
We have the following e-mail topology:

Exchange server --------- Sendmail server ---------------Internet

On the sendmail server there are no user mailboxes, and messages with the sender address user@my.domain.com can arrive only from the Exchange server and never from the Internet. Based on this fact I want to limit the amount of received spam by rejecting all emails incoming from the Internet and claiming to be from my own domain (anyuser@my.domain.com).

I have configured an SPF record for my domain and installed the spfmilter, spamassassin and spamass-milter packages on the sendmail server. It works well, but there are two issues:

  1. If during the SMTP conversation the sender specifies a bad address in the "MAIL FROM:" command, it will be rejected, but the sender can still issue another "MAIL FROM:" command, and if this second address is accepted, the whole message will be accepted too. I would prefer that the sender has no second chance: if he specifies at least one address rejected by spfmilter, the whole message should be unconditionally rejected.

  2. If the sender has specified valid addresses (accepted by spfmilter), it can issue the DATA command and then put a line (as message body) like this: "From: <me@my.domain.com>". This line is not a part of the SMTP conversation, but it becomes part of the message header (my Outlook displays this address as the sender address). So I want to configure a spamassassin filter test/rule which will mark the message as spam (after the DATA command it is already too late to reject the message) if the sender addresses given in the message header don't match the addresses specified as part of the SMTP conversation, but I don't know how to do this.

Any suggestions?

John Gardeniers
user71061

3 Answers

I use Exim configured with mysql to filter my email. I find the configuration easier to do. Sendmail configuration has always seemed quite cryptic to me.

  1. To prevent a sender from changing the mail_from identity and retrying you will need to add their IP address to a blacklist and enforce the blacklist. If you can get the filter to drop the connection rather than reject the mail_from, then they will need to reconnect to change the mail_from address. I don't think many senders will do so. I'll check my database and update later.

  2. The following rule will check to see if the From address is within the 'example.com' domain. Add these lines to your local.cf file and restart spamassassin. Increase the score when you are confident that it is working correctly. This presumes you are not using spamassassin for outgoing email.

header   LOCAL_FROM_HERE        From =~ /[.@]example.com/
score    LOCAL_FROM_HERE        -0.75
describe LOCAL_FROM_HERE        From header is local address

EDIT: I ran some queries on my database of email data. Of 2500 connections that used a local address in the MAIL FROM command, only 28 retried with a non-local address. This is about a 1% fail rate on just rejecting the use of local addresses in the MAIL FROM command. I found no cases where a server reconnected and tried a non-local address.

Assuming the Envelope_from header is added before spamassassin filters the message both conditions can be combined in a single blacklist entry in local.cf. Again this assumes you do not run spamassassin on outgoing email.

blacklist_from   *@example.com

EDIT2: I use an ACL in Exim to reject the Mail From command if a local domain is used in the address. This applies if the connecting host is not one I consider local. Local hosts include servers on the local network, approved relays, and hosts using an authenticated connection on the submission port (587).

BillThor
  • Thank you for your answer to p. 2 but could you show me an example how to automatically add sender IP to a black list. – user71061 Mar 23 '11 at 15:44
  • @user71061: I haven't tried to do this with sendmail or filters. It would be a simplification of a greylisting scheme. I have considered building an automatic IP blacklist, but haven't seen an indication that it would be a significant advantage. – BillThor Mar 23 '11 at 16:48
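An added example (not part of BillThor's answer) that extends the LOCAL_FROM_HERE idea into the mismatch check asked for in point 2: it scores a message whose header From claims the local domain while the envelope sender from the SMTP MAIL FROM command does not. It assumes the domain is example.com and that the MTA or milter makes the envelope sender visible to SpamAssassin in a header it reads (Return-Path by default, or one named with envelope_sender_header).

```spamassassin
# Added example for local.cf on the inbound sendmail host (assumed domain: example.com).
# SpamAssassin derives the EnvelopeFrom pseudo-header from Return-Path unless told
# otherwise; if your milter stores MAIL FROM in another header, name it here:
# envelope_sender_header X-Envelope-From

# Visible From: header (what Outlook shows) claims the local domain
header   __LOCAL_HDR_FROM   From:addr =~ /\@example\.com$/i

# Envelope sender (the SMTP MAIL FROM address) is in the local domain
header   __LOCAL_ENV_FROM   EnvelopeFrom =~ /\@example\.com\b/i

# Hit only when the visible From is local but the envelope sender is not:
# the case where a remote sender passed SPF under its own domain and then
# forged a local From: line inside DATA. Legitimate mail from the Exchange
# server has both addresses local and does not match.
meta     FORGED_LOCAL_FROM  __LOCAL_HDR_FROM && !__LOCAL_ENV_FROM
describe FORGED_LOCAL_FROM  Header From claims local domain but envelope sender does not
score    FORGED_LOCAL_FROM  4.0
```

Run `spamassassin -t < sample.eml` on a captured forged message to confirm FORGED_LOCAL_FROM fires and that EnvelopeFrom is actually populated in your setup before raising the score.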

Use DKIM. It's like an SPF record, but it publishes a public key. Your server signs emails from your domain with the private key

identificator._domainkey.mydomain.com. IN TXT "v=DKIM1; k=rsa; p=MIG......endofkey"   ; BIND9 zone file syntax, compare the SPF TXT record

and in the ACL, verify the DKIM signature for all incoming mail that claims to be from your domain

DKIM was developed to fight your problem (phishing :) )

MealstroM

+1 to the question.

This sounds like a very common scenario that there should be plenty of sendmail plugins for.

Of course you should have dkim-milter and spfmilter, but they don't solve this exact problem, which sounds easy enough to do by just adding your own filter to reject any mails matching something like egrep -e '^From: .*@my\.domain\.com'

DKIM is very good, but if the mail is not signed, you cannot fail it due to a bad signature. Then you must fail it because it lacks a signature and claims to be from your domain.

MattBianco
  • If a message is not signed and from your domain -- drop it, because DKIM signs messages from your domain. This rule must be added just for your domain. – MealstroM Mar 23 '11 at 14:49
  • But DKIM basically works on the same principle as SPF. Using DKIM instead of SPF only changes the underlying mechanism of verifying the sender, but the main problem remains the same: "How to construct a rule for rejecting a message _because it lacks a DKIM signature or positive SPF verification and claims to be from my domain_"? – user71061 Mar 23 '11 at 14:57
  • To @MealstroM: DKIM can verify the sender, returning the results _true_ or _false_. SPF also verifies the sender but using a different mechanism and returning three possible values: _true_, _false_ or _neutral_. So replacing SPF with DKIM changes my problem from "*IF* SPF test returns _neutral_ *AND* message claims to be from my domain *THEN* ...." to "*IF* DKIM test returns _false_ *AND* message claims to be from my domain *THEN* ..." But the part after *THEN* is the same and I don't know how to construct this part. – user71061 Mar 23 '11 at 15:20
  • To @MealstroM: Notice that I already reject messages based on a negative result of the SPF test at an early stage, but the problem is that the sender can announce himself using another domain name and pass DKIM/SPF verification, but then cheat in a later part of the conversation. – user71061 Mar 23 '11 at 15:24
  • @user71061 Oh. You've got a problem with the X-MAIL-FROM header in the mail's body, and not with a valid sender. OK. Can you check X-HEADER:FROM against FROM: or X-ENVELOPE-FROM: (don't remember which is correct) in spamassassin or by your MTA? – MealstroM Mar 23 '11 at 16:02
  • If you can have an ACL on the MAIL command (as you can in Exim), you can drop the mail long before you get to the point of applying a filter. – BillThor May 06 '11 at 20:25