configuring sendmail to reject spoofed email addresses

Donald Tyler dtyler at frazerbilt.com
Wed Jul 21 12:27:33 UTC 2004


Thanks to everyone for the replies.

Yes I see now that it would cause problems with mailing lists...

I know how to block specific domains, but the sheer volume of domains that
sends junk mail makes that unmanageable (Apart from the fact that we also
get legitimate mail from some of those domains).

Steve's method of stopping people from spoofing his own domain sounds like
something I could use. I will look into implementing that in SendMail (any
info on how to do this would be appreciated).

Our SMTP server requires authentication, so I should be able to set it up
exactly as Steve has (assuming SendMail is capable of this).

Thanks again for all your help.


Donald Tyler

-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of Cowles, Steve
Sent: Tuesday, July 20, 2004 10:04 AM
To: 'General Red Hat Linux discussion list'
Subject: RE: configuring sendmail to reject spoofed email addresses

Donald Tyler wrote:
> Hi,
> 
> Like everyone else, our junkmail is getting horrendous. Most of the
> emails we receive use an email for the "From" section of the header,
> but it doesn't match the email in the "Return-Path" section.
> 
> My question is this:
> 
> Is there any way to configure sendmail so that if there is an email
> address in the "From" section, and it does not match the
> "Return-Path" section, for it to reject the email?
> 
> Thanks in advance
> 
> 
> Donald Tyler

Donald,

First, I no longer use sendmail as my MTA, so I can't answer your question
directly. I now use postfix.

Second, if I understand your post correctly, you are wanting to configure
sendmail to test against the "Return-Path" header. According to RFC-822,
this particular header entry is added by the LDA (like procmail), not
sendmail.

Third, so that you can ask your question using terminology that everyone
will understand, look at the following sections of an e-mail... Basically an
e-mail is broken up into envelope, header and body sections.

# telnet mail.mydomain.com 25
220 mail.mydomain.com ESMTP Postfix (2.1.1)  --> Start of envelope
helo mail.remote_mta.com
250 mail.mydomain.com
mail from: <scowles at mydomain.com>            --> envelope from
250 Ok
rcpt to: <scowles at mydomain.com>              --> envelope to
554 <scowles at mydomain.com>: Envelope address rejected, Go Away!
rset                                         --> Let's start over
250 Ok
mail from: <steve_cowles at other.com>          --> envelope from
250 Ok
rcpt to: <scowles at mydomain.com>              --> envelope to
250 Ok
data                            --> End envelope, start header
354 End data with <CR><LF>.<CR><LF> 
From: Steve Cowles <steve_cowles at other.com>   --> Header from
To: Steve Cowles <scowles at mydomain.com>       --> Header to
Subject: This is a test.                      --> Header subject
                           --> Blank line, end header, start body
This is line 1 of body.
This is line 2 of body.
.                          --> End body, submit to defined mailer
250 Ok: queued as ADAF839CA
quit
221 Bye

Note the 554 reject line
  554 <scowles at mydomain.com>: Envelope address rejected, Go Away!

I have postfix configured to reject anyone claiming to be from mydomain.com
when specified as the envelope from address, not the header from. 

Is this possibly what you're wanting sendmail to test?

BTW: If I was to test the header from for mydomain.com, then I could no
longer accept e-mail from the redhat list servers. Check the headers of this
e-mail.

Hopefully the above will help you understand exactly what you want to test
and give you some pointers on where to implement this in sendmail. If I
remember right, the /etc/mail/access file tests the envelope from/to
addresses. i.e.

mydomain.com	REJECT

This is basically how I configure postfix, but I also have to allow SMTP
AUTH clients to specify an envelope sender being from mydomain.com.
Fortunately, postfix works on the basis of the "First Test Wins" methodology.
So the ordering of my tests is critical.

Steve Cowles
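
Added example (not part of the thread, and not either poster's configuration): a small Python model of the policy described above, in which only the envelope sender is tested against the local domain and the first rule to give a verdict wins. The rule names, LOCAL_DOMAIN and all addresses are constructed for illustration and are not Postfix or sendmail settings.

```python
# Added illustration: toy model of an ordered, first-match-wins sender policy.
# LOCAL_DOMAIN and every address below are constructed sample values.
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "mydomain.com"

def domain(addr):
    """Lower-cased domain part of an address."""
    return addr.rpartition("@")[2].lower()

def permit_authenticated(session):
    # SMTP AUTH clients may use the local domain as envelope sender.
    return "permit" if session["authenticated"] else None

def reject_local_envelope_sender(session):
    # Tests the envelope sender (MAIL FROM), never the header From.
    if domain(session["mail_from"]) == LOCAL_DOMAIN:
        return "reject"
    return None

def evaluate(rules, session):
    """Return the verdict of the first rule that gives one; default permit."""
    for rule in rules:
        verdict = rule(session)
        if verdict is not None:
            return verdict
    return "permit"

GOOD_ORDER = [permit_authenticated, reject_local_envelope_sender]
BAD_ORDER = [reject_local_envelope_sender, permit_authenticated]

def header_from(data):
    """Address in the From: header of the DATA section."""
    return parseaddr(message_from_string(data)["From"])[1]

# Constructed sessions: a spoofer, an authenticated local user, a list post.
SPOOF = {"mail_from": "scowles@mydomain.com", "authenticated": False}
LOCAL_USER = {"mail_from": "scowles@mydomain.com", "authenticated": True}
LIST_POST = {"mail_from": "list-bounces@lists.example", "authenticated": False}
LIST_DATA = "From: Steve Cowles <scowles@mydomain.com>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for name, s in [("spoof", SPOOF), ("local user", LOCAL_USER),
                    ("list post", LIST_POST)]:
        print(name, evaluate(GOOD_ORDER, s), evaluate(BAD_ORDER, s))
    print("list post header From domain:", domain(header_from(LIST_DATA)))
```

With the rules in BAD_ORDER the authenticated local user is rejected along with the spoofer, which is the ordering problem mentioned above; the list post is accepted in either order because its header From is never tested.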

