Backup files:
/etc/mail/sendmail.mc
/etc/mail/sendmail.cf
/etc/mail/access
/etc/mail/access.db
/etc/aliases

Security enhancements:
Require a HELO or EHLO greeting from the sending SMTP server.
Put limits on Sendmail forks and other settings to stop a DoS attack from overwhelming the server.
Munge the Sendmail server identification.
Recipient throttle to identify when an envelope arrives with more than 4 invalid users, presuming that this is a dictionary attack.
Limit the number of recipients in a single message.
dnl #
dnl #start security mods
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl
define(`confMAX_DAEMON_CHILDREN',20)dnl
define(`confSMTP_LOGIN_MSG', `$j Sendmail; $b')dnl
define(`confMIN_FREE_BLOCKS', `4000')dnl
define(`confMAX_HEADERS_LENGTH', `32000')dnl
define(`confMAX_MIME_HEADER_LENGTH', `1024')dnl
define(`confBAD_RCPT_THROTTLE',`4')dnl
define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
dnl #end security mods
dnl #Enable DNS BlockLists:
dnl #
dnl # Begin Spam Block Enhancement mod
dnl # Start BlockList
FEATURE(`dnsbl', `bl.spamcop.net', `"554 Spam blocked - see http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `zen.spamhaus.org', `"554 Rejected - see http://www.spamhaus.org/query/bl?ip="$&{client_addr}')dnl
dnl # sorbs dynamic user list ( not dial up )
FEATURE(`dnsbl', `dul.dnsbl.sorbs.net', `"554 Rejected "$&{client_addr}" - see http://dnsbl.sorbs.net"')dnl
dnl # End BlockList
dnl # Start dont bounce errors back to me
define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')dnl
dnl # End dont bounce
dnl # Start delay checks, so we see the intended recipient
dnl # Added friend so we can exempt specified local user via access file
FEATURE(`delay_checks',`friend')dnl
dnl # End delay checks
dnl # End Spam Block Enhancement mod
dnl #All of the above should go before the line:
FEATURE(`blacklist_recipients')dnl

Notes:
The above Double Bounce Address throws the double bounces into the bit bucket.
The delay_checks feature causes Sendmail to log the sender's From address and other information when it rejects spam.
Create an alias in "/etc/aliases" called dev-null and point it to "/dev/null":
dev-null: /dev/null
In "/etc/mail/access", add:
Connect:xxx.xxx.xxx.xxx OK
where xxx.xxx.xxx.xxx is the server IP. This keeps you from blocking yourself if you happen to get listed in one of the blocklists used!
To apply the configurations, run:
# newaliases
# makemap hash /etc/mail/access.db < /etc/mail/access
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /sbin/service sendmail restart
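
A check to run on the edited sendmail.mc before rebuilding sendmail.cf, added here as an example and not part of the original page: it confirms the privacy flags and limits listed above are present and that the dnsbl and delay_checks features precede FEATURE(`blacklist_recipients'). The names audit_mc and SAMPLE_MC are hypothetical, the sample input is constructed, and the parser assumes single-line define/FEATURE entries written in the style shown above.

```python
import re

# Values taken from the page's "security mods" block.
REQUIRED_FLAGS = {"authwarnings", "novrfy", "noexpn", "restrictqrun", "needmailhelo"}
REQUIRED_DEFINES = {"confMAX_DAEMON_CHILDREN": "20", "confBAD_RCPT_THROTTLE": "4",
                    "confMAX_RCPTS_PER_MESSAGE": "10"}
DEFINE_RE = re.compile(r"^define\(`(\w+)',\s*`?([^')]*)'?\)")
FEATURE_RE = re.compile(r"^FEATURE\(`(\w+)'")

def audit_mc(text):
    """Return findings for a sendmail.mc; an empty list means it matches the page."""
    defines, features = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("dnl"):  # m4 comment line, skip it
            continue
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2).strip()
        m = FEATURE_RE.match(line)
        if m:
            features.append((m.group(1), lineno))
    findings = []
    flags = {f.strip() for f in defines.get("confPRIVACY_FLAGS", "").split(",")}
    for flag in sorted(REQUIRED_FLAGS - flags):
        findings.append(f"confPRIVACY_FLAGS missing {flag}")
    for name, want in REQUIRED_DEFINES.items():
        if defines.get(name) != want:
            findings.append(f"{name} is {defines.get(name)!r}, expected {want!r}")
    # The page requires its additions to precede FEATURE(`blacklist_recipients').
    anchor = min((n for f, n in features if f == "blacklist_recipients"), default=None)
    for f, n in features:
        if anchor is not None and f in ("dnsbl", "delay_checks") and n > anchor:
            findings.append(f"line {n}: FEATURE({f}) is after blacklist_recipients")
    return findings

# Constructed sample: needmailhelo dropped, throttle unset, dnsbl placed too late.
SAMPLE_MC = """\
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confMAX_DAEMON_CHILDREN',20)dnl
define(`confMAX_RCPTS_PER_MESSAGE', `10')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `zen.spamhaus.org')dnl
"""

if __name__ == "__main__":
    for finding in audit_mc(SAMPLE_MC):
        print(finding)
```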