Jake McHenry wrote: > Can I put just the username after the rejects or do I need the entire > domain name? I am hosting 6 domain names.. I would need to put each > username at each domain... :-( Jake, With any solution, there are always the pros/cons. You've just discovered the con. But stopping the dictionary attacks far outwighed having to maintain a list of valid users in my access file. In fact, that's why I developed the shell script to automate the task of keeping sendmail (now postfix) in sync with my exchange server. You might have to develop your own methodology if you decide to implement my solution. FWIW: I host three domains at this end. I have to add each "valid" recipient (per domain)to the access file. i.e. mydomain1.com REJECT scowles@xxxxxxxxxxxxx OK mydomain2.com REJECT scowles@xxxxxxxxxxxxx OK Why? If I remember sendmail correctly - by using the access file test in the manner I described, you are testing accepting/rejecting the inbound e-mail after the "rcpt to", but "prior" to the inbound e-mail being submitted to the designated mailer queue. i.e. procmail or relay (in my case). So, in the case of local delivery, procmail does not ever get called. So it doesn't have a chance to issue an "Unknown User" back to sendmail for the bounce message. Which is a good thing for dictionary type of attacks. Finally, I hope you're not trying to implement such a drastic change to sendmail on a production server. Setup a test server. That's what I did. The thought of adding a REJECT for mydomain.com scared the hell out of me at first. Again, you milage may vary based on your requirements on how sendmail must be configured at your end. Steve Cowles
