Okay, I've mooched off everyone else for too long without "giving back", so here goes, my tips for Sendmail on Ensim:

1) Backup your /usr/lib/opcenter/sendmail/install/sendmail.mc and /etc/sendmail.cf and /etc/mail/access and /etc/mail/access.db and /etc/aliases files before you start!
2) These changes go in the sendmail.mc file

Security enhancements:



This requires a HELO or EHLO greeting from the sending SMTP server; puts limits on Sendmail forks and other settings to stop a DOS attack from overwhelming your server; Munges the Sendmail server identification to make it harder to hack (since you don't know the version of Sendmail); limits the number of recipients in a single message.

My blocklists. I put different numbers in each blocklist reject message, so I can identify & count them out of /var/log/maillog and get stats on each one...



all of the above go before the line:

FEATURE(`blacklist_recipients')dnl

Other notes:
create an alias in /etc/alias called dev-null and point it to /dev/null:

dev-null: /dev/null

the above Double Bounce Address is where someone sends email to a bogus mailbox on YOUR server, and YOUR server bounces it back to the FROM address, which then bounces back to you, because of course it was from a spammer! This throws the double bounce into the bit bucket ;-)

The delay_checks feature causes it to log the sender from address and other info, when it rejects spam.

In file /etc/mail/access:

Connect:xxx.xxx.xxx.xxx OK

where xxx.xxx.xxx.xxx is YOUR server IP. This keeps you from blocking yourself, if you happen to get listed in one of the blocklists you use!

To apply this, run:

m4 /usr/lib/opcenter/sendmail/install/sendmail.mc > /etc/sendmail.cf

/sbin/service sendmail restart

If you have a problem, restore your /etc/sendmail.cf and restart sendmail. You DID back it up, right?

Any others with some tips?

I have installed Mailscanner and tried this and applied all that is required for fixing with Mailscanner, however send mail did not deliver incoming mails. Plus if you have requested for additional IP addresses, you need to add domain IP address in /etc/mail/access a line 'Connect:xxx.xxx.xxx.xxx OK' for the domains that are hosted with IP Address, otherwise it will not deliver the mail for the domains and rejects.

Any others who have tried this ...

any updates on this.

Well, I made changes using the information above. Seems to be working. however, this is what I used for spam filtering:



So far, email is woking ok, and im bouncing emails flagged by spamcop.net now, and email seems to be working normally.

Using Ensim Pro 3.5.x

btw, when I had dnsbl instead of `dnsbl' for spamcop, all mail stopped. So, i didnt do that

-Sav

I got 3000 double bounces today so I decided to look this up and see if anybody had found a solution. So far so good!

Much thanks pblinux

Jon

This will work with the mailscanner+clamav package that gpan put out without problems?

I haven't had any problems with this howto and the mailscanner package so far. More spam are beign trapped by sendmail and no double bounces.

Great HOW-TO. Thank you .

I had been wondering how/where to apply m4 rules to Ensim's sendmail ..

Wonderful set of black hole lists and sendmail settings here.

Thank you for sharing!

some warnings before you do this:

Some of those blackhole lists are over-aggressive. If you follow these rules verbatim, you are probably rejecting some legit mail along with all the rest. And the chinanet blackhole is just plain disasterous if you have any clients who have family in China.

Personally, I only use:

FEATURE(`dnsbl', `sbl.spamhaus.org', `"554 Rejected " $&{client_addr} " - see http://www.spamhaus.org/SBL/"')dnl
FEATURE(`dnsbl', `cbl.abuseat.org', `"554 Rejected " $&{client_addr} " - see http://cbl.abuseat.org"')dnl


These two are considered fairly safe, they are designed to be low-collateral-damage and have a very low false-positive rate.


Also, technically, using different 55x codes is a violation of the internet mail RFCs. You should only use 554 or 550. 550 indicates that the error has something to do with the recipient address, so I prefer 554.

