Friday, September 4, 2009

HOWTO: Sendmail tips for Ensim

SkyHi @ Friday, September 04, 2009
Okay, I've mooched off everyone else for too long without "giving back", so here goes, my tips for Sendmail on Ensim:

1) Back up your /usr/lib/opcenter/sendmail/install/sendmail.mc and /etc/sendmail.cf and /etc/mail/access and /etc/mail/access.db and /etc/aliases files before you start!
2) These changes go in the sendmail.mc file.

Security enhancements:

CODE
#FL20031125 start mods

#define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun,needmailhelo')dnl

define(`confMAX_DAEMON_CHILDREN',50)

define(`confSMTP_LOGIN_MSG', `$j Sendmail Secure/Rabid; $b')

define(`confMIN_FREE_BLOCKS', `4000')

define(`confMAX_HEADERS_LENGTH', `32000')

define(`confMAX_MIME_HEADER_LENGTH', `1024')

define(`confMAX_RCPTS_PER_MESSAGE', `100')

#FL20031125 end mods


This requires a HELO or EHLO greeting from the sending SMTP server; puts limits on Sendmail forks and other settings to stop a DoS attack from overwhelming your server; changes the Sendmail server identification so it does not reveal the Sendmail version, which makes the server harder to hack; and limits the number of recipients in a single message.

My blocklists. I put different numbers in each blocklist reject message, so I can identify & count them out of /var/log/maillog and get stats on each one...

CODE
#FL20030930 our blocklists

FEATURE(`dnsbl', `relays.ordb.org', `551 Rejected - see http://ordb.org/')dnl

FEATURE(dnsbl, `bl.spamcop.net', `"552 Spam blocked see: http://spamcop.net/bl.shtml?" $&{client_addr}')dnl

FEATURE(`dnsbl', `dnsbl.sorbs.net', `"554 Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl

FEATURE(`dnsbl', `rhsbl.sorbs.net', `"555 Rejected " $&{client_addr} " found in rhsbl.sorbs.net"')dnl

FEATURE(dnsbl,`dnsbl.njabl.org',`559 Message from $&{client_addr} rejected - see http://njabl.org/')

FEATURE(`dnsbl', `sbl.spamhaus.org', `"556 Rejected " $&{client_addr} " - see http://www.spamhaus.org/SBL/"')dnl

FEATURE(`dnsbl', `cbl.abuseat.org', `"557 Rejected " $&{client_addr} " - see http://cbl.abuseat.org"')dnl

FEATURE(dnsbl,`dnsbl.ahbl.org', `"558 Host is on the AHBL - Please see http://www.ahbl.org/tools/lookup.php?ip="$&{client_addr}')dnl

FEATURE(`dnsbl', `chinanet.blackholes.us', `"560 Rejected " $&{client_addr} " - listed by chinanet.blackholes.us"')dnl

#don't bounce errors back to me

define(`confDOUBLE_BOUNCE_ADDRESS', `dev-null')

#delay checks, so we see the intended recipient

FEATURE(`delay_checks')dnl

#FL20030930 end of our blocklists


All of the above goes before the line:

FEATURE(`blacklist_recipients')dnl

Other notes:
Create an alias in /etc/aliases called dev-null and point it to /dev/null:

dev-null: /dev/null

The Double Bounce Address above handles the case where someone sends email to a bogus mailbox on YOUR server, YOUR server bounces it back to the FROM address, and that bounce then comes back to you because, of course, it was from a spammer! This throws the double bounce into the bit bucket ;-)

The delay_checks feature causes Sendmail to log the sender's from address and other info when it rejects spam.

In file /etc/mail/access:

Connect:xxx.xxx.xxx.xxx OK

where xxx.xxx.xxx.xxx is YOUR server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists you use!

To apply this, run:

m4 /usr/lib/opcenter/sendmail/install/sendmail.mc > /etc/sendmail.cf

/sbin/service sendmail restart

If you have a problem, restore your /etc/sendmail.cf and restart sendmail. You DID back it up, right?

Any others with some tips?
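
The post gives each blocklist its own reject code so that hits can be counted out of /var/log/maillog. The script below is an added example of that counting, not part of the original post; it assumes rejections are logged with a reject=NNN field, and its function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: rejections are logged with a "reject=NNN" field,
# as in the constructed sample lines below; adjust the pattern if yours differ.

# Reply code -> blocklist, taken from the FEATURE(dnsbl) lines on this page.
blocklist_for_code() {
    case "$1" in
        551) echo relays.ordb.org ;;
        552) echo bl.spamcop.net ;;
        554) echo dnsbl.sorbs.net ;;
        555) echo rhsbl.sorbs.net ;;
        556) echo sbl.spamhaus.org ;;
        557) echo cbl.abuseat.org ;;
        558) echo dnsbl.ahbl.org ;;
        559) echo dnsbl.njabl.org ;;
        560) echo chinanet.blackholes.us ;;
        *)   echo other ;;   # e.g. 550 "Relaying denied", not a blocklist hit
    esac
}

# count_rejects FILE: print "count code blocklist", busiest code first.
count_rejects() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^reject=[0-9][0-9][0-9]$/) n[substr($i, 8, 3)]++
    } END { for (c in n) print n[c], c }' "$1" |
    sort -k1,1nr -k2,2n |
    while read -r count code; do
        echo "$count $code $(blocklist_for_code "$code")"
    done
}

# Constructed sample log (documentation addresses, made-up queue IDs).
sample_maillog() {
    cat <<'EOF'
Sep  4 10:12:01 mx sendmail[2101]: n84AC1aa002101: ruleset=check_rcpt, arg1=<a@example.com>, relay=[192.0.2.10], reject=554 5.7.1 Rejected 192.0.2.10 found in dnsbl.sorbs.net
Sep  4 10:12:09 mx sendmail[2102]: n84AC9ab002102: ruleset=check_rcpt, arg1=<b@example.com>, relay=[192.0.2.11], reject=556 5.7.1 Rejected 192.0.2.11 - see http://www.spamhaus.org/SBL/
Sep  4 10:13:30 mx sendmail[2103]: n84ADUac002103: ruleset=check_rcpt, arg1=<a@example.com>, relay=[198.51.100.7], reject=554 5.7.1 Rejected 198.51.100.7 found in dnsbl.sorbs.net
Sep  4 10:14:02 mx sendmail[2104]: n84AE2ad002104: ruleset=check_rcpt, arg1=<c@example.net>, relay=[192.0.2.20], reject=550 5.7.1 <c@example.net>... Relaying denied
Sep  4 10:15:00 mx sendmail[2105]: n84AF0ae002105: from=<d@example.org>, size=1204, nrcpts=1, relay=[192.0.2.21]
EOF
}

# Usage: sh count_rejects.sh /var/log/maillog
if [ "$#" -gt 0 ]; then count_rejects "$1"; fi
```

A code that appears under "other" is a rejection from some rule other than the blocklists above.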


Reference: http://forums.theplanet.com/lofiversion/index.php/t37434.html