Re: Spam to local recipients

> Standard reply: Use access table entries to accept connection only from
> a few nets and reject all remaining.
>
> # explicitly allow connection from "good" IP addresses
> conenct:aaa.bbb.ccc.ddd OK
> connect:eee.fff.ggg.hhh OK
> connect:127.0.0.1 RELAY
> # reject messages from all */8 nets
> connect:0 REJECT
> connect:1 REJECT
> ...
>
> IF you server should relay messages submitted using SMTP AUTH
> THEN use FEATURE(`delay_checks').
>

This doesn't seem to work on one of our test servers here. Like I
mentioned, this is a CentOS+BQ applicance, I'm not sure what may be in
the sendmail config allowing sending of mail. Here is my access file...

localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
0 REJECT
1 REJECT

I tried previously with the connect: prefix and using OK in place of
RELAY, but get the same response. After making changes, I makemap the
access file and then try sending mail. It went through, but I found my
IP on the poprelayd list and removed it, now getting relaying denied. Is
there something in my sendmail.cf I can look for that might be defeating
my setup?

Here is my session....

220 lex.tpa-hosting.webtent.net ESMTP Sendmail Ready; Tue, 18 Dec 2007
10:27:00 -0500
ehlo webtent.org
250-lex.tpa-hosting.webtent.net Hello columbus.webtent.org
[70.110.70.43], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 52428800
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
mail from: robert@webtent.com
250 2.1.0 robert@webtent.com... Sender ok
rcpt to: admin@lex.tpa-hosting.webtent.net
250 2.1.5 admin@lex.tpa-hosting.webtent.net... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
Subject: Test
Testing
..
250 2.0.0 lBIFR0FY028100 Message accepted for delivery
quit
221 2.0.0 lex.tpa-hosting.webtent.net closing connection
Connection closed by foreign host.

Re: Spam to local recipients

Robert Fitzpatrick writes:

>> Standard reply: Use access table entries to accept connection only from
>> a few nets and reject all remaining.
>>
>> # explicitly allow connection from "good" IP addresses
>> conenct:aaa.bbb.ccc.ddd OK
>> connect:eee.fff.ggg.hhh OK
>> connect:127.0.0.1 RELAY
>> # reject messages from all */8 nets
>> connect:0 REJECT
>> connect:1 REJECT
>> ...
>>
>> IF you server should relay messages submitted using SMTP AUTH THEN
>> use FEATURE(`delay_checks').
>>
>
> This doesn't seem to work on one of our test servers here. Like I
> mentioned, this is a CentOS+BQ applicance, I'm not sure what may be in
> the sendmail config allowing sending of mail. Here is my access
> file...
>
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
> 0 REJECT
> 1 REJECT

I have talked about 255 entries (0-255 except 127).

connect:0 REJECT
connect:1 REJECT
....
connect:126 REJECT
connect:128 REJECT
connect:129 REJECT
....
connect:255 REJECT

sendmail does not support "default reject", the 254 entries for */8 nets
is its substitute.

> I tried previously with the connect: prefix and using OK in place of
> RELAY, but get the same response. After making changes, I makemap the
> access file and then try sending mail. It went through, but I found my
> IP on the poprelayd list and removed it, now getting relaying
> denied. Is there something in my sendmail.cf I can look for that might
> be defeating my setup?
>
> Here is my session....
> [...]

--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/

Re: Spam to local recipients

Andrzej Adam Filip wrote:
> Robert Fitzpatrick writes:
>
>>> Standard reply: Use access table entries to accept connection only from
>>> a few nets and reject all remaining.
>>>
>>> # explicitly allow connection from "good" IP addresses
>>> conenct:aaa.bbb.ccc.ddd OK
>>> connect:eee.fff.ggg.hhh OK
>>> connect:127.0.0.1 RELAY
>>> # reject messages from all */8 nets
>>> connect:0 REJECT
>>> connect:1 REJECT
>>> ...
>>>
>>> IF you server should relay messages submitted using SMTP AUTH THEN
>>> use FEATURE(`delay_checks').
>>>
>> This doesn't seem to work on one of our test servers here. Like I
>> mentioned, this is a CentOS+BQ applicance, I'm not sure what may be in
>> the sendmail config allowing sending of mail. Here is my access
>> file...
>>
>> localhost.localdomain RELAY
>> localhost RELAY
>> 127.0.0.1 RELAY
>> 0 REJECT
>> 1 REJECT
>
> I have talked about 255 entries (0-255 except 127).
>
> connect:0 REJECT
> connect:1 REJECT
> ...
> connect:126 REJECT
> connect:128 REJECT
> connect:129 REJECT
> ...
> connect:255 REJECT
>

Duh! Hate when that happens. After *reading* your post again, this works
absolutely fabulous! Even with all our AUTH methods using the
delay_checks feature....thanks!