My server is used by an infected machine to send VIRUS infected emails to everywhere on the internet !!!
When I "top -c" in my box I see several of this processes runinng :

25898 root 15 0 4452 4452 2876 S 0.1 0.4 0:00 sendmail: ./i0UKWBM30885 sncwsrelay2.nai.com.: user open

This not only increase the load of the server but also spread virus accross the internet.

As far as I understood MailScanner and Spamassasin is blocking incoming mail, which is not the case for my HUGE problem.

Does anyone know how to stop this freakin' mails get emailed from my server to the internet?

Is there a solution in the sendmail configuration?

I have applied the security fixes above,
but the processes still lingers when i "top -c" in my box.

Please help me.

thanks

http://forum.ev1servers.net/showthread.php...&threadid=41508

I moved the topic to the link above. I was able to get POP3 working again thanks to what you have here, but that was all. Thank you all for that!

Thanks, great howto... noticed a decrease in my server load as soon as I implemented this!! It seems to have taken a lot of load off MailScanner.

-edited

I must have clicked the post button twice to create a duplicate.

Ok I have installed this and now some clients who SEND mail through my server are getting rejected. Only some of them not all of them. I think I narrowed it down to people who are using AOL as their ISP. Is there a way I can setup sendmail to block only Incomming spam and ignore all outgoing mail and just send it? (as long as they log in with a valid username and password of course)

Ok I have installed this and now some clients who SEND mail through my server are getting rejected. Only some of them not all of them. I think I narrowed it down to people who are using AOL as their ISP. Is there a way I can setup sendmail to block only Incomming spam and ignore all outgoing mail and just send it? (as long as they log in with a valid username and password of course)

I used to get at least 100 double-bounce messages every day to the admin account, not to mention about 200 spam messages per day (to my personal account) that made it through spamassassin. Since making these modifications, I only get 1 or 2 junk emails a day.

If this is enabled should I disable blacklists in mailscanner.conf ?

There should be no reason for the blacklists in MailScanner unless you want to check even more blacklists than the ones in sendmail.cf.

Sendmail will still allow outgoing email if the user authenticates, at least it does for me. What you need to do is look in /var/log/maillog and find the message, then understand what it means. Sendmail.org has documentation. You could also post the message here and we'll try to help.



The blacklists in Sendmail will cause the email to be rejected during the transmission, that is, it never arrives on your network. That was my choice, so it made sense for me. It means it doesn't waste my bandwidth being received, waste disk space or waste CPU time handling it. Only you can decide if that is right for you.

I will say that the lists I've chosen all seem responsible. That is, they only list IPs that actual spam came from, they all provide a reasonable policy about getting delisted, and seldom if ever have a false positive. I have gone months without a single customer complaint about a legitimate email being rejected. In fact, I'll go so far to say that I've *never* had a single legitimate email rejected when the sender's ISP was innocent.

However, today I had *two* complaints. Both were properly rejected, that is, the ISP's email server was guilty of allowing spam through, and was rightly listed on SpamCop. I explained what was going on, and they seemed okay, and were going to contact their ISP. Actually, only one was still listed, the other one was delisted before I ever heard there was a problem. That's an example of the great work being done at SpamCop - they list quickly (based on more than one complaint) but will remove you if you clean up your act.

Overall, my clients love their (nearly) spam free mailboxes, they seem to understand and appreciate the policy on filtering. It is important to be open and upfront with your clients about filtering.

If however you want to filter it *after* it arrives (why?) then you should leave the blacklists out of Sendmail and use them in Mailscanner or whatever.

Note - I have not set up Mailscanner, so I can't help you with that.

