise access
> map and relay-domains to achieve the same thing?
>
> Thanks for your time and assistance.
>

One approach here if it is practical to collect/maintain all of the valid
recipient addresses is to build a virtuser table with a default reject for each
domain the relay handles plus the list of all valid addresses. This is very
efficient if you can automate the table updates or the user base is stable.

Another would be to use MimeDefang as the framework instead of mailscanner. It
has an option to check recipient addresses via smtp to the delivery servers
before accepting. You may have to write a snippet of perl to get that right for
multiple domains (that's a feature...). This is less efficient but works in
real time against the addresses that will be accepted for delivery.

--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 01:24 PM
 
Default sendmail mail relay backscatter issue.

Mike wrote:
> Simon Billis wrote:
<snip>>
>> I run a few sendmail servers that run MailScanner/Spamassassin/sendmail
>> (current versions) on Centos 5.4 and Centos 4.8 These boxes accept mail
>> for a large number of domains (6000+) scan the mail removing spam and
>> then forward the ham to another server for delivery. I am attempting to
>> stop any backscatter that these servers cause by only accepting mail for
>> specific users@domain or for domains with a catch-all account.
>>
>> running
>> make -C /etc/mail but this has no effect on the sendmail.cf file. My

Does it not give output? Have you tried adding -d?
<snip>
> Another would be to use MimeDefang as the framework instead of
> mailscanner. It has an option to check recipient addresses via smtp to
> the delivery servers before accepting. You may have to write a snippet
> of perl to get that right for multiple domains (that's a feature...).
> This is less efficient but works in real time against the addresses that
> will be accepted for delivery.

I would question how "real time" that would be for every email for 6k+
domains. If a few have a large client base, or are expecting responses
from a mass emailing, it might start to take a *while*, unless you've got
pretty heavy duty equipment and networking.

mark

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 01:56 PM
Les Mikesell
 
Default sendmail mail relay backscatter issue.

m.roth@5-cent.us wrote:
> Mike wrote:
>> Simon Billis wrote:
> <snip>>
>>> I run a few sendmail servers that run MailScanner/Spamassassin/sendmail
>>> (current versions) on Centos 5.4 and Centos 4.8 These boxes accept mail
>>> for a large number of domains (6000+) scan the mail removing spam and
>>> then forward the ham to another server for delivery. I am attempting to
>>> stop any backscatter that these servers cause by only accepting mail for
>>> specific users@domain or for domains with a catch-all account.
>>>
>>> running
>>> make -C /etc/mail but this has no effect on the sendmail.cf file. My
>
> Does it not give output? Have you tried adding -d?
> <snip>
>> Another would be to use MimeDefang as the framework instead of
>> mailscanner. It has an option to check recipient addresses via smtp to
>> the delivery servers before accepting. You may have to write a snippet
>> of perl to get that right for multiple domains (that's a feature...).
>> This is less efficient but works in real time against the addresses that
>> will be accepted for delivery.
>
> I would question how "real time" that would be for every email for 6k+
> domains. If a few have a large client base, or are expecting responses
> from a mass emailing, it might start to take a *while*, unless you've got
> pretty heavy duty equipment and networking.

It's the same thing the downstream server is going to have to repeat in just a
moment anyway, but this time it doesn't have to do the other steps. If you are
close to capacity already it might push you over the edge - and be worth
scripting a way to maintain that frontend virtuser table that makes it a
near-instant hash lookup for the relay sendmail. But for the relay it will be a
win either way to avoid the much heavier load of spam-scanning stuff to invalid
recipients and making the downstream servers construct bounces.

--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 02:02 PM
"Simon Billis"
 
Default sendmail mail relay backscatter issue.

Hi,

> One approach here if it is practical to collect/maintain all of the
> valid
> recipient addresses is to build a virtuser table with a default reject
> for each
> domain the relay handles plus the list of all valid addresses. This is
> very
> efficient if you can automate the table updates or the user base is
> stable.

I have already written the code that updates the access file and the
relay-domains file from the final delivery mail server so I think that to
create a virtusertable should be simple enough, I'll check the documentation
to see how to use the virtusertable in this manner - thanks for the pointer.


> Another would be to use MimeDefang as the framework instead of
> mailscanner. It
> has an option to check recipient addresses via smtp to the delivery
> servers
> before accepting. You may have to write a snippet of perl to get that
> right for
> multiple domains (that's a feature...). This is less efficient but
> works in
> real time against the addresses that will be accepted for delivery.

I'm not so sure that this is an acceptable overhead - the mail scanners
process 2,000,000 messages a day.

Thanks

S.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 02:05 PM
"Simon Billis"
 
Default sendmail mail relay backscatter issue.

Hi,
> >>running
> >> make -C /etc/mail but this has no effect on the sendmail.cf file. My
>
> Does it not give output? Have you tried adding -d?
I get an updated sendmail.cf file but the only diff is the header telling me
when it was complied.

Adding -d give the following (I've removed the non relevant lines):

No implicit rule found for `sendmail.mc'.
Finished prerequisites of target file `sendmail.mc'.
No need to remake target `sendmail.mc'.
Finished prerequisites of target file `sendmail.cf'.
Prerequisite `sendmail.mc' is newer than target `sendmail.cf'.
Must remake target `sendmail.cf'.
make: Entering directory `/etc/mail'
Putting child 0x05474670 (sendmail.cf) PID 10927 on the chain.
Live child 0x05474670 (sendmail.cf) PID 10927
Reaping winning child 0x05474670 PID 10927
Removing child 0x05474670 PID 10927 from chain.
Successfully remade target file `sendmail.cf'.


