The section ANTI-SPAM CONFIGURATION CONTROL in cf/README from the sendmail 8.9 distribution explains all available features.
The important new features are:
sendmail 8.9 uses a general map which can be activated by FEATURE(access_db) that is used for several purposes:
REJECT or a specific error message).
If the RHS is DISCARD, the e-mail will be silently discarded. This isn't recommended.
The map is also used in check_relay to control access to the system. The name and the IP address of the connecting system are compared against the map.
OK)
RELAY). This implies that the mail is accepted.
R with the help of: RELAY_DOMAIN() or RELAY_DOMAIN_FILE() (default: /etc/mail/relay-domains); or use the access map.
FEATUREs with respect to relaying are:
FEATURE(relay_entire_domain): allow relaying for every system in class m, which may cause a problem if it is set incorrectly.
FEATURE(relay_hosts_only): allow relaying only for hosts with an exact match in the access map or class R, not for subdomains.
FEATURE(relay_based_on_MX): compare the option _ISMX_.
FEATURE(loose_relay_check): see a discussion about relaying.
FEATURE(relay_local_from): will allow relaying if the sender specifies a domain in the envelope sender (MAIL FROM) which is a local domain. This is not recommended, as it allows a mail server to be abused by simply forging a local sender address. For roaming users, another solution based on POP authentication should be implemented.
FEATURE(promiscuous_relay): relay everything; don't activate this unless you absolutely have to.
MAIL FROM: parameter
FEATURE(accept_unresolvable_domains) _DNSVALID_.)
FEATURE(accept_unqualified_senders) _CHECK_FROM_; it's not the same, but a bit similar.)
    spammer.domain REJECT
    spammer@domain REJECT
    spammer@ REJECT
REJECT an explicit error message can be given:
    spammer.domain "501 No e-mail from this domain."
    spammer@domain "501 No e-mail from your address."
    spammer@ "501 Get a real address."
or even DISCARD as explained before.
sendmail 8.9 was able to make use of the Realtime Blackhole List by selecting FEATURE(rbl) (compare _MAPS_RBL_). The RBL lookup occurs in the check_relay ruleset after the access map has been consulted. However, there is a bug in 8.9.{0,1}, which can be fixed by a patch for cf/m4/proto.m4 or by using 8.9.2.
FEATURE(blacklist_recipients)
    badlocaluser 550 Mailbox disabled for this username
    host.mydomain 550 That host does not accept mail
    user@otherhost.mydomain 550 Mailbox disabled for this recipient
This would prevent a recipient of badlocaluser@mydomain (where mydomain is the local domain), any user at host.mydomain.com, and the single address user@otherhost.mydomain from receiving mail.
Note: all entries in the access map are tested for possible rejections!
The default location for the access map is /etc/mail/access, which can be overridden by an argument like:
    FEATURE(access_db,`btree -o /etc/access_db')
The access map can have
    1.2.3.4
    192.2.3
    10
For subnets on arbitrary boundaries use contrib/cidrexpand.
check_* rulesets is usually done against the most specific entry first. So it is possible to override rejections of full domains with acceptance of e-mail addresses.
For example, it seems to be possible to reject all mail from SOME.DOMAIN but accept mail from FRIEND@SOME.DOMAIN by using:
    FRIEND@SOME.DOMAIN OK
    SOME.DOMAIN REJECT
However, the access map is also used in the check_relay ruleset. So if e-mail with an address like user@SOME.DOMAIN comes from a site with the hostname SOME.DOMAIN (or HOST.SOME.DOMAIN), it will be rejected by check_relay.
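The interaction described above can be traced with a small model of the two lookups. This is an added example, not code from sendmail or from the original page: the function names, the exact key order, the lower-casing of keys, and the host names and 203.0.113.x addresses are assumptions made for illustration. It goes slightly beyond the text by also walking IP prefixes of the connecting system.

```python
# Simplified model of the access map lookups described above.
# Not sendmail's ruleset code; lookup order and lower-casing are assumptions.
ACCESS = {
    "friend@some.domain": "OK",   # page's example
    "some.domain": "REJECT",      # page's example
    "192.2.3": "REJECT",          # key form from the page, RHS constructed
}

def domain_keys(name):
    """host.some.domain -> [host.some.domain, some.domain, domain]"""
    labels = name.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def ip_keys(ip):
    """192.2.3.77 -> [192.2.3.77, 192.2.3, 192.2, 192]"""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]

def first_match(keys, table):
    """Return (key, rhs) for the first, i.e. most specific, key present."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None

def check_relay(client_name, client_ip, table=ACCESS):
    """Look up the connecting system's name, then its IP address."""
    return first_match(domain_keys(client_name) + ip_keys(client_ip), table)

def check_mail(sender, table=ACCESS):
    """Look up the envelope sender: full address, domains, then user@."""
    user, _, domain = sender.lower().partition("@")
    keys = [f"{user}@{domain}"] + domain_keys(domain) + [user + "@"]
    return first_match(keys, table)

def blocks(rhs):
    """REJECT, DISCARD and explicit error texts ("501 ...") stop the mail."""
    return rhs is not None and (rhs in ("REJECT", "DISCARD") or rhs[:1].isdigit())

def session(client_name, client_ip, sender, table=ACCESS):
    """Run check_relay, then check_mail; report the first stage that blocks."""
    for stage, (key, rhs) in (
        ("check_relay", check_relay(client_name, client_ip, table)),
        ("check_mail", check_mail(sender, table)),
    ):
        if blocks(rhs):
            return stage, key
    return "accepted", None

if __name__ == "__main__":
    # Constructed sessions: (connecting host, its IP, envelope sender)
    print(session("mail.other.example", "203.0.113.5", "FRIEND@SOME.DOMAIN"))
    print(session("HOST.SOME.DOMAIN", "203.0.113.9", "FRIEND@SOME.DOMAIN"))
```

The second session shows the pitfall: the sender-specific OK entry is never reached because the connecting host already matched SOME.DOMAIN in check_relay.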
There are some more problems with the access map.
The RHS of the access map can consist of
OK
RELAY
RELAY implies OK.
REJECT
DISCARD