Sendmail provides anti-spam features that enable you to control which users can send, receive, or relay mail messages on the network. Sendmail 8.9.3 extends your control by providing the following features:
Using the Access Database to allow or reject mail from specific domains
You must run the gen_cf script (located in /usr/newconfig/etc/mail/cf/cf) to turn on relaying, validating, and checking features. For more information, see the section, “Turning on the Anti-Spamming Features.”
Using the Access Database to Allow or Reject Mail Messages
You can control the flow of mail messages coming in from certain domains. The Access Database gives you the ability to allow or reject mail from specific domains. By default, names listed in the database as “OK” are domain names, not host names.
The primary steps to allow or reject messages include:
Step 1. Creating an Access Database text file
Step 2. Creating a Database map
You should understand a few basic facts about the Access Database format and structure before creating the Access Database file or database map.
Access Database Format
This section includes a few key points about the database and describes the format of the database.
Every line of the access database file has a key and a value pair.
The key can be an IP address, a domain name, a hostname or an e-mail address.
The value part of the database can be any of the following:
OK Accepts mail even if other rules in the running ruleset rejects it. For example, if the domain name is unresolvable.
RELAY Accepts mail addressed to the specified domain or received from the specified domain for relaying through your SMTP server. RELAY also serves as an implicit OK for the other checks.
REJECT Rejects the sender or recipient with a general purpose message.
DISCARD Discards the message completely using the $#discard mailer delivery agent. This only works for sender addresses. That is, it indicates that you should discard anything received from the specified domain. ### “any text” where ### is an RFC 821 compliant error code and “any text” is a message to return for the command.
Creating the Access Database Text File
You must edit the Access Database file manually. The default Access Database file is /etc/mail/access. However, you can specify another file in the sendmail.cf file.
A sample access database file, /etc/mail/access, is shown below:
cyberspammer.com 550 We don’t accept mail from spammers
In the above Access Database file, all mail messages from the cyberspammer.com domain are rejected and the error message “550 We don’t accept mail from spammers” is displayed. All mail messages from the okay.cyberspammer.com domain are accepted. Messages can be relayed through 128.32. All mail messages from firstname.lastname@example.org are rejected. All mail messages from the 192.168.212 domain are discarded.
Creating the Database Map
After creating the text file, you must use makemap to create the database map. Type the following command to make the database:
makemap hash /etc/mail/access < /etc/mail/access The makemap utility takes /etc/mail/access file as input. It then stores the results back into the /etc/mail/access.db file. Turning on Anti-Spamming Features A shell script called gen_cf is distributed with the Sendmail 8.9.3 release. This script allows you to turn on one or more of the anti-spamming features listed below. These features are described later in this section. Relay_entire_domain Relay_basedon_mx Relay_hosts_only Access_db Relay_local_from Blacklist_recipients Accept_unresolvable_domains Accept_unqualified_senders Realtime_Blackhole_List Loose_Relay_check Promiscuous_Relay Running the gen_cf Script 1. Become user root. 2. cd to: /usr/newconfig/etc/mail/cf/cf/gen_cf 3. Run gen_cf. 4. Follow the prompts in the script. A message will be displayed to inform you when the file has been successfully built. Relaying Capability In Sendmail 8.9.3 by default, messages cannot be transmitted from a site outside your domain through your site, to another site outside your domain. This is message relaying. In previous versions of Sendmail, relaying was enabled by default. However, the configuration file can be modified to enable partial or full relay capability. Enabling Relay Capability To enable one or all relay features described in the sections below, run the script gen_cf, which is distributed with this Sendmail release. The relay features discussed in this section include: Promiscuous Relay Relay Entire Domain Relay Hosts Only Relay Based on MX Record Relay Local From Check Loose Relay Access Database Promiscuous Relay: Relaying from Any Host To Any Host Promiscuous relay allows you to configure your site to allow mail relaying from any one site to any other site. This feature is not enabled by default. You can enable promiscuous relay by selecting it as an