Access.db Seems to Be Ignored

on 03.04.2008 04:40:10 by Amiri Barksdale

Hi folks:

I am using sendmail Version 8.13.1 on CentOS 4, and I am trying to use
wildcards in my access.db to block all mail not coming from postini,
my spam firewall service.

I basically can't get it to work at all! Like, nothing happens, and
spam still gets through. Here is my access file:

# by default we allow relaying from localhost...
localhost.localdomain RELAY
localhost RELAY
127.0.0.1 RELAY
postini.com RELAY

1 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
2 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
3 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
4 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
5 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
6 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
7 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
8 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."
9 ERROR:"551 We do not accept mail sent directly to our servers. You
must use the valid MX record of the domain that you are sending to."

Very simple. Here is my sendmail.mc with sensitive stuff blacked out:

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
define(`confLOG_LEVEL', `9')dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS',
`authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
define(`confAUTH_OPTIONS', `A')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/etc/mail/certs')
define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/mail/certs/cert.pem')
define(`confSERVER_KEY',`/etc/mail/certs/key.pem')
dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
dnl define(`confSERVER_CERT',`/usr/share/ssl/cert.pem')
dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/smtp.key')
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
dnl FEATURE(`access_db',`hash -T /etc/mail/access.db')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6,
Family=inet6')
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MASQUERADE_AS(`**********.com')dnl
FEATURE(masquerade_envelope)dnl
dnl FEATURE(masquerade_entire_domain)dnl
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

That's not so simple, but it's not exotic or anything. Does anyone
have any idea why this may not be working?

Amiri

Re: Access.db Seems to Be Ignored

on 03.04.2008 14:47:25 by Amiri Barksdale

On Apr 2, 10:40 pm, Amiri wrote:
> Hi folks:
>
> I am using sendmail Version 8.13.1 on CentOS 4, and I am trying to use
> wildcards in my access.db to block all mail not coming from postini,
> my spam firewall service.
>
> I basically can't get it to work at all! Like, nothing happens, and
> spam still gets through. Here is my access file:
>
> # by default we allow relaying from localhost...
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
> postini.com RELAY
>
> 1 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 2 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 3 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 4 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 5 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 6 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 7 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 8 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 9 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
>
> Very simple. Here is my sendmail.mc with sensitive stuff blacked out:
>
> divert(-1)dnl
> include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
> VERSIONID(`setup for Red Hat Linux')dnl
> OSTYPE(`linux')dnl
> define(`confLOG_LEVEL', `9')dnl
> define(`confDEF_USER_ID',``8:12'')dnl
> define(`confTO_CONNECT', `1m')dnl
> define(`confTRY_NULL_MX_LIST',true)dnl
> define(`confDONT_PROBE_INTERFACES',true)dnl
> define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
> define(`ALIAS_FILE', `/etc/aliases')dnl
> define(`STATUS_FILE', `/var/log/mail/statistics')dnl
> define(`UUCP_MAILER_MAX', `2000000')dnl
> define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
> define(`confPRIVACY_FLAGS',
> `authwarnings,novrfy,noexpn,restrictqrun')dnl
> dnl define(`confAUTH_OPTIONS', `A p')dnl
> define(`confAUTH_OPTIONS', `A')dnl
> TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
> define(`confCACERT_PATH',`/etc/mail/certs')
> define(`confCACERT',`/etc/mail/certs/ca-bundle.crt')
> define(`confSERVER_CERT',`/etc/mail/certs/cert.pem')
> define(`confSERVER_KEY',`/etc/mail/certs/key.pem')
> dnl define(`confCACERT_PATH',`/usr/share/ssl/certs')
> dnl define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
> dnl define(`confSERVER_CERT',`/usr/share/ssl/cert.pem')
> dnl define(`confSERVER_KEY',`/usr/share/ssl/certs/smtp.key')
> dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
> dnl define(`confTO_QUEUEWARN', `4h')dnl
> dnl define(`confTO_QUEUERETURN', `5d')dnl
> dnl define(`confQUEUE_LA', `12')dnl
> dnl define(`confREFUSE_LA', `18')dnl
> define(`confTO_IDENT', `0')dnl
> dnl FEATURE(delay_checks)dnl
> FEATURE(`no_default_msa',`dnl')dnl
> FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
> FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
> FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
> FEATURE(redirect)dnl
> FEATURE(always_add_domain)dnl
> FEATURE(use_cw_file)dnl
> FEATURE(use_ct_file)dnl
> FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
> dnl FEATURE(`access_db',`hash -T /etc/mail/access.db')dnl
> EXPOSED_USER(`root')dnl
> DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
> DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl
> dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
> dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
> dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
> dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6,
> Family=inet6')
> dnl FEATURE(`accept_unresolvable_domains')dnl
> dnl FEATURE(`relay_based_on_MX')dnl
> LOCAL_DOMAIN(`localhost.localdomain')dnl
> MASQUERADE_AS(`**********.com')dnl
> FEATURE(masquerade_envelope)dnl
> dnl FEATURE(masquerade_entire_domain)dnl
> dnl MASQUERADE_DOMAIN(localhost)dnl
> dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
> dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
> dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
> MAILER(smtp)dnl
> MAILER(procmail)dnl
>
> That's not so simple, but it's not exotic or anything. Does anyone
> have any idea why this may not be working?
>
> Amiri


I made a mistake in my sendmail.mc: the line referencing the access.db
is actually not commented out. It's enabled, and I still get the same
spam:

FEATURE(`access_db',`hash -T /etc/mail/access.db')dnl

Sorry for the confusion, but this problem is not about the feature not
being activated!

Amiri

Re: Access.db Seems to Be Ignored

on 03.04.2008 18:57:23 by John Murtari

Amiri writes:

> I am using sendmail Version 8.13.1 on CentOS 4, and I am trying to use
> wildcards in my access.db to block all mail not coming from postini,
> my spam firewall service.
>
> I basically can't get it to work at all! Like, nothing happens, and
> spam still gets through. Here is my access file:
>
> # by default we allow relaying from localhost...
> localhost.localdomain RELAY
> localhost RELAY
> 127.0.0.1 RELAY
> postini.com RELAY
>
> 1 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."
> 2 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."

Not sure, but maybe you are thinking the access db is used
by default to block everything else; it does not. Email coming
to an acceptable address is 'usually' accepted. The 'RELAY' you
are adding above is just telling sendmail it is okay for stuff coming
from postini.com to use your mail server to be sent somewhere else --
which I don't think is what you want. I think what you may want is

localhost.localdomain OKAY
localhost OKAY
127.0.0.1 OKAY
postini.com OKAY

# 2 reject options below
*.com REJECT
*.org 550 Sorry we don't want your email

I'm sure the sendmail documentation explains it all, this
tutorial showed up on a web search and looked decent.

http://www.linuxweblog.com/blogs/sandip/20080206/sendmail-accessdb-example

Hope this helps.
--
John
___________________________________________________________________
John Murtari Software Workshop Inc.
jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM)
http://thebook.com/

Re: Access.db Seems to Be Ignored

on 03.04.2008 22:18:57 by Amiri Barksdale

On Apr 3, 12:57 pm, John Murtari wrote:
> Amiri writes:
> > I am using sendmail Version 8.13.1 on CentOS 4, and I am trying to use
> > wildcards in my access.db to block all mail not coming from postini,
> > my spam firewall service.
>
> > I basically can't get it to work at all! Like, nothing happens, and
> > spam still gets through. Here is my access file:
>
> > # by default we allow relaying from localhost...
> > localhost.localdomain RELAY
> > localhost RELAY
> > 127.0.0.1 RELAY
> > postini.com RELAY
>
> > 1 ERROR:"551 We do not accept mail sent directly to our servers. You
> > must use the valid MX record of the domain that you are sending to."
> > 2 ERROR:"551 We do not accept mail sent directly to our servers. You
> > must use the valid MX record of the domain that you are sending to."
>
> Not sure, but maybe you are thinking the access db is used
> by default to block everything else, it does not. Email coming
> to an acceptable address is 'usually' accepted. The 'RELAY' you
> are adding above is just telling sendmail it is okay for stuff coming
> from postini.com to use your mail server to be sent somewhere else --
> which I don't think is what you want. I think what you may want is
>
> localhost.localdomain OKAY
> localhost OKAY
> 127.0.0.1 OKAY
> postini.com OKAY
>
> # 2 reject options below
> *.com REJECT
> *.org 550 Sorry we don't want your email
>
> I'm sure the sendmail documentation explains it all, this
> tutorial showed up on a web search and looked decent.
>
> http://www.linuxweblog.com/blogs/sandip/20080206/sendmail-accessdb-ex...
>
> Hope this helps.
> --
> John
> ___________________________________________________________________
> John Murtari Software Workshop Inc.
> jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM) http://thebook.com/

Thank you--I'm trying this out now. I think I was misunderstanding the
access.db file, but I haven't had a bunch of spam come through yet so
I can see whether it's working!

Amiri

Re: Access.db Seems to Be Ignored

on 03.04.2008 22:50:37 by Tim Daneliuk

Amiri wrote:
> On Apr 3, 12:57 pm, John Murtari wrote:
>> Amiri writes:
>>> I am using sendmail Version 8.13.1 on CentOS 4, and I am trying to use
>>> wildcards in my access.db to block all mail not coming from postini,
>>> my spam firewall service.
>>> I basically can't get it to work at all! Like, nothing happens, and
>>> spam still gets through. Here is my access file:
>>> # by default we allow relaying from localhost...
>>> localhost.localdomain RELAY
>>> localhost RELAY
>>> 127.0.0.1 RELAY
>>> postini.com RELAY
>>> 1 ERROR:"551 We do not accept mail sent directly to our servers. You
>>> must use the valid MX record of the domain that you are sending to."
>>> 2 ERROR:"551 We do not accept mail sent directly to our servers. You
>>> must use the valid MX record of the domain that you are sending to."
>> Not sure, but maybe you are thinking the access db is used
>> by default to block everything else, it does not. Email coming
>> to an acceptable address is 'usually' accepted. The 'RELAY' you
>> are adding above is just telling sendmail it is okay for stuff coming
>> from postini.com to use your mail server to be sent somewhere else --
>> which I don't think is what you want. I think what you may want is
>>
>> localhost.localdomain OKAY
>> localhost OKAY
>> 127.0.0.1 OKAY
>> postini.com OKAY
>>
>> # 2 reject options below
>> *.com REJECT
>> *.org 550 Sorry we don't want your email
>>
>> I'm sure the sendmail documentation explains it all, this
>> tutorial showed up on a web search and looked decent.
>>
>> http://www.linuxweblog.com/blogs/sandip/20080206/sendmail-accessdb-ex...
>>
>> Hope this helps.
>> --
>> John
>> ___________________________________________________________________
>> John Murtari Software Workshop Inc.
>> jmurtari@following domain 315.635-1968(x-211) "TheBook.Com" (TM) http://thebook.com/
>
> Thank you--I'm trying this out now. I think I was misunderstanding the
> access.db file, but I haven't had a bunch of spam come through yet so
> I can see whether it's working!
>
> Amiri

Not to be pedantic, but you *are* rebuilding the access.db file each time you
edit the access file, right?



--
------------------------------------------------------------------------
Tim Daneliuk tundra@tundraware.com
PGP Key: http://www.tundraware.com/PGP/

Re: Access.db Seems to Be Ignored

on 04.04.2008 03:42:29 by DFS

Amiri wrote:

> 1 ERROR:"551 We do not accept mail sent directly to our servers. You

[...]

> 9 ERROR:"551 We do not accept mail sent directly to our servers. You
> must use the valid MX record of the domain that you are sending to."

Are you really doing only 1 through 9? That won't work.

You need:

Connect:0 REJECT
Connect:1 REJECT
....
Connect:255 REJECT

Sendmail matches on octet boundaries only for Connect: access DB lookups.

But anyway... why don't you just use an iptables rule? Much easier to maintain
and more readable. Also, I doubt you want:

postini.com RELAY

in your access DB unless you really want to relay mail to Postini and/or
allow people who control their reverse DNS to get through. (Aren't
Postini's relays in the "psmtp.com" domain anyway? Doesn't Postini
have a FAQ on how to configure Sendmail?)

Regards,

David.
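
Added illustration (not code from any poster, and not sendmail's own rules) of the two points John and David make above: the access map does not reject anything by default, and a Connect: lookup for an IPv4 client walks 1.2.3.4, 1.2.3, 1.2, 1, so a REJECT for every first octet is what it takes to refuse "everything else". The script builds the access file the thread converges on (OK rather than RELAY for trusted sources, explicit Connect: tags, Connect:0 through Connect:255 rejected) and then emulates the lookup order check_relay uses: client name first, with leading labels stripped one at a time, then client address with trailing octets stripped, and for each candidate key the tagged entry before the bare one. The emulation implements suffix stripping only; it does not treat `*` as a glob. It runs against a plain-text file, so no sendmail or makemap is needed. The host names and addresses used in the demo calls are constructed for the example; `host.postini.com` is not a real relay name. Note the caveat David raises: an OK on the client name wins outright, so it is only as trustworthy as the reverse DNS that produced the name.

```shell
#!/bin/sh
# Emulation of sendmail's Connect: access-map lookups (added example, not
# sendmail's code).  Key order follows cf/README: IPv4 addresses lose
# trailing octets one at a time, host names lose leading labels one at a
# time, and for each candidate the tagged key is tried before the bare key.
set -u
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
ACCESS="$work/access"

# Constructed access file in the form the thread arrives at: OK instead of
# RELAY for trusted sources, explicit Connect: tags, and an entry for every
# first octet, because access_db never rejects a client it finds no entry for.
{
  printf '%s\n' \
    'Connect:localhost.localdomain OK' \
    'Connect:localhost OK' \
    'Connect:127.0.0.1 OK' \
    'Connect:postini.com OK'
  i=0
  while [ "$i" -le 255 ]; do
    printf 'Connect:%d ERROR:"551 Use the MX record of the domain you are sending to"\n' "$i"
    i=$((i + 1))
  done
} > "$ACCESS"

# Candidate keys for one client value, most specific first:
#   1.2.3.4 -> 1.2.3.4 1.2.3 1.2 1     host.sub.example -> host.sub.example sub.example example
access_keys() {
  v=$1
  case $v in
    *[!0-9.]*)                     # host name: strip the leading label
      while :; do
        printf '%s\n' "$v"
        case $v in *.*) v=${v#*.} ;; *) break ;; esac
      done ;;
    *)                             # IPv4 address: strip the trailing octet
      while :; do
        printf '%s\n' "$v"
        case $v in *.*) v=${v%.*} ;; *) break ;; esac
      done ;;
  esac
}

# Right-hand side of the first matching entry; fails if nothing matches.
# The tagged key is tried first, then the bare key (the untagged fallback
# sendmail keeps for older access files).
access_lookup() {
  for k in $(access_keys "$1"); do
    for key in "Connect:$k" "$k"; do
      rhs=$(awk -v key="$key" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$ACCESS")
      if [ -n "$rhs" ]; then
        printf '%s\n' "$rhs"
        return 0
      fi
    done
  done
  return 1
}

# Map a right-hand side to a decision.  OK and RELAY both admit the client;
# REJECT, ERROR:... and a bare 5xx code refuse it.  Other values (SKIP,
# DISCARD, ...) are not modelled here.
verdict() {
  case $1 in
    OK|RELAY)                    echo accept ;;
    REJECT|ERROR:*|5[0-9][0-9]*) echo reject ;;
    *)                           echo accept ;;
  esac
}

# One connection, in check_relay's order: client name first (any entry for
# the name decides, so an OK there short-circuits the address check), then
# the client address.  No entry anywhere means accept.  An empty name
# stands in for an unresolvable client.
check_relay() {
  name=$1; addr=$2
  if [ -n "$name" ]; then
    rhs=$(access_lookup "$name") || rhs=""
    if [ -n "$rhs" ]; then
      echo "$(verdict "$rhs") name=$name rhs=$rhs"
      return 0
    fi
  fi
  rhs=$(access_lookup "$addr") || rhs=""
  if [ -n "$rhs" ]; then
    echo "$(verdict "$rhs") addr=$addr rhs=$rhs"
  else
    echo "accept addr=$addr rhs=(none)"
  fi
}

check_relay localhost 127.0.0.1             # accept: Connect:localhost OK
check_relay host.postini.com 203.0.113.10   # accept: name matches Connect:postini.com
check_relay '' 198.51.100.7                 # reject: falls through to Connect:198
check_relay mail.example.net 192.0.2.9      # reject: no name entry, Connect:192 hits
```

Run it as-is to see the four decisions. Replacing the `Connect:0`..`Connect:255` block with the original post's bare `1`..`9` entries shows why David says that cannot work: a client at 10.0.0.1 or 198.51.100.7 walks down to `10` or `198`, finds nothing, and is accepted.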