I do note that Ensim 3.7 uses Mailscanner with SpamAssassin, plus ClamAV for anti virus scans. I'm testing it right now. Ensim 3.7 allows each user (mailbox) to set their own spam filtering options to SpamAssassin, as well as where the spam goes or if it is just deleted. I think that is really nice and looking forward to it. I built my current setup myself with no help from Ensim, and so I have to maintain it

What's really ironic about all of this is that I find Sendmail cryptic and difficult to set up, and yet I'm leading a discussion on it Given my choice I'd use Postfix any day, but Sendmail is what integreates with Ensim... I may have to break down and read the Sendmail documentation end-to-end, since I have to live with it :eek:

Fred

One other very important thing that hasn't been mentioned.

When you change your Sendmail configuration like this, besides backing up the files I mentioned (you DID back them up, right?), you need to look for errors when you build the file and restart sendmail.

I've seen it where I misspelled something in a blacklist line, but the m4 command and sendmail restart still worked.

So, on the surface, it seemed like the changes took and were okay.

Wrong!

However, going into /var/log/maillog to the end, I'd see error messages each time an email was encountered.

If you see that, it is time to recover your Sendmail configuration and try again. Copy the sendmail.cf file back and restart Sendmail, so your email delivery goes back to normal. Then analyze the /var/log/maillog error message(s) to find out what went wrong, and try again.

An easy way (lazy way) to watch your maillog is

tail -f -s 5 /var/log/maillog

and then just sit there and watch it change. Especially using "screen", which is the greatest thing next to VMware I find it relaxing to watch my Sendmail log, to see the spam bounce off my server It gives me a great sense of accomplishment!

HTH,

Fred

Here is what I think is happening. You are right that sendmail still allows outgoing email if the user authenticates unless like some of my users they are using AOL dialup, and a few other ISPs but AOL is the main one. These few are being assigned an IP address by AOL that turns out be on a blacklist (Seems either alot of spamers use AOL as their ISP or use IPs in the AOL pool to spoof IP addresses) Now because the IP address they are sending from is on a blacklist even though they are ligit normal users sending normal email my server blocks all their sending when it sees the IP the email is orignating from. In fact these users actually get a bounce message from sendmail in their email box as soon as they send the message.

So if that is whats going on then I need to find a way to get sendmail to ignore all checking of outgoing mail period. Thats the only solution I can see that will work short of not using the blacklists at all.

Any help would be great thanks

I sympathize, but you need to be careful. Taking off all outgoing email checks will make your box a spam relay. You'll get booted off EV1 before you know it. Caution is advised.

You could try putting in the email server(s) that your users are sending through, in the /etc/access (or whereever that file is), that should override the blacklists.

Just because your clients use AOL, does not mean they are stuck using AOL's terrible email system.

Have them use an email client like Outlook, Mozilla Mail, Thunderbird, Evolution, Eudora, etc. and they'll be fine using your server for the POP/IMAP and SMTP server.

Why would they get a domain on your server, and then send their email thru AOL's system? That doesn't make any sense to me, but then that's just me

That is exactly what they are doing. They are using Outlook while connected to the net with AOL. AOLs pool of email addresses are the problem. Alot of those IPs are on a black list. So when they use outlook and send mail through my server not through AOLs email servers they get bounced because of the IP address that their computer has been assigned by AOL.

That doesn't make sense to me that they're getting blocked. For example, some of the lists I use now block any dynamic address, like dialup, DSL, Cable, etc.

And yet I can send email from two different DSL accounts I use, one with Verizon, one with Bellsouth.

If I tried to send mail without authenticating, it would not be accepted.

Fred

Dude, I'd like to know what lists you are using that include all dynamic IP's. Been looking for that for a while.

Jon

Hey, hold on, I never said they included *all* dynamic IPs, just a lot of them

Here are my current lists, that target dymamic IPs (plus other problems, too). For details, visit their respective sites to find out how to use them. Some maintain multple DNS zones for various purposes.

