[CentOS] sendmail security-with example

Feizhou feizhou at graffiti.net
Thu Sep 21 08:04:03 UTC 2006 

Feizhou wrote:
> 
>> In above example u can see in the 1st example the
>> sender(xyz) is not real user of my domain , still he
>> is able to sendmail to my real users (abhi).
> 
>>
>> plz help me.
> 
> abhishek singh,
> 
> The simplest way that I can think of is to create a database of your 
> addresses and then check the mail from against that database and reject 
> if not found.
> 
> The problem is how to maintain that database.
> 
> You could add a table lookup for this database and then add rules in 
> Local_check_mail to check mail from: addresses against the database.

in /etc/mail, create a file realuser
eg:
cat realuser
root    OK
chris   OK

makemap hash realuser.db < realuser

Make a copy of sendmail.cf (eg: test-sendmail.cf) and add a lookup for 
realuser.db:

Krealuser hash -o /etc/mail/realuser.db


Add some rulesets to check the mail from against this database:

SLocal_check_mail
R< $- @ domain.com > tabspace   $: < $(realuser $1 $: ? $) >
R< $- @ $* >    tabspace	OK
R< OK >         tabspace	OK
R<?>		tabspace        $#error $@ 5.7.1 $: "550 Access denied"

NB: REPLACE domain.com with your real domain. sendmail rulesets have 
left and right hand sides separated by tabs. Please make sure you have 
them when you copy for testing. If you have more than one domain, then 
add more R< $- @ domain.com > tabspace   $: < $(realuser $1 $: ? $) > 
rules BEFORE the R< $- @ $* >    tabspace	OK line. Sorry for this  as 
this is just a quick hack.

You can test offline by:

'sendmail -bt -C test-sendmail.cf'

Some likely output below:

==run check on external address==
 > check_mail <dunno at yahoo.com>
check_mail         input: < dunno @ yahoo . com >
Local_check_mail   input: < dunno @ yahoo . com >
Local_check_mail returns: OK
Basic_check_mail   input: < dunno @ yahoo . com >
tls_client         input: $| MAIL
D                  input: < > < ? > < ! "TLS_Clt" > < >
D                returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A                  input: < > < ? > < ! "TLS_Clt" > < >
A                returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection     input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection   returns: OK
tls_client       returns: OK
CanonAddr          input: < dunno @ yahoo . com >
canonify           input: < dunno @ yahoo . com >
Canonify2          input: dunno < @ yahoo . com >
Canonify2        returns: dunno < @ yahoo . com . >
canonify         returns: dunno < @ yahoo . com . >
Parse0             input: dunno < @ yahoo . com . >
Parse0           returns: dunno < @ yahoo . com . >
CanonAddr        returns: dunno < @ yahoo . com . >
SearchList         input: < + From > $| < F : dunno @ yahoo . com > < U 
: dunno @ > < D : yahoo . com > < >
F                  input: < dunno @ yahoo . com > < ? > < + From > < >
F                returns: < ? > < >
SearchList         input: < + From > $| < U : dunno @ > < D : yahoo . 
com > < >
U                  input: < dunno @ > < ? > < + From > < >
U                returns: < ? > < >
SearchList         input: < + From > $| < D : yahoo . com > < >
D                  input: < yahoo . com > < ? > < + From > < >
D                  input: < com > < ? > < + From > < >
D                returns: < ? > < >
D                returns: < ? > < >
SearchList       returns: < ? >
SearchList       returns: < ? >
SearchList       returns: < ? >
Basic_check_mail returns: < OKR >
check_mail       returns: < OKR >

==run check on existing address==
 > check_mail <chris at domain.com>
check_mail         input: < chris @ domain . com >
Local_check_mail   input: < chris @ domain . com >
Local_check_mail returns: OK
Basic_check_mail   input: < chris @ domain . com >
tls_client         input: $| MAIL
D                  input: < > < ? > < ! "TLS_Clt" > < >
D                returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A                  input: < > < ? > < ! "TLS_Clt" > < >
A                returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection     input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection   returns: OK
tls_client       returns: OK
CanonAddr          input: < chris @ domain . com >
canonify           input: < chris @ domain . com >
Canonify2          input: chris < @ domain . com >
Canonify2        returns: chris < @ domain . com . >
canonify         returns: chris < @ domain . com . >
Parse0             input: chris < @ domain . com . >
Parse0           returns: chris < @ domain . com . >
CanonAddr        returns: chris < @ domain . com . >
SearchList         input: < + From > $| < F : chris @ domain . com > < U 
: chris @ > < D : domain . com > < >
F                  input: < chris @ domain . com > < ? > < + From > < >
F                returns: < ? > < >
SearchList         input: < + From > $| < U : chris @ > < D : domain . 
com > < >
U                  input: < chris @ > < ? > < + From > < >
U                returns: < ? > < >
SearchList         input: < + From > $| < D : domain . com > < >
D                  input: < domain . com > < ? > < + From > < >
D                  input: < com > < ? > < + From > < >
D                returns: < ? > < >
D                returns: < ? > < >
SearchList       returns: < ? >
SearchList       returns: < ? >
SearchList       returns: < ? >
Basic_check_mail returns: < OKR >
check_mail       returns: < OKR >

==run check on fake local address==
 >check_mail <dunno at domain.com>
check_mail         input: < dunno @ domain . com >
Local_check_mail   input: < dunno @ domain . com >
Local_check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"
check_mail       returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"

==hit CTRL-D to leave sendmail ruleset debugging mode==

More information about the CentOS mailing list