[CentOS] sendmail mail relay backscatter issue.

Thu Feb 4 14:16:23 UTC 2010
Les Mikesell <lesmikesell at gmail.com>

Simon Billis wrote:
> Hi Folks,
> 
> I have a couple of questions which I hope that you will be able to assist
> with, first some background.
> 
> I run a few sendmail servers that run MailScanner/SpamAssassin/sendmail
> (current versions) on CentOS 5.4 and CentOS 4.8. These boxes accept mail for
> a large number of domains (6000+), scan the mail removing spam and then
> forward the ham to another server for delivery. I am attempting to stop any
> backscatter that these servers cause by only accepting mail for specific
> users at domain or for domains with a catch-all account.
> 
> I currently use /etc/mail/access.db as the access map for the domains, but
> this allows all mail to be accepted for the domain before attempting to
> send it on for final delivery which causes NDR and backscatter for those
> domains which do not have a catch-all account.
> 
> I have looked at adding "To:user@domain RELAY" to the access map and also
> adding "define(`_RELAY_FULL_ADDR_', `1')" in the sendmail.mc and running
> make -C /etc/mail but this has no effect on the sendmail.cf file. My
> understanding is that if I can get sendmail to accept this undocumented
> feature then all will be fine as I will be able to use the access map to
> allow mail to those specific users as well as entries of the type "domain
> RELAY".
> 
> My first question is: Does anyone have any ideas as to why I wouldn't be
> able to have this change reflected in sendmail.cf?
> 
> My second question is: Does anyone have any ideas on how to utilise access
> map and relay-domains to achieve the same thing?
> 
> Thanks for your time and assistance.
> 

One approach here, if it is practical to collect/maintain all of the valid 
recipient addresses, is to build a virtuser table with a default reject for each 
domain the relay handles plus the list of all valid addresses.  This is very 
efficient if you can automate the table updates or the user base is stable.

Another would be to use MIMEDefang as the framework instead of MailScanner.  It 
has an option to check recipient addresses via SMTP to the delivery servers 
before accepting.  You may have to write a snippet of Perl to get that right for 
multiple domains (that's a feature...).  This is less efficient but works in 
real time against the addresses that will be accepted for delivery.

-- 
   Les Mikesell
    lesmikesell at gmail.com
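
The first approach in the reply above, automated, as an added example that is not part of the original message: it builds a virtusertable holding every valid address plus a default reject (or the catch-all) for each relayed domain, and models the lookup so the table can be checked before it is installed. The domains, addresses, the `mailstore.example.net` delivery host and all function names are constructed assumptions; the right-hand side for valid addresses depends on how your relay forwards mail.

```python
"""Added example: sendmail virtusertable with a default reject per relayed domain."""

# Right-hand side form shown in sendmail's cf/README for rejecting a recipient.
REJECT = "error:nouser 550 No such user here"

# Constructed sample data. None means "no catch-all account for this domain".
DOMAINS = {"example.com": None,
           "example.org": "postmaster@mailstore.example.net"}
VALID = {"alice@example.com": "alice@mailstore.example.net",
         "Bob@example.com": "bob@mailstore.example.net"}


def build_virtusertable(valid, domains):
    """valid: {address: destination}; domains: {domain: catch-all or None}."""
    table = {}
    for addr, dest in valid.items():
        local, _, domain = addr.lower().rpartition("@")
        if not local or domain not in domains:
            # An address outside the relayed domains is a data error; fail loudly.
            raise ValueError(f"{addr!r} is not in a relayed domain")
        table[f"{local}@{domain}"] = dest
    for domain, catch_all in domains.items():
        # Every domain gets an @domain entry, so nothing falls through unchecked.
        table[f"@{domain}"] = catch_all or REJECT
    return table


def render(table):
    """Text for /etc/mail/virtusertable (compile it with makemap afterwards)."""
    keys = sorted(table,
                  key=lambda k: (k.partition("@")[2], k.startswith("@"), k))
    return "".join(f"{k}\t{table[k]}\n" for k in keys)


def lookup(table, rcpt):
    """Simplified lookup model: full address, then @domain, else unchanged."""
    rcpt = rcpt.lower()
    domain = rcpt.rpartition("@")[2]
    return table.get(rcpt) or table.get(f"@{domain}") or rcpt


if __name__ == "__main__":
    print(render(build_virtusertable(VALID, DOMAINS)), end="")
```

The `lookup` model ignores `+detail` addressing, so test the generated table against a real sendmail with `sendmail -bv` before relying on it.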