I know this is a little off topic but I figured there are some Linux gurus on here running Sendmail as an MTA that might be able to assist.
I have (2) Red Hat 9 boxes that I am running various services on. One of these boxes is running Sendmail as an MTA. I have the box setup to query about 10 DNS Blacklists upon each incoming e-mail.
A friend of mine just signed up with Yahoo to do their e-mail hosting. Now everytime he sends me a message, one of the blacklists reject the message because Yahoo’s business mail servers are on the particular black list. There are also some other important people that cannot email anyone on our domain because their e-mail servers (AOL, Yahoo, etc) are blacklisted.
I am not willing to take the particular BlackLists out of the picture because they are well known ones and block probably about 75% of the “real spam” that attempts to make its way through.
I did some research and found out I could modify the /etc/mail/access file to enter permissible domains, IP blocks, and individual e-mail addresses. I tried adding the individual e-mail addresses that I would like to allow e-mail from, but this is not working. Here are the formats I have tried:
friend@friend.com OK
friend@friend.com RELAY
From:friend@friend.com OK
Neither of these allow the message to come through. The /etc/mail/sendmail.mc file seems to be taking precedence over the /etc/mail/access file. Through troubleshooting I was able to determine that the /etc/mail/access file IS indeed being looked at. I added my yahoo email address as a rejected sender and Sendmail did block it, specifically stating in the logs that it was because I had it set to do so in the access file.
Is there some setting in the sendmail.mc file that I am missing? Everytime I change the settings I issue “make all” followed by “service sendmail restart. Below is a copy of my sendmail.mc file:
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl # make -C /etc/mail
dnl #
include(/usr/share/sendmail-cf/m4/cf.m4')dnl<br>VERSIONID(setup for Red Hat Linux’)dnl
OSTYPE(linux')dnl<br>dnl #<br>dnl # Uncomment and edit the following line if your outgoing mail needs to<br>dnl # be sent out through an external mail server:<br>dnl #<br>dnl define(SMART_HOST’,smtp.your.provider')<br>dnl #<br>define(confDEF_USER_ID’,``8:12’’)dnl
define(confTRUSTED_USER', smmsp’)dnl
dnl define(confAUTO_REBUILD')dnl<br>define(confTO_CONNECT’, 1m')dnl<br>define(confTRY_NULL_MX_LIST’,true)dnl
define(confDONT_PROBE_INTERFACES',true)dnl<br>define(PROCMAIL_MAILER_PATH’,/usr/bin/procmail')dnl<br>define(ALIAS_FILE’, /etc/aliases')dnl<br>dnl define(STATUS_FILE’, /etc/mail/statistics')dnl<br>define(UUCP_MAILER_MAX’, 2000000')dnl<br>define(confUSERDB_SPEC’, /etc/mail/userdb.db')dnl<br>define(confPRIVACY_FLAGS’, authwarnings,novrfy,noexpn,restrictqrun')dnl<br>define(confAUTH_OPTIONS’, A')dnl<br>dnl #<br>dnl # The following allows relaying if the user authenticates, and disallows<br>dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links<br>dnl #<br>dnl define(confAUTH_OPTIONS’, A p')dnl<br>dnl # <br>dnl # PLAIN is the preferred plaintext authentication method and used by<br>dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do<br>dnl # use LOGIN. Other mechanisms should be used if the connection is not<br>dnl # guaranteed secure.<br>dnl #<br>dnl TRUST_AUTH_MECH(EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
dnl define(confAUTH_MECHANISMS', EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl # make -C /usr/share/ssl/certs usage
dnl #
dnl define(confCACERT_PATH',/usr/share/ssl/certs’)
dnl define(confCACERT',/usr/share/ssl/certs/ca-bundle.crt’)
dnl define(confSERVER_CERT',/usr/share/ssl/certs/sendmail.pem’)
dnl define(confSERVER_KEY',/usr/share/ssl/certs/sendmail.pem’)
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP’s
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(confDONT_BLAME_SENDMAIL',groupreadablekeyfile’)dnl
dnl #
dnl define(confTO_QUEUEWARN', 4h’)dnl
dnl define(confTO_QUEUERETURN', 5d’)dnl
dnl define(confQUEUE_LA', 12’)dnl
dnl define(confREFUSE_LA', 18’)dnl
define(confTO_IDENT', 0’)dnl
dnl FEATURE(delay_checks)dnl
FEATURE(no_default_msa',dnl’)dnl
FEATURE(smrsh',/usr/sbin/smrsh’)dnl
FEATURE(mailertable',hash -o /etc/mail/mailertable.db’)dnl
