[SOLVED] SMTP reject invalid or unknown users

[thatitguy]

Hi all
I'm having a persistent and becoming more annoying issue:
Scalix accepts all email bound for my domain, even if it's no non-existent addresses.

I.e.: mail sent from the internet to unvaliduser@mydomain.com is accepted by omsmtpd, then scalix attempts to bounce the message back, creating backscatter and mucking things up.

Traditionally, I've installed an SMTP gateway that had a list of valid addresses on it. I wrote a php script that I ran hourly on the Scalix server that would create a virtusertable and ship it over to the gateway, and the gateway, now having an authoritative list of valid addresses would reject the *thousands) of attempts at random, non-existent mailboxes that come in everyday.

However, I've started to use Untangle which is not so easy to send a recipient list to (as it's a transparent proxy). As a result, I'm getting tons of backscatter and worse, the Untangle box is sending non-existent users their Untangle digests every day. *grumble*.

So my question is this: is there a way to have the outward fasing smtp engine on Scalix reject mail bound to non-existent mailboxes *before it is accepted*?

Thanks very much for your help as always!
Rubin[/url]

[Valerion]

omsmptd can't do this, because there may very well be users handled by sendmail in the background. As a matter of fact, unless addresses like MAILER-DAEMON@domain is defined as a Scalix mailbox, doing so would not be RFC compliant, only sendmail usually carries the aliases for the system-type accounts.

However, you can use LDAP to pull the information out of Scalix and build a list, but I don't know if Untangle can do this.

[adhodgson]

Hi,

We are in the same situation and got it to work like this:

RELAY accept 127.0.0.1
RELAY accept .domain1.com
RELAY accept .domain2.com
RELAY accept .domain3.com
RELAY accept 10.1.1.0/255.255.255.0
RELAY accept 10.1.2.0/255.255.255.0
RELAY Log_Reject ALL

The golden rule is never put your machine here that acts as your primary MX - i.e, the untangle server, because if you do, you will get the same problem - i.e, Scalix will relay your mail to Sendmail, and it will cause a loop.

I am not sure how Untangle works, the Spamtitan server we have here acts as primary MX, then relays everything to Scalix. It does SMTP callouts before accepting the message, and if Scalix gives a 5xx response, it counts this as an unknown user.

The documentation in smtpd.cfg seems to suggest that the RELAY ACCEPT .domain1.com line will accept messages where the PTR record ends in .domain1.com, but I have found this not to be the case.

Thanks.
Andrew.

[thatitguy]

The problem is that we really want to run Untangle as a bridge not a NAT gateway. I'm a big fan of the 'many layers' security model, and running Untangle bridged is a simple way to add a layer without adding complexity to our network diagram and subnetting.

Still hoping there's a way to do what I outlined in my previous post.

Rubin

[adhodgson]

Rubin,

If I understand your issue, it is that you want Untangle to monitor the traffic over SMTP, but you need to get Scalix to reject unknown users.

When you connect to the external IP address over port 25 externally, do you get a Scalix banner or something else? If you get a Scalix banner, then you need to check whether Untangle is presenting Scalix the IP address of the remote client. If it is, then I believe my suggestion will work.

I also forgot to add that you need to put the domains you are hosting on Scalix into /etc/mail/local-host-names, then Sendmail behind omsmtpd will treat those domains as final destinations, and generate the 5xx response that is then passed back to Omsmtpd.

Thanks.
Andrew.

[thatitguy]

You are so right... it was the local-host-names line that did the trick.

Thank you very much for the pointer - I always configure that in a non-Scalix installation but forgot about it completely on my Scalix installs.

Thanks again
Rubin