Large Prod Env Mail Host Was [Re: ClamAV Feedback]
Paul Howarth
paul at city-fan.org
Wed Oct 27 08:57:19 UTC 2004
Ow Mun Heng wrote:
> I couldn't locate a check_mail and check_rcpt in sendmail's Doc (in
> /usr/share/doc)
check_mail and check_rcpt are rulesets in the sendmail.cf configuration file.
They're probably explained in the sendmail operations guide (?) in the
sendmail-doc package.
> What I did find was just references to it. I did find this though
> loose_relay_check
> Normally, if % addressing is used for a recipient, e.g.
> user%site@othersite, and othersite is in class {R}, the
> check_rcpt ruleset will strip @othersite and recheck
> user@site for relaying. This feature changes that
> behavior. It should not be needed for most installations.
>
> But that is only useful if you're using a single email account to forward to multiple users
> within your organisation. (but this would need intervention from your ISP to get them
> to implement the % thingy)
There was a time when % routing was widely implemented. Not now I suspect, but
this isn't what the OP was talking about anyway.
> I believe you're building sendmail yourself then. How does one check if
> using rpm(?) Do you know? (I'm booted into gentoo and I know sendmail is
> compiled with ldap support)
Run: sendmail -d0.10 < /dev/null
The output should include LDAPMAP.
> If I understand your explanation of check_mail and check_rcpt correctly,
> it only adds a level of security/anti-relay check correct?
check_mail and check_rcpt are rulesets called by sendmail when the SMTP MAIL
FROM: and RCPT TO: commands are issued respectively [actually that's not
strictly true if FEATURE(`delay_checks') is being used, but it's the same
principle]. Just about any sort of check that can be expressed in rulesets can
be done at these times. For instance, I check that the connecting client isn't
trying to forge my hostname or IP address in their SMTP HELO greeting. I also
use checks in these rulesets to reject mail from domains whose MX records are
in IP space controlled by certain spammers.
> You're
> already using TLS, how about using SASL as well? Postfix can also query
> against LDAP, so theoretically (anyway) check_mail and check_rcpt can
> also be done. (also with a MySQL backend, much like LDAP, that could
> also be a solution right?)
LDAP and SASL shouldn't be a problem for any decent MTA. The point is that
sendmail's rulesets are *extremely* versatile and can be used for a wide
variety of checks, if you can understand sendmail's configuration language
(which is not easy). I think similar things can be done in Postfix using
perl-based "policy daemons".
>>This is also where Bogofilter is
>>called if we do spam filtering.
>
> Stupid Question. Is SpamAssassin via spamass-milter (the milter side)
> slower or more resource intensive compared to bogofilter?
SpamAssassin does much more than bogofilter so I'd expect it to be more
resource intensive. Since I don't use either though, I couldn't say definitively.
I'm sure the OP will address your other points.
Paul.
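
The HELO forgery check described in the message, sketched as the decision logic of a Postfix policy daemon. This is an added example, not part of the original post and not the poster's sendmail rulesets. It is written in Python rather than Perl, it speaks the Postfix policy delegation format (name=value lines ended by an empty line), and the host names, addresses and trusted networks are assumed values.

```python
import ipaddress

# Assumed identity of the receiving server (constructed, documentation ranges).
MY_NAMES = {"mail.example.org", "example.org"}
MY_ADDRS = {ipaddress.ip_address("192.0.2.25")}
# Clients allowed to use our name, e.g. the host itself and local relays.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def helo_claims_us(helo):
    """True if the HELO argument is one of our names or address literals."""
    helo = helo.strip().rstrip(".").lower()
    if helo in MY_NAMES:
        return True
    literal = helo.strip("[]")          # accept [192.0.2.25] and 192.0.2.25
    try:
        return ipaddress.ip_address(literal) in MY_ADDRS
    except ValueError:
        return False

def decide(attrs):
    """Return the policy action for one request."""
    try:
        client = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"                  # no usable client address: do not judge
    if any(client in net for net in TRUSTED_NETS):
        return "DUNNO"
    if helo_claims_us(attrs.get("helo_name", "")):
        return "REJECT HELO name forges this server's identity"
    return "DUNNO"

def respond(text):
    """Build the reply Postfix expects: action=... followed by an empty line."""
    return "action=%s\n\n" % decide(parse_request(text))

# Constructed sample request, as sent for an outside client using our name.
SAMPLE = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
          "helo_name=mail.example.org\nclient_address=203.0.113.7\n\n")
```

DUNNO hands the decision on to the next restriction, so the check only ever adds a rejection and never whitelists a client.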