Sendmail

Anti-Spam Configuration Control

    Overview
    relay_* Features
    Access Database
    Fine Control In The Access Database
    Delay All Checks
    Header Checks

Overview
The primary anti-spam features available in sendmail are:

    Relaying is denied by default.
    Better checking on sender information.
    Access database.
    Header checks.

Relaying (transmission of messages from a site outside your host (class {w}) to another site except yours) is denied by default. Note that this changed in sendmail 8.9; previous versions allowed relaying by default. If you really want to revert to the old behaviour, you will need to use FEATURE(`promiscuous_relay'). You can allow certain domains to relay through your server by adding their domain name or IP address to class {R} using RELAY_DOMAIN() and RELAY_DOMAIN_FILE() or via the Access Database. Note that IPv6 addresses must be prefaced with "IPv6:". The file consists (like any other file based class) of entries listed on separate lines, e.g.,
sendmail.org
128.32
IPv6:2002:c0a8:02c7
IPv6:2002:c0a8:51d2::23f4
host.mydomain.com
[UNIX:localhost]

Notice: the last entry allows relaying for connections via a UNIX socket to the MTA/MSP. This might be necessary if your configuration doesn't allow relaying by other means in that case, e.g., by having localhost.$m in class {R} (make sure $m is not just a top level domain).
relay_* Features

If you use
FEATURE(`relay_entire_domain')

then any host in any of your local domains (that is, class {m}) will be relayed (that is, you will accept mail either to or from any host in your domain).

You can also allow relaying based on the MX records of the host portion of an incoming recipient address by using
FEATURE(`relay_based_on_MX')

For example, if your server receives a recipient of user@domain.com and domain.com lists your server in its MX records, the mail will be accepted for relay to domain.com. This feature may cause problems if MX lookups for the recipient domain are slow or time out. In that case, mail will be temporarily rejected. It is usually better to maintain a list of hosts/domains for which the server acts as relay. Note also that this feature will stop spammers from using your host to relay spam but it will not stop outsiders from using your server as a relay for their site (that is, they set up an MX record pointing to your mail server, and you will relay mail addressed to them without any prior arrangement). Along the same lines,
FEATURE(`relay_local_from')

will allow relaying if the sender specifies a return path (i.e. MAIL FROM: <user@domain>) domain which is a local domain.

This is a dangerous feature as it will allow spammers to spam using your mail server by simply specifying a return address of user@your.domain.com. It should not be used unless absolutely necessary.

A slightly better solution is
FEATURE(`relay_mail_from')

which allows relaying if the mail sender is listed as RELAY in the access map. If an optional argument `domain' is given, the domain portion of the mail sender is also checked to allowing relaying. This option only works together with the tag From: for the LHS of the access map entries (see below: Finer control).

This feature allows spammers to abuse your mail server by specifying a return address that you enabled in your access file. This may be harder to figure out for spammers, but it should not be used unless necessary.

Instead use SMTP AUTH or STARTTLS to allow relaying for roaming users.

If source routing is used in the recipient address (e.g., RCPT TO: <user%site.com@othersite.com>), sendmail will check user@site.com for relaying if othersite.com is an allowed relay host in either class {R}, class {m} if FEATURE(`relay_entire_domain') is used, or the access database if FEATURE(`access_db') is used. To prevent the address from being stripped down, use:
FEATURE(`loose_relay_check')

If you think you need to use this feature, you probably do not. This should only be used for sites which have no control over the addresses that they provide a gateway for. Use this FEATURE with caution as it can allow spammers to relay through your server if not setup properly.

NOTICE: It is possible to relay mail through a system which the anti-relay rules do not prevent:
the case of a system that does use FEATURE(`nouucp', `nospecial') (system A) and relays local messages to a mail hub (e.g., via LOCAL_RELAY or LUSER_RELAY) (system B). If system B doesn't use FEATURE(`nouucp') at all, addresses of the form <example.net!user@local.host> would be relayed to <user@example.net>.
System A doesn't recognize `!' as an address separator and therefore forwards it to the mail hub which in turns relays it because it came from a trusted local host. So if a mailserver allows UUCP (bang-format) addresses, all systems from which it allows relaying should do the same or reject those addresses.

