Preventing Spams and Relays
The mail proxy reads its configuration from the file smtpd_check_rules in the etc directory under the smtpd home directory, in our example /home/smtpd/etc/smtpd_check_rules. Each line in the file beginning with a # is a comment, and blank lines are allowed. Rules have the following format (one line):
where XXX is the error message number. The first rule that matches will be taken and the check ended, so placement of rules should be done carefully.
The first field states the action: allow accepts the SMTP connection, deny refuses the connection and closes the session, and noto returns an error for the matching rule but lets the session continue.
The second field is a list of IP addresses and/or host names to match the source SMTP connection. IP addresses may be specified with a netmask to include a whole network. The format of this is XX.XX.XX.XX/bits where bits is the netmask bits for the network. For instance, a network 192.168.0.0 with netmask 255.255.255.0 would be written as 192.168.0.0/24. A few special reserved identifiers that can be used are:
ALL: any IP address and host name
KNOWN: only IP and host names which are DNS resolvable
UNKNOWN: IP and host names which are not DNS resolvable
*: wild-card character
The third and fourth fields are used to match e-mail addresses and have the format user@host. The special word ALL can also be used in these fields.
The fifth field is optional and is used to return error messages from deny and noto to the SMTP client. The following special variables can be used to return information in the error messages:
%F: mail from address
%T: recipient address
%H: connecting host name
%I: connecting IP address
%U: user from the host
All three fields (SourceList, FromList and ToList) must match in order for a rule's action to be taken.
Listing 1 is an example of a set of rules that assumes the internal network is 10.0.0.0 and a mail hub is at 10.0.0.9. Note that noto_delay will pause for a configurable number of seconds before the action is taken. This option was introduced to slow down relayers and spammers; the parameters that control this timeout are set in the Makefile:
NOTO_DELAY = 60
DENY_DELAY = 60
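Because neither the format line nor Listing 1 is reproduced above, here is an added example (not code from this article or from the Obtuse distribution): a small Python evaluator that implements the matching semantics described in the text, namely first match wins, all three of SourceList, FromList and ToList must match, networks written as address/bits, the ALL, KNOWN and UNKNOWN identifiers, the * wild card, and %F/%T/%H/%I/%U substitution in the message. It assumes colon-separated fields in the order action:SourceList:FromList:ToList:message and comma-separated entries within SourceList; it takes the result of reverse-DNS resolution as an input (a hostname of None meaning unresolvable) rather than querying DNS, and, since the text does not say what happens when no rule matches, it fails closed with deny by default. The rule set embedded in it is constructed for the 10.0.0.0 network and 10.0.0.9 hub of the text, with example.com as the local domain; it is not the article's Listing 1.

```python
"""Evaluator for smtpd_check_rules-style access rules (added example, not
Obtuse's code).  Assumed layout: action:SourceList:FromList:ToList:message,
with SourceList entries separated by commas."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# noto_delay/deny_delay are accepted as spellings of noto/deny; the pause
# they add in the real proxy is not simulated here.
ACTIONS = {"allow", "deny", "noto", "noto_delay", "deny_delay"}


@dataclass
class Rule:
    action: str
    sources: List[str]   # IPs, a.b.c.d/bits networks, host-name globs, ALL/KNOWN/UNKNOWN
    from_pat: str        # user@host glob or ALL
    to_pat: str          # user@host glob or ALL
    message: str = ""    # optional; may use %F %T %H %I %U


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # comments and blank lines
            continue
        # split at most four times so the message may itself contain colons
        fields = line.split(":", 4)
        if len(fields) < 4 or fields[0] not in ACTIONS:
            raise ValueError(f"malformed rule: {line!r}")
        action, src, frm, to = fields[:4]
        msg = fields[4] if len(fields) == 5 else ""
        rules.append(Rule(action, src.split(","), frm, to, msg))
    return rules


def source_matches(patterns: List[str], ip: str, hostname: Optional[str]) -> bool:
    """hostname is None when the connecting IP has no reverse DNS (UNKNOWN)."""
    addr = ipaddress.ip_address(ip)
    for pat in patterns:
        if pat == "ALL":
            return True
        if pat == "KNOWN":
            if hostname is not None:
                return True
            continue
        if pat == "UNKNOWN":
            if hostname is None:
                return True
            continue
        try:                                        # a.b.c.d or a.b.c.d/bits
            if addr in ipaddress.ip_network(pat, strict=False):
                return True
            continue
        except ValueError:
            pass                                    # not an address: host-name glob
        if hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pat.lower()):
            return True
    return False


def address_matches(pattern: str, address: str) -> bool:
    """Match user@host against a user@host glob; ALL matches anything."""
    if pattern == "ALL":
        return True
    puser, _, phost = pattern.rpartition("@")
    auser, _, ahost = address.rpartition("@")
    return (fnmatch.fnmatchcase(auser.lower(), puser.lower())
            and fnmatch.fnmatchcase(ahost.lower(), phost.lower()))


def expand(message: str, ip: str, hostname: Optional[str], mail_from: str,
           rcpt_to: str, ident_user: Optional[str]) -> str:
    """Fill in the %F %T %H %I %U variables of an error message."""
    subs = {"%F": mail_from, "%T": rcpt_to, "%H": hostname or "unknown",
            "%I": ip, "%U": ident_user or "unknown"}
    for var, value in subs.items():
        message = message.replace(var, value)
    return message


def check(rules: List[Rule], ip: str, hostname: Optional[str], mail_from: str,
          rcpt_to: str, ident_user: Optional[str] = None,
          default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins and all three lists must match.  The text does
    not say what happens when nothing matches, so this fails closed (assumption)."""
    for rule in rules:
        if (source_matches(rule.sources, ip, hostname)
                and address_matches(rule.from_pat, mail_from)
                and address_matches(rule.to_pat, rcpt_to)):
            return rule.action, expand(rule.message, ip, hostname,
                                       mail_from, rcpt_to, ident_user)
    return default, ""


# Constructed rule set (not the article's Listing 1): internal network
# 10.0.0.0/8 including the hub 10.0.0.9, local domain example.com.
SAMPLE_RULES = """\
# internal hosts may send anywhere
allow:10.0.0.0/8:ALL:ALL
# never accept mail from hosts without reverse DNS
deny:UNKNOWN:ALL:ALL:550 Mail from %I refused: host name does not resolve
# any resolvable host may deliver to our own domain
allow:ALL:ALL:*@example.com
# everything else is a relay attempt: reject the recipient, keep the session
noto:ALL:ALL:ALL:550 Relaying from %H (%I) to %T denied
"""
RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    print(check(RULES, "203.0.113.5", "mx.partner.net",
                "eve@partner.net", "dave@elsewhere.org"))
```

Reversing the order of RULES makes the final noto rule match everything, including the internal hosts, which is the placement hazard the text warns about.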
A few other options exist that I have not shown here, namely the NS= pattern check and the use of the IDENT protocol for identifying users. Users who need a more detailed setup of this file should read the file smtpd_address_check.txt in the source directory. Examples for filtering spam and relays can be downloaded from Obtuse's FTP site.
After creating the configuration file, the running mail daemon must be stopped and replaced with smtpd/smtpfwdd. For Sendmail, this can be done by typing:
> ps ax | grep sendmail
24569 ?  S    0:00 sendmail: accepting connections on port 25
> kill 24569
This will effectively shut down the mail daemon. Now, check for queued mail that the daemon has not yet sent out by issuing the command:
/usr/lib/sendmail -bp
If the mail queue is not empty, flush the queue by typing:
/usr/lib/sendmail -q
If mail is still in the queue after a while, this command can be reissued later, so the installation of smtpd/smtpfwdd can continue. No new mail will be accepted while the mail daemon is down.
Start the smtpd daemon by issuing the command:
/usr/local/sbin/smtpd -c /home/smtpd -d /spool -u daemon -g daemon -D -L
The smtpd daemon will start accepting mail and spool it to the /home/smtpd/spool directory. The parameters on the command line are defined as follows:
-c /home/smtpd: the smtpd home directory
-d /spool: the directory where spooled mail should be stored
-u daemon -g daemon: the user and group smtpd runs as
-D: instruction to run as daemon and listen on the SMTP port
-L: instruction to suppress children in daemon mode from making an openlog call
Next, start smtpfwdd:
/usr/local/sbin/smtpfwdd -d /home/smtpd/spool -u daemon -g daemon
Once it is running, smtpfwdd checks the spool directory /home/smtpd/spool and processes the spooled mail by running the MTA, in this case Sendmail.
A good idea is to run the MTA in such a way that it periodically processes its mail queue and sends out any mail present. Note that we actually have two spool directories here: one used by smtpd and the other by sendmail (usually in /var/spool/mqueue). To run sendmail in non-daemon mode in order to process the queue every 15 minutes, type:
Once everything is running fine, edit your startup files to run smtpd/smtpfwdd by default instead of sendmail.