Problem

Some local users encourage spam by responding to spam emails. You have been asked to configure sendmail to stop the spammers and to stop those who encourage spam.

Solution

Before creating any user accounts, create an acceptable use policy that, among many other things, gives you the power to block spam communications, both inbound and outbound. Ensure that all users agree to this policy before giving out any user accounts.

Add the spam addresses you want blocked to the /etc/mail/access text file. Use To: and From: tags to prevent mail from being sent to spammers or from being accepted from spammers. Run makemap to build a hash database from the text file.

Create a sendmail configuration that enables the access database with the access_db feature. The required sendmail FEATURE command is:

    dnl Use the access database
    FEATURE(`access_db')

Rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail, and restart sendmail, as described in Recipe 1.8.

Discussion

By default, the access database applies to source addresses. The action defined in the database entry is taken based on the source of the email. Given the access database created for Recipe 6.1, mail from example.com, wrotethebook.net, and fake.ora.com is rejected, as the tests in that recipe show. For example, mail from anyone at example.com is rejected with an "Access denied" error. However, the access database from Recipe 6.1 does not prevent mail from the local host being sent to someone at example.com.

Adding the To: tag to an access database entry applies the action defined in the entry to recipient addresses that match the key, while the From: tag specifically requests that the action be applied to matching source addresses.

Here is the access database from Recipe 6.1 rewritten with To: and From: tags:

    From:example.com        REJECT
    To:example.com          ERROR:5.7.1:550 Mail to this site is not allowed
    From:wrotethebook.net   ERROR:5.7.1:550 Invalid mail source
    To:wrotethebook.net     ERROR:5.7.1:550 Mail to this site is not allowed
    From:fake.ora.com       DISCARD
    To:fake.ora.com         ERROR:5.7.1:550 Mail to this site is not allowed

Because the action for the From:example.com entry is REJECT, mail from that site is rejected as shown in Recipe 6.1. With the addition of the To: entry, mail addressed to example.com is also rejected, as this test shows:

    # telnet localhost smtp
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 -0400
    HELO localhost
    250 chef.wrotethebook.com Hello IDENT:UWSRv+Jij66J8vALUBVBECbGPVoU8OQe@localhost [127.0.0.1], pleased to meet you
    MAIL From:<craig@chef.wrotethebook.com>
    250 2.1.0 <craig@chef.wrotethebook.com>... Sender ok
    RCPT To:<crook@example.com>
    550 5.7.1 <crook@example.com>... Mail to this site is not allowed
    QUIT
    221 2.0.0 chef.wrotethebook.com closing connection
    Connection closed by foreign host.

Alternatives

The blacklist_recipients feature is an alternative way to block outbound mail to known spammers. The blacklist_recipients feature applies every untagged entry in the access database to recipient addresses. The following lines added to the sendmail configuration enable the access database and apply the database to recipient addresses:

    dnl Use the access database
    FEATURE(`access_db')
    dnl Also apply the access database to recipient addresses
    FEATURE(`blacklist_recipients')

The blacklist_recipients feature works well, and it is very easy to use. However, because it applies to every untagged entry in the access database, it does not provide the level of configuration control provided by the To: tag. Additionally, tags are self-documenting. Anyone looking at the sample access database just shown understands that mail to example.com is not allowed when they see the To: tag and the error in the action field.

See Also

Chapter 3 and the Introduction to this chapter provide more information about the access database. The sendmail book covers the access database in Section 7.5 and the blacklist_recipients feature in 7.5.5. The Anti-Spam Configuration Control section of the cf/README file also covers this topic.
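
An added audit sketch, not code from the book or from sendmail: it parses the text form of /etc/mail/access and lists keys that are blocked as a mail source but still accepted as a recipient, which is the gap that the To: tag and blacklist_recipients close. The function names and both sample databases are constructed for illustration; only the REJECT, DISCARD and ERROR: actions shown in this recipe are treated as blocking, and entries with tags other than From: and To: are skipped.

```python
import re

BLOCKING = re.compile(r"^(REJECT|DISCARD|ERROR:)", re.I)  # actions used on this page
TAGGED = re.compile(r"^([A-Za-z]+):(.+)$")

def parse_access(text):
    """Yield (tag, key, action); tag is 'from', 'to' or None for untagged."""
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or key with no action
        m = TAGGED.match(parts[0])
        if m is None:
            yield None, parts[0].lower(), parts[1].strip()
        elif m.group(1).lower() in ("from", "to"):
            yield m.group(1).lower(), m.group(2).lower(), parts[1].strip()
        # entries with any other tag (e.g. Connect:) are outside this audit

def outbound_gaps(text, blacklist_recipients=False):
    """Keys blocked as a mail source but still accepted as a recipient."""
    src, rcpt = set(), set()
    for tag, key, action in parse_access(text):
        if not BLOCKING.match(action):
            continue
        if tag in (None, "from"):
            src.add(key)  # untagged entries apply to source addresses
        if tag == "to" or (tag is None and blacklist_recipients):
            rcpt.add(key)  # blacklist_recipients extends untagged entries
    return sorted(src - rcpt)

# Constructed samples: untagged entries, and a tagged file missing one To: line.
UNTAGGED = """\
example.com        REJECT
wrotethebook.net   ERROR:5.7.1:550 Invalid mail source
fake.ora.com       DISCARD
"""
PARTIAL = """\
# constructed: To:fake.ora.com is missing
From:example.com   REJECT
To:example.com     ERROR:5.7.1:550 Mail to this site is not allowed
From:fake.ora.com  DISCARD
"""

if __name__ == "__main__":
    print(outbound_gaps(UNTAGGED))
    print(outbound_gaps(UNTAGGED, blacklist_recipients=True))
    print(outbound_gaps(PARTIAL))
```

Run it against the text file before makemap rebuilds the database; an empty list means every blocked source is also blocked as a recipient.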