As of 8.9, sendmail will refuse mail if the MAIL FROM: parameter has an unresolvable domain (i.e., one that DNS, your local name service, or special case rules in ruleset 3 cannot locate). This also applies to addresses that use domain literals, e.g., <user@[1.2.3.4]>, if the IP address can't be mapped to a host name. If you want to continue to accept such domains, e.g., because you are inside a firewall that has only a limited view of the Internet host name space (note that you will not be able to return mail to them unless you have some "smart host" forwarder), use
FEATURE(`accept_unresolvable_domains')

Alternatively, you can allow specific addresses by adding them to the access map, e.g.,

From:unresolvable.domain    OK
From:[1.2.3.4]            OK
From:[1.2.4]            OK

Notice: domains which are temporarily unresolvable are (temporarily) rejected with a 451 reply code. If those domains should be accepted (which is discouraged) then you can use
LOCAL_CONFIG
C{ResOk}TEMP

sendmail will also refuse mail if the MAIL FROM: parameter is not fully qualified (i.e., contains a domain as well as a user). If you want to continue to accept such senders, use
FEATURE(`accept_unqualified_senders')

Setting the DaemonPortOptions modifier 'u' overrides the default behavior, i.e., unqualified addresses are accepted even without this FEATURE. If this FEATURE is not used, the DaemonPortOptions modifier 'f' can be used to enforce fully qualified domain names.
Access Database

An ``access'' database can be created to accept or reject mail from selected domains. For example, you may choose to reject all mail originating from known spammers. To enable such a database, use
FEATURE(`access_db')

Notice: the access database is applied to the envelope addresses and the connection information, not to the header.

The FEATURE macro can accept as second parameter the key file definition for the database; for example
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access_map')

Notice: If a second argument is specified it must contain the option `-T<TMPF>' as shown above. The optional third and fourth parameters may be `skip' or `lookupdotdomain'. The former enables SKIP as value part (see below), the latter is another way to enable the feature of the same name.

Remember, since /etc/mail/access is a database, after creating the text file as described below, you must use makemap to create the database map. For example:
makemap hash /etc/mail/access < /etc/mail/access

The table itself uses e-mail addresses, domain names, and network numbers as keys. Note that IPv6 addresses must be prefaced with "IPv6:". For example,

spammer@aol.com            REJECT
cyberspammer.com        REJECT
TLD                REJECT
192.168.212            REJECT
IPv6:2002:c0a8:02c7        RELAY
IPv6:2002:c0a8:51d2::23f4    REJECT

would refuse mail from spammer@aol.com, any user from cyberspammer.com (or any host within the cyberspammer.com domain), any host in the entire top level domain TLD, 192.168.212.* network, and the IPv6 address 2002:c0a8:51d2::23f4. It would allow relay for the IPv6 network 2002:c0a8:02c7::/48.

The value part of the map can contain:
OK    Accept mail even if other rules in the running ruleset would reject it, for example, if the domain name is unresolvable. "Accept" does not mean "relay", but at most acceptance for local recipients. That is, OK allows less than RELAY.
RELAY    Accept mail addressed to the indicated domain or received from the indicated domain for relaying through your SMTP server. RELAY also serves as an implicit OK for the other checks.
REJECT    Reject the sender or recipient with a general purpose message.
DISCARD    Discard the message completely using the $#discard mailer. If it is used in check_compat, it affects only the designated recipient, not the whole message as it does in all other cases. This should only be used if really necessary.
SKIP    This can only be used for host/domain names and IP addresses/nets. It will abort the current search for this entry without accepting or rejecting it but causing the default action.
### any text    where ### is an RFC 821 compliant error code and "any text" is a message to return for the command. The string should be quoted to avoid surprises, e.g., sendmail may remove spaces otherwise. This type is deprecated, use one the two ERROR: entries below instead.
ERROR:### any text    as above, but useful to mark error messages as such.
ERROR:D.S.N:### any text    where D.S.N is an RFC 1893 compliant error code and the rest as above.

For example:

cyberspammer.com    ERROR:550 "We don't accept mail from spammers"
okay.cyberspammer.com    OK
sendmail.org        RELAY
128.32            RELAY
IPv6:1:2:3:4:5:6:7    RELAY
[127.0.0.3]        OK
[IPv6:1:2:3:4:5:6:7:8]    OK

would accept mail from okay.cyberspammer.com, but would reject mail from all other hosts at cyberspammer.com with the indicated message. It would allow relaying mail from and to any hosts in the sendmail.org domain, and allow relaying from the 128.32.*.* network and the IPv6 1:2:3:4:5:6:7:* network. The latter two entries are for checks against ${client_name} if the IP address doesn't resolve to a hostname (or is considered as "may be forged"). That is, using square brackets means these are host names, not network numbers.

