From: Shidony on
Hi all,

I know that Sendmail 8.12.11 has built-in rulesets that kick in by
default. In particular, check_relay should activate every time an
(e)SMTP connection is made to the mail server.

My issue currently is that check_relay fires in some situations and not
in others. In the cases where it doesn't, the relay server is allowed to
carry out a dictionary attack. I have specifically flagged mail from
these relays to be DISCARDed within /etc/mail/access. I thought
check_relay was the first ruleset to be called and if a match is found
in access.db access is denied. If this is not correct and I'm mistaken
in my logic please educate me :)

IMO check_rcpt or check_mail should never be called if a relay is
explicitly denied SMTP access within /etc/mail/access. Below is an
example access.db file resembling my setup.

# Repeated offenders
asahi-net.or.jp 550 Your domain/host is not allowed to relay to our network
brasiltelecom.net.br DISCARD

# 10/09/2006
221.202.220.201 550 Your domain/host is not allowed to relay to our network

# 11/09/2006
124.121.18.37 550 Your domain/host is not allowed to relay to our network

# Allow relay from local network
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
myserver.domain RELAY
subnet.1 RELAY
subnet.2 RELAY

# Local Users
To:user1(a)domain RELAY
To:user2(a)domain RELAY
To:user1(a)domain2 RELAY
To:user2(a)domain2 RELAY

# Catch all other users
To:domain error:5.1.1:"550 User unknown"
To:domain2 error:5.1.1:"550 User unknown"

The dated rejection lists are only kept for 4 days and are temporary so
as to not affect genuine mailers. If further information is required I
will be more than happy to provide what's necessary.

Thanks all!

From: René Berber on

Shidony wrote:

> I know that Sendmail 8.12.11 has built-in rulesets that kick in by
> default. In particular, check_relay should activate every time an
> (e)SMTP connection is made to the mail server.

I'm not sure about that version since I'm using 8.13.8 but...

> My issue currently is that check_relay fires in some situations and not
> in others. Cases where it doesn't, the relay server is allowed to
> carry out a dictionary attack.

A dictionary attack is against your server, not against relaying (which
means sending mail through your server).

> I have specifically flagged mail from
> these relays to be DISCARDed within /etc/mail/access. I thought
> check_relay was the first ruleset to be called and if a match is found
> in access.db access is denied. If this is not correct and I'm mistaken
> in my logic please educate me :)

You are using a combination of old and new syntax, which is valid but
will not do what you want to do.

> IMO check_rcpt or check_mail should never be called if a relay is
> explicitly denied SMTP access within /etc/mail/access. Below is an
> example access.db file resembling my setup.
>
> # Repeated offenders
> asahi-net.or.jp 550 Your domain/host is not allowed to relay to our network
> brasiltelecom.net.br DISCARD

Change this to:

Connect:brasiltelecom.net.br REJECT
Connect:asahi-net.or.jp 550 Your domain/host is not allowed...

> # 10/09/2006
> 221.202.220.201 550 Your domain/host is not allowed to relay to our network

Same here.

> # 11/09/2006
> 124.121.18.37 550 Your domain/host is not allowed to relay to our network
>
> # Allow relay from local network
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
> myserver.domain RELAY
> subnet.1 RELAY
> subnet.2 RELAY

Same here, but you don't need all those aliases.

> # Local Users
> To:user1(a)domain RELAY
> To:user2(a)domain RELAY
> To:user1(a)domain2 RELAY
> To:user2(a)domain2 RELAY
>
> # Catch all other users
> To:domain error:5.1.1:"550 User unknown"
> To:domain2 error:5.1.1:"550 User unknown"

User unknown? Why not REJECT?

> The dated rejection lists are only kept for 4 days and are temporary so
> as to not affect genuine mailers. If further information is required I
> will be more than happy to provide what's necessary.

You could also add the connection throttling rules (if sendmail was
compiled with that feature); that option was meant exactly for the
dictionary attacks (but a greylist milter is way more effective).

GreetPause is another option that spammers hate.

HTH
--
René Berber

From: Shidony on
> >
> > # Repeated offenders
> > asahi-net.or.jp 550 Your domain/host is not allowed to relay to our network
> > brasiltelecom.net.br DISCARD
>
> Change this to:
>
> Connect:brasiltelecom.net.br REJECT
> Connect:asahi-net.or.jp 550 Your domain/host is not allowed...

I wish to DISCARD all emails from brasiltelecom as it has been
repeatedly spamming our network over the period of a few weeks. Will
try your suggestion above with DISCARD.

