[Mimedefang] Sendmail config (slightly OT)

Jan Pieter Cornet johnpc at xs4all.nl
Tue Jan 11 15:57:39 EST 2005


Just a few points in response to your longish post.

On Tue, Jan 11, 2005 at 10:59:42AM -0500, Dirk the Daring wrote:
>    The main purpose IO has in life is to be a mail relay for multiple
> Domains that I host - there is NO need for local delivery (i.e. there
>    Servers A, B and C all relay OUT thru IO (that is, they are all
> configured to regard IO as their "Smart" mailhost). Only IO sends E-Mail
> out from my network.

Note that it saves hassles and confusion if you split the I and O
functionality here, i.e. have one dedicated incoming MX server, and
one dedicated outgoing smarthost.

You can combine them, of course, this is just what I'd recommend.
Hardware cost should be peanuts compared to the ease of maintenance
and configuration.

>    IO is configured to use RBLs with the FEATURE(`dnsbl') and
> FEATURE(`enhdnsbl') entries in sendmail.cf. It does this successfully.

You could move that to mimedefang, with some added flexibility (e.g.,
we do that to allow per-recipient selectable DNSBLs). But it works well
with the sendmail FEATUREs too.
 
>    So far, so good.
> 
>    The problem arises in how to properly route E-Mail. I can't use
> RELAY_DOMAINS (Class {R}), as that bypasses the access db for the listed
> Domains. If I use RELAY_DOMAINS, it becomes impossible to blacklist
> recipients.

Class {R} is evil. And a downright security risk if you do not control
the DNS of one of the domains in it. Do not use it.
 
>    I can use FEATURE(`virtusertable') to translate addresses to the
> 
>    The problem being that I cannot use VIRTUSER_DOMAIN_FILE because
> those entries get added to Class {R} and again break the access db.

You do not have to use VIRTUSER_DOMAIN_FILE. That is just a macro
that fills class {VirtHost}. You simply put all domains that you
wish to relay for in /etc/mail/virtuser.domains, and put this in your
sendmail.mc:

LOCAL_CONFIG
F{VirtHost}/etc/mail/virtuser.domains

>    As a final complication, I also can't use /etc/mail/local-host-names
> (Class {w}), because that breaks mailertable (i.e. mailertable is not
> consulted for Domains in Class {w}). Besides, as I noted, there is no
> local delivery at all.

You don't want Class {w}, that will make userX@domain1 equivalent
to userX@domain2, which is not necessarily what you want.

> 	1) Is there any definitive listing of what tables are
> 		consulted in what order and when during the
> 		sendmail mail-handling process?

Well, cf.README (or the README in the cf/ subdirectory) does
something, but it doesn't really do it very well. Look for the
section marked
+---------------------------------+
| ANTI-SPAM CONFIGURATION CONTROL |
+---------------------------------+

There is an in-depth description of what sendmail does during
processing, but unfortunately it's called sendmail.cf. Not
recommended reading, unless really needed. And it changes every
time you change the sendmail.mc file. (So you really need
cf/*/*.m4... urgh).

> 	2) How can I host multiple Domains on a relay without
> 		being forced to add the Domains to /etc/access

See above.
 
> 	3) Does anyone know, for sure, how sendmail looks up
> 		entries in its tables? That is, does it stop once
> 		it find the first matching key (which is the way
> 		I'd do it), or does it have some sort of resolution
> 		mechanism for when multiple keys in, say,
> 		/etc/mail/access, match? I can't find a definitive
> 		answer to this question in any online or printed docs.

It stops at the first match, but it searches from most specific
to less specific. E.g., it tries "From:user@example.com", then
"user@example.com", then "From:@example.com", then "@example.com",
and if matching a table that allows domain wildcards (like mailertable),
it'll gradually strip away leading hostname parts to find a match.

Again, it's documented in sendmail.cf... but you'll have to know
how to look for it :)

> 	4) I'd like to blacklist certain TO: addresses for ALL
> 		Domains I host, without having to make an entry
> 		in /etc/mail/access for each address in each Domain
> 		(e.g. BLAddrX@Domain1.com, BLAddrY@Domain2.com,
> 		BLAddrZ@Domain, etc). However, it seems that I can't
> 		do that without listing all the Domains in
> 		/etc/mail/local-host-names (Class {w}), which breaks
> 		mailertable. Also, since there is NO local delivery,
> 		I shouldn't be using /etc/mail/local-host-names at
> 		all, should I?

Define a macro or use a script to autogenerate the entries in the
access database. Put those in access.generated, and cat access
access.generated in the Makefile.

Or, easier and better configurable, do it within MIMEDefang:

sub filter_end {
    my ($entity) = @_;

    # @Recipients holds the envelope recipients (all hosted domains).
    # The match is unanchored, so it also hits any recipient whose
    # domain part happens to contain one of these words.
    if ( grep { /foulword|badlanguage|deity/ } @Recipients ) {
        return action_bounce("No swearing");
    }
}

This has the side-effect of blocking messages completely that
are even Cc-ed to those with the illegal usernames. Which can be
construed as a feature.

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet
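Added example (my own Python, not code from the post, from sendmail or from MIMEDefang): a small model of the lookup order described for the access db and for mailertable, together with a generator for the access.generated file suggested for blacklisting the same usernames across every hosted domain. The key order is an assumption taken from the description above (tagged full address, untagged full address, tagged @domain, untagged @domain, then leading-dot wildcards for mailertable); sendmail's real rules live in sendmail.cf and cover more tags and steps than this. All domains, usernames and mailer values are constructed.

```python
"""Model of the sendmail access-db / mailertable lookup order (assumed from
the post's description, not taken from sendmail.cf) plus an access.generated
builder. Constructed example; not sendmail or MIMEDefang code."""
from typing import Dict, Iterable, List, Optional, Tuple

Entry = Tuple[str, str]


def access_lookup_keys(tag: str, address: str) -> List[str]:
    """Keys tried for an access-map lookup, most specific first:
    'Tag:user@dom', 'user@dom', 'Tag:@dom', '@dom'."""
    _user, _, domain = address.rpartition("@")
    keys = [f"{tag}:{address}", address]
    if domain:
        keys += [f"{tag}:@{domain}", f"@{domain}"]
    return keys


def access_lookup(table: Dict[str, str], tag: str, address: str) -> Optional[Entry]:
    """Stop at the first key present in the map; return (key, value) or None."""
    for key in access_lookup_keys(tag, address):
        if key in table:
            return key, table[key]
    return None


def mailertable_keys(domain: str) -> List[str]:
    """Exact domain first, then leading-dot wildcards with host labels stripped:
    'a.b.example.com' -> '.b.example.com' -> '.example.com' -> '.com'."""
    labels = domain.split(".")
    return [domain] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]


def mailertable_lookup(table: Dict[str, str], domain: str) -> Optional[Entry]:
    """Same first-match rule, over the wildcard key sequence."""
    for key in mailertable_keys(domain):
        if key in table:
            return key, table[key]
    return None


def generate_access_entries(usernames: Iterable[str], domains: Iterable[str],
                            action: str = "REJECT") -> List[str]:
    """One 'To:' entry per (username, domain) pair, ready for access.generated."""
    usernames = list(usernames)
    return [f"To:{u}@{d}\t{action}" for d in domains for u in usernames]


def parse_access_lines(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'key<whitespace>value' lines; '#' comments and blanks are skipped."""
    table: Dict[str, str] = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


if __name__ == "__main__":
    # Constructed data: two hosted domains, two usernames to block everywhere.
    hosted = ["domain1.example", "domain2.example"]
    generated = generate_access_entries(["foulword", "deity"], hosted)
    access = parse_access_lines(
        ["To:@domain1.example\tRELAY   # hand-written part of access",
         "To:@domain2.example\tRELAY"] + generated)
    for rcpt in ("alice@domain1.example", "foulword@domain1.example",
                 "alice@elsewhere.example"):
        print(rcpt, "->", access_lookup(access, "To", rcpt))

    # Constructed mailertable: one wildcard entry routes every host under
    # domain1.example to an internal server.
    mailertable = parse_access_lines([".domain1.example\tsmtp:[servera.internal]"])
    print("mail.domain1.example ->",
          mailertable_lookup(mailertable, "mail.domain1.example"))
```

The specific `To:foulword@domain1.example` entry is found before the domain-wide `To:@domain1.example RELAY`, which is the most-specific-first behaviour the answer describes; a recipient in a domain with no entry at all falls through to `None`, i.e. whatever the default policy is.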