FEATURE(`dnsbl', `dnsbl.sorbs.net', `"554 Go away spammer (RC04) - Rejected " $&{client_addr} " found in dnsbl.sorbs.net"')dnl
FEATURE(dnsbl,`dnsbl.njabl.org',`554 Go away spammer (RC06) - Message from $&{client_addr} rejected - see http://njabl.org/')
FEATURE(`dnsbl', `dun.dnsrbl.net', `"554 Go away spammer (RC14) - Rejected " $&{client_addr} " - listed at http://dnsrbl.com/"')dnl
FEATURE(`dnsbl', `spam.dnsrbl.net', `"554 Go away spammer (RC15) - Rejected " $&{client_addr} " - listed at http://dnsrbl.com/"')dnl
FEATURE(`dnsbl', `dul.ru', `"554 Go away spammer (RC16) - Rejected " $&{client_addr} " - Use your ISP email server to send mail - listed in dul.ru"')dnl

Easynet was good and had a dynamic IP list, but they went away late last year...

For example, the dnsbl.sorbs.net list contains their dul.dnsbl.sorbs.net dynamic IP list already. Caution is advised, use at your own risk.

I would advise you to never use a blocklist until you've read how they work. Even then, you might want to monitor Sendmail after you enable them, to see how they're doing it. Weekends are the best time, as the ratio of spam is much higher than during the week when legitimate users are emailing constantly.

Fred

ok, this is a great Howto and all but I want to apply it in a different way to Ensim 3.7 and MailScanner. I have a couple of clients that live in countries where their ISP is constantly being listed in one of those lists so I want to be able to just not give them any spam filtering btu then have MailScanner filter those lists (instead of sendmail)....

Any ideas? I was thinking of somehow making them automatically score as HighScoreSpam. Any input or tips would be much appreciated.

Jon

I have tried the suggested updates, and sendmail would not come back up. I have put all my backups back, reran the m4 command line, and still no sendmail. I am not getting errors in the maillog. I have tried rebooting the server. I do not have sendmail.

I get a Cannot connect to server error.

I have tried restarting sendmail, and MailScanner from the command prompt but I do not get any errors during restart.

I have Ensim 3.5.20-7, with MailScanner

Any help is greatly appreciated. I have no SMTP service presently...

restore your /etc/sendmail.cf and restart sendmail and you're golden. This is why I said to back it up

When sendmail fails to start, it isn't usually obvious as to why, which is why we said to backup the sendmail.mc AND sendmail.cf.

I got everything to work. My server load was too high for sendmail to restart. I stopped enough services for it to restart.

A few peculiar things though. Once restarted, the server load dropped from 12 to 5. Then it started to process the massive amounts of email in the queue (the reason I made the changes in the first place) and the server load jumped to over 27, and processes hit 1680! Once the queue was cleared, the load has dropped to 5, although still high, is lower than it's been in 2 days.

I think it's going to take some time to clear everything out. None of the spam has originated from my server, but all the reply email addresses are invalid users at a valid domain on my server. I get all the bounced messages. I'm hoping the double bounce emails this fix should resolve will cut down on the emails in the queue.

If anyone has any idea how to stop the invalid emails to the domain on my server, I'd love to know.

thank you pblinux, for sharing.

one request / question -- is it possible to have this applied only to one or more domains instead of system-wide? i have a paranoid user who doesn't want the lists applied, but others do.

No, I'm not aware of a way to do that. The blocklist stops the spam cold, before it ever reaches the virtual domain.

By the way, I'm using spfilter to create a list of additional blocklists in Sendmail access format, and preloading that into Sendmail. Not all blocklists are in dnsbl format to work with Sendmail dynamic lookups.

http://spfilter.sourceforge.net/

Instructions are a little cryptic, but basically it is a universal blocklist format. You install spfilter, then run it to fetch the latests blocklist updates, and create a blocklist in your email server's format.

I have this automated in a cron job, and it's cut our remaining spam almost to nothing, without any more false positives. Knowing which blocklists to use is key, as well as not duplicating the access list with your dnsbl lookups. I'm fine tuning it, but it is working really well.

