Preventing Spams and Relays
The mail proxy reads its configuration from a file (smtpd_check_rules) in the /etc directory, in our example, /home/smtpd/etc/smtpd_check_rules. Each line in the file beginning with a # is a comment. Blank lines are allowed. Rules have the following format (one line):
where XXX is the error message number. The first rule that matches will be taken and the check ended, so placement of rules should be done carefully.
The first field states the action to either allow an SMTP connection, deny the SMTP connection and close the session or noto which will return an error for the matching rule but will still continue for the session.
The second field is a list of IP addresses and/or host names to match the source SMTP connection. IP addresses may be specified with a netmask to include a whole network. The format of this is XX.XX.XX.XX/bits where bits is the netmask bits for the network. For instance, a network 192.168.0.0 with netmask 255.255.255.0 would be written as 192.168.0.0/24. A few special reserved identifiers that can be used are:
ALL: any IP address and host name
KNOWN: only IP and host names which are DNS resolvable
UNKNOWN: IP and host names which are not DNS resolvable
*: wild-card character
The third and fourth fields are used to match e-mail addresses and have the format user@host. The special word ALL can also be used in these fields.
The fifth field is optional and is used to return error messages from deny and noto to the SMTP client. The following special variables can be used to return information in the error messages:
%F: mail from address
%T: recipient address
%H: connecting host name
%I: connecting IP address
%U: user from the host
All three fields (SourceList, FromList and ToList) must be matched in order for action to be taken.
Listing 1 is an example of a set of rules that assumes the internal network is 10.0.0.0 and a mail hub is at 10.0.0.9. Note that noto_delay will pause for a certain amount of seconds before action is taken. This option was introduced to delay relayers and spammers and the parameters that control this timeout are set in the Makefile:
NOTO_DELAY = 60 DENY_DELAY = 60
A few other configurations can be done that I have not shown here, namely the NS= pattern-check and the use of the IDENT protocol for identifying users. Users who need a more detailed setup of this file should read the file smtpd_address_check.txt in the source directory. Examples for filtering spams and relays can be downloaded from Obtuse's FTP site.
After creating the configuration file, the running mail daemon must be stopped and replaced with smtpd/smtpfwdd. For Sendmail, this can be done by typing:
> ps ax | grep sendmail 24569 ? S 0:00 sendmail: accepting connections on port 25 > kill 24569
This will effectively shutdown the mail daemon. Now, check for queued mail that the daemon has not yet sent out by issuing the command:
/usr/lib/sendmail -bpIf the mail queue is not empty, flush the queue by typing:
/usr/lib/sendmail -qIf mail is still in the queue after awhile, this command can be resent at a later time so the installation of smtpd/smtpfwdd can continue. No new mail will be accepted while the mail daemon is down.
Start the smtpd daemon by issuing the command:
/usr/local/sbin/smtpd -c /home/smtpd -d /spool\ -u daemon -g daemon -D -L
The smtpd daemon will start accepting mail and spool it to the /home/smtpd/spool directory. The parameters on the command line are defined as follows:
-c /home/smtpd: the smtpd home directory
-d /spool: the directory where spooled mail should be stored
-u daemon -g daemon: user/group smtpd
-D: instruction to run as daemon and listen on the SMTP port
-L: instruction to suppress children in daemon mode from making an openlog call
/usr/local/sbin/smtpfwdd -d /home/smtpd/spool -u\ daemon -g daemonOnce it begins running, smtpfwdd will check the spool directory /home/smtpd/spool and starts processing the spooled mail by running the MTA, in this case Sendmail.
A good idea is to run the MTA in such a way that it periodically processes its mail queue and sends out any mail present. Note that we actually have two spool directories here: one used by smtpd and the other by sendmail (usually in /var/spool/mqueue). To run sendmail in non-daemon mode in order to process the queue every 15 minutes, type:
Once everything is running fine, edit your startup files to run smtpd/smtpfwdd by default instead of sendmail.
Practical Task Scheduling Deployment
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.View Now!
|The Firebird Project's Firebird Relational Database||Jul 29, 2016|
|Stunnel Security for Oracle||Jul 28, 2016|
|SUSE LLC's SUSE Manager||Jul 21, 2016|
|My +1 Sword of Productivity||Jul 20, 2016|
|Non-Linux FOSS: Caffeine!||Jul 19, 2016|
|Murat Yener and Onur Dundar's Expert Android Studio (Wrox)||Jul 18, 2016|
- Stunnel Security for Oracle
- The Firebird Project's Firebird Relational Database
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- SUSE LLC's SUSE Manager
- Managing Linux Using Puppet
- My +1 Sword of Productivity
- Non-Linux FOSS: Caffeine!
- SuperTuxKart 0.9.2 Released
- Google's SwiftShader Released
- Doing for User Space What We Did for Kernel Space