Scalix not rejecting mail for unknown local users
Posted: Thu Nov 15, 2007 12:24 am
by misc
Hello, I've got postfix integrated into Scalix and it works OK except for the fact that the Scalix mail service is not rejecting mail right away for unknown users (which doesn't have anything to do with postfix):
[root@host postfix]# telnet localhost 10025
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 host.mydomain.com ESMTP Scalix SMTP Relay 11.2.0.11121; Thu, 15 Nov 2007 13:10:02 +1000 (EST)
mail from:<me@somewhere.com>
250 me@somewhere.com... Sender ok
rcpt to:<nobodyhere@host.mydomain.com>
250 Ok
quit
221 host.mydomain.com closing connection
Connection closed by foreign host.
Is there anything I can do to reject unknown users at the door? For the record, I have postfix set up to reject unknown recipients but obviously it won't work properly if the Scalix mail service doesn't do this either.
Posted: Thu Nov 15, 2007 4:08 am
by Valerion
The problem here is that Scalix does not actually know which users exist. Yes, it knows which users are internally configured, but it cannot easily find out what is configured in sendmail / postfix / <insert mailer here>. So it accepts, then passes the ones it doesn't know about to the local mailer and has that deal with whatever is remaining (accept, bounce, etc).
You can set up postfix to listen on port 25 instead of Scalix, then have it bounce (as it knows what it can accept), but then you have to find a way of telling it what is valid in Scalix (either a list or via LDAP). Or set up a relay server containing the same information.
Posted: Thu Nov 15, 2007 10:29 pm
by misc
Hi, thanks for the reply.
Is there a way to make Scalix so that it will reject mail if it doesn't match any of its internal users? I have got Postfix already configured to listen on port 25, so it does all the mail routing. If there's an email destined for the Scalix service then Postfix hands it off to there and there is no reason for Scalix then to send it back to the mailer to process if the user doesn't exist internally.
I guess it also explains why I am getting a mail loop. Unknown user gets sent to Scalix, then if the user doesn't exist it sends it back to the mailer, then gets sent back into Scalix, repeat until Postfix realizes a loop is occurring.
I can always set up Postfix so that it checks a file for valid recipients before accepting the mail but would be a pain to maintain. I suppose I could get it to check for valid recipients by making it check the Scalix LDAP server first...
Posted: Fri Nov 16, 2007 2:44 am
by misc
I managed to get this going and posted my results here:
viewtopic.php?p=42300#42300
Posted: Fri Nov 23, 2007 1:40 pm
by a.schild
Hello,
we have the same problem, that sendmail-scalix is accepting non-existing users, which causes our incoming mailserver to grow a very large active queue.
Our setup is as follows:
We have a main incoming mailserver with postfix who does either a direct local delivery to cyrus, or then relay for several different domains to the final mta.
If the final mta is a sendmail-scalix, then the mail is accepted at the incoming mailserver but the rejects are only done later.
Today we are under a heavy attack for one of the scalix-hosted domains and now have an active queue growing on the postfix server with ~2000 mails per hour. (Actually 14'000 mails since midnight)
Of course, if sendmail-scalix would tell postfix that the addresses are not valid they would get rejected immediately, saving a great lot of spam/virus processing.
Is there really no way to tell sendmail-scalix to reject the non-existing users?
As far as I understand, all valid email destinations are in the scalix ldap server....
I would rather not set up yet another postfix server just for this...
André
Posted: Fri Nov 23, 2007 11:23 pm
by misc
Yes there is a way. You get Postfix to use local_recipient_maps and put your transport maps in that. Then set up a scalix transport that connects to the scalix ldap server. It's all explained in the Postfix howto, except for the part where you need to add transport_maps to local_recipient_maps. It's explained in the URL above.
Posted: Sun Nov 25, 2007 3:12 pm
by a.schild
misc wrote: Yes there is a way. You get Postfix to use local_recipient_maps and put your transport maps in that. Then set up a scalix transport that connects to the scalix ldap server. It's all explained in the Postfix howto, except for the part where you need to add transport_maps to local_recipient_maps. It's explained in the URL above.
Hello,
thanks for your answer.
Yes, I was aware of that possible solution, but since scalix doesn't support postfix configuration I would rather like a sendmail only solution...
That is what I would like to see...
André
Posted: Sun Nov 25, 2007 7:52 pm
by misc
Oh, in that case then, I'm not really sure sorry. Sendmail must have an equivalent way of using LDAP lookup lists but I'm not sure how to do that.
I would recommend the Postfix approach, it really is a lot better at handling mail than Sendmail.
Posted: Mon Nov 26, 2007 4:08 am
by Valerion
Sendmail is IMO at least as capable as postfix, though that is a topic for a heated discussion, not appropriate here.
To get sendmail LDAP information into sendmail is fairly easy, but I believe beyond the scope of this forum. Google returns quite a few useful links. Two that drew my attention:
http://fedoranews.org/cms/node/927
http://www.faqs.org/docs/Linux-HOWTO/LD ... HOWTO.html
Posted: Mon Nov 26, 2007 4:25 am
by a.schild
Valerion wrote: Sendmail is IMO at least as capable as postfix, though that is a topic for a heated discussion, not appropriate here.
Why should it be beyond the scope of this forum?
We are not doing this just for fun, or because it's nice to have it.
In the last month we got hit 3 times by large spam attacks. Always large amounts of spam to addresses in the form
111111@mydomain.com ...
zzzzzz@mydomain.com.
We had a reject rate of 12000 Messages per minute and a "temporary" accept rate of ~300 messages per minute.
These 300 messages per minute had then to go through the virus and spam scanning and have then been rejected by sendmail.
Of course our virus/spam engine was not able to keep up with that large amount of mails and did create a backlog of ~20000 messages. This then delayed all legitimate traffic from/to our site for 3-8 hours.
In my opinion, this is a weakness in the sendmail configuration on the scalix box.... ?
I will look at the links and post a solution when I find one with sendmail.
Thanks.
Posted: Mon Nov 26, 2007 7:24 am
by Valerion
That volume is quite impressive, and I can see that causing an issue.
I have thought of doing that myself in the past, more than once, to be honest, but I simply didn't have the time to implement it yet. Having some comments from someone who did it before would be very good to refer to.
Posted: Mon Nov 26, 2007 8:41 am
by misc
I can't think of any reason why you wouldn't want to drop any mail at the front door to any user that does not exist. The only disadvantage is that people can brute force to find out which mail accounts are valid.
These days you really want to reject mail for unknown users as early as possible. It's too easy for a spammer to bounce mail off your server. No point to spam/virus scan mail to invalid recipients. The advantages far outweigh the disadvantage (not plural).
Of course, that's just me

Posted: Mon Nov 26, 2007 9:25 am
by Kris
I have a postfix server in front of my scalixserver to deal with the unknown user spam. At first, I had the postfix server do LDAP lookups on the ScalixServer, but during a spamrun this would put extra load on the server, and I didn't want that. I've now a script (running every hour), that pulls all valid recipients from LDAP and put this in a file on the postfix server. I've also a list of addresses which should be excluded (some addresses and groups that are for internal use only) from this file. I have then Postfix do lookups in this file. Works great this way.
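The hourly export described in the post above, sketched as an added example (not Kris's script and not Scalix code): it parses LDIF as printed by `ldapsearch -LLL`, drops excluded addresses and writes a Postfix lookup-table source file. The `mail` attribute name, the output path and the sample entries are assumptions.

```python
import base64
import os
import tempfile

# Constructed sample shaped like `ldapsearch -LLL` output (not real Scalix data).
SAMPLE_LDIF = (
    "dn: cn=Alice,o=Example\nmail: Alice@host.mydomain.com\n\n"
    "dn: cn=Bob,o=Example\nmail: bob.with.a.long.local.part@host.my\n domain.com\n"
    "mail: bob@host.mydomain.com\n\n"
    "dn: cn=Internal,o=Example\nmail:: "
    + base64.b64encode(b"internal-only@host.mydomain.com").decode() + "\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return ldif.replace("\r\n", "\n").replace("\n ", "").split("\n")

def mail_addresses(ldif, attr="mail"):
    """Return the lowercased addresses found in `attr` (attribute name is assumed)."""
    found = set()
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or name.lower() != attr:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        addr = value.strip().lower()
        if addr.count("@") == 1 and not any(c.isspace() for c in addr):
            found.add(addr)
    return found

def build_map(ldif, exclude=(), min_entries=1):
    """Render Postfix table source; refuse to emit a suspiciously small map."""
    keep = mail_addresses(ldif) - {e.lower() for e in exclude}
    if len(keep) < min_entries:
        raise ValueError("too few recipients; keep the previous map")
    return "".join(f"{addr}\tOK\n" for addr in sorted(keep))

def write_atomic(path, text):
    """Replace `path` in one rename so Postfix never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
```

Run `postmap` on the written file afterwards. Setting `min_entries` near the expected user count keeps a failed LDAP query from replacing the map with one that rejects every recipient.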
Posted: Sat Dec 01, 2007 1:10 pm
by sutton.ryan
I have scalix on centos behind IPCop with copfilter (clamav & spamassassin). My default install of scalix also resulted in the failure to reject mail to unknown users. I found a solution which is to modify /etc/mail/local-host-names
Add the domains you accept mail for in this file. My maillog (sendmail) shows rejections for unknown users after making this change.
I did this long ago on scalix 10, so I hope my description is accurate.
Ryan
Posted: Sat Dec 01, 2007 2:27 pm
by sutton.ryan
I am curious if anyone has compared the resources required to do an LDAP lookup (from perimeter device/server) for incoming recipient vs that of scalix/sendmail doing an unknown user rejection? All internet email is sent to scalix on the DMZ so excessive spamming does not directly impact my lan, but IPCop is passing the unknown user statement which stops the delivery or scanning of spam to unknowns.
Ryan