Problem with Scalix and sendmail milters not rejecting mail

[Xlot]

I'm an ex-qmail/amavis/spamassassin/clamav user, so I'm a bit out of my depth with sendmail/scalix - apologies if I'm making a total newbie mistake here.

I've had Scalix 11beta working happily for a couple of weeks, and decided to try adding clamav and mailwasher as sendmail milters, for spam and virus protection..

but, after getting them working, I'm no longer rejecting messages for addresses that don't exist. Instead, all mail is being accepted, regardless of addressing. e.g. maillog says:\

Code: Select all

Nov 18 13:52:59 mail sendmail[4110]: kAI2qxjq004110: from=tester@isp.net, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 18 13:52:59 mail sendmail[4115]: kAI2qxY9004115: from=<tester@isp.net>, size=909, class=0, nrcpts=1, msgid=<455E758D.4090700@isp.net>, proto=ESMTP, relay=root@localhost
Nov 18 13:53:00 mail sendmail[4116]: kAI2qxLh004116: from=<tester@isp.net>, size=1097, class=0, nrcpts=1, msgid=<455E758D.4090700@isp.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 18 13:53:00 mail sendmail[4116]: kAI2qxLh004116: Milter: data, discard
Nov 18 13:53:00 mail sendmail[4116]: kAI2qxLh004116: discarded
Nov 18 13:53:00 mail sendmail[4115]: kAI2qxY9004115: to=<bunyip2@mydomain.com>, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30909, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (kAI2qxLh004116 Message accepted for delivery)


So I did some reading, and thought I needed to set up the /etc/mail/relay-domains and /etc/mail/mailertable files to let sendmail know how to refer messages for recipient verification..

Unfortunately, I'm now getting messages that bounce, but worryingly its not becase recipient doesn't exist..

Code: Select all

The original message was received at Sat, 18 Nov 2006 13:17:26 +1100
from localhost.localdomain [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----
<doodad@mydomain.com>
    (reason: 553 5.3.5 system config error)

   ----- Transcript of session follows -----
553 5.3.5 mail.mydomain.com. config error: mail loops back to me (MX problem?)
554 5.3.5 Local configuration error


The maillog for these says that the message was accepted still..:

Code: Select all

Nov 18 14:19:07 mail sendmail[4676]: kAI3J7mE004676: from=tester@isp.net, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 18 14:19:08 mail sendmail[4681]: kAI3J8Pi004681: from=<tester@isp.net>, size=900, class=0, nrcpts=1, msgid=<455E7BAD.2070307@isp.net>, proto=ESMTP, relay=root@localhost
Nov 18 14:19:08 mail sendmail[4682]: kAI3J8Di004682: from=<tester@isp.net>, size=1087, class=0, nrcpts=1, msgid=<455E7BAD.2070307@isp.net>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 18 14:19:08 mail sendmail[4682]: kAI3J8Di004682: Milter: data, discard
Nov 18 14:19:08 mail sendmail[4682]: kAI3J8Di004682: discarded
Nov 18 14:19:08 mail sendmail[4681]: kAI3J8Pi004681: to=<moocow@mydomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30900, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (kAI3J8Di004682 Message accepted for delivery)


So.. the question is, should I be even altering the relay-domains file? I noticed it wasn't being used at all when I only had Scalix with Sendmail as its frontend.

My sendmail.mc has this at the end (I removed the clamav stuff until I get just one milter working):

Code: Select all

MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
INPUT_MAIL_FILTER(`mailwasher_server',    `S=unix:/var/run/mwserver/mpd.sock, F=T, T=S:4m;R:4m')
define(`confINPUT_MAIL_FILTERS', `mailwasher_server')


I've run omsendin to get the scalix integration back (I have the Mscalix and Momxport lines at the end of sendmail.cf).

Can anyone shed some light on why I'm not bouncing mail to invalid local addresses? Or can I not get sendmail to check with scalix before running the milter?

[Xlot]

Ok, after yet more reading into sendmail, I've now added the various domains being handled by Scalix into the file:

/etc/mail/local-host-names

Now I'm getting the expected 550's for addresses that don't exist.

Presumably, the reason I didn't need this before I tried to implement the milters is that there was no hand-off to sendmail from omsmtpd, as I wasn't using the SMTPFILTER=TRUE directive?