FEATURE(virtusertable',hash -o /etc/mail/virtusertable.db’)dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,',procmail -t -Y -a $h -d $u’)dnl
FEATURE(access_db',hash -T<TMPF> -o /etc/mail/access.db’)dnl
FEATURE(blacklist_recipients')dnl<br>EXPOSED_USER(root’)dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(Port=smtp,Addr=127.0.0.1, Name=MTA')dnl<br>dnl #<br>dnl # The following causes sendmail to additionally listen to port 587 for<br>dnl # mail from MUAs that authenticate. Roaming users who can't reach their<br>dnl # preferred sendmail daemon due to port 25 being blocked or redirected find<br>dnl # this useful.<br>dnl #<br>dnl DAEMON_OPTIONS(Port=submission, Name=MSA, M=Ea’)dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can’t
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn’t support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(Port=smtps, Name=TLSMTA, M=s')dnl<br>dnl #<br>dnl # The following causes sendmail to additionally listen on the IPv6 loopback<br>dnl # device. Remove the loopback address restriction listen to the network.<br>dnl #<br>dnl # NOTE: binding both IPv4 and IPv6 daemon to the same port requires<br>dnl # a kernel patch<br>dnl #<br>dnl DAEMON_OPTIONS(port=smtp,Addr=::1, Name=MTA-v6, Family=inet6’)dnl
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl FEATURE(relay_based_on_MX')dnl<br>dnl # <br>dnl # Also accept email sent to "localhost.localdomain" as local email.<br>dnl # <br>LOCAL_DOMAIN(localhost.localdomain’)dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(mydomain.com')dnl<br>dnl #<br>dnl # masquerade not just the headers, but the envelope as well<br>dnl #<br>dnl FEATURE(masquerade_envelope)dnl<br>dnl #<br>dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well<br>dnl #<br>dnl FEATURE(masquerade_entire_domain)dnl<br>dnl #<br>dnl MASQUERADE_DOMAIN(localhost)dnl<br>dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl<br>dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl<br>dnl MASQUERADE_DOMAIN(mydomain.lan)dnl<br>FEATURE(dnsbl’, sbl.spamhaus.org', “Rejected: sbl.spamhaus.org”’)dnl
FEATURE(dnsbl', relays.ordb.org’, "Rejected: relays.ordb.org"')dnl<br>FEATURE(dnsbl’, opm.blitzed.org', “Rejected: opm.blitzed.org”’)dnl
FEATURE(dnsbl', dialups.visi.com’, "Rejected: dialups.visi.com"')dnl<br>FEATURE(dnsbl’, relays.visi.com', “Rejected: relays.visi.com”’)dnl
FEATURE(dnsbl', xbl.spamhaus.org’, "Rejected: xbl.spamhaus.org"')dnl<br>FEATURE(dnsbl’, bl.spamcop.net', “Rejected: bl.spamcop.net”’)dnl
FEATURE(dnsbl', list.dsbl.org’, "Rejected: list.dsbl.org"')dnl<br>FEATURE(dnsbl’, multihop.dsbl.org', “Rejected: multihop.dsbl.org”’)dnl
FEATURE(dnsbl', blackholes.mail-abuse.org’, "Rejected: blackholes.mail-abuse.org"')dnl<br>FEATURE(dnsbl’, relays.mail-abuse.org', “Rejected: relays.mail-abuse.org”’)dnl
FEATURE(dnsbl',dnsbl.sorbs.net’,"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl<br>FEATURE(dnsbl,combined.njabl.org’,Message from $&{client_addr} rejected - see <!-- m --><a class="postlink" href="http://njabl.org/lookup?$&" target="_blank" rel="nofollow noopener noreferrer">http://njabl.org/lookup?$&</a><!-- m -->{client_addr}')dnl<br>FEATURE(dnsbl, dnsbl.ahbl.org’,`550 Host is on the AHBL - Please see http://www.ahbl.org/tools/lookup.php?ip=”$&{client_addr}"’)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
-----
Thanks guys,
Matt
Strange I suppose. I’m not too familiar with sendmail…
I’m assuming ‘make all’ does “makemap hash /etc/etc/mail/access.db < /etc/mail/access”, right?
Since access is a database it needs made, but your test runs were working so that is why I assume it is indeed making the db.
Yes, make all is the same as that command.
I just did some reading that states the access file looks at info in the “envelope” of the message, and not the “header”.
Is that the difference between:
Matthew R. Smith
and
my-address@mydomain.com
Header Lines “From” and “From:”
Notice the differences between "From" and "From:" Header lines are not required to be the same, although they often are. The "From:" header line is part of the message content, not part of the SMTP envelope. If a discrepancy exists between the "From" address and the "From:" address, use the "From" address as your value for inclusion in the /etc/mail/access file.
Can you send me the link for that?