Friday, September 4, 2009

HOWTO: Sendmail tips for Ensim

SkyHi @ Friday, September 04, 2009
Okay, I've mooched off everyone else for too long without "giving back", so here goes, my tips for Sendmail on Ensim:

1) Back up your /usr/lib/opcenter/sendmail/install/ and /etc/ and /etc/mail/access and /etc/mail/access.db and /etc/aliases files before you start!
2) These changes go in the file

Security enhancements:

#FL20031125 start mods

#define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl


define(`confSMTP_LOGIN_MSG', `$j Sendmail Secure/Rabid; $b')

define(`confMIN_FREE_BLOCKS', `4000')

define(`confMAX_HEADERS_LENGTH', `32000')

define(`confMAX_MIME_HEADER_LENGTH', `1024')

define(`confMAX_RCPTS_PER_MESSAGE', `100')

#FL20031125 end mods

These settings require a HELO or EHLO greeting from the sending SMTP server (needmailhelo); put limits on Sendmail forks and other settings to stop a DoS attack from overwhelming your server; munge the Sendmail server identification (confSMTP_LOGIN_MSG) to make it harder to hack, since the greeting no longer shows the version of Sendmail; and limit the number of recipients in a single message (confMAX_RCPTS_PER_MESSAGE).

My blocklists. I put different numbers in each blocklist reject message, so I can identify & count them out of /var/log/maillog and get stats on each one...

#FL20030930 our blocklists

FEATURE(`dnsbl', `', `551 Rejected - see [url][/url]')dnl

FEATURE(dnsbl, `', `"552 Spam blocked see: [url][/url]" $&{client_addr}')dnl

FEATURE(`dnsbl', `', `"554 Rejected " $&{client_addr} " found in"')dnl

FEATURE(`dnsbl', `', `"555 Rejected " $&{client_addr} " found in"')dnl

FEATURE(dnsbl,`',`559 Message from $&{client_addr} rejected - see [url][/url]')

FEATURE(`dnsbl', `', `"556 Rejected " $&{client_addr} " - see [url][/url]"')dnl

FEATURE(`dnsbl', `', `"557 Rejected " $&{client_addr} " - see [url][/url]"')dnl

FEATURE(dnsbl,`', `"558 Host is on the AHBL - Please see [url][/url]"$&{client_addr}')dnl

FEATURE(`dnsbl', `', `"560 Rejected " $&{client_addr} " - listed by"')dnl

#don't bounce errors back to me

define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')

#delay checks, so we see the intended recipient


#FL20030930 end of our blocklists

All of the above go before the line:


Other notes:
Create an alias in /etc/aliases called dev-null and point it to /dev/null:

dev-null: /dev/null

The Double Bounce Address above covers the case where someone sends email to a bogus mailbox on YOUR server, YOUR server bounces it back to the FROM address, and that bounce then comes back to you because, of course, the message was from a spammer! The setting throws the double bounce into the bit bucket ;-)

The delay_checks feature causes Sendmail to log the sender's from address and other info when it rejects spam.

In file /etc/mail/access: OK

where is YOUR server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists you use!

To apply this, run:

m4 /usr/lib/opcenter/sendmail/install/ > /etc/

/sbin/service sendmail restart

If you have a problem, restore your /etc/ and restart sendmail. You DID back it up, right?
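For the per-blocklist stats mentioned above, here is an added example (not part of the original post) that counts rejections by reply code and by client IP. It assumes sendmail's usual `reject=NNN ...` field in /var/log/maillog; the function names and the sample log lines are constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# Reply codes used by the FEATURE(`dnsbl') lines in this post, one per blocklist.
DNSBL_CODES = {551, 552, 554, 555, 556, 557, 558, 559, 560}

# Assumed log shape: "sendmail[pid]: qid: ruleset=..., relay=host [ip], reject=NNN text"
REJECT_RE = re.compile(r"sendmail\[\d+\]: .*?\breject=(\d{3})\b")
RELAY_IP_RE = re.compile(r"\brelay=[^,]*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def dnsbl_stats(lines, codes=DNSBL_CODES):
    """Return (hits per reply code, per-code Counter of rejected client IPs)."""
    per_code = Counter()
    ips = defaultdict(Counter)
    for line in lines:
        m = REJECT_RE.search(line)
        if not m or int(m.group(1)) not in codes:
            continue  # not a rejection, or one unrelated to the blocklists (e.g. 550)
        code = int(m.group(1))
        per_code[code] += 1
        relay = RELAY_IP_RE.search(line)
        ips[code][relay.group(1) if relay else "unknown"] += 1
    return per_code, ips

def report(lines):
    """One summary line per reply code: total hits and the most frequent client."""
    per_code, ips = dnsbl_stats(lines)
    out = []
    for code, hits in sorted(per_code.items()):
        top_ip, top_hits = ips[code].most_common(1)[0]
        out.append(f"{code}: {hits} rejected, top client {top_ip} ({top_hits})")
    return out

# Constructed sample lines using documentation addresses; not real log data.
SAMPLE = [
    "Sep  4 10:15:01 mx sendmail[2101]: n84EF1aB002101: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[192.0.2.10], reject=551 Rejected - see list",
    "Sep  4 10:15:09 mx sendmail[2102]: n84EF9aB002102: ruleset=check_rcpt, arg1=<amy@example.com>, relay=[192.0.2.10], reject=551 Rejected - see list",
    "Sep  4 10:16:30 mx sendmail[2110]: n84EGUaB002110: ruleset=check_rcpt, arg1=<bob@example.com>, relay=mail.example.net [198.51.100.7], reject=558 Host is on the AHBL",
    "Sep  4 10:17:02 mx sendmail[2115]: n84EH2aB002115: ruleset=check_rcpt, arg1=<carol@example.org>, relay=[203.0.113.5], reject=550 5.7.1 <carol@example.org>... Relaying denied",
    "Sep  4 10:18:11 mx sendmail[2120]: n84EIBaB002120: to=<bob@example.com>, delay=00:00:01, mailer=local, stat=Sent",
    "Sep  4 10:19:45 mx sendmail[2131]: n84EJjaB002131: ruleset=check_rcpt, arg1=<bob@example.com>, relay=[192.0.2.10], reject=554 Rejected 192.0.2.10 found in list",
]

if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/maillog), or run without arguments for the sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(source)))
```

Rejections with other codes, such as the 550 "Relaying denied" line in the sample, are deliberately left out so the totals reflect only the blocklists.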

Any others with some tips?