Using check_* in sendmail 8.9

Last Update 2000-09-20

Introduction

sendmail 8.8 introduced several new rulesets to check who can use your machine to send/relay e-mail and to avoid UBE from well-known sites. There are standard rulesets in sendmail 8.9 to this effect (see the release notes). I will try to explain these rules and how they relate to my HACKs and the provided options. For each option, a note states whether the feature is available (maybe in slightly modified form) in 8.9. For those options that are not (yet) in 8.9, new versions of my HACKs are available.

8.9 has hooks for all check_* rulesets called Local_check_*. My HACKs already have an option for this. Theoretically, you could continue to use these HACKs; however, this is not the best way. Most of these HACKs can be translated into standard FEATUREs for sendmail 8.9. If you rely on one of the options which are not available in 8.9, you can of course continue to use my rulesets. However, 8.9 introduces several new features which provide significant enhancements to fight UBE, even though they do not allow as much control of acceptance/rejections/relaying as available by the options for my HACKs.

Temporary Failure Flag

The -T flag for maps makes it possible to distinguish between permanent and temporary lookup failures. This allows the rejection of mails with faked domain parts, for which in 8.8 only a temporary failure can be returned.

Regular Expressions

A further improvement is the incorporation of the regular expression map type from Jan Krüger. This can be used for several purposes; one example (a slightly modified version of the one in cf/README) is:
LOCAL_CONFIG 
Kdigits regex -a@MATCH ^[0-9]+$ 
# systems which don't have usernames with only digits
F{NoNumeric}/etc/mail/nonumeric
 
LOCAL_RULESETS 
SLocal_check_mail 
# check address against various regex checks 
R$*		$: $>3 $1		canonify and check from
R$+<@$*$={NoNumeric}.>	$: $(digits $1 $: $1<@$2$3.> $)
R$*@MATCH	$#error $@ 4.1.8 $: "451 Spam address. Go away."
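
To see which envelope senders the Local_check_mail ruleset above would refuse before it goes into a live configuration, the following Python model (an added example, not part of cf/README or the author's HACKs) applies the same digits pattern and class test to a list of addresses. The class entries, sample addresses and function names are constructed, and the address splitting is only a rough stand-in for ruleset 3.

```python
import re

# Same pattern as the "digits" regex map on the page (^[0-9]+$).
DIGITS = re.compile(r"[0-9]+")

# Constructed stand-in for /etc/mail/nonumeric (class {NoNumeric}).
NO_NUMERIC = {"example.com", "mail.example.net"}


def split_address(addr):
    """Rough stand-in for ruleset 3: strip <>, split at the last @,
    lowercase the domain and drop a trailing dot."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr, ""
    return local, domain.lower().rstrip(".")


def in_class(domain, entries):
    """Model of $*$={NoNumeric}: the domain is a class entry or ends in
    one on a dot boundary (sendmail matches whole tokens)."""
    return any(domain == e or domain.endswith("." + e) for e in entries)


def check_mail(addr, entries=NO_NUMERIC):
    """Return 'REJECT' where the page's Local_check_mail would raise the
    451 error, otherwise 'OK'."""
    local, domain = split_address(addr)
    if domain and in_class(domain, entries) and DIGITS.fullmatch(local):
        return "REJECT"
    return "OK"


# Constructed envelope senders, e.g. collected from a mail log.
SAMPLES = [
    "<12345@example.com>",        # digits only, listed domain
    "<12345@mx.example.com.>",    # subdomain of a listed domain
    "<bob42@example.com>",        # local part is not digits only
    "<12345@notexample.com>",     # different token, not a suffix match
    "<12345@other.org>",          # domain not in the class
    "<>",                         # null sender (bounces)
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{check_mail(s):6} {s}")
```

Running it over senders taken from real logs shows whether any legitimate all-digit addresses exist at the listed domains before the rule starts refusing them.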

Check Header Lines

Another major improvement is the possibility to check header lines by rulesets, not just the envelope (and some connection information). The line
HHeader: $>Ruleset
instructs sendmail to call Ruleset for each Header line. For example:
HMessage-Id: $>CheckMessageId
tells sendmail to call the ruleset CheckMessageId for each Message-Id: header. The ruleset may look like this:
SCheckMessageId
R< $+ @ $+ >		$@ OK
R$*			$#error $: 552 Header Error
It performs a simple syntax check for the Message-Id: header. This provides some nice opportunities together with regular expressions. Another example (simplified version of the ruleset in chk-headers.m4) is:
HTo: $>CheckTo

SCheckTo
R$*		$: $>LookUp $1
R<OK>$*		$@ OK
R<REJECT>$*	$#error $: 552 Header Error To
R<DISCARD>$*	$#discard $: discard
R<$+>$*		$#error $@ 5.7.1 $: $1
which compares the elements of the To: header against the access map. If this map has an entry like
friend@public.com	"501 You must be kidding."
e-mail which contains To: friend@public.com will be rejected.

Yet another example is:

HX-Spanska: $>Spanska

SSpanska
R$*		$#error $: "552 Your system is probably infected by the Happy99 worm; see http://www.symantec.com/avcenter/venc/data/happy99.worm.html"
or just discard it:
R$*		$#discard $: discard
which should take care of the HAPPY99.EXE worm.

And one more example is:

HSubject: $>Subject
D{Subject}C:\\CoolProgs\\Pretty\ Park.exe

SSubject
R${Subject}		$#error $: "552 Virus..."

Problems

There are a few problems with the standard rulesets, all of which are solved in sendmail 8.10. The FEATUREs do not allow a very fine-grained control of acceptance/rejections/relaying, and some features require a little knowledge about the check_* rulesets. Therefore I wrote down some ideas about possible enhancements.

8.9.{0,1} has a bug with respect to overriding the RBL which can be fixed by a patch for cf/m4/proto.m4. It is fixed in sendmail 8.9.2.

sendmail 8.9.1 has a bug with respect to the prevention of unauthorized relay attempts which can be fixed by a patch for cf/m4/proto.m4. This hole is fixed in 8.9.2.


Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.