File: check.html

package info (click to toggle)
fidogate 4.2.8-6
links: PTS
area: main
in suites: woody
size: 5,800 kB
ctags: 2,844
sloc: ansic: 22,020; perl: 2,885; sh: 1,551; yacc: 671; makefile: 585
file content (803 lines) | stat: -rw-r--r-- 17,052 bytes
parent folder | download | duplicates (3)
<HTML>
<HEAD>
<TITLE>
Using check_* in sendmail 8.8
</TITLE>
<LINK REV="MADE" HREF="mailto:ca@informatik.uni-kiel.de">
<LINK REL="HOME" HREF="../index.html">
<LINK REL="UP" HREF="english.html">
<LINK REL="INDEX" HREF="misc.html">
<META NAME="description" CONTENT="sendmail 8.8: using the check_* rules to avoid misuse (unauthorized relaying) of your sendmail system and spam (UCE)">
<META NAME="keywords" CONTENT="e-mail, sendmail, check_mail, check_compat, check_relay, check_rcpt, misuse, spam, uce, control, check, relay">
</HEAD>

<BODY>

<!-- ========================================
Begin
     ========================================  -->
<H1>
Using check_* in sendmail 8.8
</H1>

<EM>Last Update 1997-10-03</EM>
<HR>
Content:
<A HREF="#check_mail">check_mail</A>
|
<A HREF="#check_rcpt">check_rcpt</A>
|
<A HREF="#check_relay">check_relay</A>
|
<A HREF="#check_compat">check_compat</A>
|
<A HREF="#misc">Some more hints</A>
<HR>

<H2>
Introduction
</H2>

<!-- ========================================
     Intro
     ========================================  -->
<A HREF="ftp://FTP.Sendmail.ORG/ucb/src/sendmail/">sendmail 8.8</A>
introduces several
<A HREF="sm8.8.new.html#MISUSE">new rulesets</A>
to check who can use your machine to send e-mail
and to avoid
<A HREF="http://spam.abuse.net/spam/">UCE</A>
from well-known sites.
These are:
<DL>
<DT>
<CODE>
<A HREF="#check_mail">check_mail</A>
</CODE>
<DD>
for the
<CODE>
MAIL
</CODE>
command,

<DT>
<CODE>
<A HREF="#check_rcpt">check_rcpt</A>
</CODE>
<DD>
for the
<CODE>
RCPT
</CODE>
command,

<DT>
<CODE>
<A HREF="#check_relay">check_relay</A>
</CODE>
<DD>
checking 
the host name and host address separated by
<CODE>
$|
</CODE>,

<DT>
<A HREF="#check_compat">check_compat</A>
<DD>
checking both
<CODE>
MAIL
</CODE>
and
<CODE>
RCPT
</CODE>
also
separated by
<CODE>
$|
</CODE>
before delivery.
</DL>

<P>
Moreover, it also defines
new macros:
<CODE>
${client_name},
</CODE>
<CODE>
${client_addr},
</CODE>
and
<CODE>
${client_port}
</CODE>
that have the name,
IP address,
and
port number
of the SMTP client,
respectively.

<P>
After you have read this text carefully,
you can
<A HREF="rules/check.tar">download</A>
(last update: 1997-10-03)
the HACKs for use in your
<CODE>
.mc
</CODE>
file.
Be sure you understand what they are trying to accomplish and
<A HREF="chk-dbg.html">
check them yourself
</A>
before you use them on a production system!

<!-- ============================================================ -->
<H2><A NAME="general">General Information about the new Rules</A></H2>

These new rulesets can do whatever you want,
the only interesting case is when the resolve to the the
<CODE>
$#error
</CODE>
mailer,
i.e.,
<CODE>
$#error $@ error-code $: error-text
</CODE>.
In this case the indicated message is printed
and the command is rejected with an error code.
sendmail can return different reply codes,
which are defined in
<A HREF="ftp://ftp.informatik.uni-kiel.de/pub/internet/rfc/rfc-1800-1899/rfc1893.gz">
RFC 1893
</A>.
However, if you don't repeat the error number in the error text,
sendmail uses the default value 553.


