Search

Monday, January 07, 2013

Use DNSBL with Sendmail

It is imperative that we implement some kind of anti-spam controls in
the mail server that receives internet email traffic. One of the
controls is to check the connecting smtp server's ip address against a
blacklist of known spammers, zombie pc, open relays, ip addresses range
that should not send out email (eg the subscriber ip address ranges of
ISP) etc. What is more, many of these blacklists are free to use.

In this example, we use the blacklists provided by zen.spamhaus.org and
cbl.abuseat.org.

In the /etc/mail/sendmail.mc, we add below two lines:

FEATURE(`dnsbl',`zen.spamhaus.org',`"Rejected due to Spamhaus listing
see http://www.abuse.net/sbl.phtml?IP=" $&{clientaddr} " for more
information"')dnl
FEATURE(`dnsbl',`cbl.abuseat.org',`"Rejected due to cbl listing see
http://www.abuse.net/sbl.phtml?IP=" $&{clientaddr} " for more
information"')dnl

Note the use of backquote here (` vs '). The third parameter provides
the customized message that should be returned to the sending mail
server in case it hits the blacklist. Multiple dnsbl can be used
together to enhance the anti spam strength.

To make the changes effective:

m4 sendmail.mc > sendmail.cf
service sendmail restart


To verify whether the anti spam checking is in use, we can look for
something like 'Rejected due to Spamhaus' in the /var/log/maillog.

Wednesday, January 02, 2013

Prepare sendmail as MX and forward all incoming emails to another server

Our client has two sendmail boxes, one for receiving emails from
internet (ie as MX record), another one as the SMTP, POP3 and IMAP
server for internal users to send out emails and retrieve mail boxes.
By separating incoming and outgoing email traffic, he could reduce
impact of email bomb attack.

The followings apply to Sendmail 8.14.4.

1. First of all, in /etc/mailertable, we instruct sendmail to route
all incoming emails for our-domain.com.hk to another server.

our-domain.com.hk esmtp:[hostname-or-ip-of-another-server]

The [ ] will turn off MX lookup for this domain. Otherwise, there will
a MX loop.

After making changes, we have to rebuild the mailertable.db as below.

makemap hash mailertable.db < mailertable

2. Note that our sendmail.mc has to enable the 'mailertable' feature.

FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl

The sendmail.mc is a macro-based file for us to specify configuration
parameters easily. It has to be converted by the 'm4' utility to become
the ultimately required sendmail.cf.
m4 sendmail.mc > sendmail.cf
service sendmail restart


3. At the same time, we have to comment the DAEMON_OPTIONS such that
our sendmail will listen to internet smtp traffic.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl


4. We have the option to reject emails if the sender domain is not
resolvable. Note that it might block some legitimate emails (eg users
on computers that do not have 7x24 DNS)

To turn it on/off, we use FEATURE(`accept_unresolvable_domains')dnl in
/etc/sendmail.mc

5. /etc/mail/local-host-names should be empty as incoming emails
should just be forwarded as said in mailertable.

6. Relaying is by default disabled in sendmail. We need to specify
the domains that we want to serve in the /etc/mail/access.

The example below permits emails sent to our-domain.com.hk and
specifically blacklist all emails coming spammer.com.

# By default we allow relaying from localhost...
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
To:our-domain.com.hk RELAY
From:spammer.com REJECT

After making changes to access, we have to rebuild it by:

makemap hash access.db < access