
I have a small problem with my sendmail server and need a little help from you :-)

My situation is as follow:

User mailboxes are placed on an MS Exchange server and all mail to and from the outside world is relayed through my sendmail box.

Exchange server ----- sendmail server ------ Internet

My servers accept messages for one main domain (say, my.domain.com) and for a few other domains (let us narrow it to just one, say my_other.domain.com). After configuring sendmail with the abbreviated sendmail.mc file shown below, essentially everything works OK, but there is a small problem. I want to reject messages addressed to non-existent recipients as soon as possible (to avoid sending non-delivery reports), so my sendmail server makes LDAP queries to the Exchange server, validating every recipient address. This works well for both domains but not for subdomains. Such subdomains do not exist, but someone (I mean those hated spammers :-) could try addresses like this:

user@any_host.my.domain.com

or

user@any_host.my_other.domain.com

and for those addresses the results are as follows:

  1. Messages to user@sendmail_hostname.my.domain.com are rejected with the error "Unknown user" (due to the additional LDAPROUTE_DOMAIN line in my sendmail.mc file; this is the expected behaviour).
  2. Messages to user@any_other_hostname.my.domain.com are rejected with the error "Relaying denied". It is a little strange to me why the error is different this time, but still OK. After all, the message was rejected and I don't care very much what error code is returned to the sender (spammer).
  3. Messages to user@sendmail_hostname.my_other.domain.com and user@any_other_hostname.my_other.domain.com are rejected with the error "Unknown user", but only when there is no user@my_other.domain.com mailbox (on the Exchange server). If such a mailbox exists, then all three addresses (i.e. user@my_other.domain.com, user@sendmail_hostname.my_other.domain.com and user@any_other_hostname.my_other.domain.com) are accepted. (Adding the additional line LDAPROUTE_DOMAIN(my_sendmail_host.my_other.domain.com) to my sendmail.mc file doesn't change anything.)

My abbreviated sendmail.mc file is as follows (sendmail 8.14.3-5). Both domains are listed in the /etc/mail/local-host-names file (FEATURE(use_cw_file)):

```m4
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl
define(`confRUN_AS_USER',`smmta:smmsp')dnl

FEATURE(`no_default_msa')dnl
define(`confPRIVACY_FLAGS',`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`access_db', , `skip')dnl
FEATURE(`always_add_domain')dnl
MASQUERADE_AS(`my.domain.com')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl

dnl define(`confLDAP_DEFAULT_SPEC',`-p 389 -h my_exchange_server.my.domain.com -b dc=my,dc=domain,dc=com')dnl
dnl define(`ALIAS_FILE',`/etc/aliases,ldap:-k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0)) -v mail')dnl

FEATURE(`ldap_routing',, `ldap -1 -T<TMPF> -v mail -k proxyAddresses=SMTP:%0', `bounce')dnl
LDAPROUTE_DOMAIN(`my.domain.com')dnl
LDAPROUTE_DOMAIN(`my_other.domain.com')dnl
LDAPROUTE_DOMAIN(`my_sendmail_host.my.domain.com')dnl
define(`confLDAP_DEFAULT_SPEC', `-p 389 -h "my_exchange_server.my.domain.com" -d "CN=sendmail,CN=Users,DC=my,DC=domain,DC=com" -M simple -P /etc/mail/ldap-secret -b "DC=my,DC=domain,DC=com"')dnl

FEATURE(`nouucp',`reject')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`MAIL_HUB',`my_exchange_server.my.domain.com.')dnl
FEATURE(`stickyhost')dnl

MAILER_DEFINITIONS
MAILER(smtp)dnl
```

Could someone more experienced with sendmail advise me how to reject messages to those unwanted subdomains?

P.S. Mailboxes @my_other.domain.com are used only for receiving messages and never for sending.

user71061
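The recipient check the question is asking for, modelled in Python as an added example (not sendmail's code and not the poster's configuration): the recipient domain must match one of the local-host-names domains exactly, so a subdomain such as any_host.my_other.domain.com is refused before any directory lookup, and only exact matches go on to the proxyAddresses lookup that FEATURE(ldap_routing) performs. The directory entries and reply texts are constructed for the example.

```python
# Added illustration of the desired RCPT TO decision; not sendmail's own logic.

# Domains listed in /etc/mail/local-host-names in the question.
ACCEPTED_DOMAINS = {"my.domain.com", "my_other.domain.com"}

# Constructed stand-in for the Exchange/AD directory: each entry's
# proxyAddresses attribute, as the query `proxyAddresses=SMTP:%0` would see it.
DIRECTORY = [
    {"mail": "user@my.domain.com",
     "proxyAddresses": ["SMTP:user@my.domain.com",
                        "smtp:user@my_other.domain.com"]},
    {"mail": "alice@my.domain.com",
     "proxyAddresses": ["SMTP:alice@my.domain.com"]},
]


def ldap_route(rcpt, directory=DIRECTORY):
    """Mimic the ldap_routing lookup: return the mailbox whose proxyAddresses
    contains the recipient (AD matches this attribute case-insensitively)."""
    needle = "smtp:" + rcpt.lower()
    for entry in directory:
        if needle in (addr.lower() for addr in entry["proxyAddresses"]):
            return entry["mail"]
    return None


def rcpt_decision(rcpt, accepted=ACCEPTED_DOMAINS, directory=DIRECTORY):
    """Return the SMTP reply for RCPT TO:<rcpt>.

    The domain test is an exact set membership, not a suffix match, so
    user@any_host.my_other.domain.com is refused before any LDAP query,
    even when user@my_other.domain.com is a real mailbox."""
    local, sep, domain = rcpt.rpartition("@")
    if not sep or not local:
        return "553 5.1.3 Bad recipient address syntax"
    domain = domain.lower().rstrip(".")
    if domain not in accepted:
        # A subdomain of a domain we serve is still not a domain we serve.
        if any(domain.endswith("." + d) for d in accepted):
            return "550 5.1.2 Domain not accepted: " + domain
        return "550 5.7.1 Relaying denied"
    if ldap_route(rcpt, directory) is None:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient ok"
```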

1 Answer


In the configuration README you will see that using MAIL_HUB redirects all incoming mail to a centralized hub. Since you have LDAP routing, comment out the MAIL_HUB entry.

adamo
  • I have tried removing the MAIL_HUB directive, but then **all** messages addressed to `any_user@my_other.domain.com` are rejected with the error "User unknown". I think that I need the right combination of MAIL_HUB, stickyhost and LOCAL_RELAY, but could not figure it out. – user71061 Mar 15 '11 at 10:04
  • Is user1@my.domain.com equivalent to user1@my_other.domain.com? – adamo Mar 15 '11 at 10:45
  • Sometimes. Every user1@my_other.domain.com also has the address user1@my.domain.com, but the opposite is not always true. – user71061 Mar 15 '11 at 10:53
  • First of all, you do not need MAIL_HUB. Now let us concentrate on the "User unknown" error for @my_other.domain.com users. What happens when you query the Exchange server via LDAP from the sendmail host for those users from the command line? – adamo Mar 15 '11 at 14:23
  • I'm sorry but I could not construct a valid ldapsearch command (it has different option letters from the LDAP client built into sendmail). Could you show me how I should do this? (I have already tried: `ldapsearch -p 389 -h my_exchange_host -D "CN=user_name,CN=Users,DC=my,DC=domain,DC=com" -y /etc/mail/ldap-secret -b "DC=my,DC=domain,DC=com" -v mail "(&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:user@my_other.domain.com))"`, but receive the error: "ldap_sasl_interactive_bind_s: Unknown authentication method (-6)".) I'm sorry, but I completely don't understand LDAP. – user71061 Mar 15 '11 at 15:21
  • Do you have the GSSAPI libraries installed on your system? Does the error message come with an "additional info" message? – adamo Mar 15 '11 at 17:00
  • I suppose yes - I have installed the package libgssglue1 (with the file /usr/lib/libgssglue.so.1.0.0). But LDAP queries work from sendmail. Using the recipient address `user@any_host.my_other.domain.com`, the sendmail server responds with code 250 if there is a mailbox for 'user' and with code 550 when such a mailbox does not exist. The problem is that when the user mailbox exists (e.g. 'user@my_other.domain.com') it responds with code 250 also for the address 'user@anything.my_other.domain.com'. I think it is more a sendmail problem than an LDAP one. – user71061 Mar 15 '11 at 17:31
  • If you have MAIL_HUB defined, how do you know that sendmail queries Exchange? Do you tcpdump port 389 or have relevant logs that show that LDAP queries for @domain.com are executed? – adamo Mar 15 '11 at 17:49
  • Because my sendmail server itself knows nothing about the existence or non-existence of particular mailboxes, but nevertheless it responds correctly with code 250 if the user mailbox exists or 550 when not. It can check this only with LDAP ... – user71061 Mar 15 '11 at 20:01
  • Remove MAIL_HUB, keep stickyhost and keep only your domain.com. Does it still work for user@domain.com? If yes, then add my_other.domain.com. Try to locate errors in the Exchange logs to see what is queried. – adamo Mar 16 '11 at 14:52
  • FWIW, I have solved this problem on our systems using MIMEDefang and md_check_against_smtp_server() and not LDAP. – adamo Mar 17 '11 at 09:01
  • Thank you for your efforts. I have also solved this in a similar manner - by adding `*@*.my.domain.com` and `*@*.my_other.domain.com` to the SpamAssassin blacklist. This way unwanted messages are accepted, but at least are definitely marked as spam (that's why I call it a "workaround" only). – user71061 Mar 17 '11 at 17:32
  • Well, there's an even better solution, assuming that for example bit-bucket is aliased to /dev/null. See http://pastebin.com/4qDgnRCC on how to modify ruleset 0 to silently discard them. – adamo Mar 17 '11 at 19:56