<P>
Just as a reminder, the parts of an
(E)SMTP
dialogue
which are important here are:
<BR>
<CODE>
MAIL From:&lt;sender@address&gt;
</CODE>
<BR>
to specify the sender's address,
and
<BR>
<CODE>
RCPT To:&lt;rcpt@address&gt;
</CODE>
<BR>
to specify the recipient's address,
of which multiple can be given.

<P>
The
<CODE>
check_compat
</CODE>
ruleset is called before delivery with
<CODE>
from_addr $| to_addr
</CODE>
as argument.
The $| is a new meta-symbol used to separate the two addresses.
You can use this ruleset to implement mailrouting policies,
e.g.,
you can prevent the use of your machine as a mailgateway.

<P>
<CODE>
check_compat
</CODE>
is called for all deliveries,
while
<CODE>
check_mail
</CODE>
and
<CODE>
check_rcpt
</CODE>
are only called for SMTP connections.
So the latter won't work when you run
sendmail
in queue delivery mode behind smap or something similar.
In this case, you should try
the <A HREF="checkcompat.txt">patch</A>
for
<CODE>
checkcompat()
</CODE>
written by
Kyle Jones.

<!-- ============================================================ -->
<H2><A NAME="check_mail">check_mail</A></H2>

The address supplied through the
<CODE>
MAIL
</CODE>
command can be checked against the
<CODE>
check_mail
</CODE>
ruleset.

<P>
<A HREF="chk-newmap.html">A new version</A>
uses a map with error messages as right side.
It has several advantages over the version presented here.

<P>
You can use this to prevent known spammers from sending you e-mail.
First, you may have a list of domains
in an external file
which you want to ban completely:
<BR>
<CODE>
F{SpamDomains} /etc/mail/SpamDomains
</CODE>
<BR>
e.g.,
<PRE>
cyberpromo.com
quantcom.com
</PRE>

Next, you may have a list of users which you want to ban too:
<BR>
<CODE>
F{Spammer} /etc/mail/Spammer
</CODE>
<BR>
e.g.,
<PRE>
lamer@aol.com
</PRE>

Now you can use these as follows:
<PRE>
<A HREF="rules/check_mail">Scheck_mail</A>
R&lt;$={Spammer}&gt;		$#error $@ 5.7.1 $: "551 We don't accept junk mail"
R&lt;$={Spammer}.&gt;		$#error $@ 5.7.1 $: "551 We don't accept junk mail"
R$*			$: $&gt;3 $1
R$*&lt;@$={SpamDomains}.&gt;$*	$#error $@ 5.7.1 $: "551 We don't accept junk mail from your domain"
R$*&lt;@$={SpamDomains}&gt;$*		$#error $@ 5.7.1 $: "551 We don't accept junk mail from your domain"
</PRE>

In addition, you may want to act on broken mailers which don't use
&lt;&gt; around addresses:
<PRE>
R$={Spammer}		$#error $@ 5.7.1 $: "551 We don't accept junk mail"
R$={Spammer}.		$#error $@ 5.7.1 $: "551 We don't accept junk mail"
</PRE>

If you want to stop receiving mails from subdomains of well known spammers,
you can modify the last two rules a bit:
<PRE>
R$*&lt;@$*$={SpamDomains}.&gt;$*	$#error $@ 5.7.1 $: "551 We don't accept junk mail from your domain"
R$*&lt;@$*$={SpamDomains}&gt;$*		$#error $@ 5.7.1 $: "551 We don't accept junk mail from your domain"
</PRE>


Next step could be the following:
you want also to reject mail from those domains,
which are not registered in the DNS.
However, this may also be a temporary fault,
so you should give back a temporary failure.

<PRE>
# if you enable the last rule, you can disable this one.
# host without a . in the FQHN ?
R$*&lt;@$-&gt;$*	$#error $@ 4.1.8 $: "451 invalid host name"		no real name
# lookup IP address (reverse mapping available?)
# R$*&lt;@[$-.$-.$-.$-]&gt;$*	$: $1 &lt; @ $[ [ $2.$3.$4.$5 ] $] &gt; $6 
# no DNS entry? this is dangerous!
# R$*&lt;@$*$~P&gt;$*	$#error $@ 4.1.8 $: "451 unresolvable host name, check your configuration."		no real name
</PRE>

The hint to perform a reverse-mapping of the IP address comes from
<A HREF="http://www.stud.uni-hannover.de/~jk/">Jan Kr&uuml;ger</a>.

