Re: [CentOS] sendmail security-with example




Feizhou wrote:

In the above example you can see that in the 1st example the
sender (xyz) is not a real user of my domain, still he
is able to send mail to my real users (abhi).


Please help me.

abhishek singh,

The simplest way that I can think of is to create a database of your addresses and then check the mail from against that database and reject if not found.

The problem is how to maintain that database.

You could add a table lookup for this database and then add rules in Local_check_mail to check mail from: addresses against the database.

In /etc/mail, create a file realuser, eg:

cat realuser
root    OK
chris   OK

makemap hash realuser.db < realuser

Make a copy of sendmail.cf (eg: test-sendmail.cf) and add a lookup for realuser.db:

Krealuser hash -o /etc/mail/realuser.db


Add some rulesets to check the mail from against this database:

SLocal_check_mail
# left and right hand sides below are separated by a single TAB
R< $- @ domain.com >	$: < $(realuser $1 $: ? $) >
R< $- @ $* >	OK
R< OK >	OK
R<?>	$#error $@ 5.7.1 $: "550 Access denied"

NB: REPLACE domain.com with your real domain. Sendmail rulesets have left and right hand sides separated by tabs. Please make sure you have them when you copy this for testing. If you have more than one domain, then add more R< $- @ domain.com > tabspace $: < $(realuser $1 $: ? $) > rules BEFORE the R< $- @ $* > tabspace OK line. Sorry for this, as it is just a quick hack.
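The two open points in the recipe above are how to keep the realuser map in step with the real accounts and how to reason about what the ruleset will accept or reject. The script below is an added example, not code from the original post: it builds the realuser source file from passwd-style input (root plus accounts with UID >= 1000 and a real login shell, an assumed policy) and emulates the Local_check_mail decision against that map. The function names (build_realuser_map, check_sender, install_realuser_map, demo_*) and the sample accounts are constructed for this example; only the /etc/mail/realuser path and the domain.com placeholder come from the post. One detail the emulation simplifies: in the posted ruleset `$-` matches exactly one token, so a local part containing a dot (first.last) is not matched by any of those rules and falls through unchanged, whereas check_sender treats the whole local part as the lookup key. Lookups are case-folded here because a `K... hash` map without `-f` folds keys to lower case, and ruleset token comparison is case-insensitive.

```shell
#!/bin/sh
# Added example (not from the original post): build the realuser map text
# from passwd-style input and emulate the Local_check_mail decision.
# Function names and the sample accounts below are constructed assumptions.
set -eu

# Constructed passwd-style sample input (NOT a real /etc/passwd).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chris:x:1000:1000:Chris:/home/chris:/bin/bash
abhi:x:1001:1001:Abhishek:/home/abhi:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/sbin/nologin'

# Read passwd-format lines on stdin; print "user<TAB>OK" for root and for
# every account with UID >= $1 whose login shell is not nologin/false.
# The output has the same shape as the realuser file the post feeds to makemap.
build_realuser_map() {
    awk -F: -v min="$1" '
        $1 == "root" || ($3 >= min && $7 !~ /(nologin|false)$/) {
            printf "%s\tOK\n", $1
        }'
}

# Emulate the posted ruleset. $1 = map text, $2 = sender address, $3 = local domain.
# Prints OK or REJECT: a sender in a foreign domain is always OK (R< $- @ $* >);
# a sender claiming the local domain is OK only if its user is in the map (R<?>
# otherwise returns $#error $@ 5.7.1 $: "550 Access denied").
check_sender() {
    map=$1; addr=$2; local_domain=$3
    # case-fold like a hash map without -f and like ruleset token matching
    user=$(printf '%s' "${addr%@*}" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "${addr#*@}" | tr 'A-Z' 'a-z')
    if [ "$domain" != "$local_domain" ]; then
        echo OK
        return 0
    fi
    # default awk FS splits on the tab between user and OK
    if printf '%s\n' "$map" | awk -v u="$user" \
        '$1 == u && $2 == "OK" { found = 1 } END { exit !found }'; then
        echo OK
    else
        echo REJECT
    fi
}

# Rebuild the live map from the system account database (paths follow the
# post). Needs makemap and root rights, so it is not called automatically.
install_realuser_map() {
    getent passwd | build_realuser_map 1000 > /etc/mail/realuser
    makemap hash /etc/mail/realuser < /etc/mail/realuser
}

# Offline demonstration against the constructed sample.
demo_map() { printf '%s\n' "$SAMPLE_PASSWD" | build_realuser_map 1000; }
demo_check() { check_sender "$(demo_map)" "$1" domain.com; }

demo_map
demo_check dunno@yahoo.com
demo_check chris@domain.com
demo_check dunno@domain.com
```

Run it as-is to see the generated map and the three decisions that mirror the sendmail -bt session below (external address OK, existing local user OK, fake local address rejected); call install_realuser_map from cron or a post-useradd hook to keep realuser.db current.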

You can test offline by:

'sendmail -bt -C test-sendmail.cf'

Some likely output below:

==run check on external address==
> check_mail <dunno@xxxxxxxxx>
check_mail         input: < dunno @ yahoo . com >
Local_check_mail   input: < dunno @ yahoo . com >
Local_check_mail returns: OK
Basic_check_mail   input: < dunno @ yahoo . com >
tls_client         input: $| MAIL
D                  input: < > < ? > < ! "TLS_Clt" > < >
D                returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A                  input: < > < ? > < ! "TLS_Clt" > < >
A                returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection     input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection   returns: OK
tls_client       returns: OK
CanonAddr          input: < dunno @ yahoo . com >
canonify           input: < dunno @ yahoo . com >
Canonify2          input: dunno < @ yahoo . com >
Canonify2        returns: dunno < @ yahoo . com . >
canonify         returns: dunno < @ yahoo . com . >
Parse0             input: dunno < @ yahoo . com . >
Parse0           returns: dunno < @ yahoo . com . >
CanonAddr        returns: dunno < @ yahoo . com . >
SearchList input: < + From > $| < F : dunno @ yahoo . com > < U : dunno @ > < D : yahoo . com > < >
F                  input: < dunno @ yahoo . com > < ? > < + From > < >
F                returns: < ? > < >
SearchList input: < + From > $| < U : dunno @ > < D : yahoo . com > < >
U                  input: < dunno @ > < ? > < + From > < >
U                returns: < ? > < >
SearchList         input: < + From > $| < D : yahoo . com > < >
D                  input: < yahoo . com > < ? > < + From > < >
D                  input: < com > < ? > < + From > < >
D                returns: < ? > < >
D                returns: < ? > < >
SearchList       returns: < ? >
SearchList       returns: < ? >
SearchList       returns: < ? >
Basic_check_mail returns: < OKR >
check_mail       returns: < OKR >

==run check on existing address==
> check_mail <chris@xxxxxxxxxx>
check_mail         input: < chris @ domain . com >
Local_check_mail   input: < chris @ domain . com >
Local_check_mail returns: OK
Basic_check_mail   input: < chris @ domain . com >
tls_client         input: $| MAIL
D                  input: < > < ? > < ! "TLS_Clt" > < >
D                returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A                  input: < > < ? > < ! "TLS_Clt" > < >
A                returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection     input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection   returns: OK
tls_client       returns: OK
CanonAddr          input: < chris @ domain . com >
canonify           input: < chris @ domain . com >
Canonify2          input: chris < @ domain . com >
Canonify2        returns: chris < @ domain . com . >
canonify         returns: chris < @ domain . com . >
Parse0             input: chris < @ domain . com . >
Parse0           returns: chris < @ domain . com . >
CanonAddr        returns: chris < @ domain . com . >
SearchList input: < + From > $| < F : chris @ domain . com > < U : chris @ > < D : domain . com > < >
F                  input: < chris @ domain . com > < ? > < + From > < >
F                returns: < ? > < >
SearchList input: < + From > $| < U : chris @ > < D : domain . com > < >
U                  input: < chris @ > < ? > < + From > < >
U                returns: < ? > < >
SearchList         input: < + From > $| < D : domain . com > < >
D                  input: < domain . com > < ? > < + From > < >
D                  input: < com > < ? > < + From > < >
D                returns: < ? > < >
D                returns: < ? > < >
SearchList       returns: < ? >
SearchList       returns: < ? >
SearchList       returns: < ? >
Basic_check_mail returns: < OKR >
check_mail       returns: < OKR >

==run check on fake local address==
>check_mail <dunno@xxxxxxxxxx>
check_mail         input: < dunno @ domain . com >
Local_check_mail   input: < dunno @ domain . com >
Local_check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"
check_mail       returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"

==hit CTRL-D to leave sendmail ruleset debugging mode==
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
