From owner-freebsd-isp Sun Dec 13 03:36:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA18347 for freebsd-isp-outgoing; Sun, 13 Dec 1998 03:36:18 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: (from jmb@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA18328; Sun, 13 Dec 1998 03:36:07 -0800 (PST) (envelope-from jmb)
Date: Sun, 13 Dec 1998 03:36:07 -0800 (PST)
Message-Id: <199812131136.DAA18328@hub.freebsd.org>
From: "Jonathan M. Bresler"
To: dean@odyssey.apana.org.au
CC: toasty@home.dragondata.com, freebsd-isp@FreeBSD.ORG
In-reply-to: (message from Dean Hollister on Sun, 13 Dec 1998 14:41:35 +0800 (WST))
Subject: Re: sendmail morons
References:
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Date: Sun, 13 Dec 1998 14:41:35 +0800 (WST)
> From: Dean Hollister
> cc: freebsd-isp@FreeBSD.ORG
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Sender: owner-freebsd-isp@FreeBSD.ORG
> X-Loop: FreeBSD.org
>
> On Sun, 13 Dec 1998, Kevin Day wrote:
>
> > Somehow, we're on some spam software's list of open relays, I think. We
> > aren't open to relaying, but people sure try.
> >
> > I'm guessing this is a bug in the software, but... when it can't relay, it
> > leaves the connection open, then goes and tries again, and again.....
>
> [snippity]
>
> > I'll end up with hundreds of these sometimes.. They timeout in 15-20 mins,
> > but my server is thrashing so badly at that point, it's unusable.
> >
> > Anyone see this? Anyone know what I can do?
>
> Yes, I added the IP to our local database of blocked ip's. The server
> returns a permission denied error (550).
>
> > Sendmail is almost always sitting in 'cmd read' or 'child wait'.
>
> Eventually, it will timeout.

you can refuse connections from any IP or domain that you choose.
this is one way that we keep spam out of the mailing lists.
check out the files in /etc/mail.
or add these to your sendmail.cf
[beware of converting tabs to spaces using cut-n-paste]

jmb

Kdenyip hash -o -a.REJECT /etc/mail/denyip.db
Kfakenames hash -o -a.REJECT /etc/mail/fakenames.db
Kspamsites hash -o -a.REJECT /etc/mail/spamsites.db

# helper rulesets; useful for debugging sendmail configurations
#
#
Scheck_rbl
# look up an ip address in the Realtime Blackhole List.
R$-.$-.$-.$-	$: $(host $4.$3.$2.$1.rbl.maps.vix.com. $:OK $)

Scheck_dul
R$-.$-.$-.$-	$: $(host $4.$3.$2.$1.dul.orca.bc.ca. $:OK $)

Sxlat
# for sendmail -bt
# sendmail treats "$" and "|" as two distinct tokens
# this rule "pastes" them together into one token
# and then calls check_relay.
R$* $$| $*	$: $1 $| $2
R$* $| $*	$@ $>check_relay $1 $| $2

Scheck_relay
# called with "hostname.tld $| IP address" of connecting host.
# hostname.tld is the fully-qualified domain name
# IP address is dotted-quad with surrounding "[]" brackets.
#
# each group of rules in this ruleset is independent.
# each accepts and returns "hostname.tld $| IP address"
# use the ones that you want, comment out the rest
# you may rearrange the groups but not the rules in each group.
# each group is preceded and followed by a comment
#
# host must NOT be in the "spamsites" database--BEGIN
R$* $| $*	$: <$1 $| $2> $1
R<$*> $+.$+.$+	$: <$1> $(spamsites $2.$3.$4 $)
R<$*> $*.REJECT	$#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
R<$*> $+.$+.$+	<$1> $3.$4
R<$*> $+.$+	$: <$1> $(spamsites $2.$3 $)
R<$*> $*.REJECT	$#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
R<$*> $*	$: $1
# host must NOT be in the "spamsites" database--END
# ip address must NOT be in the "denyip" database--BEGIN
R$* $| $*	$: $1 $| $(denyip $2 $)
R$* $| $*.REJECT	$#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
# ip address must NOT be in the "denyip" database--END
# ip address must NOT be in Paul Vixie's RBL--BEGIN
R$* $| $*	$: <$1 $| $2> $>check_rbl $2
R$*.com.	$#error $: "550 Mail refused, see http://maps.vix.com/rbl"
R<$*> $*	$: $1
# ip address must NOT be in Paul Vixie's RBL--END
# ip address must NOT be in the Dialup Users List--BEGIN
R$* $| $*	$: <$1 $| $2> $>check_dul $2
R$*.com.	$#error $: "550 Mail refused, see http://www.orca.bc.ca/dul/dul.htm"
R<$*> $*	$: $1
# ip address must NOT be in the Dialup Users List--END
R$*	$@ OK

Scheck_mail
# called with envelope sender (everything after ":") in
# "Mail From: xxx", of SMTP conversation
# may or may not have "<" ">"
# the groups of rules in this ruleset ARE NOT independent.
# "remove all RFC-822 comments" must come first
# "Connecting Host" and "Paul Vixie's RBL" must be last
#
# use the ones that you want, comment out the rest
# each group is preceded and followed by a comment
#
# remove all RFC-822 comments--BEGIN
# MUST be first rule in check_mail ruleset.
R$*	$: $>3 $1
# remove all RFC-822 comments--END
# mail must come from a DNS resolvable host--BEGIN
R$* < @ $+ . >	$: $1 @ $2
R$* < @ $+ >	$#error $: "451 Domain does not resolve"
# mail must come from a DNS resolvable host--END
# mail must NOT come from a known source of spam--BEGIN
# resolved. second check: one of the known spam sources?
R$+ @$+	$: <$1@$2> $2
R<$*> $+.$+.$+	$: <$1> $(spamsites $2.$3.$4 $)
R<$*> $*.REJECT	$#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
R<$*> $+.$+.$+	<$1> $3.$4
R<$*> $*	$: $(spamsites $2 $: OK $)
R$+.REJECT	$#error $: "521 blocked. contact postmaster@FreeBSD.ORG"
R<$*> $*	$: $1
# mail must NOT come from a known source of spam--END
# Connecting Host must resolve--BEGIN
R$*	$: $1 $: $(dequote "" $&{client_name} $)
R$*	$: $>3 foo@$1
R<$*> $*<@$*>	$#error $: "451 Domain does not resolve"
# Connecting Host must resolve--END
R$*	$@ OK

Scheck_rcpt
# called with envelope recipient (everything after ":") in
# "Rcpt To: xxx", of SMTP conversation
# may or may not have "<" ">" and or RFC-822 comments.
# let ruleset 3 clean this up for us.
#
# mail must NOT be addressed "fakenames"--BEGIN
R$*	$: <$1> $>3 $1
R<$*> $+ < @ $+ >	$: <$1> $(fakenames $2 $: OK $)
R$+.REJECT	$#error $: 521 $1
R<$*> $*	$: $1
# mail must NOT be addressed "fakenames"--END
#
# mail must come from or go to this machine or machines we allow to relay--BEGIN
R$+	$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ ok
R$={LocalIP}$* $| $*	$@ ok
# not local, check rcpt
R$* $| $*	$: $>3 $2
# remove local part, maybe repeatedly
R$+	$:$>removelocal $1
# still something left?
R$*<@$+>$*	$#error $@ 5.7.1 $: 550 we do not relay
#
Sremovelocal
# remove RelayTo part (maybe repeatedly)
#
R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*	$: $>removelocal $>3 $1 $3
R$*<@$*>$*	$@ $1<@$2>$3
# dequote local part
R$-	$: $>3 $(dequote $1 $)
R$*<@$*>$*	$: $>removelocal $1<@$2>$3
# mail must come from or go to this machine or machines we allow to relay--END

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
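
The following is an added example, not part of the original message: a small Python model of which keys the check_relay groups above look up, useful when deciding what to put in the spamsites and denyip maps. The sample map contents, function names and the `dnsbl_listed` stand-in for DNS are assumptions, and the address is assumed to arrive as a bare dotted quad.

```python
import ipaddress

# Constructed sample data standing in for the /etc/mail/*.db maps (not from the post).
SPAMSITES = {"bulk.example", "mx1.relay.bad.example"}
DENYIP = {"192.0.2.10"}


def dnsbl_query_name(ip, zone="rbl.maps.vix.com."):
    """Name the check_rbl rule hands to the host map: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def spamsites_keys(hostname):
    """Keys the spamsites group looks up, in order.

    The full name is tried only when it has three or more labels; the rule
    without "$:" then strips leading labels until two remain, so the
    intermediate parent domains are never queried.
    """
    labels = hostname.lower().rstrip(".").split(".")
    keys = []
    if len(labels) >= 3:
        keys.append(".".join(labels))
    if len(labels) >= 2:
        keys.append(".".join(labels[-2:]))
    return keys


def check_relay(hostname, ip, dnsbl_listed=frozenset()):
    """Return the SMTP reply the modelled groups would give, or "OK".

    dnsbl_listed is a set of query names assumed to resolve (replaces DNS).
    """
    if any(key in SPAMSITES for key in spamsites_keys(hostname)):
        return "521 blocked"
    if ip in DENYIP:  # hash map lookup: exact string match, no CIDR or prefixes
        return "521 blocked"
    if dnsbl_query_name(ip) in dnsbl_listed:
        return "550 Mail refused"
    return "OK"
```

Note that a host such as mx2.relay.bad.example passes unless either its full name or bad.example is a key in the map; an entry for relay.bad.example alone is never consulted.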