<!--
<P>
There is a
<A HREF="chk-db.html">
new proposal which uses a map lookup
</A>
instead of plain text files.
-->

<!-- ============================================================ -->
<H2><A NAME="check_rcpt">check_rcpt</A></H2>

The address supplied through the
<CODE>
RCPT
</CODE>
command can be checked against the
<CODE>
check_rcpt
</CODE>
ruleset.

On first look,
this ruleset doesn't make much sense.
Why check the recipient?
sendmail does this anyway when trying to deliver,
esp. for local recipients.
However,
this ruleset can be used to check
whether your system is (mis)used as a gateway.
The
<CODE>
check_compat
</CODE>
ruleset,
which seems to be better suited for this purpose,
since it
gets both addresses (sender and recipient) as parameters,
is called too late.

To reject a misuse at the earliest moment
(and save your bandwith etc),
you can refer to
the address of the sending system,
which
is available in the macro
<CODE>
${client_addr}
</CODE>.
However, to use it in a rule, you have to refer to it as:
<CODE>
$(dequote "" $&amp;{client_addr} $)
</CODE>
so sendmail defers evaluation and tokenizes it.

The
<A HREF="rcpt_old.html">old solution</A>
is based on
a proposal from
<A HREF="mailto:cthuang@io.org">Chin Huang</A>:

But since there is
<A HREF="relay1.html#rcptproblem">a problem</A>
with these rules,
here is a new solution.

First,
we check whether it is a local client:
it can do whatever it want.
Next, we remove the local part, maybe repeatedly.
If it still has routing information in it,
it seems to be a relay attempt.

So list in the class
<PRE>
F{LocalIP} /etc/mail/LocalIP
</PRE>
the IP addresses of the local clients you will allow to relay
through your mail server, for example
<PRE>
134.245
127.0.0.1
</PRE>
A client which connects from one of these IP numbers can
send mail through your gateway anywhere.

<PRE>
<A HREF="rules/check_rcpt4">Scheck_rcpt</A>
# first: get client addr
R$+			$: $(dequote "" $&amp;{client_addr} $) $| $1
R0 $| $*		$@ ok			no client addr: directly invoked
R$={LocalIP}$* $| $*	$@ ok			from here
# not local, check rcpt
R$* $| $*		$: $&gt;3 $2
# remove local part, maybe repeatedly
R$*&lt;@$=w.&gt;$*		$&gt;3 $1 $3
# still something left?
R$*&lt;@$+&gt;$*		$#error $@ 5.7.1 $: 551 we do not relay
</PRE>

The trailing
<CODE>
$*
</CODE>
after
<CODE>
$={LocalIP}
</CODE>
matches incompletely specified IP addresses on octet boundaries,
as can be seen by
<CODE>
134.245
</CODE>
which matches a whole class B subnet.


<P>
If you relay mail for other systems
(e.g., the secondary MX of a system points to your mailhost
or your server is the primary MX, but you forward the mail to another system), use also:
<PRE>
F{RelayTo} /etc/mail/RelayTo
</PRE>
to list all hosts you relay mail to or accept mail for.
For example, we put
<PRE>
uni-kiel.de
</PRE>
in
<CODE>
RelayTo
</CODE>.
Then change the line
<PRE>
R$*&lt;@$=w.&gt;$*		$&gt;3 $1 $3
</PRE>
to
<PRE>
R$*&lt;@$*$={RelayTo}.&gt;$*		$&gt;3 $1 $4
</PRE>
(or just add the latter).
The leading
<CODE>
$*
</CODE>
will match with subdomains of those domains in
<CODE>
RelayTo
</CODE>
too.
<!--
You can use the same list of host (or domain) names,
if you use
<KBD>
HACK(use_names)
</KBD>,
i.e., 
<CODE>
$={LocalNames}
</CODE>.
-->
You can also
<A HREF="chk-relay-map.html">
use a map
</A>
instead of a class,
if you slightly change the rules.