option when running the gen_cf script distributed with this release. By enabling this option Sendmail does not check for relaying. Spammers may then relay mail through your site. Relay Entire Domain: Relaying from Any Host in the Domain By default only hosts listed as RELAY in the Access Database are allowed to relay messages. The hosts must be defined in the m class ($=m) macro to relay. However, this feature allows any host in your domain to relay mail messages. Relay Hosts Only: Relaying From Hosts Only By default, host names that are listed as RELAY in both the Access Database and the class 'R' ($=R) macro can relay messages. When using this feature, specify hostnames. This feature enables Sendmail to look up individual host names and relay messages to the host. Relaying Based on MX Records This feature allows relaying based on the MX records of the host portion of an incoming recipient. If a MX record for host foo.com points to your site, you will accept and relay mail addressed to foo.com. Relay From Local With this feature, a sender, who is a valid user on a particular host, can relay messages to other users on different hosts. Caution: Use caution when using this feature. Using it opens a window for spammers. Specifically, spammers can send mail to your mail server that claims to be from your domain (either directly or via a routed address), and your machine will relay it out to any hosts on the Internet. Check Loose Relay This feature will turn off the default behavior, which rechecks all recipients using "%" addressing. For example, if the recipient address is user%site@othersite, and othersite is in class 'R' macro, the @othersite portion is stripped and re- checks user@site for relaying. Access Database In the newly created sendmail.cf, perform the following change: # Access list database (for spam stomping) Kaccess dbm -o /etc/mail/access to # Access list database (for spam stomping) Kaccess hash -o /etc/mail/access Validating Senders Sendmail 8.9.3 provides a stricter check of mail message senders to ensure they are legitimate. Sendmail 8.9.3 will refuse mail if the MAIL FROM: parameter has an unresolvable domain. You can work around this. If you want to continue accepting mail from such domains, use the features described in this section. Any of these features can be enabled when you run the gen_cf script, which is distributed with this sendmail release. Accept Unresolvable Domains Accept Unqualified Senders Black list Recipients Realtime Blackhole List Accept Unresolvable Domains This feature enables sendmail to accept all MAIL FROM: parameters that are not fully qualified. For example, a mail message whose host part of the argument to the MAIL FROM: parameter cannot be located in the host name service, such as DNS. Accept Unqualified Senders This feature allows you to accept all mail where the sender's mail address does not include a domain name. Normally, the MAIL FROM: commands in the SMTP session will be refused if the connectionis a network connection and the sender address does not include a domain name. Black List Recipients This feature enables sendmail to block incoming mail messages destined for certain recipient usernames, hostnames, or addresses. This feature also restricts you from sending mail messages to addresses with an error message or REJECT value in the Access Database file. For example, given the following entries in the Access Database file: badlocaluser 550 Mailbox disabled for this username host.mydomain.com 550 That host does not accept mail email@example.com 550 Mailbox disabled for this recipient Recipient of firstname.lastname@example.org , any user at host.mydomain.com, and the single address email@example.com will not receive mail. Another example firstname.lastname@example.org REJECT cyberspammer.com REJECT Mail can't be sent to email@example.com or anyone at cyberspammer.com. Realtime Blackhole List This feature will reject hosts listed in the Realtime Blackhole List, which is found in the Realtime Blackhole List server. The server is rbl.maps.vix.com. To use this feature, you must add the following to the DNS database: 22.214.171.124.rbl.maps.vix.com. IN A 127.0.0.2 You can specify the Realtime Blackhole List servers in the sendmail.cf file. Header Checking Sendmail 8.9.3 provides new syntax for limited header syntax checking. A config line of the form: HHeader: $>Ruleset causes the specified ruleset to be invoked on the Header when read. With header checking, mail messages can be rejected based on the contents of their mail headers.
Validity of a Message-ID: header
R< $+ @ $+ > $@ OK
R$* $#error $: 553 Header Error
If the above lines are included in the sendmail.cf file then, all header messages of the form “Message-Id:” will call the ruleset SCheckMessageID, which checks the validity of the Message-Id header