Preventing Spams and Relays

The smtpd package (together with its companion smtpfwdd) is an SMTP proxy that sits in front of the real MTA and refuses spam and unauthorized relaying before the mail is accepted, saving the bandwidth, disk space and clean-up time that would otherwise be spent on it.
Configuring smtpd

The mail proxy reads its configuration from the file smtpd_check_rules in the etc directory beneath the smtpd home directory (the directory given with -c, see below); in our example that is /home/smtpd/etc/smtpd_check_rules. Any line beginning with # is a comment, and blank lines are allowed. Each rule occupies one line and has the following format:

[allow|deny|noto]:SourceList:FromList:ToList[:XXX message]

where XXX is the SMTP reply code (for instance 550) that prefixes the message. Rules are evaluated in order and the first rule that matches ends the check, so place rules carefully: a permissive rule that appears before a restrictive one silently wins.

The first field is the action. allow accepts the matching SMTP transaction; deny refuses it and closes the session; noto returns an error for the matching recipient but keeps the session open, so the client may continue with other recipients.

The second field is a list of IP addresses and/or host names to match the source SMTP connection. IP addresses may be specified with a netmask to include a whole network. The format of this is XX.XX.XX.XX/bits where bits is the netmask bits for the network. For instance, a network 192.168.0.0 with netmask 255.255.255.0 would be written as 192.168.0.0/24. A few special reserved identifiers that can be used are:

  • ALL: any IP address and host name

  • KNOWN: only IP and host names which are DNS resolvable

  • UNKNOWN: IP and host names which are not DNS resolvable

  • EXCEPT: exceptions

  • *: wild-card character

The third and fourth fields match the envelope sender (MAIL FROM) and the envelope recipient (RCPT TO) respectively. Entries have the format user@host, and the special word ALL matches any address.

The fifth field is optional and holds the error message that deny and noto return to the SMTP client. The following variables are expanded in the message:

  • %F: mail from address

  • %T: recipient address

  • %H: connecting host name

  • %I: connecting IP address

  • %U: user name reported by the connecting host (via IDENT)

A rule matches only when all three lists (SourceList, FromList and ToList) match the connection; only then is its action taken.

Listing 1 is an example rule set that assumes the internal network is 10.0.0.0 and the mail hub is at 10.0.0.9. Note that the noto_delay action behaves like noto but first pauses for a fixed number of seconds before the error is returned. This was introduced to tie up relayers and spammers, and the timeouts (the corresponding DENY_DELAY applies to delayed denials) are compiled in from the Makefile:

NOTO_DELAY = 60
DENY_DELAY = 60
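The evaluator below is an added example, not the Obtuse smtpd source and not the article's Listing 1. It implements the rule semantics described above (first matching rule ends the check, all three lists must match, CIDR source entries, the ALL/KNOWN/UNKNOWN/EXCEPT identifiers and %F/%T/%H/%I/%U substitution) and runs a few constructed connections through a constructed rule set for the scenario just described, with the internal network assumed to be 10.0.0.0/8 and the local domain assumed to be example.com. It also assumes comma-separated list entries, `*` wildcards in the from/to patterns, EXCEPT only in the source list, and IPv4 addresses; those details are not stated on this page.

```python
"""Evaluator for the smtpd_check_rules format described above (added example,
not the Obtuse smtpd source). It covers allow/deny/noto, first match wins, all
three lists must match, CIDR sources, ALL/KNOWN/UNKNOWN/EXCEPT and %F/%T/%H/%I/%U.
ASSUMED: comma-separated list entries, `*` wildcards in from/to patterns,
EXCEPT only in the source list, IPv4 addresses only."""
import fnmatch
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str        # allow | deny | noto
    sources: str       # SourceList
    froms: str         # FromList
    tos: str           # ToList
    message: str = ""  # optional "XXX message" for deny/noto

def parse_rules(text):
    """Parse rule lines; '#' comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 4)  # the message field keeps any further colons
        if len(parts) < 4 or parts[0] not in ("allow", "deny", "noto"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append(Rule(*parts))
    return rules

def _source_item_matches(item, ip, hostname):
    if item == "ALL":
        return True
    if item == "KNOWN":    # connecting IP has a resolvable host name
        return hostname is not None
    if item == "UNKNOWN":  # reverse lookup failed
        return hostname is None
    try:                   # 10.0.0.9 or 10.0.0.0/8
        return ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False)
    except ValueError:     # not an address: host name pattern such as *.example.net
        return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), item.lower())

def _source_list_matches(spec, ip, hostname):
    """'A EXCEPT B' matches when an entry of A matches and no entry of B does."""
    included, _, excluded = spec.partition(" EXCEPT ")
    def any_match(entries):
        return any(_source_item_matches(e.strip(), ip, hostname)
                   for e in entries.split(",") if e.strip())
    return any_match(included) and not any_match(excluded)

def _address_matches(spec, address):
    return any(p.strip() == "ALL" or fnmatch.fnmatchcase(address.lower(), p.strip().lower())
               for p in spec.split(","))

def expand_message(template, ip, hostname, sender, recipient, user):
    """Substitute the documented %F/%T/%H/%I/%U variables."""
    for key, val in (("%F", sender), ("%T", recipient), ("%H", hostname or ip),
                     ("%I", ip), ("%U", user)):
        template = template.replace(key, val)
    return template

def check(rules, ip, sender, recipient, hostname=None, user="unknown"):
    """Return (action, message) from the FIRST rule whose three lists all match."""
    for r in rules:
        if (_source_list_matches(r.sources, ip, hostname)
                and _address_matches(r.froms, sender)
                and _address_matches(r.tos, recipient)):
            return r.action, expand_message(r.message, ip, hostname, sender, recipient, user)
    # The text does not say what smtpd does when nothing matches; fail closed here.
    return "deny", "no matching rule (evaluator default)"

# Constructed rule set for the scenario in the text (NOT the article's Listing 1):
# internal network assumed 10.0.0.0/8, hub 10.0.0.9, local domain example.com.
# Order matters: blacklist and relay permits precede the catch-all noto.
SAMPLE_RULES = """\
# refuse a known spam source and close the session
deny:spam.example.net:ALL:ALL:554 %H is blacklisted
# the hub and resolvable internal hosts may send anywhere
allow:10.0.0.9:ALL:ALL
allow:10.0.0.0/8 EXCEPT UNKNOWN:ALL:ALL
# anyone may hand us mail for our own domain
allow:ALL:ALL:*@example.com
# everything else is third-party relaying: refuse the recipient, keep the session
noto:ALL:ALL:ALL:550 Relaying of mail from %F to %T via %I is not permitted
"""

def demo():
    """Run five constructed connections through SAMPLE_RULES."""
    rules = parse_rules(SAMPLE_RULES)
    cases = [  # (connecting IP, resolved host name or None, MAIL FROM, RCPT TO)
        ("10.0.0.9", "hub.example.com", "alice@example.com", "bob@other.example"),
        ("10.1.2.3", None, "alice@example.com", "bob@other.example"),
        ("198.51.100.7", "mx.other.example", "carol@other.example", "dave@example.com"),
        ("198.51.100.7", "mx.other.example", "carol@other.example", "eve@third.example"),
        ("203.0.113.5", "spam.example.net", "x@spam.example.net", "dave@example.com"),
    ]
    return [check(rules, ip, f, t, hostname=h) for ip, h, f, t in cases]
```

Calling demo() shows the relay check doing its job: the hub and a resolvable internal host are allowed to send anywhere, an internal host without reverse DNS and an outside host sending to an outside address both get the noto refusal with %F, %T and %I filled in, and the blacklisted host gets the deny. Moving the catch-all noto line to the top of SAMPLE_RULES makes every connection fail, which is the ordering mistake the text warns about.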

A few other options are not covered here, namely the NS= pattern check and the use of the IDENT protocol to identify users. Readers who need a more detailed setup of this file should read smtpd_address_check.txt in the source directory. Example rule sets for filtering spam and relays can be downloaded from Obtuse's FTP site.

Running smtpd

After creating the configuration file, the running mail daemon must be stopped so that smtpd/smtpfwdd can take over port 25. For Sendmail, find the process that is accepting connections and kill it (only the listener; a queue-runner sendmail, if one is running, can stay):

> ps ax | grep sendmail
24569 ? S 0:00 sendmail: accepting connections on port 25
> kill 24569

This shuts down the listener; no new mail is accepted until smtpd is started. Next, check for queued mail that the daemon has not yet delivered:

/usr/lib/sendmail -bp

If the mail queue is not empty, flush it:

/usr/lib/sendmail -q

If mail is still in the queue after a while, this command can be rerun later, so the installation of smtpd/smtpfwdd can continue in the meantime.

Start the smtpd daemon by issuing the command:

/usr/local/sbin/smtpd -c /home/smtpd -d /spool \
    -u daemon -g daemon -D -L

The smtpd daemon will start accepting mail and spool it to the /home/smtpd/spool directory. The command-line parameters are:

  • -c /home/smtpd: the smtpd home directory; smtpd confines itself to this directory, which is why the spool path that follows is given relative to it

  • -d /spool: the directory (relative to the home directory) where spooled mail is stored

  • -u daemon -g daemon: the unprivileged user and group smtpd switches to once it has bound the SMTP port

  • -D: run as a daemon and listen on the SMTP port

  • -L: suppress the openlog call in children forked in daemon mode

Once smtpd is running, check the spool directory: as mail arrives it fills with files whose names begin with smtp. These are the spooled messages, and they still have to be handed to the MTA. That is the job of smtpfwdd, which we start with:

/usr/local/sbin/smtpfwdd -d /home/smtpd/spool \
    -u daemon -g daemon

Once running, smtpfwdd watches the spool directory /home/smtpd/spool (here given as a full path, since smtpfwdd is not confined to the smtpd home directory) and processes the spooled mail by invoking the MTA, in this case Sendmail.

The MTA should still run so that it periodically processes its own queue and sends out any mail waiting there. Note that there are now two spool directories: the one smtpd writes to and Sendmail's own queue (usually /var/spool/mqueue). To run sendmail in non-daemon mode so that it processes its queue every 15 minutes, type:

/usr/lib/sendmail -q15m

Once everything is working, edit your startup files to run smtpd and smtpfwdd by default in place of Sendmail's port 25 listener, keeping the queue-runner invocation above.