Am I right in thinking any time that if I'm using sendmail as an SMTPFILTER I'll have to make sure my local-host-names is up-to-date and includes all the domains I've added through the Scalix Admin Console?

Are there any other files in /etc/mail I neet to maintain? (other than the registring of milters in sendmail.mc and sendmail.cf)

I've worked out that I don't need mailertable - instead I updated my internal dns so that the MX records for the relevant local domains pointed to the correct host (instead of the non-internally-routeable externally-facing smtp gateway).

Do I need to put anything in relay-domains?

As far as I can see, because I'm running sendmail and scalix on the same host, the fact that /etc/mail/access allows relay from localhost is enough, and scalix will deal with the actual sending of mail with the various "from" addresses used by the various domains I use? (as long as the local sendmail on localhost:25 knows that those domains are in fact local?).

Thanks,

Hilton.

[Valerion]

/etc/mail/local-host-names is all you need, I think.

I also tend to keep /etc/mail/access and /etc/mail/mailertable (and the associated database files) up to date, as I need to do some custom forwarding that can't easily be done in DNS.

[Xlot]

/etc/mail/local-host-names is all you need, I think.

I also tend to keep /etc/mail/access and /etc/mail/mailertable (and the associated database files) up to date, as I need to do some custom forwarding that can't easily be done in DNS.

Thanks for the help Valerion

I think, as I have valid MX records for all internal dns resolution of the 7 domains I'm primary MX for, I shouldn't need to update mailertable

A couple of things I've been wondering however that aren't clear in the Scalix doumentation or wiki:

1. The "Scalix Server Setup Guide 11.0 Beta Draft4" document says to add the "SMTPFILTER=TRUE" line above the line "relay accept 127.0.0.1" in smtpd.cfg. This contradicts the Howto's in the wiki (e.g. Amavisd or Mailwasher howto), that say at the end of the file.

Does the placement of the option affect whether relaying occurs before or after its passed through the filter/milter?

2. I've noticed that if I only modify local-host-names with the domains the server is primary MX for, then I get different respones in the bounce for a non-existant address.
e.g. If its to the primary domain (the one set with "RELAY accept" in smtpd.cfg), then the bounce is "550 5.1.1 User unknown".

However, if its to one of the other domains listed in Ubermanager.properties (localDomains), but which has no "RELAY accept" in smtpd.cfg, then its "550 Denied due to spam list".

Would it make sense to add entries to the smtpd.cfg of the form "relay accept otherdomain.com", for each domain that is listed in ubermanager.properties? Mail is sent from the internal network as being from a number of different domains.

Is there any detriment to placing the relay entries in smtpd.cfg for that same set as specified in localDomains? Does the RELAY directive affect whether mail is passed to the SMTPFILTER for processing?

Lots of questions, I know, but I've been seeing some odd behvaiour from the logs for Mailwasher, and I'm trying to get my head around what the problem with my configuration is (e.g. only outbound mail was being scanned by Mailwasher last night - with just local-host-names set and nothing in mailertable etc.)

[Xlot]

Some more forum searches have turned up these threads:

Here's where my confusion on the "RELAY accept" lies:

Someone also trying to get multiple domains working happily - seems that they were having similar issues to me
http://www.scalix.com/community/viewtop ... pt+domains

Another person who used the "RELAY accept" to fix the "550 Denied due to spam list" error I describe above.. here Scalix support seems to think its reasonable to use..
http://www.scalix.com/community/viewtop ... pt+domains

But here support seems to think it shouldn't be necessary?
http://www.scalix.com/community/viewtop ... pt+domains

The issue I have is that I want to get uniform treatment of all the different domains I have running, for the purposes of sendmail milters (Mailwasher in particular) - currently it appears that to get mail bounced correctly, I need to:

1. Add the domains to /etc/mail/local-host-names (so that sendmail identifies the mail as being local, and can bounce it immediately)

2. Add "RELAY accept .domain.com" entries for each domain to /var/opt/scalix/sys/smtpd.cfg (so that all domains give "550 User unknown" as the bounce)

I'm not clear if I should be doing anything else.. I *think* I should leave the /etc/mail/access database alone, as its a step too close to being an open relay. I *think* I don't need to edit the /etc/mail/mailertable if I have internal dns that provides a correct MX record for each domain (i.e. points to the Scalix server's IP address).

I might also need to:

3. Move the "SMTPFILTER=TRUE" directive in smtpd.cfg to above the "RELAY accept" directives.