Put together with the Sanitizer and MailScanner with SpamAssassin and ClamAV, our clients are getting superior spam filtering and virus protection

I sense a new/improved HOWTO coming...

Fred

This has been a great how to, makes a huge impact on spam and MailScanner load reduction.

I would be very interested in more info on your additinal mods.

Thanks for a great contribution!

Thanks, Doug.

Yes, I think the key is to keep as much spam as possible from getting into the email gateway in the first place. Otherwise you're going to run it all through MailScanner and SpamAssassin and ClamAV, burning up your CPU power for no reason. Of course, the trick is to do it without inconveniencing legitimate emailers.

I'm moving my clients to this new server starting tomorrow, so I don't know when I'll get to it, but I do plan to update the HOWTO.

Fred

Fred,
Had this working aces on 3.7, but no go on 4.0. Have you upgraded yet?

Fred,
SPFilter is being replaced by Bliab. Have you tried this yet?

I did upgrade to 4.0 in a test machine, but have not tried email there. What problem did you have when you upgraded?

4.0 seems like a very minor upgrade. I'm actually more worried about the RHEL upgrades recently released, so I plan to test all of that.



I saw that, but there doesn't seem to be much info on bliab at this point. spfilter is still being actively maintained, and I'm using it with good success

As an example, one of our clients suddenly got a sustained email attack from t-dialin.net starting the middle of last week. So far, 10,000 spams sent.

Not a single spam got through, because of our dynamic IP filters

So I'm still happy as a clam.

When I get a chance to test Ensim 4.0 more thoroughly, I'll post results here, but I am not expecting any problems actually.

I can't remember if I mentioned that we're also using the Procmail Sanitizer, as a backup filter to MailScanner. It can delete zip files containing dangerous attachments, even if password protected as we saw in February worms.

http://www.impsec.org/email-tools/procmail...l-security.html

Fred

And this is due to SPFilter?

This is where I struggle as I don't know a lot about which lists are best to use. I'd appreciate any advise/tips you'd lend.


Looking very much forward to it.

Jon

Yes. The list of dynamic IPs in the lists supported by SPFilter is much more extensive than the dnsbls I've found. The network's DSL space that was attacking us was listed in the SPFilter lists we brought into Sendmail, so none of their junk made it through.

Amazingly, it's been more than 3 weeks since the attack began, and it is continuing. I've contacted the network's abuse team multiple times, and they've acknowledged the report, but it keeps coming...

The Internet is like the Wild, Wild West sometimes :eek: You have to protect yourself and your clients.

Fred

Here's a little more explanation.

dnsbl (DNS block lists) are checked in real time as email comes in. If the sender's IP address is listed, then Sendmail "hangs up" on their email transmission - the email never comes in. This takes the load off your server, and stops wasted time with anti-virus and spam checking.

dnsbls are great for quick response to spam attacks. Once a particular IP starts spewing spam, services like SpamCop are quick to pick it up and list it. So using, for example, SpamCop's dnsbl is a great way to block spam.

The current crop of Windows worms and viruses is a whole other problem. These are typically sent from blissfully ignorant Windows users whose PCs have become infected. If you are able to block direct connections (i.e. those that bypass their ISP's email server) then you will stop most of this junk. The problem is that the dnsbls don't list much of the dynamic IP address space (dial-up, cable, DSL).

The flip side is that the dynamic IP address space is very stable - it's not like Comcast (the #1 source of this junk) switches their dynamic IP address ranges frequently. SPFilter has a number of dynamic IP blocklists, which we've been using with good success. PLEASE READ the cautions in the files! I ignored one, and it SAID that it blocked some innocent DSL users with fixed IPs, and sure enough I had a legitimate complaint. Other than that it has been flawless.

The deal is this - you update spfilter, and then it creates a file for YOUR email server, in my case, Sendmail. Then you import this into Sendmail. I have a cron job that generates the file and does a makemap command to create the access.db file for Sendmail, each day.