Warning: if you change the RFC 821 compliant error code from the default value of 550, then you should probably also change the RFC 1893 compliant error code to match it.

For example, if you use
user@example.com ERROR:450 mailbox full

the error returned would be "450 5.0.0 mailbox full" which is wrong. Use "ERROR:4.2.2:450 mailbox full" instead.

Note, UUCP users may need to add hostname.UUCP to the access database or class {R}.

If you also use:
FEATURE(`relay_hosts_only')

then the above example will allow relaying for sendmail.org, but not hosts within the sendmail.org domain. Note that this will also require hosts listed in class {R} to be fully qualified host names.

You can also use the access database to block sender addresses based on the username portion of the address. For example:
FREE.STEALTH.MAILER@    ERROR:550 Spam not accepted

Note that you must include the @ after the username to signify that this database entry is for checking only the username portion of the sender address.

If you use:
FEATURE(`blacklist_recipients')

then you can add entries to the map for local users, hosts in your domains, or addresses in your domain which should not receive mail:

badlocaluser@        ERROR:550 Mailbox disabled for this username
host.mydomain.com    ERROR:550 That host does not accept mail
user@otherhost.mydomain.com    ERROR:550 Mailbox disabled for this recipient

This would prevent a recipient of badlocaluser@mydomain.com, any user at host.mydomain.com, and the single address user@otherhost.mydomain.com from receiving mail.

Please note: a local username must be now tagged with an @ (this is consistent with the check of the sender address, and hence it is possible to distinguish between hostnames and usernames). Enabling this feature will keep you from sending mails to all addresses that have an error message or REJECT as value part in the access map. Taking the example from above:

spammer@aol.com        REJECT
cyberspammer.com    REJECT

Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com.

There are several DNS based blacklists, the first of which was the RBL (``Realtime Blackhole List'') run by the MAPS project, see http://mail-abuse.org/. These are databases of spammers maintained in DNS. To use such a database, specify
FEATURE(`dnsbl')

This will cause sendmail to reject mail from any site in the original Realtime Blackhole List database. This default DNS blacklist, blackholes.mail-abuse.org, is a service offered by the Mail Abuse Prevention System (MAPS). As of July 31, 2001, MAPS is a subscription service, so using that network address won't work if you haven't subscribed. Contact MAPS to subscribe (http://mail-abuse.org/).

You can specify an alternative RBL server to check by specifying an argument to the FEATURE. The default error message is
Mail from IP-ADDRESS refused by blackhole site SERVER

where IP-ADDRESS and SERVER are replaced by the appropriate information. A second argument can be used to specify a different text. By default, temporary lookup failures are ignored and hence cause the connection not to be rejected by the DNS based rejection list. This behavior can be changed by specifying a third argument, which must be either `t' or a full error message. For example:
FEATURE(`dnsbl', `dnsbl.example.com', `', `"451 Temporary lookup failure for " $&{client_addr} " in dnsbl.example.com"')

If `t' is used, the error message is:
451 Temporary lookup failure of IP-ADDRESS at SERVER

where IP-ADDRESS and SERVER are replaced by the appropriate information.

This FEATURE can be included several times to query different DNS based rejection lists, e.g., the MAPS Dial-Up User List (DUL).

Notice: to avoid checking your own local domains against those blacklists, use the access_db feature and add:

Connect:10.1        OK
Connect:127.0.0.1    RELAY

to the access map, where 10.1 is your local network. You may want to use "RELAY" instead of "OK" to allow also relaying instead of just disabling the DNS lookups in the backlists.

The features described above make use of the check_relay, check_mail, and check_rcpt rulesets. If you wish to include your own checks, you can put your checks in the rulesets Local_check_relay, Local_check_mail, and Local_check_rcpt. For example if you wanted to block senders with all numeric usernames (i.e. 2312343@bigisp.com), you would use Local_check_mail and the regex map:

LOCAL_CONFIG
Kallnumbers regex -a@MATCH ^[0-9]+$

LOCAL_RULESETS
SLocal_check_mail
# check address against various regex checks
R$*                $: $>Parse0 $>3 $1
R$+ < @ bigisp.com. > $*    $: $(allnumbers $1 $)
R@MATCH                $#error $: 553 Header Error

These rules are called with the original arguments of the corresponding check_* ruleset. If the local ruleset returns $#OK, no further checking is done by the features described above and the mail is accepted. If the local ruleset resolves to a mailer (such as $#error or $#discard), the appropriate action is taken. Otherwise, the results of the local rewriting are ignored.