[Mimedefang] Re: Sendmail config (slightly OT) (Jan Pieter Cornet)

[Jan Pieter Cornet]

On Wed, Jan 12, 2005 at 04:07:59PM -0500, Dirk the Daring wrote:
>   Global RBLs are fine, and the sooner I drop the spammer's connection,

Not everything that's on an RBL is necessarily spam :) You might want
to protect "ceo at yourcompany" with l2.spews, but not abuse at yourcompany...
But it's OK to start with central blacklists, and step up to doing it
in MD later of course, if or when it becomes necessary...

> >You do not have to use VIRTUSER_DOMAIN_FILE. That is just a macro
> >that fills class {VirtHost}. You simply put all domains that you
> >wish to relay for in /etc/mail/virtuser.domains, and put this in your
> >sendmail.mc:
> >
> >LOCAL_CONFIG
> >F{VirtHost}/etc/mail/virtuser.domains
> 
>    I'm unclear on how that is different. Won't the contents of Class
> {VirtHost} get added to Class {R}? Or is this a way to bypass that?
> Since this is a pure relay, with NO local accounts, should I even use
> Class {VirtHost}?

It's different precisely because it DOES NOT add class {VirtHost} to
class {R}. The default VIRTUSER_DOMAIN_FILE macro will do that for you,
in a misguided attempt to be user-friendly, but you don't have to use
that macro.

> >You don't want Class {w}, that will make userX at domain1 equivalent
> >to userX at domain2, which is not necessarily what you want.
> 
>    I tend to agree, but then how do accomplish the things I want to do
> such as having an /etc/mail/access entry like
> 
> 	to:someaddr@		REJECT
> 
>    and having that applied to ALL Domains I host? So that
> SMTP RCPT TO: someaddr at domain1.com results in a REJECT, as does SMTP
> RCPT TO: someaddr at domain2.com

You can't. You can't have it both ways. Once use put the domains in
class {w}, recipients will ALWAYS be treated the same, you cannot split
them up later.

As I said... either list all domains manually, build some extension
to the Makefile that will autogenerate the list by doing a carthesian
product of (list-of-invalid-recipients) x (list-of-domains-you-host),
or do the blocking in MIMEDefang as I previously described.

>    That's probably going to be my long-term route. I was just trying to
> get some basic blocking working before I started on implementing MD and
> SA. And yes, blocking the addresses in CC is fine by me.

You might consider "blocking some list of aliases in every domain"
is not basic filtering anymore, and delay that until you have MD
running :)

Oh... one more thing. From your questions I take it that your "IO"
host will simply accept every address on all domains that you host,
and then bounce the stuff that's rejected on the target machines.

This is generally considered a bad idea these days. We (unfortunately)
have this setup for some clients in a batched-SMTP setup, and I regularly
see spammers drop thousands upon thousands of dictionary spam on those
domains. We end up scattering out if we cannot check the recipient against
a list of valid recipients.

Fortunately, MD to the rescue again. MD has a function
md_check_against_smtp_server(), that allows you to check a recipient
against a remote SMTP server, while the recipient is being offered to us.

You will very probably want to use it. And it's dead easy because your
sendmail setup will already provide MIMEDefang with the correct remote
host to check against (in $rcpt_host, given that $rcpt_mailer =~ /smtp/).

Hope this helps,

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf at fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig;                                # Jan-Pieter Cornet