[Mimedefang] Blocking Dictionary Attacks

Les Mikesell les at futuresource.com
Fri Jun 5 09:13:59 EDT 2009

Andrzej Adam Filip wrote:
>>> That's a great idea!  I tried it but no matter what I do, sendmail is
>>> letting everything through.  Virtusertable is configured correctly in
>>> sendmail.mc, also did the appropriate makemap.  I think something has
>>> changed in sendmail (I have 8.13.8).  I've searched the world over 10
>>> times and tried many different combinations in virtusertable &
>>> mailertable and no matter what it relays everything.  I know it is
>>> looking at the virtusertable because sendmail lets me know if I put an
>>> error in the file.  The closest I can come is to use the access table
>>> in a similar fashion.  That does work but I can't find a way NOT to
>>> send a reject message.  That's one thing I don't want to do is to tie
>>> up my server sending 10,000 rejects to a zombie somewhere.  If I use
>>> the DISCARD command, then it tosses the whole email and nobody gets
>>> it, even valid users.
>>> Is there some trick to making your suggestion work?
>> In my case the MX server relaying in from the internet is not itself
>> the delivery host.  It has the domains it receives for listed in
>> local-host-names and the actual delivery destination is mapped in
>> mailertable like:
>> domain.com esmtp:[host.domain.com]
>> (the []'s let you go to a name with an A  record or an IP instead of
>> the default MX lookup)
> mailertable is *NOT* consulted for domains listed in list of local email
> domains ($=w, local-host-names).

Hmmm, I guess my virtuser table maps user@domain to user@host.domain and 
it is actually the host.domain mailertable entries that work - or they 
work without special lookups.

>> Maybe you don't have the domain listed in local-host-names so sendmail
>> thinks it must relay.  Virtual users and aliases are only checked for
>> the domains it processes as local - but you can still relay for
>> delivery.
> virtusertable is consulted for local email domains ($=w) and
> (non local) domains listed in $={VirtHost}.
> Read carefully about side effects before using macros provided by
> sendmail.org for filling $={VirtHost}.
> You can fill $={VirtHost} "directly":
> C{VirtHost}example.net
> P.S.
> The topic has been discussed a few times plus in news:comp.mail.sendmail
> Search for the threads with _VIRTUSER_STOP_ONE_LEVEL_RECURSION_
> [it marks one recipe but you will find references to others by the way]

I set everything up with the macros in sendmail.mc on a CentOS system. 
I used to use MAIL_HUB for what I considered the 'main' domain with 
mimedefang validating the recipients via smtp, but a virtuser table 
lookup is much faster (at the expense of having to maintain the mapping 

    Les Mikesell
     lesmikesell at gmail.com