Re: Spam to local recipients

Andrzej Adam Filip wrote:
> Robert Fitzpatrick writes:
>
>>> Standard reply: Use access table entries to accept connection only from
>>> a few nets and reject all remaining.
>>>
>>> # explicitly allow connection from "good" IP addresses
>>> conenct:aaa.bbb.ccc.ddd OK
>>> connect:eee.fff.ggg.hhh OK
>>> connect:127.0.0.1 RELAY
>>> # reject messages from all */8 nets
>>> connect:0 REJECT
>>> connect:1 REJECT
>>> ...
>>>
>>> IF you server should relay messages submitted using SMTP AUTH THEN
>>> use FEATURE(`delay_checks').
>>>
>> This doesn't seem to work on one of our test servers here. Like I
>> mentioned, this is a CentOS+BQ applicance, I'm not sure what may be in
>> the sendmail config allowing sending of mail. Here is my access
>> file...
>>
>> localhost.localdomain RELAY
>> localhost RELAY
>> 127.0.0.1 RELAY
>> 0 REJECT
>> 1 REJECT
>
> I have talked about 255 entries (0-255 except 127).
>
> connect:0 REJECT
> connect:1 REJECT
> ...
> connect:126 REJECT
> connect:128 REJECT
> connect:129 REJECT
> ...
> connect:255 REJECT
>

Duh! Hate when that happens. After *reading* your post again, this works
absolutely fabulous! Even with all our AUTH methods using the
delay_checks feature....thanks!

Re: Spam to local recipients

Robert Fitzpatrick writes:

> Andrzej Adam Filip wrote:
>> Robert Fitzpatrick writes:
>>
>>>> Standard reply: Use access table entries to accept connection only from
>>>> a few nets and reject all remaining.
>>>>
>>>> # explicitly allow connection from "good" IP addresses
>>>> conenct:aaa.bbb.ccc.ddd OK
>>>> connect:eee.fff.ggg.hhh OK
>>>> connect:127.0.0.1 RELAY
>>>> # reject messages from all */8 nets
>>>> connect:0 REJECT
>>>> connect:1 REJECT
>>>> ...
>>>>
>>>> IF you server should relay messages submitted using SMTP AUTH THEN
>>>> use FEATURE(`delay_checks').
>>>>
>>> This doesn't seem to work on one of our test servers here. Like I
>>> mentioned, this is a CentOS+BQ applicance, I'm not sure what may be in
>>> the sendmail config allowing sending of mail. Here is my access
>>> file...
>>>
>>> localhost.localdomain RELAY
>>> localhost RELAY
>>> 127.0.0.1 RELAY
>>> 0 REJECT
>>> 1 REJECT
>>
>> I have talked about 255 entries (0-255 except 127).
>>
>> connect:0 REJECT
>> connect:1 REJECT
>> ...
>> connect:126 REJECT
>> connect:128 REJECT
>> connect:129 REJECT
>> ...
>> connect:255 REJECT
>>
>
> Duh! Hate when that happens. After *reading* your post again, this
> works absolutely fabulous! Even with all our AUTH methods using the
> delay_checks feature....thanks!

Do you use "make" in /etc/mail directory?

It would provide you with a nice way to use
sendmail-8.xx.x/contrib/cidrexpand (perl script)
to what you like ( "connet:0.0.0.0/0 REJECT")
into what sendmail likes :-)
[remember to keep "connect:127.0.0.1 RELAY"]

P.S.
*IF* you decide to use syntax requiring expansion by cidrexpand
*THEN* make sure put *WARNING* in access file comments about need to
pass it through cidrexpand.

P.S.
Be warned cidrexpand "as it is" may not handle properly all cases of
"overlapping" cidr ranges
[It should relatively easy to fix for small access files (<2_000 lines)]


--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/