<P>
Several people asked for a possibility to allow relaying
based on the FROM address too.
Take a look at
<A HREF="chk-rcpt5.html">
another version
</A>
which should be able to do just this.

<P>
Can anyone see a problem with this simpler approach?
If somebody has a better solution for this, please
<A HREF="mailto:ca@informatik.uni-kiel.de">let me know</A>.


<!-- ============================================================ -->
<H2><A NAME="check_relay">check_relay</A></H2>

<CODE>
check_relay
</CODE>
gets
the host name and host address of the client separated by
<CODE>
$|
</CODE>
as parameters.
This can be used as a substitute for
<CODE>
TCPWRAPPERS
</CODE>.
You can enable the code for
<CODE>
TCPWRAPPERS
</CODE>
by compiling sendmail with
<CODE>
-DTCPWRAPPERS=1
</CODE>.

A small example is:

<PRE>
F{DeniedIP} /etc/mail/DeniedIP
F{DeniedNames} /etc/mail/DeniedNames
</PRE>

These (plain text) files contain a list of IP addresses and hostnames
which are not allowed to access your mailserver.

<PRE>
<A HREF="rules/check_relay">Scheck_relay</A>
R$+ $| $={DeniedIP}$*		$#error $@ 5.7.1 $: "no access from your IP address"
R$*$={DeniedNames} $| $*	$#error $@ 5.7.1 $: "no access from your host"
</PRE>

(note the trailing/leading
<CODE>
$*
</CODE>
to match with incompletely specified IP addresses/names).

<P>
Access will be refused with the error message:
<PRE>
550 Access denied
</PRE>
and the error string will be logged.

<P>
If you try to use maps, you need
<A HREF="patches/sm_check_relay.p1.html">
a patch
</A>
for sendmail 8.8.5 (it's fixed in later versions).
Have a look at
<A HREF="chk-rel.html">
a version
</A>
which uses the same databases (with some additions) as
<A HREF="chk-db.html">
check_mail
</A>.
The
<A HREF="chk-newmap.html">latest version</A>
allows to specify individual error messages.

<!-- ============================================================ -->
<H2><A NAME="check_compat">check_compat</A></H2>

Although
<CODE>
check_compat
</CODE>
gets both addresses (sender and recipient)
as parameters to check whether your machine is used as
a gateway,
it's too late.
<CODE>
check_compat
</CODE>
is called after the whole message has been transmitted.

You could do something like this:
<PRE>
<A HREF="rules/check_compat">Scheck_compat</A>
R$+ $| $+		$: $2 $| $&gt;3 $1	canonicalize sender
R$+ $| $+		$: $2 $| $&gt;3 $1	canonicalize recipient
R$- $| $+		$@ok		from here
R$+ $| $-		$@ok		to here
R$+&lt;@$=w.&gt; $| $+	$@ok		from here
R$+ $| $*&lt;@$=w.&gt;	$@ok		to here
R$*			$#error $@ 5.7.1 $: "551 we do not support relaying"
</PRE>
to prevent (mis)use of your machine as a mail gateway by other
people.
Maybe you have to use some other class than
<CODE>
w
</CODE>.
If you have a better example for this purpose,
please
<A HREF="mailto:ca@informatik.uni-kiel.de">let me know</A>.
However,
this ruleset has
a problem with forwarding.
That's one of the reasons why you should use the
<A HREF="#check_rcpt">
check_rcpt solution
</A>.