> >
> > # Catch all other users
> > To:domain error:5.1.1:"550 User unknown"
> > To:domain2 error:5.1.1:"550 User unknown"
>
> User unknown? why not REJECT?
>

This is a rejection that displays a more specific error when incorrect
addresses are provided.

>
> You could also add the connection throttling rules (if sendmail was
> compiled with that feature); that option was meant exactly for the
> dictionary attacks (but a greylist milter is way more effective).
>
> GreetPause is another option that spammers hate.

I forgot to mention that I've already implemented connection
throttling, which is enough to deter some spammers. Others just
continue to attack even after being throttled. Those are the ones that
end up in my permanent rejection list. That's why it's even more
important that the server catch these on an SMTP level during
check_relay. Will look into GreetPause.

Thanks
Shidony

From: René Berber on

Shidony wrote:
[snip]
> I wish to DISCARD all emails from brasiltelecom as it has been
> repeatedly spamming our network over the period of a few weeks. Will
> try your suggestion above with DISCARD.

I think you have not read the documentation: REJECT sends the 55x error
code immediately, at connection; DISCARD allows the other server to
deliver its garbage (and be happy about it) before deleting (silently)
the message.

Quoting from the documentation:

"The value part of the map can contain:
  OK       Accept mail even if other rules in the running ruleset would
           reject it, for example, if the domain name is unresolvable.
  RELAY    Accept mail addressed to the indicated domain or received from
           the indicated domain for relaying through your SMTP server.
           RELAY also serves as an implicit OK for the other checks.
  REJECT   Reject the sender or recipient with a general purpose message.
  DISCARD  Discard the message completely using the $#discard mailer. If
           it is used in check_compat, it affects only the designated
           recipient, not the whole message as it does in all other cases.
           This should only be used if really necessary.
  ### any text
           where ### is an RFC 821 compliant error code and "any text" is
           a message to return for the command. The string should be
           quoted to avoid surprises, e.g., sendmail may remove spaces
           otherwise.
  ERROR:### any text
           as above, but useful to mark error messages as such.
  ERROR:D.S.N:### any text
           where D.S.N is an RFC 1893 compliant error code and the rest as
           above."

> > > # Catch all other users
> > > To:domain error:5.1.1:"550 User unknown"
> > > To:domain2 error:5.1.1:"550 User unknown"
> >
> > User unknown? why not REJECT?
>
> This is a rejection that displays a more specific error when incorrect
> addresses are provided.

The REJECT also sends an error code, and responding with an incorrect
message like you are doing is not polite (the user may or may not be
unknown).

[snip]
--
René Berber

From: Shidony on
> I think you have not read the documentation: REJECT sends the 55x error
> code immediately, at connection; DISCARD allows the other server to
> deliver its garbage (and be happy about it) before deleting (silently)
> the message.

Okay. That's a fair enough comment. I guess I was getting tired of
reading log entries generated by open relays whose admins couldn't care
less if their servers are being misused. I will make the necessary
changes to REJECT offending servers.

> > > > # Catch all other users
> > > > To:domain error:5.1.1:"550 User unknown"
> > > > To:domain2 error:5.1.1:"550 User unknown"
> > >
> The REJECT also sends an error code, and responding with an incorrect
> message like you are doing is not polite (the user may or may not be
> unknown).

I don't understand. Which part of the error message is impolite? This
method of rejection is derived straight from the documentation.

  OK       Accept mail even if other rules in the running ruleset would
           reject it.
  RELAY    Accept mail addressed to the indicated domain or received from
           the indicated domain for relaying through your SMTP server.
  REJECT   Reject the sender or recipient with a general purpose message.
  DISCARD  Discard the message completely using the $#discard mailer.
  SKIP     This can only be used for host/domain names and IP
           addresses/nets. It will abort the current search for this
           entry without accepting or rejecting it but causing the
           default action.
  ### any text
           where ### is an RFC 821 compliant error code and "any text" is
           a message to return for the command. The string should be
           quoted to avoid surprises, e.g., sendmail may remove spaces
           otherwise. This type is deprecated, use one of the two ERROR:
           entries below instead.
  ERROR:### any text
           as above, but useful to mark error messages as such.
  ERROR:D.S.N:### any text
           where D.S.N is an RFC 1893 compliant error code and the rest as
           above.

If the search reaches this far it has already searched through all
valid email addresses that this server is responsible for, and
therefore should generate a "User unknown" notification.

Thanks again!
Shidony