----- Original Message -----
From: "Cowles, Steve" <steve@xxxxxxxxxxxxxxx>
To: "'For users of Fedora Core releases'" <fedora-list@xxxxxxxxxx>
Sent: Thursday, July 29, 2004 8:52 PM
Subject: RE: Email question

> Jake McHenry wrote:
> > I'm not running iptables ... on the old setup I had mailscanner
> > running and another utility that gave me stats on email that could
> > add spammers to the access db, maybe I'll just configure all that
> > again. The only problem was some addresses entered into the access db
> > were legitimate people. Can anyone recommend a better solution?
>
> Jake,
>
> I no longer use sendmail (I now use postfix), but I had a similar problem
> with dictionary attacks because my sendmail MTA was a frontend for an
> exchange server. To ensure that sendmail "only" accepted/relayed e-mail for
> valid accounts on the exchange server, I used the following approach (trick)
> in /etc/mail/access. Maybe it will work for you. I have copy/pasted a backup
> copy of my previous sendmail access file configuration (with a few edits).
>
> As always, your mileage may vary based on how sendmail is configured at your
> end, so be sure to make a backup of your current access file -and- be sure
> to run an open relay checker against any changes you make. I've always used
> the following site for testing:
> http://www.abuse.net/relay.html
>
>
> <copy/paste /etc/mail/access>
>
> # If this is both an inbound and outbound MTA, then add the systems that
> # are allowed to relay e-mail through this system.
> 192.168.1 RELAY
>
> # Reject both envelope sender (mail from) and recipients (rcpt to)
> # that contain mydomain.com
> mydomain.com REJECT
>
> # To negate the above reject, add only "valid" recipients for mydomain.com
> scowles@xxxxxxxxxxxx OK
> postmaster@xxxxxxxxxxxx OK
> etc...
>
> Note 1: The above implementation was based on reading:
> http://www.sendmail.org/m4/anti_spam.html#access_db
>
> The really confusing part about sendmail (versus postfix) is understanding
> in which context the access file is consulted. i.e. is the test done against
> the envelope sender or recipient or both. What a PITA. Postfix does a lot
> better job at implementing these types of tests.
>
> Note 2: Maintaining a valid list of exchange recipients (mailboxes) on the
> sendmail server was accomplished by writing a shell script that did an LDAP
> query against the exchange server to build an access formatted list of valid
> mailboxes. This script was run as an hourly cronjob. This way, when I made a
> change (add/delete) on the exchange server, it was replicated to the
> sendmail frontend. In fact, I still do this with postfix as a frontend.
>
> Note 3: When an invalid recipient was specified (like during a dictionary
> attack), it was rejected after the "rcpt to"; thus no DSN/bounce was
> generated by sendmail. i.e. The rejection occurs before the inbound e-mail
> is submitted to the queue for delivery. Nice!!!
>
> Hope the above solution at least points you in the right direction for
> achieving your goal.
>
> Steve Cowles

Can I put just the username after the rejects or do I need the entire domain
name? I am hosting 6 domain names.. I would need to put each username at each
domain... :-(

Jake
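
The hourly rebuild described in Note 2, sketched as an added example; it is not part of the original thread and is not Steve Cowles's script. It assumes the LDAP query output is LDIF with one unwrapped `mail:` line per mailbox; `DOMAINS`, the function names and the sample addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: turn LDIF "mail:" lines into sendmail access entries.
# DOMAINS and all sample addresses below are constructed placeholders.
DOMAINS="example.com example.net"

# Reads LDIF on stdin. Prints "address<TAB>OK" for each mailbox in a hosted
# domain, then "domain<TAB>REJECT" for each hosted domain.
# Exits 1 with no output when no mailbox is found, so a failed or empty LDAP
# query never yields a file that rejects every recipient.
build_access() {
    awk -v domains="$DOMAINS" '
        BEGIN { n = split(domains, d, " ")
                for (i = 1; i <= n; i++) hosted[d[i]] = 1 }
        tolower($1) == "mail:" && NF == 2 {
            addr = tolower($2)                      # access keys: use lower case
            at = index(addr, "@")
            if (at < 2) next                        # no local part
            if (!(substr(addr, at + 1) in hosted)) next   # not our domain
            if (addr !~ /^[a-z0-9._+-]+@[a-z0-9.-]+$/) next  # skip odd values
            if (!(addr in seen)) { seen[addr] = 1; list[++count] = addr }
        }
        END {
            if (count == 0) exit 1
            for (i = 1; i <= count; i++) printf "%s\tOK\n", list[i]
            for (i = 1; i <= n; i++) printf "%s\tREJECT\n", d[i]
        }'
}

# Constructed LDIF sample standing in for the directory query output.
sample_ldif() {
    cat <<'EOF'
dn: CN=Alice,CN=Users,DC=example,DC=com
mail: Alice@Example.com
dn: CN=Postmaster,CN=Users,DC=example,DC=com
mail: postmaster@example.net
dn: CN=Partner,CN=Users,DC=example,DC=com
mail: partner@elsewhere.test
mail: alice@example.com
EOF
}

# Typical cron usage (paths are assumptions; keep local RELAY lines separately):
#   build_access < mailboxes.ldif > /etc/mail/access.new \
#     && mv /etc/mail/access.new /etc/mail/access \
#     && makemap hash /etc/mail/access < /etc/mail/access
```

Because the new file only replaces the old one when `build_access` succeeds, an unreachable directory server leaves the previous access map in place.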