> > Another would be to use MimeDefang as the framework instead of
> > mailscanner. It has an option to check recipient addresses via smtp
> to
> > the delivery servers before accepting. You may have to write a
> snippet
> > of perl to get that right for multiple domains (that's a feature...).
> > This is less efficient but works in real time against the addresses
> that
> > will be accepted for delivery.
>
> I would question how "real time" that would be for every email for 6k+
> domains. If a few have a large client base, or are expecting responses
> from a mass emailing, it might start to take a *while*, unless you've
> got
> pretty heavy duty equipment and networking.

I agree - I think that the overhead that perl would impose is too high for
this application.

Thanks

S.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 02:09 PM
"Simon Billis"
 
Default sendmail mail relay backscatter issue.

Hi,
> > I would question how "real time" that would be for every email for
> 6k+
> > domains. If a few have a large client base, or are expecting
> responses
> > from a mass emailing, it might start to take a *while*, unless you've
> got
> > pretty heavy duty equipment and networking.
>
> It's the same thing the downstream server is going to have to repeat in
> just a
> moment anyway, but this time it doesn't have to do the other steps. If
> you are
> close to capacity already it might push you over the edge - and be
> worth
> scripting a way to maintain that frontend virtuser table that makes it
> a
> near-instant hash lookup for the relay sendmail. But for the relay it
> will be a
> win either way to avoid the much heavier load of spam-scanning stuff to
> invalid
> recipients and making the downstream servers construct bounces.

I hadn't looked at it like that, you may be right, the reduction in scanning
may provide enough capacity to handle the additional workload from perl. I
think that I would prefer to have sendmail do the "rcpt to:" rejection
utilising a map as this I think will be the fastest method, so I'll check
out the virtusertable approach.

Thanks

S.


_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 02:31 PM
Kai Schaetzl
 
Default sendmail mail relay backscatter issue.

Simon Billis wrote on Thu, 4 Feb 2010 13:28:04 -0000:

> I am attempting to stop any
> backscatter that these servers cause by only accepting mail for specific
> users@domain or for domains with a catch-all account.

I believe milter-ahead or smf-sav can be used for this.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 03:19 PM
Les Mikesell
 
Default sendmail mail relay backscatter issue.

On 2/4/2010 9:09 AM, Simon Billis wrote:
> Hi,
>>> I would question how "real time" that would be for every email for
>> 6k+
>>> domains. If a few have a large client base, or are expecting
>> responses
>>> from a mass emailing, it might start to take a *while*, unless you've
>> got
>>> pretty heavy duty equipment and networking.
>>
>> It's the same thing the downstream server is going to have to repeat in
>> just a
>> moment anyway, but this time it doesn't have to do the other steps. If
>> you are
>> close to capacity already it might push you over the edge - and be
>> worth
>> scripting a way to maintain that frontend virtuser table that makes it
>> a
>> near-instant hash lookup for the relay sendmail. But for the relay it
>> will be a
>> win either way to avoid the much heavier load of spam-scanning stuff to
>> invalid
>> recipients and making the downstream servers construct bounces.
>
> I hadn't looked at it like that, you may be right, the reduction in scanning
> may provide enough capacity to handle the additional workload from perl. I
> think that I would prefer to have sendmail do the "rcpt to:" rejection
> utilising a map as this I think will be the fastest method, so I'll check
> out the virtusertable approach.

I recommend MimeDefang in any case because it uses a very efficient
multiplexing technique to let sendmail interleave fast/slow operations
with a minimum of long-running perl processes doing the milter
operations - and since spamassassin is perl it runs it internally. See
page 31 of this pdf:
http://www.mimedefang.org/static/mimedefang-lisa04.pdf. And, it lets you
control most things in a small chunk of perl instead of fighting with
sendmail. There are RPMs for it and clamav at rpmforge.

But, even with MimeDefang it will help to reject everything you can up
front. To use virtusertable you have to add the domains you accept for
to the local_host_names - which may then require some tweaking to
arrange actual delivery, perhaps through mailertable if you aren't
already mapping to some other internal host's A record name. Then you
can do things like:

# make domain2.com equivalent to domain1.com
@domain2.com %1%3@domain1.com
# reject domain3.com (might be a CNAME that inherits the MX)
@domain3.com error:nouser No such user here

# accept known addresses for domain1.com and set internal target
realuser1@domain1.com realuser1@deliveryhost.com
realuser2@domain1.com realuser2@deliveryhost.com
# reject anything else for domain1.com
@domain3.com error:nouser No such user here

--
Les Mikesell
lesmikesell@gmail.com




_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-04-2010, 03:28 PM
Les Mikesell
 
Default sendmail mail relay backscatter issue.

On 2/4/2010 9:05 AM, Simon Billis wrote:
> > Another would be to use MimeDefang as the framework instead of
>>> mailscanner. It has an option to check recipient addresses via smtp
>> to
>>> the delivery servers before accepting. You may have to write a
>> snippet
>>> of perl to get that right for multiple domains (that's a feature...).
>>> This is less efficient but works in real time against the addresses
>> that
>>> will be accepted for delivery.
>>
>> I would question how "real time" that would be for every email for 6k+
>> domains. If a few have a large client base, or are expecting responses
>> from a mass emailing, it might start to take a *while*, unless you've
>> got
>> pretty heavy duty equipment and networking.
>
> I agree - I think that the overhead that perl would impose is too high for
> this application.

MimeDefang doesn't start a perl process for each operation, it
multiplexes the milter requests from many sendmail processes to a few
long-running perl daemons. This is done separately for each milter
operation so fast things don't end up waiting for slow things like the
spam scans. It doesn't take long for an already-running perl to send a
few network packets to verify an address via snmp, but it does add load
to the downstream server to do the lookup.

--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 

Thread Tools




All times are GMT. The time now is 09:49 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org