Sendmail - local delivery - SOLVED

Posted: Mon Jan 15, 2007 9:47 am
by grubi
Hi.

I'm currently evaluating Scalix and look for a setup which best fits our needs.
As I do not want to set up a second box as mailhub and want to implement greylisting, I chose the route to make sendmail the receiving mailserver and the scalix smtpd a mail submission only server for authenticated users.

I have to admit that I'm absolutely new to sendmail and what I found about it so far is anything but intuitive or straightforward. Even if I did not find a document here covering all aspects of this setup, I was able to gather all the information required to be nearly successful. What is still missing is that now sendmail will also accept mails on the external interface for local users (meaning Linux-local here) like root and deliver them locally (to the Linux user mailbox), which is not desired. Any idea how to prevent local delivery for sendmail?

Would it be a better idea to set up an additional smarthost, e.g. exim, on the same machine via multiple IP addresses and keep the sendmail / scalix smtp duo untouched?

Thanks for your help.
Kind regards

grubi

Posted: Mon Jan 15, 2007 11:51 am
by jch
There are two different things you can do:

The first is to simply define aliases (in /etc/aliases) for the local users that you want to redirect to specific Scalix user accounts. We typically do this for root so that machine admin mail goes to a designated PDL.

The other thing you can do is define a "catch-all" as a virtual user for unknown addresses -- you can have all mail for otherwise unknown users to be sent to a designated individual that way. I did this at home -- but it doesn't work without hacking sendmail.cf (not .mc) a bit unless you're running Scalix 11.

In your case, you probably just want to define aliases for the few local users that you actually have as most of the local users that are defined by various bits and pieces of software all alias to "root" anyway.

jch

Posted: Mon Jan 15, 2007 12:28 pm
by grubi
jch wrote:There are two different things you can do:

The first is to simply define aliases (in /etc/aliases) for the local users that you want to redirect to specific Scalix user accounts. We typically do this for root so that machine admin mail goes to a designated PDL.

The other thing you can do is define a "catch-all" as a virtual user for unknown addresses -- you can have all mail for otherwise unknown users to be sent to a designated individual that way. I did this at home -- but it doesn't work without hacking sendmail.cf (not .mc) a bit unless you're running Scalix 11.

In your case, you probably just want to define aliases for the few local users that you actually have as most of the local users that are defined by various bits and pieces of software all alias to "root" anyway.

jch


Hi jch.
Thanks for your answer.

But the ugly thing is that all system accounts on your server are valid recipients for delivery from the internet and there can be many of them like scalix, root and even nobody. There should be a way to avoid this (hopefully). IMHO it looks somewhat strange that our mail system will accept a mail to nobody as a valid recipient.

Is this behaviour similar if you use the default config where the scalix smtpd will accept mails from outside directly?

Thanks

Regards,
grubi

Posted: Mon Jan 15, 2007 1:33 pm
by jch
On my system here, the original /etc/aliases has aliases for a lot of "system" accounts to root -- that includes "nobody" and others. (There isn't one for "scalix" -- the scalix user is used to receive Scalix server to Scalix server traffic.) That's just the way the system is set up.

The very last line in /etc/aliases is a commented-out "root: marc" line with the comment "Person who should get root's mail". You could alias "nobody" (for example) to something that will reject mail to that user, but if you're looking after a system you probably want to see mail sent to the system users so that you can do something about it. It seems sensible to me: if I had a larger server to look after (with more than one admin) then I'd split out things like webmaster, hostmaster, etc into separate aliases for those particular functions.

Back to my /etc/aliases, the very last line actually sends all system mail to my work address which Thunderbird then puts in a folder called "admin" so I can check everything is OK (sometimes) or just delete it (mostly).

At home it's different -- I want to make sure everything that is sent to my domain goes to someone (me, actually) which is why I use a virtual domain to make sure it goes somewhere. I'm going to have to do something different about that though -- I get way too many spam rejections coming back to a rubbish address because my domain is known.

jch

Posted: Mon Jan 15, 2007 3:14 pm
by grubi
jch wrote:The very last line in /etc/aliases is a commented-out "root: marc" line with the comment "Person who should get root's mail". You could alias "nobody" (for example) to something that will reject mail to that user, but if you're looking after a system you probably want to see mail sent to the system users so that you can do something about it. It seems sensible to me: if I had a larger server to look after (with more than one admin) then I'd split out things like webmaster, hostmaster, etc into separate aliases for those particular functions.
jch


I agree that it makes sense that system mails which are addressed to system accounts internally can be aliased to be forwarded to a real person but what is ugly IMO is that those system accounts are addressable from the internet. If you forward them to anything that is unreachable the mail is still accepted in the first place and a bounce message will be generated afterwards.

Regards,
grubi.

PS: Seems there are others
viewtopic.php?t=2351&highlight=system+accounts

Posted: Tue Jan 16, 2007 5:15 am
by grubi
To answer my own question.
In the forum I found the following link:
http://www.faqs.org/docs/linux_network/x15291.html
Section 18.8.4.3. seems to cover this issue. I will give it
a try and report back.

grubi

Posted: Tue Jan 16, 2007 2:21 pm
by grubi
I got it working now.
For those who are interested, here is what I did (Scalix 11):

Add the following lines to your sendmail.mc

FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl

Rebuild your sendmail.cf

Add all local accounts for which you want delivery to be disabled to /etc/mail/access

Connect:127 RELAY
To:nobody@ REJECT
To:news@ REJECT
To:root@ REJECT

Rebuild your access.db with makemap and you are done.

Regards,
grubi.
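
Added example, not part of grubi's post: since the thread's concern is that many system accounts are valid recipients, this shell function generates the To:user@ REJECT entries from a passwd-format file instead of listing them by hand. The function name, the UID cut-off of 500 and the KEEP list are assumptions; scalix is kept because jch notes that user receives Scalix server-to-server traffic.

```shell
#!/bin/sh
# Generate access-map entries that reject mail to local system accounts.
# Assumptions (not from the thread): system accounts have UID < UID_MAX,
# and KEEP names accounts that must stay reachable.
UID_MAX=${UID_MAX:-500}
KEEP=${KEEP:-"scalix postmaster"}

# gen_rejects PASSWD_FILE [ACCESS_FILE]
# Prints "To:<user>@<TAB>REJECT" for every system account that is not in
# KEEP and does not already have a To: entry in ACCESS_FILE, so the
# function can be re-run after new packages add accounts.
gen_rejects() {
    passwd_file=$1
    access_file=${2:-/dev/null}
    awk -F: -v max="$UID_MAX" -v keep="$KEEP" -v acc="$access_file" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) skip[k[i]] = 1
        }
        /^#/ || NF == 0 { next }          # comments and blank lines
        FILENAME == acc {                 # existing access entries
            key = $0
            sub(/^[ \t]+/, "", key)       # strip leading whitespace
            sub(/[ \t].*$/, "", key)      # keep only the lookup key
            seen[tolower(key)] = 1
            next
        }
        ($3 + 0) < (max + 0) && !($1 in skip) {
            key = "to:" tolower($1) "@"
            if (!(key in seen)) printf "To:%s@\tREJECT\n", $1
        }
    ' "$access_file" "$passwd_file"
}

# Stand-alone use: sh gen_rejects.sh /etc/passwd /etc/mail/access
# Review the output, append it to /etc/mail/access, then rebuild with:
#   makemap hash /etc/mail/access < /etc/mail/access
if [ "$#" -gt 0 ]; then
    gen_rejects "$@"
fi
```

Accounts that exist only as entries in /etc/aliases are not covered, because the function reads passwd-format input only.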