04-25-2006 12:15 AM
Limiting outbound sendmail users
genericstable can be used to help form senders, but it's always been possible to do this:
telnet
helo domain.com
mail from:billybob@hpux.ws
rcpt to:spamlist@aol.com
data
lots of html spam
.
Off goes the mail even though billybob is not a valid user at hpux.ws or a valid local user on the system.
This in fact is how lots of spam is relayed.
I seem to have stumbled onto a solution. I want to know if it's been tried or if I'm crazy. I may be.
I add entries to the access database
myusername@hpux.ws OK
from:hpux.ws REJECT 550 Invalid sender or domain
I compile hash databases for sendmail.
Now spammer connects to sendmail and tries to send from:billybob@hpux.ws
Gets this response:
550 Invalid sender or domain.
I know this is a problem if someone outside the domain tries to send an envelope with from myuser@hpux.ws. I have no problem with this being rejected.
This configuration limits outbound senders very nicely.
Questions:
1) Have I invented something? Unlikely.
2) Anyone else doing it?
3) Have I missed anything? I can easily generate the access file with a simple script that reads genericstables, which I always felt SHOULD limit outbound senders.
I'm a generous point giver.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
04-25-2006 01:04 AM
Re: Limiting outbound sendmail users
But does it also require this line:
from:public_IP_address REJECT 550 Invalid sender or domain
In other words, can people still relay if they mail from billybob@your_IP?
04-25-2006 01:13 AM
Re: Limiting outbound sendmail users
Someone must have done this before, right?
SEP
04-25-2006 01:57 AM
Re: Limiting outbound sendmail users
Check
http://www.sendmail.org/m4/anti_spam.html
It seems to point out your example. For S&G test the local user who uses your MTA as a RELAY (e.g. try to relay an e-mail from valid@hpux.ws to someone@hotmail.com).
2) Yes. Especially when you separate inbound and outbound MXes, you can make the strong argument that a valid internal user should never directly connect to the inbound MX; you can prevent that connection w/ the access db.
3) Just to make sure the logic is right, test the relay as suggested in 1), but you're on the right track.
check
local to local
local to remote (relay)
remote to local
If you haven't, you might use the virtusertable or similar to make sure mail is receivable by addressees; if not, you can reject the e-mail outright before SMTP delivers the mail payload.
04-25-2006 02:03 AM
Re: Limiting outbound sendmail users
With your access configuration, make sure an external SMTP connection (meaning mx.spammer.com) can't relay using a valid from address.
Some spammers sift through the web for valid e-mail addresses, and you don't want them to be able to use your MX to relay spam.
It might be necessary to separate inbound and outbound MXs for this technique to be valid in your environment.
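The access-file generation the original poster describes, together with the valid-from-address caveat raised in the replies above, as an added example that is not code from the thread or from sendmail. The genericstable sample is constructed, the function names are hypothetical, the deny action uses sendmail's `ERROR:550 text` form with the thread's message, and `sender_decision` is a simplified model of the lookup order rather than sendmail's own logic.

```python
# Added example (not from the thread): derive sender entries for the sendmail
# access map from a genericstable, then model how a MAIL FROM is resolved.
DOMAIN = "hpux.ws"                             # domain used in the thread
DENY = "ERROR:550 Invalid sender or domain"    # message text from the thread

# Constructed sample genericstable: local login -> outbound address.
SAMPLE_GENERICSTABLE = """\
# login       outbound address
myusername    myusername@hpux.ws
jdoe          John.Doe@hpux.ws
backup        backup@other.example
"""

def parse_genericstable(text):
    """Return the outbound addresses (second column), lowercased."""
    addrs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "@" in fields[1]:
            addrs.append(fields[1].lower())
    return addrs

def build_access(addrs, domain=DOMAIN):
    """Allow each listed sender in `domain`, deny every other sender in it."""
    table = {a: "OK" for a in addrs if a.endswith("@" + domain)}
    table[domain] = DENY
    return table

def render(table):
    """Text to feed to makemap; From: limits entries to the envelope sender."""
    return "\n".join(f"From:{k}\t{v}" for k, v in sorted(table.items()))

def sender_decision(table, mail_from):
    """Simplified model: full address first, then the domain and its parents.
    Only the envelope sender is consulted, never the connecting host."""
    addr = mail_from.strip("<>").lower()
    if addr in table:
        return table[addr]
    labels = addr.rpartition("@")[2].split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None  # no entry: the remaining checks (e.g. relay rules) decide

if __name__ == "__main__":
    access = build_access(parse_genericstable(SAMPLE_GENERICSTABLE))
    print(render(access))
    for sender in ("billybob@hpux.ws", "myusername@hpux.ws", "a@example.net"):
        print(sender, "->", sender_decision(access, sender))
```

Because the decision depends only on the envelope sender, a client outside the network that supplies myusername@hpux.ws gets the same OK, so relaying still has to be controlled by the normal relay rules.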
04-25-2006 02:11 AM
Re: Limiting outbound sendmail users
Normal relay is shut down by normal access file.
Port 25 scripting is how spammers get around the open relay. That and sendmail form abuse.
I have a port 25 scripting problem on a server with outbound mail. It's not relay because it's from localhost.
SEP
04-25-2006 02:24 AM
Re: Limiting outbound sendmail users
This should be accomplished by relay-domains. The telnet session originates off the server and this is what should be verified in relay domains. Using the domain on the helo message is a serious open-relay problem.
I use Exim in preference to sendmail as it is much simpler to implement.
Don't relay for any connections where the helo domain does not pass reverse lookup tests. For now you will have to accept mail which doesn't as some major mailers do not pass.
Consider implementing inbound SPF and reject mail where SPF is implemented on the sending domain and the sender doesn't pass.
04-25-2006 02:50 AM
Re: Limiting outbound sendmail users
It also ends sessions if there is a discrepancy between the sending server and the MX.
Wondering how this is done:
The telnet session originates off the server and this is what should be verified in relay domains. Using the domain on the helo message is a serious open-relay problem.
sendmail.mc ?? Bunny op!
SEP
04-25-2006 02:51 AM
Re: Limiting outbound sendmail users
2) Many systems implement sender authentication. Usually, it involves a password.
3) Standard authentication is as follows:
- Outside servers can send to any addresses for which the server is an MX (as configured in the server). (Relay-to addresses.) May also restrict the originating address to external addresses only. If verify is enabled, only accept for known addresses. (Users in /etc/passwd, aliases in /etc/aliases, other lists.) Some users in /etc/passwd such as root may be restricted from receiving mail.
- Inside servers can send to any address. May restrict sending addresses based on /etc/passwd or other user list. May require authorization from some or all inside addresses.
- Authorized users. Can send to inside or outside addresses. May be allowed to send from outside addresses. Sender address may be restricted to authorized user if only workstations require authorization.
04-26-2006 08:53 AM
Re: Limiting outbound sendmail users
I've got it working on a cluster based formation.
Only authorized users can send outbound. No impact as yet noticed on authorized users.
Didn't cost me a dime. Just some time.
Points inbound....
SEP