[CentOS] sendmail security-with example

Thu Sep 21 12:25:02 UTC 2006
abhishek singh <abhishek.rhce at yahoo.co.in>

i have solved one problem that was 1st example in my previous mail. means now no unknow user from my domain can send mail to my real users of mydomain but still there is 2nd problem means anyone can telnet to my server and can forge real domain address to sendmail to my domain users like 
  telnet mail.domain.com 25
  ............
  .....
  ....
  .............
  mail from: abhi at gmail.com sender ok
  abhi at gmail.com sender ok
  rcpt to: abhisingh at domain.com 
  abhisingh at domain.com recpient ok
  data
  kjkdjdkfjkdjf
  ldfjkljf
  .
  quit
   
  in this we can see anyone can user real mail id of anyone to send mail to real user of domain.com user.
   
  plz check ur mail servers also for this and tell me how we can block this.
   
   
   
  

Feizhou <feizhou at graffiti.net> wrote:
  Feizhou wrote:
> 
>> In above example u can see in the 1st example the
>> sender(xyz) is not real user of my domain , still he
>> is able to sendmail to my real users (abhi).
> 
>>
>> plz help me.
> 
> abhishek singh,
> 
> The simplest way that I can think of is to create a database of your 
> addresses and then check the mail from against that database and reject 
> if not found.
> 
> The problem is how to maintain that database.
> 
> You could add a table lookup for this database and then add rules in 
> Local_check_mail to check mail from: addresses against the database.

in /etc/mail, create a file realuser
eg:
cat realuser
root OK
chris OK

makemap hash realuser.db < realuser

Make a copy of sendmail.cf (eg: test-sendmail.cf) and add a lookup for 
realuser.db:

Krealuser hash -o /etc/mail/realuser.db


Add some rulesets to check the mail from against this database:

SLocal_check_mail
R< $- @ domain.com > tabspace $: < $(realuser $1 $: ? $) >
R< $- @ $* > tabspace OK
R< OK > tabspace OK
R tabspace $#error $@ 5.7.1 $: "550 Access denied"

NB: REPLACE domain.com with your real domain. sendmail rulesets have 
left and right hand sides separated by tabs. Please make sure you have 
them when you copy for testing. If you have more than one domain, then 
add more R< $- @ domain.com > tabspace $: < $(realuser $1 $: ? $) > 
rules BEFORE the R< $- @ $* > tabspace OK line. Sorry for this as 
this is just a quick hack.

You can test offline by:

'sendmail -bt -C test-sendmail.cf'

Some likely output below:

==run check on external address==
> check_mail 
check_mail input: < dunno @ yahoo . com >
Local_check_mail input: < dunno @ yahoo . com >
Local_check_mail returns: OK
Basic_check_mail input: < dunno @ yahoo . com >
tls_client input: $| MAIL
D input: < > < ? > < ! "TLS_Clt" > < >
D returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A input: < > < ? > < ! "TLS_Clt" > < >
A returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection returns: OK
tls_client returns: OK
CanonAddr input: < dunno @ yahoo . com >
canonify input: < dunno @ yahoo . com >
Canonify2 input: dunno < @ yahoo . com >
Canonify2 returns: dunno < @ yahoo . com . >
canonify returns: dunno < @ yahoo . com . >
Parse0 input: dunno < @ yahoo . com . >
Parse0 returns: dunno < @ yahoo . com . >
CanonAddr returns: dunno < @ yahoo . com . >
SearchList input: < + From > $| < F : dunno @ yahoo . com > < U 
: dunno @ > < D : yahoo . com > < >
F input: < dunno @ yahoo . com > < ? > < + From > < >
F returns: < ? > < >
SearchList input: < + From > $| < U : dunno @ > < D : yahoo . 
com > < >
U input: < dunno @ > < ? > < + From > < >
U returns: < ? > < >
SearchList input: < + From > $| < D : yahoo . com > < >
D input: < yahoo . com > < ? > < + From > < >
D input: < com > < ? > < + From > < >
D returns: < ? > < >
D returns: < ? > < >
SearchList returns: < ? >
SearchList returns: < ? >
SearchList returns: < ? >
Basic_check_mail returns: < OKR >
check_mail returns: < OKR >

==run check on existing address==
> check_mail 
check_mail input: < chris @ domain . com >
Local_check_mail input: < chris @ domain . com >
Local_check_mail returns: OK
Basic_check_mail input: < chris @ domain . com >
tls_client input: $| MAIL
D input: < > < ? > < ! "TLS_Clt" > < >
D returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A input: < > < ? > < ! "TLS_Clt" > < >
A returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection returns: OK
tls_client returns: OK
CanonAddr input: < chris @ domain . com >
canonify input: < chris @ domain . com >
Canonify2 input: chris < @ domain . com >
Canonify2 returns: chris < @ domain . com . >
canonify returns: chris < @ domain . com . >
Parse0 input: chris < @ domain . com . >
Parse0 returns: chris < @ domain . com . >
CanonAddr returns: chris < @ domain . com . >
SearchList input: < + From > $| < F : chris @ domain . com > < U 
: chris @ > < D : domain . com > < >
F input: < chris @ domain . com > < ? > < + From > < >
F returns: < ? > < >
SearchList input: < + From > $| < U : chris @ > < D : domain . 
com > < >
U input: < chris @ > < ? > < + From > < >
U returns: < ? > < >
SearchList input: < + From > $| < D : domain . com > < >
D input: < domain . com > < ? > < + From > < >
D input: < com > < ? > < + From > < >
D returns: < ? > < >
D returns: < ? > < >
SearchList returns: < ? >
SearchList returns: < ? >
SearchList returns: < ? >
Basic_check_mail returns: < OKR >
check_mail returns: < OKR >

==run check on fake local address==
>check_mail 
check_mail input: < dunno @ domain . com >
Local_check_mail input: < dunno @ domain . com >
Local_check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"
check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"

==hit CTRL-D to leave sendmail ruleset debugging mode==
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos



Abhishek Kr. Singh
System Administrator
DSC. LTD.
Mob.No. +91-9871563248
 				
---------------------------------
 Find out what India is talking about on  - Yahoo! Answers India 
 Send FREE SMS to your friend's mobile from Yahoo! Messenger Version 8. Get it NOW
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos/attachments/20060921/f656cd7c/attachment-0005.html>