Full Version: Sendmail / Ensim / Reducing spam delivery attempts
EffieRover
Using these techniques will require editing Ensim setup files, which technically voids your warranty. Your problem, not mine. On the flip side, I've been using this for over five years with several versions of Ensim and several versions of sendmail. No biggie here.

Don't use the standard sendmail mc file; Ensim will simply overwrite it for you. Instead, start with

vi /usr/lib/opcenter/sendmail/install/sendmail.mc


You'll know you're in the correct file if the second line reads DO NOT EDIT!!!!

First, add in some rate-limiting so as to not tax the server. These lines go in somewhere BEFORE the LOCAL_DOMAIN section. Put it right above if it floats your boat:

dnl # -- Loy says: after 5 bad address attempts, throttle this sender --
define(`confBAD_RCPT_THROTTLE',`5')dnl


Make sure you can whitelist folks caught in the dnsbls by placing an OK line in access.db:

dnl # -- Loy says: allow whitelisting --
FEATURE(`delay_checks')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl


Then, you can start messing with the spammers. Pauses will make many show up in /var/log/maillog as starting before handshaking is finished. Rate limiting will terminate connections on flood attacks. Both of these have to be AFTER the access.db line:

dnl # -- Loy says: greeting pause of 5 seconds - AFTER access_db --
FEATURE(`greet_pause', `5000')
dnl # -- Loy says: rate limit overly pushy mail servers - AFTER access_db--
FEATURE(`ratecontrol', `nodelay',`terminate')dnl


Here you can add dnsbls without having them erased later. Look for this line:

define(`POP_B4_SMTP_TAG', `')


And place your dnsbl listings AFTER it, like so:

dnl # -- Loy says: block lists here --
FEATURE(`dnsbl',`dnsbl.njabl.org',`',`"Source $&{client_addr} rejected per NJABL - http://njabl.org/"')dnl
FEATURE(`dnsbl',`sbl.spamhaus.org',`Source rejected per http://spamhaus.org')dnl
FEATURE(`dnsbl',`pbl.spamhaus.org', `Source rejected per http://spamhaus.org/pbl')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
EXPOSED_USER(`postmaster')dnl


You can check for compromised Windows boxen by looking for single-token HELO. These machines will respond with the name the user set up for them, like JACKS_PC or DELL_1100_a. Be careful to have tabs in there between the left and right hand side of the lines. Place these lines right under LOCAL_RULESETS.

CODE
dnl -- Loy says: check for single-token HELO which should never happen --
SLocal_check_mail
R<$*>	$1
R$*	$: $1 $| < $&s >
R$* $| < $- >	$: $1 $| WORM
R$* $| WORM	$#error $@ 5.7.1 $: "550 Non-valid HELO/EHLO indicates 0wn3d PC as sender. Rejected."
R$* $| $*	$: $1


Also under LOCAL_RULESETS, you can check for machines masquerading as you in order to bypass block rules. Change 255.255.255.255 to your IP.

CODE
dnl -- Loy says: check to see if the connecting host claims to be us --
KCheck_Schizo regex -a@MATCH ^255\.255\.255\.255$
R$*	$: $1 $| $(Check_Schizo $&{s} $)
R$* $| @MATCH	$#error $@ 5.7.1 $: "550 I am " $&{s} ", not you."
R$* $| $*	$: $1

These aren't a panacea for spam, but I find them useful. Save your original and reconfigure sendmail like so:

cp /etc/mail/sendmail.cf /etc/mail/original.sendmail.cf
m4 /usr/lib/opcenter/sendmail/install/sendmail.mc > /etc/mail/sendmail.cf
service sendmail restart


If you get "tab expected" errors, then you need to go back and replace the spaces in the lines above with tabs. You can now also create custom rules in /etc/mail/access per sendmail docs and

makemap hash /etc/mail/access.db < /etc/mail/access


To implement them. I also have

sendmail -d0 < /dev/null


Noted in my file to review settings. I couldn't find this on the board, so I hope I'm giving back.
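
The placement rules from the post above (throttle before LOCAL_DOMAIN, greet_pause and ratecontrol after access_db, dnsbl lines after POP_B4_SMTP_TAG, tabs in the rule lines under LOCAL_RULESETS) can be checked on the mc file before it is run through m4. This is an added example, not part of the original post; `lint_mc`, `first_line`, `ORDER_RULES` and the sample text are hypothetical names and constructed input.

```python
import re
# (must come first, its regex, must come later, its regex); one entry per
# placement instruction in the post. Names here are this example's own.
ORDER_RULES = [
    ("confBAD_RCPT_THROTTLE", r"confBAD_RCPT_THROTTLE", "LOCAL_DOMAIN", r"^LOCAL_DOMAIN"),
    ("access_db", r"FEATURE\(`access_db'", "greet_pause", r"FEATURE\(`greet_pause'"),
    ("access_db", r"FEATURE\(`access_db'", "ratecontrol", r"FEATURE\(`ratecontrol'"),
    ("POP_B4_SMTP_TAG", r"define\(`POP_B4_SMTP_TAG'", "dnsbl", r"FEATURE\(`dnsbl'"),
]

def first_line(lines, pattern):
    """1-based number of the first non-dnl line matching pattern, else None."""
    for no, line in enumerate(lines, 1):
        if not line.lstrip().startswith("dnl") and re.search(pattern, line):
            return no
    return None

def lint_mc(text):
    """Return a list of placement and tab problems found in sendmail.mc text."""
    lines = text.splitlines()
    problems = []
    for first, first_re, later, later_re in ORDER_RULES:
        a, b = first_line(lines, first_re), first_line(lines, later_re)
        if a is not None and b is not None and a > b:
            problems.append(f"line {b}: {later} appears before {first} (line {a})")
    # Rule lines after LOCAL_RULESETS need a tab between the two sides.
    start = first_line(lines, r"^LOCAL_RULESETS")
    if start is not None:
        for no, line in enumerate(lines[start:], start + 1):
            if line.startswith("R") and "\t" not in line:
                problems.append(f"line {no}: rule line has no tab: {line!r}")
    return problems

# Constructed sample (not the Ensim file): greet_pause sits above access_db
# and the last rule line has spaces where the tab belongs.
SAMPLE = "\n".join([
    "define(`confBAD_RCPT_THROTTLE',`5')dnl",
    "dnl # greeting pause - AFTER access_db",
    "FEATURE(`greet_pause', `5000')dnl",
    "FEATURE(`delay_checks')dnl",
    "FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl",
    "FEATURE(`ratecontrol', `nodelay',`terminate')dnl",
    "LOCAL_DOMAIN(`localhost.localdomain')dnl",
    "LOCAL_RULESETS",
    "SLocal_check_mail",
    "R$*\t$: $1 $| < $&s >",
    "R$* $| < $- > $: $1 $| WORM",
])
if __name__ == "__main__":
    print("\n".join(lint_mc(SAMPLE)))
```

An empty result means the file follows the ordering and tab rules given in the post; it does not validate the rest of the mc syntax.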
Victor
I modified my sendmail file per your instruction and I've got an error:
Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 73: unknown configuration line "access_db--"
[FAILED]

Also, it looks like I don't get much mail anymore; I don't know how to test the new modification to see if it works.