<!--
If you can't do that, you can add these rules in front:
<PRE>
R$+		$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*	$@ ok
R$={LocalIP}$* $| $*	$@ ok
R$* $| $+	$: $2
</PRE>
-->

<!-- ============================================================ -->
<H2><A NAME="misc">Some more hints</A></H2>

<!-- ============================================================ -->
<H3><A NAME="errcode">Problems with Reply Codes 571, 418</A></H3>

Thanks to
<A HREF="http://www.qpsf.edu.au/people/seanv.html">Sean Vickery</A>
for pointing out a mistake with the reply codes
used in the
<CODE>
check_
</CODE>
rules.
The correct SMTP reply codes are
<CODE>
45x
</CODE>
or
<CODE>
55x
</CODE>
according to
<A HREF="ftp://ftp.informatik.uni-kiel.de/pub/internet/rfc/rfc-0800-0899/rfc0821.gz">
RFC 821
</A>.
The codes
<CODE>
5.7.1, 4.1.8
</CODE>
etc. are
<CITE>
Enhanced Mail System Status Codes
</CITE>
as defined in
<A HREF="ftp://ftp.informatik.uni-kiel.de/pub/internet/rfc/rfc-1800-1899/rfc1893.gz">
RFC 1893
</A>.

<!-- ============================================================ -->
<H3><A NAME="nasty">Nasty?</A></H3>

<P>
If you have a good connection to the internet,
and you want to be a bit
<EM>
nasty
</EM>,
you could change all error codes from
permanent (5)
to
temporary (4),
e.g., instead of
<CODE>
"551 ..."
</CODE>
you can use
<CODE>
"451 ...".
</CODE>
This has the consequence that the spammer will try again later on,
so his resources are tied up.
The more people implement such a scheme,
the longer it will take the spammer to distribute his junk.
<EM>
But be careful:
</EM>
this ties up your resources too!


<!-- ============================================================ -->
<H3><A NAME="testing">Testing the rules</A></H3>

Before installing these rules on a productions system,
you need to test them.
Read the
<A HREF="chk-dbg.html">
guide to debug
</A>
these new rules.
It also contains a
<A HREF="ftp://vancouver-webpages.com/pub/chkspam">
link
</A>
to a
<A HREF="chk-dbg.html#SCRIPT">
script to test mail relaying capabilities
</A>.

<!-- ============================================================ -->
<H3><A NAME="other">Other proposals</A></H3>

More examples can be found in
<A HREF="http://www.Sendmail.ORG/antispam.html">Anti-Spam Provisions in Sendmail 8.8</A>
and in
<A HREF="chk-ex.html">
this list
</A>,
which also contains some links
to pages
<A HREF="http://www-rcd.cc.purdue.edu/~af5/spam.html">
with more explanations.
</A>

<P>
Yet another possibility is to use the
<CODE>
checkcompat()
</CODE>
routine.
Kyle Jones
proposed the following
<A HREF="checkcompat.txt">patch</A>.
It is intended to disallow all non-local e-mail traffic through your host.

<P>
These rules can act only based on the information given
during the (E)SMTP dialogue (the envelope),
and on the address of the sender (or recipient).
They can't filter based on the header or the content of
the e-mail.
If you want this,
either install
<A HREF="software.html#FILTER">
procmail as local delivery agent
</A>
or
<A HREF="postings/spamcan.html">
patch sendmail.
</A>

<H3><A NAME="where">Where to put this in sendmail.cf?</A></H3>
<P>
If you don't want to use the supplied
<A HREF="rules/check.tar">
HACKs
</A>
to build a
<CODE>
sendmail.cf
</CODE>
from a
<CODE>
.mc
</CODE>
file
then you have
<A HREF="chk-cf.html">
to place the new stuff in your
<CODE>
.mc
</CODE>
or
<CODE>
sendmail.cf
</CODE>
</A>
by hand.
Or read the
<A HREF="http://www.glenns.org/sendmail.antispam.html">instructions</A>
written by
<A HREF="http://www.glenns.org/">Glenn Fleishman</A>.
<HR>
<A HREF="misc.html">[(links)]</A>
<A HREF="english.html">[Hints]</A>
<A HREF="../faqs/sendmailv8.html">[FAQ]</A>
<A HREF="README.cf.8.8.html">[cf/README]</A>
<A HREF="new.html">[New]</A>

<ADDRESS>
Copyright &#169;
<A HREF="../index.html">
Claus A&szlig;mann
</A>
Please send comments to:
<A HREF="mailto:ca@informatik.uni-kiel.de"> &lt;ca@informatik.uni-kiel.de&gt;</A>
</ADDRESS>
</BODY>
</HTML>