So, SPFilter stuff is good for IP blocklists that don't change very often, like dynamic IP address space used worms and viruses running on infected Windows machines. dnsbls are great for stuff that changes quickly (like spammers).

Another difference - you can override the blocklists in the access.db by putting in the specific IP with an OK or RELAY directive. With dnsbls you cannot do this (at least, *I* do not know how to do this!). So if I have a box on a DSL account, that I want to allow to send email through my server, I can exempt it.

I hope that makes some sense.

When things settle down (maybe sometime this summer) I do plan to write an extensive HOWTO for all of this.

Fred

I just tried to do this on a RHEL Ensim 4.0.1 box and after finishing no one could connect to SMTP at all. Message from outlook is

unable to connect to your outgoing (SMTP) e-mail server

I've done this successfully before on a Ensim 3.1.11 box and it worked great.

Some of my observations of the differences in sendmail installs are

sendmail.cf is not located in /etc anymore now its in /etc/mail
there is another sendmail.mc file in /etc/mail
in the sendmail.mc file you are instructed to use the command make -C /etc/mail instead of the m4 command you list

Other than that everything else looks very simular except maybe the format of access file might have changed in this version of sendmail.

Any Ideas on how to get it working would be appreciated.

Probably there is a syntax error in the sendmail.mc script somewhere. Check /var/log/maillog or /var/log/messages and you'll probably see a message from Sendmail saying the startup failed.

Restore your .mc and .cf files and try again

Ensim definitely uses the m4 command, and yes, under later releases the .cf file is in /etc/mail/sendmail.cf

Fred

Thanks PBLINUX. It works fine now. I actually had a problem with the sendmail config that was making it not work. It seems that once you run up2date on RHEL 3 the red hat updates hose up sendmail so that outgoing mail auth doesn't work anymore. So once I fixed that everything worked. The fix for sendmail auth is

With a plain RHEL 3 installation
cp /etc/pam.d/smtp.sendmail /etc/pam.d/smtp
resolves this problem

For ENSIM
cp /usr/lib/opcenter/sendmail/install/smtp.pam /etc/pam.d/smtp

Thanks to Simonmay for that fix

Anyway it seems to work great with Ensim 4.0.1

Thanks again PBLINUX :o

Well, I finally got around to implementing this on my Ensim 4.0.1 fedora system and it worked flawlessly. In fact, I stopped recieving viruses to my server completely so far and only a little spam is coming through atm. I chose to do things a little differently in that I took spamcop out of the sendmail config because I've had complaints from some clients and I added the following into the sendmail config:


I also set up MailScanner to check every message that comes through the server against spamcop and spamhaus and if it is listed in both then I mark it as high score spam, else if only one sais the message is spam I just mark it as spam and then from there the user can decide how to handle it. This basically gives the user control over most of the questionable spam while filtering server-wide the open relays and such.

We'll see how it works long term but I just wanted to share and say thanks again for a great HowTo. I'm learning much about the spam fight.

Jon

I finally got mailscanner to load on 4.0.1 but now it appears that somehow the queue is not being processed correctly when mailscanner is turned on. I tried turning it off from the appliance but it automatically restarts as I believe there are cron jobs to monitor this.

What should I set to make sure things are pointing at the correct area?

This sounds like an issue that should really be in its own thread...and what do you mean you finally got MailScanner to load? What kinds of error messages were you getting before when you tried to start it? Was it stock MailScanner installed with Ensim or for example gpan's MailScanner rpm?

Starta new thread with that type of info and anything else you can think of that is relevant and I'm sure somebody will be able to help.

Jon

Much Thanks!!! this works great! in Ensim Pro 4.0.1 the /etc/sendmail.cf is now in /etc/mail/sendmail.cf

no problems in RHEL Ensim 4.0.1
Spam has decreased quite a lot, only enabled spamhaus and the other one suggested cbl.abuseat.org. Some spam still arrives but not as much.