Date: Thu, 19 Mar 1998 15:30:29 -0500
From: "Mark Segal" <mark@club-web.com>
To: "Steve Hovey" <shovey@buffnet.net>
Cc: <freebsd-isp@FreeBSD.ORG>
Subject: Re: spam blocking in sendmail
Message-ID: <01bd5375$dbca7700$0201010a@elmo>

>I've found what looks like a good way to block inbound spam by domain - but
>am not up on sendmail enough - it mentions making a hash table

If you're really interested in anti-spam, Sendmail 8.9.0 is out for beta testing.. and has quite a few anti-spam improvements, or so I'm told :).

BTW, I have attached the release from the sendmail-announce listserv, it is just a beta but hopefully most of the security holes are gone.. :)

mark

Attachment: sendmail 8.9.0.Beta3 available for testing.eml

Message-Id: <199803171526.HAA25987@knecht.Sendmail.ORG>
To: sendmail-announce@Sendmail.ORG
From: Eric Allman <not-for-spam@Sendmail.ORG>
Subject: sendmail 8.9.0.Beta3 available for testing
Date: Tue, 17 Mar 1998 07:26:49 -0800

-----BEGIN PGP SIGNED MESSAGE-----

I am pleased to announce the availability of sendmail 8.9.0.Beta3 for testing.

Access information follows:

    FTP://ftp.sendmail.org/pub/sendmail/sendmail.8.9.0.Beta3.tar.gz

    MD5 = b2abb360dc6ea591b8522eaec1c81722 (sendmail.8.9.0.Beta3.tar.gz)
    MD5 = e427bcf84570837bc119916015981a8c (sendmail.8.9.0.Beta3.tar)

The focus of this release is on spam control. Major changes include:

  * SMTP relaying is turned off by default.
  * SMTP Messages are rejected by default if the sender domain cannot be resolved.
  * Messages can be rejected on the basis of the contents of headers.
  * A new Build script that works in all directories for compiling.
  * More security checks on files being opened.

People who have included anti-spam rulesets in their configurations will probably have to remove or modify their old rules. In particular, the check_* rulesets are defined by default.

Also, people who use SMTP relaying (e.g., for PC mailers) will have to configure sendmail to allow relaying as needed in their domain. I realize this will be painful for many, but it seems necessary to avoid spam. This is just another example of how spammers hurt us all.

Lastly, the checks on file modes have been tightened up considerably -- for example, by default sendmail will refuse to read .forward files that are group writable or are in group writable directories. This behaviour can be turned down using the DontBlameSendmail option. Refer to the README file in the distribution for more information.

The complete release notes are attached.

Please note that there is a new sendmail signing key for 1998. It is available on the public key servers, and should be signed by the 1997 key as well as many individuals.

As usual, please send bug reports and comments to sendmail@Sendmail.ORG.

eric

- ----------------------------------------------------------------------

SECURITY: To prevent users from reading files not normally readable, sendmail will no longer open forward, :include:, sendmail.cf, class, ErrorHeader, or HelpFile files located in unsafe (i.e. group or world writable) directory paths.
Sites which need the ability to override security can use the DontBlameSendmail option. See the README file for more information.

SECURITY: Problems can occur on poorly managed systems, specifically, if maps or alias files are in world writable directories. This fixes the change added to 8.8.6 to prevent links in these world writable directories.

SECURITY: Make sure ServiceSwitchFile option file is not a link if it is in a world writable directory.

SECURITY: Never pass a tty to a mailer -- if a mailer can get at the tty it may be able to push bytes back to the sender's input. Unfortunately this breaks -v mode. Problem noted by Wietse Venema of the Global Security Analysis Lab at IBM T.J. Watson Research.

SECURITY: Empty group list if DontInitGroups is set to true to prevent program deliveries from picking up extra group privileges. Problem reported by Wolfgang Ley of DFN-CERT.

SECURITY: The default value for DefaultUser is now set to the uid and gid of the first existing user mailnull, nobody, or daemon. If none of these three exist, sendmail reverts back to the old behavior of using uid 1 and gid 1. This is a security problem for Linux which has chosen that uid and gid for user bin instead of daemon. If DefaultUser is set in the configuration file, that value overrides this default.

Add support for Berkeley DB 2.X. Based on patch from John Kennedy of Cal State University, Chico.

Remove support for OLD_NEWDB (pre-1.5 version of Berkeley DB). Users which previously defined OLD_NEWDB=1 must now upgrade to the current version of Berkeley DB.

Added support for regular expressions using the new map class regex. From Jan Krueger of Unix-AG of University of Hannover.

Support for BIND 8.1.1's hesiod for hesiod maps and hesiod UserDatabases from Randall Winchester of the University of Maryland.

Allow any shell for user shell on program deliveries on V1 configurations for backwards compatibility on machines which do not have getusershell().
Fix from John Beck of Sun Microsystems.

On operating systems which change the process title by reusing the argument vector memory, sendmail could corrupt memory if the last argument was either "-q" or "-d". Problem noted by Frank Langbein of the University of Stuttgart.

Support Local Mail Transfer Protocol (LMTP) between sendmail and mail.local on the F=z flag.

Macro-expand the contents of the ErrMsgFile. Previously this was only done if you had magic characters (0x81) to indicate macro expansion. Now $x will be expanded. This means that real dollar signs have to be backslash escaped.

TCP Wrappers expects "unknown" in the hostname argument if the reverse DNS lookup for the incoming connection fails. Problem noted by Randy Grimshaw of Syracuse University and Wietse Venema of the Global Security Analysis Lab at IBM T.J. Watson Research.

DSN success bounces generated from an invocation of sendmail -t would be sent to both the sender and MAILER-DAEMON. Problem noted by Claus Assmann of Christian-Albrechts-University of Kiel.

Avoid "Error 0" messages on delivery mailers which exit with a valid exit value such as EX_NOPERM. Fix from Andreas Luik of ISA Informationssysteme GmbH.

Tokenize $&x expansions on right hand side of rules. This eliminates the need to use tricks like $(dequote "" $&{client_name} $) to cause the ${client_name} macro to be properly tokenized.

Add the MaxRecipientsPerMessage option: this limits the number of recipients that will be accepted in a single SMTP transaction. After this number is reached, sendmail starts returning "452 Too many recipients" to all RCPT commands. This can be used to limit the number of recipients per envelope (in particular, to discourage use of the server for spamming). Note: a better approach is to restrict relaying entirely.

Fixed pointer initialization for LDAP lmap struct, fixed -s option to ldapx map and added timeout for ldap_open call to avoid hanging sendmail in the event of hung LDAP servers.
Patch from Booker Bense of Stanford University.

Allow multiple -qI, -qR, or -qS queue run limiters. For example, '-qRfoo -qRbar' would deliver mail to recipients with foo or bar in their address. Patch from Allan E Johannesen of Worcester Polytechnic Institute.

The bestmx map will now return a list of the MX servers for a host if passed a column delimiter via the -z map flag. This can be used to check if the server is an MX server for the recipient of a message. This can be used to help prevent relaying. Patch from Mitchell Blank Jr of Exec-PC.

Mark failures for the *file* mailer and return bounce messages to the sender for those failures.

Prevent bogus syslog timestamps on errors in sendmail.cf by preserving the TZ environment variable until TimeZoneSpec has been determined. Problem noted by Ralf Hildebrandt of Technical University of Braunschweig. Patch from Per Hedeland of Ericsson.

Print test input in address test mode when input is not from the tty when the -v flag is given (i.e. sendmail -bt -v) to make output easier to decipher. Problem noted by Aidan Nichol of Procter & Gamble.

The LDAP map -s flag was not properly parsed and the error message given included the remainder of the arguments instead of solely the argument in error. Problem noted by Aidan Nichol of Procter & Gamble.

New DontBlameSendmail option. This option allows administrators to bypass some of sendmail's file security checks at the expense of system security. This should only be used if you are absolutely sure you know the consequences.
The available DontBlameSendmail options are:

    safe
    assumesafechown
    classfileinunsafedirpath
    errorheaderinunsafedirpath
    groupwritabledirpathsafe
    groupwritableforwardfilesafe
    groupwritableincludefilesafe
    groupwritablealiasfile
    helpfileinunsafedirpath
    worldwritablealiasfile
    forwardfileingroupwritabledirpath
    includefileingroupwritabledirpath
    forwardfileinunsafedirpath
    includefileinunsafedirpath
    forwardfileinunsafedirpathsafe
    includefileinunsafedirpathsafe
    mapinunsafedirpath
    linkedaliasfileinwritabledir
    linkedclassfileinwritabledir
    linkedforwardfileinwritabledir
    linkedincludefileinwritabledir
    linkedmapinwritabledir
    linkedserviceswitchfileinwritabledir
    filedeliverytohardlink
    filedeliverytosymlink
    writemaptohardlink
    writemaptosymlink
    writestatstohardlink
    writestatstosymlink

New DontProbeInterfaces option to turn off the inclusion of all the interface names in $=w on startup. In particular, if you have lots of virtual interfaces, this option will speed up startup. However, unless you make other arrangements, mail sent to those addresses will be bounced.

Automatically create alias databases if they don't exist and AutoRebuildAliases is set.

Add PrivacyOptions=noetrn flag to disable the ETRN command. Suggested by Christophe Wolfhugel of the Institut Pasteur.

When determining the client host name ($&{client_name} macro), do a forward (A) DNS lookup on the result of the PTR lookup and compare results. If they differ or if the PTR lookup fails, &{client_name} will contain the IP address surrounded by square brackets (e.g. [127.0.0.1]).

New map flag: -Tx appends "x" to lookups that return temporary failure (i.e., it is like -ax for the temporary failure case, in contrast to the success case).

New syntax to do limited checking of header syntax. A config line of the form:

    HHeader: $>Ruleset

causes the indicated Ruleset to be invoked on the Header when read. This ruleset works like the check_* rulesets -- that is, it can reject mail on the basis of the contents.

Limit the size of the HELO/EHLO parameter to prevent spammers from hiding their connection information in Received: headers.

When SingleThreadDelivery is active, deliveries to locked hosts are skipped. This will cause the delivering process to try the next MX host or queue the message if no other MX hosts are available. Suggested by Alexander Litvin.

The [FILE] mailer type now delivers to the file specified in the A= equate of the mailer definition instead of $u. It also obeys all of the F= mailer flags such as the MIME 7/8 bit conversion flags. This is useful for defining a mailer which delivers to the same file regardless of the recipient (e.g. 'A=FILE /dev/null' to discard unwanted mail).

Do not assume the identity of a remote connection is root@localhost if the remote connection closes the socket before the remote identity can be queried.

Change semantics of the F=S mailer flag back to 8.7.5 behavior. Some mailers, including procmail, require that the real uid is left unchanged by sendmail. Problem noted by Per Hedeland of Ericsson.

No longer is the src/obj*/Makefile selected from a large list -- it is now generated using the information in BuildTools/OS/ -- some of the details are determined dynamically via BuildTools/bin/configure.sh.

The other programs in the sendmail distribution -- mail.local, mailstats, makemap, praliases, rmail, and smrsh -- now use the new Build method which creates an operating system specific Makefile using the information in BuildTools.

Make 4xx reply codes to the SMTP MAIL command be non-sticky (i.e., a failure on one message won't affect future messages to the same host). This is necessary if the remote host sends a 451 error if the domain of the sender does not resolve as is common in anti-spam configurations. Problem noted by Mitchell Blank Jr of Exec-PC.

New "discard" mailer for check_* rulesets and header checking rulesets.
If one of the above rulesets resolves to the $#discard mailer, the commands will be accepted but the message will be completely discarded after it is accepted. This means that even if only one of the recipients resolves to the $#discard mailer, none of the recipients will receive the mail. Suggested by Brian Kantor.

All but the last cloned envelope of a split envelope were queued instead of being delivered. Problem noted by John Caruso of CNET: The Computer Network.

Syslog an error if a user forward file could not be read due to an error. Patch from John Beck of Sun Microsystems.

Use the first name returned on machine lookups when canonifying a hostname via NetInfo. Patch from Timm Wetzel of GWDG.

Clear the $&{client_addr}, $&{client_name}, and $&{client_port} macros when delivering a bounce message to prevent rejection by a check_compat ruleset which uses these macros. Problem noted by Jens Hamisch of AgiX Internetservices GmbH.

If the check_relay ruleset resolves to the error mailer, the error in the $: portion of the resolved triplet is used in the rejection message given to the remote machine. Suggested by Scott Gifford of The Internet Ramp.

Set the $&{client_addr}, $&{client_name}, and $&{client_port} macros before calling the check_relay ruleset. Suggested by Scott Gifford of The Internet Ramp.

Sendmail would get a segmentation fault if a mailer exited with an exit code of 79. Problem noted by Aaron Schrab of ExecPC Internet. Fix from Christophe Wolfhugel of the Pasteur Institute.

Separate snprintf/vsnprintf routines into separate file for use by mail.local.

Allow multiple map lookups on right hand side, e.g., R$* $( host $1 $) $| $( passwd $1 $). Patch from Christophe Wolfhugel of the Pasteur Institute.

Properly generate success DSN messages if requested for aliases which have owner- aliases. Problem noted by Kari Hurtta of the Finnish Meteorological Institute.

Properly display delayed-expansion macros ($&{macroname}) in address test mode (-bt).
Problem noted by Bryan Costales of InfoBeat, Inc.

-qR could sometimes match names incorrectly. Problem noted by Lutz Euler of Lavielle EDV Systemberatung GmbH & Co.

Include a magic number and version in the StatusFile for the mailstats command.

Record the number of rejected messages in the StatusFile for display by the mailstats command. Patch from Randall Winchester of the University of Maryland.

Portability:

    AIX 4.1 uses int for SOCKADDR_LEN_T from Motonori Nakamura of Kyoto University.
    AIX 4.2 requires <userpw.h> before <usersec.h>. Patch from Randall S. Winchester of the University of Maryland.
    AIX 4.3 from Valdis Kletnieks of Virginia Tech CNS.
    Digital UNIX now uses statvfs for determining free disk space. Patch from Randall S. Winchester of the University of Maryland.
    HP-UX 11.x from Richard Allen of Opin Kerfi HF.
    IRIX 64 bit fixes from Kari Hurtta of the Finnish Meteorological Institute.
    IRIX 6.2 configuration fix for mail.local from Michael Kyle of CIC/Advanced Computing Laboratory.
    QNX from Glen McCready <glen@qnx.com>.
    SCO 4.2 and 5.x use /usr/bin instead of /usr/ucb for links to sendmail. Install with group bin instead of kmem as kmem does not exist. From Guillermo Freige of Gobernacion de la Pcia de Buenos Aires and Paul Fischer of BTG, Inc.
    SunOS 4.X does not include bcopy(). Patch from Per Hedeland of Ericsson.
    SunOS 5.7 includes getloadavg() function for determining load average. Patch from John Beck of Sun Microsystems.

CONFIG: add DATABASE_MAP_TYPE to set the default type of database map for the various maps. The default is hash. Patch from Robert Harker of Harker Systems.

CONFIG: new confEBINDIR m4 variable for defining the executable directory for certain programs.

CONFIG: new FEATURE(local_lmtp) to use the new LMTP support for local mail delivery. By default, /usr/libexec/mail.local is used. This is expected to be the mail.local shipped with 8.9 which is LMTP capable. The path is based on the new confEBINDIR m4 variable.

CONFIG: Use confEBINDIR in determining path to smrsh for FEATURE(smrsh). Note that this changes the default from /usr/local/etc/smrsh to /usr/libexec/smrsh. To obtain the old path for smrsh, use FEATURE(smrsh, /usr/local/etc/smrsh).

CONFIG: DOMAIN(generic) changes the default confFORWARD_PATH to include $z/.forward.$w+$h and $z/.forward+$h which allow the user to set up different .forward files for user+detail addressing.

CONFIG: add confMAX_RCPTS_PER_MESSAGE, confDONT_PROBE_INTERFACES, and confDONT_BLAME_SENDMAIL to set MaxRecipientsPerMessage, DontProbeInterfaces, and DontBlameSendmail options.

CONFIG: by default do not allow relaying (that is, accepting mail from outside your domain and sending it to another host outside your domain).

CONFIG: new FEATURE(promiscuous_relay) to allow mail relaying from any site to any site.

CONFIG: new FEATURE(relay_entire_domain) allows any host in your domain as defined by the 'm' class ($=m) to relay.

CONFIG: new FEATURE(relay_based_on_MX) to allow relaying based on the MX records of the host portion of an incoming recipient.

CONFIG: new FEATURE(access_db) which turns on the access database feature. This database gives you the ability to allow or refuse to accept mail from specified domains for administrative reasons. By default, names that are listed as "OK" in the access db are domain names, not host names.

CONFIG: new confCR_FILE m4 variable for defining the name of the file used for class 'R'. Defaults to /etc/mail/relay-domains.

CONFIG: new command RELAY_DOMAIN(domain) and RELAY_DOMAIN_FILE(file) to add items to class 'R' ($=R) for hosts allowed to relay.

CONFIG: new FEATURE(relay_hosts_only) to change the behavior of FEATURE(access_db) and class 'R' to lookup individual host names only.

CONFIG: new FEATURE(blacklist_recipients) turns on the ability to block incoming mail destined for certain recipient usernames, hostnames, or addresses.

CONFIG: By default, MAIL FROM: commands in the SMTP session will be refused if the host part of the argument to MAIL FROM: cannot be located in the host name service (e.g., DNS).

CONFIG: new FEATURE(accept_unresolvable_domains) accepts unresolvable hostnames in MAIL FROM: SMTP commands.

CONFIG: new FEATURE(accept_unqualified_senders) accepts MAIL FROM: senders which do not include a domain.

CONFIG: new FEATURE(rbl) Turns on rejection of hosts found in the Realtime Blackhole List. You can specify the RBL name server to contact by specifying it as an optional argument. The default is rbl.maps.vix.com. For details, see http://maps.vix.com/rbl/.

CONFIG: Call Local_check_relay, Local_check_mail, and Local_check_rcpt from check_relay, check_mail, and check_rcpt. Users with local rulesets should place the rules using LOCAL_RULESETS. If a Local_check_* ruleset returns OK, the message is accepted. If the ruleset returns a mailer, the appropriate action is taken, else the return of the ruleset is ignored.

CONFIG: CYRUS_MAILER_FLAGS now includes the /:| mailer flags by default to support file, :include:, and program deliveries.

CONFIG: Remove the default for confDEF_USER_ID so the binary can pick the proper default value. See the SECURITY note above for more information.

MAIL.LOCAL: support -l flag to run LMTP on stdin/stdout. This SMTP-like protocol allows detailed reporting of delivery status on a per-user basis. Code donated by John Myers of CMU (now of Netscape).

MAIL.LOCAL: HP-UX support from Randall S. Winchester of the University of Maryland. NOTE: mail.local is not compatible with the stock HP-UX mail format. Be sure to read mail.local/README.

MAIL.LOCAL: Prevent other mail delivery agents from stealing a mailbox lock. Patch from Randall S. Winchester of the University of Maryland.

MAIL.LOCAL: glibc portability from John Kennedy of Cal State University, Chico.

MAIL.LOCAL: IRIX portability from Kari Hurtta of the Finnish Meteorological Institute.

MAILSTATS: Display the number of rejected messages in the StatusFile. Patch from Randall Winchester of the University of Maryland.

MAKEMAP: New -s flag to ignore safety checks on database map files such as linked files in world writable directories.

MAKEMAP: Add support for Berkeley DB 2.X. Remove OLD_NEWDB support.

PRALIASES: Add support for Berkeley DB 2.X.

RMAIL: Improve portability for other platforms. Patches from Randall S. Winchester of the University of Maryland and Kari Hurtta of the Finnish Meteorological Institute.

Changed Files:

    src/Makefiles/Makefile.* files have been modified to use the new build mechanism and are now BuildTools/OS/*.
    src/makesendmail changed to symbolic link to src/Build.

New Files:

    BuildTools/M4/header.m4
    BuildTools/M4/depend/BSD.m4
    BuildTools/M4/depend/CC-M.m4
    BuildTools/M4/depend/NCR.m4
    BuildTools/M4/depend/Solaris.m4
    BuildTools/M4/depend/generic.m4
    BuildTools/OS/AIX.4.2
    BuildTools/OS/AIX.4.x
    BuildTools/OS/HP-UX.11.x
    BuildTools/OS/NeXT.4.x
    BuildTools/OS/NetBSD.8.3
    BuildTools/OS/QNX
    BuildTools/OS/SunOS.5.7
    BuildTools/README
    BuildTools/bin/Build
    BuildTools/bin/configure.sh
    BuildTools/bin/find_m4.sh
    BuildTools/bin/install.sh
    Makefile
    cf/cf/Build
    cf/cf/obj/generic-hpux10.cf
    cf/feature/accept_unqualified_senders.m4
    cf/feature/accept_unresolvable_domains.m4
    cf/feature/access_db.m4
    cf/feature/blacklist_recipients.m4
    cf/feature/local_lmtp.m4
    cf/feature/promiscuous_relay.m4
    cf/feature/rbl.m4
    cf/feature/relay_based_on_MX.m4
    cf/feature/relay_entire_domain.m4
    cf/feature/relay_hosts_only.m4
    cf/ostype/qnx.m4
    contrib/doublebounce.pl
    mail.local/Build
    mail.local/Makefile.m4
    mail.local/README
    mailstats/Build
    mailstats/Makefile.m4
    makemap/Build
    makemap/Makefile.m4
    praliases/Build
    praliases/Makefile.m4
    rmail/Build
    rmail/Makefile.m4
    rmail/rmail.0
    smrsh/Build
    smrsh/Makefile.m4
    src/Build
    src/Makefile.m4
    src/snprintf.c

Deleted Files:

    mail.local/Makefile
    mail.local/Makefile.dist
    mailstats/Makefile
    mailstats/Makefile.dist
    makemap/Makefile
    makemap/Makefile.dist
    praliases/Makefile
    praliases/Makefile.dist
    rmail/Makefile
    smrsh/Makefile
    smrsh/Makefile.dist
    src/Makefile
    src/Makefiles/Makefile.AIX.4 (split into AIX.4.x and AIX.4.2)
    src/Makefiles/Makefile.Utah (obsolete platform)

Renamed Files:

    READ_ME => README
    cf/cf/Makefile => Makefile.BSD
    cf/cf/Makefile.dist => Makefile
    src/READ_ME => src/README

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNQ6LbCPkYtS/e6QhAQF04AP/edkcGAqYuLM0EkSWxP+5bsS497/GxuMn
xG8rHbOzgEyd3F0cMXI+SfVm4+RMCoiapAAOJ3Y9L9zt+k3cjcwwKZH02J9CFzdD
edhJOxfLYgNX6VztGjZCIOFimgWFLERLYwn1ldYIypiNRKcUIv0YGdXQNbrX9aDo
jAK817ejo8M=
=0etY
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
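
The file-mode rules in the announcement above (no group writable .forward, no group or world writable directory in its path, no link inside a writable directory) determine which files 8.9 stops reading, so they can be checked across home directories before upgrading. The Python script below is an added example, not sendmail's code and not part of the original message; `audit`, `build_demo_tree` and the `top` parameter are assumptions of the example, and the directory tree it inspects is constructed.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def _who(mode):
    """Name which of the group/world write bits are set in `mode`."""
    bits = (("group", stat.S_IWGRP), ("world", stat.S_IWOTH))
    return "/".join(name for name, bit in bits if mode & bit)

def audit(path, top=os.sep):
    """Return [(path, reason), ...] for `path`; an empty list means no finding.
    `top` is an assumption of this example: directories above it are treated
    as trusted, so the constructed tree can live under a temp directory."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    parent = os.path.dirname(path)
    if os.path.commonpath([parent, top]) != top:
        raise ValueError("path is not below top")
    findings = []

    # 1. Every directory from `top` down to the file's parent: a group or
    #    world writable one makes the whole path an "unsafe directory path".
    d, dirs = parent, [parent]
    while d != top:
        d = os.path.dirname(d)
        dirs.append(d)
    for d in reversed(dirs):
        mode = os.stat(d).st_mode
        if mode & WRITABLE_BY_OTHERS:
            findings.append((d, _who(mode) + "-writable directory in path"))

    # 2. A symlink or extra hard link that sits in a writable directory.
    lst = os.lstat(path)
    linked = stat.S_ISLNK(lst.st_mode) or lst.st_nlink > 1
    if linked and os.stat(parent).st_mode & WRITABLE_BY_OTHERS:
        findings.append((path, "link in writable directory"))

    # 3. The file itself. The announcement names group writable files;
    #    flagging world writable ones too is this example's assumption.
    mode = os.stat(path).st_mode
    if mode & WRITABLE_BY_OTHERS:
        findings.append((path, _who(mode) + "-writable file"))
    return findings

def build_demo_tree():
    """Create a constructed home-directory tree and return its paths."""
    top = os.path.realpath(tempfile.mkdtemp(prefix="forward-audit-"))
    layout = {"alice": (0o755, 0o644), "bob": (0o775, 0o644),
              "carol": (0o755, 0o664)}
    tree = {"top": top}
    for user, (dir_mode, file_mode) in layout.items():
        home = os.path.join(top, user)
        os.mkdir(home)
        forward = os.path.join(home, ".forward")
        with open(forward, "w") as fh:
            fh.write(user + "@example.org\n")
        os.chmod(forward, file_mode)  # explicit chmod: umask masks creation modes
        os.chmod(home, dir_mode)
        tree[user] = forward
    shared = os.path.join(top, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)
    tree["link"] = os.path.join(shared, ".forward")
    os.symlink(tree["alice"], tree["link"])  # link placed in a writable directory
    return tree

if __name__ == "__main__":
    demo = build_demo_tree()
    for name in ("alice", "bob", "carol", "link"):
        print(name, audit(demo[name], demo["top"]) or "ok")
```

On a real system, call `audit` with the default `top` so that every directory from `/` down is checked.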