[Mimedefang] Sendmail config (slightly OT)

Dirk the Daring dirk at psicorps.org
Tue Jan 11 10:59:42 EST 2005 

   Hello, MIMEdefang gurus. I'm setting up a mail relay to which I'll be
adding MIMEdefang, SpamAssassin and ClamAV. However, I'm running into
some problems with the sendmail config, and I hope someone on here can
help me iron this out, so I can progress on to the other installs and
get MD and SA running. Obviously, I want to have sendmail 100%
configured before progressing on.

   Documentation at hand includes the Bat Book (_Sendmail_3rd_edition_),
Hunt's _Sendmail_Cookbook_, and the online sendmail docs. I've consulted
the list Archives and been unable to find the answers I need.

   I'm running sendmail v8.12.11 under Solaris v8 on a SparcServer 20,
2x 200 MHz HyperSparc CPUs, 512 MB RAM. sendmail has been compiled with
support for Berkeley DB 4.1.25 as shown in its debug output:

 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB NIS
		NISPLUS PIPELINING SCANF USERDB XDEBUG

   Let's call this Host IO (as in I/O).

   The main purpose IO has in life is to be a mail relay for multiple
Domains that I host - there is NO need for local delivery (i.e. there
are no user accounts on IO). An E-Mail for a given Domain can go to any
one of several interior servers (let's call them A, B and C). So E-Mail
for UserX at Domain1.com might go to Server A, while E-Mail for
UserY at Domain1.com might go to Server B. However, all E-Mail to any
address @Domain2.com goes to Server C.

   Servers A, B and C all relay OUT thru IO (that is, they are all
configured to regard IO as their "Smart" mailhost). Only IO sends E-Mail
out from my network.

   IO is configured to use RBLs with the FEATURE(`dnsbl') and
FEATURE(`enhdnsbl') entries in sendmail.cf. It does this successfully.

   I wish to employ the sendmail access database (/etc/mail/access) to
selectively blacklist both senders and recipients. To this end, I have
added FEATURE(blacklist_recipients). Since I want a legit sender who has
been BLed to be able to reach me to request whitelisting, I also employ
FEATURE(`delay_checks') so I can put an entry in the access db to permit
otherwise blocked mail to reach one specific address. Finally, entries
in the access db allow Servers A, B and C to bypass RBL checks (using
the "connect:" keyword on the LHS). So the access db is important.

   So far, so good.

   The problem arises in how to properly route E-Mail. I can't use
RELAY_DOMAINS (Class {R}), as that bypasses the access db for the listed
Domains. If I use RELAY_DOMAINS, it becomes impossible to blacklist
recipients.

   I can use FEATURE(`virtusertable') to translate addresses to the
proper host, with entries like this:

	@Domain2.com		%1 at ServerC.mydomain.com
	UserX at Domain1.com	UserX at ServerA.mydomain.com
	UserY at Domain1.com	UserY at ServerB.mydomain.com

   However, as I understand it, I still need mailertable
(/etc/mail/mailertable) to route the E-Mail to the proper host, with
entries like this:

	serverA.mydomain.com	smtp:[servera.mydomain.com]
	serverB.mydomain.com	smtp:[serverb.mydomain.com]
	serverC.mydomain.com	smtp:[serverc.mydomain.com]

   The problem being that I cannot use VIRTUSER_DOMAIN_FILE because
those entries get added to Class {R} and again break the access db.

   As a final complication, I also can't use /etc/mail/local-host-names
(Class {w}), because that breaks mailertable (i.e. mailertable is not
consulted for Domains in Class {w}). Besides, as I noted, there is no
local delivery at all.

   So, my questions to the sendmail gurus in this forum are:

	1) Is there any definitive listing of what tables are
		consulted in what order and when during the
		sendmail mail-handling process?

	2) How can I host multiple Domains on a relay without
		being forced to add the Domains to /etc/access
		(thus bypassing some checks), or adding them
		to Class {R} (thus bypassing practically all
		checks aside from RBLs), or adding them
		to Class {w} (thus breaking mailertable); while
		still retaining the ability to selectively route
		E-Mail and selectively blacklist recipients and/or
		senders? Right now, I've added the Domains to
		/etc/mail/access with the RELAY action.

	3) Does anyone know, for sure, how sendmail looks up
		entries in its tables? That is, does it stop once
		it find the first matching key (which is the way
		I'd do it), or does it have some sort of resolution
		mechanism for when multiple keys in, say,
		/etc/mail/access, match? I can't find a definitive
		answer to this question in any online or printed docs.

	4) I'd like to blacklist certain TO: addresses for ALL
		Domains I host, without having to make an entry
		in /etc/mail/access for each address in each Domain
		(e.g. BLAddrX at Domain1.com, BLAddrY at Domain2.com,
		BLAddrZ at Domain, etc). However, it seems that I can't
		do that without listing all the Domains in
		/etc/mail/local-host-names (Class {w}), which breaks
		mailertable. Also, since there is NO local delivery,
		I shouldn't be using /etc/mail/local-host-names at
		all, should I?

   I'm looking forward to getting MD, SA and CLAM added to this server,
so any help folx can offer as far as nailing down the sendmail config
goes would be appreciated. Also, if anything I'm doing/planning to do is
going to cause me problems when I do implement MD/SA/CLAM, let me know
that as well.

   Thank you for sticking all the way thru this long E-Mail, and for any
assistance you might offer.

More information about the MIMEDefang mailing list