How to reject mails for unknown users?

Discuss the Scalix Messaging Services

Moderator: ScalixSupport

tuxx-home.at
Posts: 21
Joined: Sun Feb 24, 2008 10:24 am


Postby tuxx-home.at » Mon Feb 16, 2009 4:39 am

Hey,

I need some help with achieving the following thing:
One of my customer's domains seems to be a popular target for spam mails.
I have four valid e-mail addresses on this domain, like:

office@domain.at
f.surname@domain.at
g.surname@domain.at
h.surname@domain.at

Unfortunately, Scalix (or the SMTP relay) accepts all incoming mails first and afterwards checks for the existence of the local user, which means that error messages for unknown local recipients will be sent out to the sender.

On the weekend, our provider blocked us because he suspects us of spamming. After looking at the mailqueue, we had 11334 mails in the mailqueue that were awaiting delivery. All of them were in the form of "Error - no such user here" to spoofed or fake sender addresses, so they will never be delivered properly, but due to the fact that the mailserver tries to deliver them every few hours, our smarthost blocked us due to the vast amount of e-mails we were trying to send.

Is there any way to limit delivery to only existing users on the SMTP level, so that no "mail delivery failed" messages will be generated at all?

Thanks in Advance,
Alex

tuxx-home.at
Posts: 21
Joined: Sun Feb 24, 2008 10:24 am

Postby tuxx-home.at » Fri Feb 20, 2009 5:32 am

*bump*

Kris
Posts: 247
Joined: Tue Jul 04, 2006 7:24 am

Postby Kris » Fri Feb 20, 2009 6:30 am

I don't know how to do this with Scalix, but I solved it by putting a simple Linux machine with Postfix on it in front of the Scalix server. You can configure the Postfix machine to do LDAP lookups on Scalix, and reject mail for non-existing addresses.

tuxx-home.at
Posts: 21
Joined: Sun Feb 24, 2008 10:24 am

Postby tuxx-home.at » Fri Feb 20, 2009 6:38 am

While this is for sure a working solution, I don't think that there is no native Scalix solution for achieving that.

This is a real problem, especially when you get many spams to your domain for invalid recipient mail addresses.

tuxx-home.at
Posts: 21
Joined: Sun Feb 24, 2008 10:24 am

Postby tuxx-home.at » Thu Feb 26, 2009 11:23 am

OK, I found a solution.

After reading through a lot of manuals, doing a lot of googling and stuff I found out that actually it is (gladfully) something you can configure in the sendmail configuration file.

For my specific client, there are only 4 valid e-mail addresses, so I didn't work on a solution that is either integrated into Scalix or polls information about valid e-mail addresses from there.

If you have CentOS (or something compatible) and sendmail in combination with Scalix, an easy and working fix is described here:

1. Go to /etc/mail and open the file "access"
2. At the end of this file, add the following lines:

```
office@mycompany.com    OK
user1@mycompany.com     OK
user2@mycompany.com     OK
user3@mycompany.com     OK
mycompany.com           ERROR:550 No user here by that name
```


In the above shown example, user1-3 and office are valid local_parts for the recipient e-mail address, anything else will be rejected with the given error message.

3. Save the file and rebuild the access.db file with the following command:

```
make access.db
```


4. Reload sendmail configuration

```
/etc/init.d/sendmail reload
```

KKJensen
Posts: 142
Joined: Wed Sep 06, 2006 9:34 am
Contact:

Postby KKJensen » Mon Mar 09, 2009 7:19 am

So each user in the company/organization needs to be listed, if not they cannot receive email from outside the scalix system?

tuxx-home.at
Posts: 21
Joined: Sun Feb 24, 2008 10:24 am

Postby tuxx-home.at » Mon Mar 09, 2009 7:38 am

Exactly.

If you have many users, you might want to update this list automatically. A good starting point for getting a real-time list of available e-mail addresses out of Scalix is to use the `omldapsearch` command which can be used in a script that periodically updates the access list and (only in case if something has changed) reloads sendmail.

```
# omldapsearch "(objectClass=Person)" | awk -F= '/^mail=/ { print $2 }'
sxadmin-mail@mydomain.at
sxqueryadmin-mail@mydomain.at
office@mydomain.at
user1@mydomain.at
user2@mydomain.at
user3@mydomain.at
```


As you can see, the output shows some mail addresses you probably still want to block in your access file; you can simply ignore them in the script to update your aliases db.
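
A sketch of the periodic update script described in the post above, added here as an example; it is not code from the thread or from Scalix. It assumes hand-maintained entries live in a hypothetical `access.static` file next to the generated `access` file, and it keeps `postmaster@` accepted, a requirement raised later in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. ACCESS_DIR, access.static and REBUILD
# are assumptions of this sketch; adjust them to your system.
ACCESS_DIR=${ACCESS_DIR:-/etc/mail}
REBUILD=${REBUILD:-'make -C /etc/mail access.db && /etc/init.d/sendmail reload'}
SKIP='^sx(query)?admin-mail@'   # Scalix system addresses that stay blocked

# stdin: omldapsearch output; stdout: sorted unique addresses in domain $1.
# Values that are not a plain address in that domain are dropped, so a
# malformed directory entry cannot add whitespace or an extra field to the map.
valid_rcpts() {
    dom=$(printf '%s' "$1" | sed 's/\./\\./g')
    awk -F= '/^mail=/ { print tolower($2) }' |
        grep -E "^[a-z0-9._+-]+@${dom}\$" | grep -Ev "$SKIP" | sort -u
}

# stdin: addresses; stdout: access entries in the format posted above.
# postmaster@ is always accepted (assumption: an alias for it exists).
access_block() {
    { cat; printf 'postmaster@%s\n' "$1"; } | sort -u |
        while read -r addr; do printf '%s\tOK\n' "$addr"; done
    printf '%s\tERROR:550 No user here by that name\n' "$1"
}

# stdin: omldapsearch output. Returns 0 = updated and reloaded, 1 = unchanged,
# 2 = refused (no addresses found; installing that would reject all mail),
# 3 = install or rebuild failed.
update_access() {
    rcpts=$(valid_rcpts "$1")
    [ -n "$rcpts" ] || return 2
    new=$(mktemp "$ACCESS_DIR/access.XXXXXX") || return 3
    { cat "$ACCESS_DIR/access.static" 2>/dev/null
      printf '%s\n' "$rcpts" | access_block "$1"; } > "$new"
    if cmp -s "$new" "$ACCESS_DIR/access"; then rm -f "$new"; return 1; fi
    mv "$new" "$ACCESS_DIR/access" && sh -c "$REBUILD" || return 3
}

# From cron: omldapsearch "(objectClass=Person)" | update_access mydomain.at
```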

ls-al
Scalix Star
Scalix Star
Posts: 510
Joined: Tue Jun 29, 2004 8:28 am
Location: Leipzig, Germany
Contact:

Postby ls-al » Mon Mar 09, 2009 12:56 pm

I am wondering why just adding your domain to /etc/mail/local-host-names (or whatever your Fw in sendmail.cf points to) did not help.

tuxx-home.at
Posts: 21
Joined: Sun Feb 24, 2008 10:24 am

Postby tuxx-home.at » Mon Mar 09, 2009 1:05 pm

Because it accepts _ALL_ recipients on that domain and I do only have 4 valid recipients.
Try it out and you'll see.

This is a real problem, because when your domain receives a lot of spam mails, Scalix/sendmail accepts the invalid recipients first and then tries to notify the sender (via e-mail, of course) that the recipient address does not exist.

Of course, the sender address is mostly an invalid or forged address and therefore over a few days, I had thousands of zombies in my mailqueue and when the queue run starts, my server was trying to send thousands of e-mails in a short time to dozens of recipients that don't even exist.

The fact that I'm using my provider's mailserver as a smarthost didn't make things better, in fact, they blocked me several times over the last few weeks because they had rules established on their mailserver that identified our host as a spamrelay then.

So, in my opinion, this issue needs to be fixed by _DEFAULT_ in the scalix installation somehow as this is a real world problem that actually is very nasty.

If there's already a way to get this feature without having to tinker with the access db on your own, please tell me and I'll be happy to try it out.

ls-al
Scalix Star
Scalix Star
Posts: 510
Joined: Tue Jun 29, 2004 8:28 am
Location: Leipzig, Germany
Contact:

Postby ls-al » Mon Mar 09, 2009 1:11 pm

tuxx-home.at wrote: Because it accepts _ALL_ recipients on that domain ....


It shouldn't. Fw just tells sendmail that this instance is responsible for the domain. If sendmail finally does not know to handle mails to unknown users by any other method (e.g. mailertable) it will bounce them.
What OS are you running on?

Valerion
Scalix Star
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Postby Valerion » Mon Mar 09, 2009 1:19 pm

Changing this by default would be a bad idea, I think. There are certain recipients you are REQUIRED to have (e.g. postmaster@domain.com) that Scalix does not handle by itself. In addition, some networks may set up their own list of "must-have" aliases that are used internally, and may be forwarded between servers. If Scalix simply blocks this, some network services may stop working. It would violate the principle of "least-surprise", I think.

Personally I do my spam-filtering with a combination of blacklisting, greylisting and Spamassassin. The few that manage to get through I can deal with. Blacklisting by itself is especially useful, as a lot of spamming is done from dynamic dial-up/ADSL-type accounts.

tuxx-home.at
Posts: 21
Joined: Sun Feb 24, 2008 10:24 am

Postby tuxx-home.at » Mon Mar 09, 2009 1:43 pm

OK, sorry, you're right. Somehow the entry in /etc/mail/local-host-names does work now.
The accessdb approach worked too, btw, it didn't cause any surprises on the sender side as it clearly stated that the recipient's address is not valid on the SMTP level, so, no surprises, just an error message instead of an error e-mail.

Anyhow, thanks for pointing that out, local-host-names works now as it should, will monitor that over the next few days.

Update: OK, since I've turned it out, I've received ten spam mails again, all going to "mail@mydomain.at". I think I will go back to my previous approach as this is the safest solution for me.

ls-al
Scalix Star
Scalix Star
Posts: 510
Joined: Tue Jun 29, 2004 8:28 am
Location: Leipzig, Germany
Contact:

Postby ls-al » Mon Mar 09, 2009 3:50 pm

I think this needs some further explanations...
For bigger deployments I fully agree with Valerion that another machine in front of a Scalix server makes sense and will prevent lots of unwanted crap.
However, there are cases where a company cannot use this scenario. Just think of the SMTPMILTER function. It makes no sense to have a machine in front of a Commtouch Antispam or SpamAssassin Milter.

In any case we have to make sure that we are not creating a backscatter system. To do this, we need to understand that Scalix by default only knows the internet addresses that are known in the SYSTEM-directory (or directories when running with multiple instances).
Everything else will be passed to sendmail and is therefore heavily depending on the current sendmail configuration.

Assuming that Alex' customer has the domain "domain.at" and Scalix runs on the host "scalix.domain.at" the default configuration will probably create a "RELAY accept .domain.at" in the smtpd.cfg. I believe that this was done for other reasons and will most likely change in one of the next releases of Scalix. Several bugs and enhancement requests are dealing with this.

This will pass the mails for addresses for domain.at that are not known in Scalix to sendmail. We can (or have to) tweak anything further in the sendmail configuration (avoid to change the .cf, use the .mc).
Inserting the domain(s) in /etc/mail/local-host-names is best practise if there is no other mail server in the company. When using the mailertable feature we should care that our system knows the valid recipients on the other end. Otherwise we will create a backscatter there. BTW: It's possible to get the access db working with LDAP if necessary (Sendmail Cookbook, written by Craig Hunt).

Finally, if you still run on CentOS: mail@ _is_ a valid recipient by default. Look at your aliases.

richmyers

Re: How to reject mails for unknown users?

Postby richmyers » Thu May 07, 2009 2:08 pm

Does anyone know if there is a way to disable NDR emails totally? In Exchange it is a simple checkbox. NDR emails cause a huge backscatter problem if your mailserver is targeted for bounceback spam. Currently I am having issues with being listed with backscatter.org and Barracuda because of it.

Valerion
Scalix Star
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa
Contact:

Re: How to reject mails for unknown users?

Postby Valerion » Fri May 08, 2009 12:58 am

The easiest is likely to set up a catchall mailbox and clean it regularly with omtidy or a mail client. You can try to block them from being sent in sendmail, but I can't think off the top of my head how to do that.

