FEATUREs for check_* in sendmail 8.9

Last Update 2002-03-21

Introduction

sendmail 8.8 introduced several new rulesets to check who can use your machine to send/relay e-mail and to avoid UBE from well known sites. There are standard rulesets in sendmail 8.9 to this effect (see the release notes.)

The section ANTI-SPAM CONFIGURATION CONTROL in cf/README from the sendmail 8.9 distribution explains all available features. The important new features are:

Access Map

sendmail 8.9 uses a general map which can be activated by
FEATURE(access_db)
that is used for several purposes:

reject:
to reject mail from domains and e-mail addresses (RHS: REJECT or a specific error message). If the RHS is DISCARD, the e-mail will be silently discarded. This isn't recommended. The map is also used in check_relay to control access to the system. The name and the IP address of the connecting system are compared against the map.
accept:
to accept mail even though it might be rejected by other checks within the same ruleset (RHS: OK)
relay:
to allow relaying through your server (RHS: RELAY). This implies that the mail is accepted.
Due to the stricter enforcement of file/directory permissions in sendmail 8.9 and the use of the option -o for the map, there might be problems with its use. If the map doesn't appear to work, run some tests.

Relaying

sendmail 8.9 disallows relaying by default. Additional systems can use your mailserver by several methods: either add them (domain name or IP address) to class R with the help of: RELAY_DOMAIN() or RELAY_DOMAIN_FILE() (default: /etc/mail/relay-domains); or use the access map.

FEATUREs wrt relaying are:

  1. FEATURE(relay_entire_domain) allow relaying for every system in class m, which may cause a problem if it is set incorrectly.
  2. FEATURE(relay_hosts_only) allow relaying only for hosts with exact match in the access map or class R not for subdomains.
  3. FEATURE(relay_based_on_MX) compare the option _ISMX_.
  4. FEATURE(loose_relay_check) see a discussion about relaying.
  5. FEATURE(relay_local_from) will allow relaying if the sender specifies a domain in the envelope sender MAIL FROM which is a local domain. This a not recommended as it will allow to abuse a mail server by simply forging a local sender address. For roaming users, another solution based on POP authentification should be realized.
  6. FEATURE(promiscuous_relay) relay everything, don't activate this unless you absolutely have to do it.
If you encounter a problem with this new FEATURE, try to find out which options you're missing.

Check Sender Information

sendmail 8.9 refuses mail if the MAIL FROM: parameter
  1. has an unresolvable domain part. This can be disabled by
    FEATURE(accept_unresolvable_domains)
    (which is the opposite of the option _DNSVALID_. )
  2. is not fully qualified. This can be turned off by
    FEATURE(accept_unqualified_senders)
    (compare _CHECK_FROM_; it's not the same, but a bit similar. )
  3. matches an entry in the access map. There can be different entries:
    1. domain names, e.g.,
      spammer.domain REJECT
    2. full e-mail addresses, e.g.,
      spammer@domain REJECT
    3. local part of e-mail addresses, e.g.,
      spammer@ REJECT
    Instead of REJECT an explicit error message can be given: 
    spammer.domain	"501 No e-mail from this domain."
spammer@domain	"501 No e-mail from your address."
spammer@		"501 Get a real address."
    or even DISCARD as explained before.

sendmail 8.9 was able to make use of the Realtime Blackhole List by selecting
FEATURE(rbl)
(compare _MAPS_RBL_.) The RBL lookup occurs in the check_relay ruleset after the access map has been consulted. However, there is a bug in 8.9.{0,1}, which can be fixed by a patch for cf/m4/proto.m4 or by using 8.9.2.

Check Recipient

The
FEATURE(blacklist_recipients)
allows the specification of addresses in the access map which are not supposed to receive e-mail. 
badlocaluser		550 Mailbox disabled for this username
host.mydomain	550 That host does not accept mail
user@otherhost.mydomain	550 Mailbox disabled for this recipient
This would prevent a recipient of badlocaluser@mydomain (where mydomain is the local domain), any user at host.mydomain.com, and the single address user@otherhost.mydomain from receiving mail. Note: all entries in the access map are tested for possible rejections!

Some Hints about the Access Map

The default location for the access map is /etc/mail/access, which can be overridden by an argument like:
FEATURE(access_db,`btree -o /etc/access_db')

The access map can have

  1. domain names
  2. e-mail addresses
  3. local parts of e-mail addresses
  4. IP addresses (complete or subnets with octect boundary), e.g., 
    1.2.3.4
192.2.3
10
    For subnets on arbitrary boundaries use contrib/cidrexpand.
as LHS. The lookup of data in the check_* rulesets is usually done against the most specific entry first. So it is possible to override rejections of full domains with acceptance of e-mail addresses. For example, it seems to be possible to reject all mail from SOME.DOMAIN but accept mail from FRIEND@SOME.DOMAIN by using: 
FRIEND@SOME.DOMAIN	OK
SOME.DOMAIN		REJECT
However, the access map is also used in check_relay ruleset. So if e-mail with an address like user@SOME.DOMAIN comes from a site with the hostname SOME.DOMAIN (or HOST.SOME.DOMAIN), it will be rejected by check_relay . There are some more problems with the access map.

The RHS of the access map can consist of

OK
accept e-mail even if other rules in the current ruleset would reject it.
RELAY
Allow domain to relay through the mail server. RELAY implies OK.
REJECT
reject the e-mail with a general error message.
DISCARD
silently discard the message completely.
XYZ some other text
where XYZ is an RFC 821 compliant error code and "some other text" is an error message.
[(links)] [Hints] [Avoiding UBE] [cf/README] [New]
Copyright © Claus Aßmann Please send comments to: <ca at sendmail.org>
Disclaimer: the information provided may be inaccurate or outdated or incomplete. Please contact me if you find an error.