Simon Billis wrote:
Hi Folks,
I have a couple of questions which I hope that you will be able to assist with, first some background.
I run a few sendmail servers that run MailScanner/SpamAssassin/sendmail (current versions) on CentOS 5.4 and CentOS 4.8. These boxes accept mail for a large number of domains (6000+), scan the mail removing spam, and then forward the ham to another server for delivery. I am attempting to stop any backscatter that these servers cause by only accepting mail for specific users@domain or for domains with a catch-all account.
I currently use /etc/mail/access.db as the access map for the domains, but this allows all mail to be accepted for the domain before attempting to send it on for final delivery, which causes NDRs and backscatter for those domains which do not have a catch-all account.
I have looked at adding "To:user@domain RELAY" to the access map and also adding "define(`_RELAY_FULL_ADDR_', `1') " in the sendmail.mc and running make -C /etc/mail but this has no effect on the sendmail.cf file. My understanding is that if I can get sendmail to accept this undocumented feature then all will be fine as I will be able to use the access map to allow mail to those specific users as well as entries of the type "domain RELAY".
My first question is: Does anyone have any ideas as to why I wouldn't be able to have this change reflected in sendmail.cf?
My second question is: Does anyone have any ideas on how to utilise access map and relay-domains to achieve the same thing?
Thanks for your time and assistance.
One approach here, if it is practical to collect/maintain all of the valid recipient addresses, is to build a virtuser table with a default reject for each domain the relay handles plus the list of all valid addresses. This is very efficient if you can automate the table updates or the user base is stable.
Another would be to use MIMEDefang as the framework instead of MailScanner. It has an option to check recipient addresses via SMTP to the delivery servers before accepting. You may have to write a snippet of Perl to get that right for multiple domains (that's a feature...). This is less efficient but works in real time against the addresses that will be accepted for delivery.
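
The first approach in the reply above (a virtuser table with a default reject per domain plus the valid addresses), sketched as an added example that is not code from either poster. The function name, the constructed sample domains, the self-mapping of valid recipients and the `%1` pass-through for catch-all domains are assumptions about how this relay forwards accepted mail.

```python
# Added example: emit sendmail virtusertable lines for a filtering relay.
REJECT_RHS = "error:nouser 550 No such user here"  # RHS form from sendmail cf/README


def build_virtusertable(domains, valid_addresses, catch_all=()):
    """Return (lines, skipped) for the domains this relay handles.

    valid_addresses: user@domain strings exported from the delivery server.
    catch_all: domains with a catch-all account, which get no default reject.
    """
    domains = {d.strip().lower() for d in domains}
    catch_all = {d.strip().lower() for d in catch_all}
    by_domain = {d: {} for d in domains}
    skipped = []
    for raw in valid_addresses:
        addr = raw.strip()
        local, sep, domain = addr.rpartition("@")
        domain = domain.lower()
        # Skip malformed entries and addresses for domains we do not relay.
        if not sep or not local or domain not in domains or len(addr.split()) != 1:
            skipped.append(addr)
            continue
        # sendmail folds map keys to lowercase by default, so de-duplicate on that.
        by_domain[domain].setdefault(f"{local.lower()}@{domain}", f"{local}@{domain}")
    lines = []
    for domain in sorted(by_domain):
        for key in sorted(by_domain[domain]):
            # Assumption: a valid recipient maps to itself and is then relayed as before.
            lines.append(f"{key}\t{by_domain[domain][key]}")
        if domain in catch_all:
            # Assumption: pass every local part through unchanged (%1 = user part).
            lines.append(f"@{domain}\t%1@{domain}")
        else:
            lines.append(f"@{domain}\t{REJECT_RHS}")
    return lines, skipped


if __name__ == "__main__":
    # Constructed sample data; real input would come from the delivery servers.
    table, bad = build_virtusertable(
        ["example.com", "example.org"],
        ["alice@example.com", "bob@example.com", "eve@other.test"],
        catch_all=["example.org"],
    )
    print("\n".join(table))
    print("skipped:", bad)
```

The output is the text source for the map, built with `makemap hash` as usual; sendmail only consults the table for domains listed as virtual-user domains (for example via `VIRTUSER_DOMAIN`).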