i have solved one problem that was 1st example in my previous mail. means now no unknow user from my domain can send mail to my real users of mydomain but still there is 2nd problem means anyone can telnet to my server and can forge real domain address to sendmail to my domain users like telnet mail.domain.com 25 ............ ..... .... ............. mail from: abhi@gmail.com sender ok abhi@gmail.com sender ok rcpt to: abhisingh@domain.com abhisingh@domain.com recpient ok data kjkdjdkfjkdjf ldfjkljf . quit
in this we can see anyone can user real mail id of anyone to send mail to real user of domain.com user.
plz check ur mail servers also for this and tell me how we can block this.
Feizhou feizhou@graffiti.net wrote: Feizhou wrote:
In above example u can see in the 1st example the sender(xyz) is not real user of my domain , still he is able to sendmail to my real users (abhi).
plz help me.
abhishek singh,
The simplest way that I can think of is to create a database of your addresses and then check the mail from against that database and reject if not found.
The problem is how to maintain that database.
You could add a table lookup for this database and then add rules in Local_check_mail to check mail from: addresses against the database.
in /etc/mail, create a file realuser eg: cat realuser root OK chris OK
makemap hash realuser.db < realuser
Make a copy of sendmail.cf (eg: test-sendmail.cf) and add a lookup for realuser.db:
Krealuser hash -o /etc/mail/realuser.db
Add some rulesets to check the mail from against this database:
SLocal_check_mail R< $- @ domain.com > tabspace $: < $(realuser $1 $: ? $) > R< $- @ $* > tabspace OK R< OK > tabspace OK R tabspace $#error $@ 5.7.1 $: "550 Access denied"
NB: REPLACE domain.com with your real domain. sendmail rulesets have left and right hand sides separated by tabs. Please make sure you have them when you copy for testing. If you have more than one domain, then add more R< $- @ domain.com > tabspace $: < $(realuser $1 $: ? $) > rules BEFORE the R< $- @ $* > tabspace OK line. Sorry for this as this is just a quick hack.
You can test offline by:
'sendmail -bt -C test-sendmail.cf'
Some likely output below:
==run check on external address==
check_mail
check_mail input: < dunno @ yahoo . com > Local_check_mail input: < dunno @ yahoo . com > Local_check_mail returns: OK Basic_check_mail input: < dunno @ yahoo . com > tls_client input: $| MAIL D input: < > < ? > < ! "TLS_Clt" > < > D returns: < ? > < > < ? > < ! "TLS_Clt" > < > A input: < > < ? > < ! "TLS_Clt" > < > A returns: < > < ? > < ! "TLS_Clt" > < > TLS_connection input: $| < > < ? > < ! "TLS_Clt" > < > TLS_connection returns: OK tls_client returns: OK CanonAddr input: < dunno @ yahoo . com > canonify input: < dunno @ yahoo . com > Canonify2 input: dunno < @ yahoo . com > Canonify2 returns: dunno < @ yahoo . com . > canonify returns: dunno < @ yahoo . com . > Parse0 input: dunno < @ yahoo . com . > Parse0 returns: dunno < @ yahoo . com . > CanonAddr returns: dunno < @ yahoo . com . > SearchList input: < + From > $| < F : dunno @ yahoo . com > < U : dunno @ > < D : yahoo . com > < > F input: < dunno @ yahoo . com > < ? > < + From > < > F returns: < ? > < > SearchList input: < + From > $| < U : dunno @ > < D : yahoo . com > < > U input: < dunno @ > < ? > < + From > < > U returns: < ? > < > SearchList input: < + From > $| < D : yahoo . com > < > D input: < yahoo . com > < ? > < + From > < > D input: < com > < ? > < + From > < > D returns: < ? > < > D returns: < ? > < > SearchList returns: < ? > SearchList returns: < ? > SearchList returns: < ? > Basic_check_mail returns: < OKR > check_mail returns: < OKR >
==run check on existing address==
check_mail
check_mail input: < chris @ domain . com > Local_check_mail input: < chris @ domain . com > Local_check_mail returns: OK Basic_check_mail input: < chris @ domain . com > tls_client input: $| MAIL D input: < > < ? > < ! "TLS_Clt" > < > D returns: < ? > < > < ? > < ! "TLS_Clt" > < > A input: < > < ? > < ! "TLS_Clt" > < > A returns: < > < ? > < ! "TLS_Clt" > < > TLS_connection input: $| < > < ? > < ! "TLS_Clt" > < > TLS_connection returns: OK tls_client returns: OK CanonAddr input: < chris @ domain . com > canonify input: < chris @ domain . com > Canonify2 input: chris < @ domain . com > Canonify2 returns: chris < @ domain . com . > canonify returns: chris < @ domain . com . > Parse0 input: chris < @ domain . com . > Parse0 returns: chris < @ domain . com . > CanonAddr returns: chris < @ domain . com . > SearchList input: < + From > $| < F : chris @ domain . com > < U : chris @ > < D : domain . com > < > F input: < chris @ domain . com > < ? > < + From > < > F returns: < ? > < > SearchList input: < + From > $| < U : chris @ > < D : domain . com > < > U input: < chris @ > < ? > < + From > < > U returns: < ? > < > SearchList input: < + From > $| < D : domain . com > < > D input: < domain . com > < ? > < + From > < > D input: < com > < ? > < + From > < > D returns: < ? > < > D returns: < ? > < > SearchList returns: < ? > SearchList returns: < ? > SearchList returns: < ? > Basic_check_mail returns: < OKR > check_mail returns: < OKR >
==run check on fake local address==
check_mail
check_mail input: < dunno @ domain . com > Local_check_mail input: < dunno @ domain . com > Local_check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied" check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"
==hit CTRL-D to leave sendmail ruleset debugging mode== _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Abhishek Kr. Singh System Administrator DSC. LTD. Mob.No. +91-9871563248 --------------------------------- Find out what India is talking about on - Yahoo! Answers India Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. Get it NOW