[NTLUG:Discuss] mail server ... general question ...
Kelledin
kelledin at users.sourceforge.net
Mon Feb 25 15:06:15 CST 2002
On Monday 25 February 2002 01:25 pm, you wrote:
> (general question because I don't know enough specifics yet)
>
> The question is dropping incoming mail that does not have at least one
> recipient listed whose domain matches one in a list of domains.
>
> The assumption is that the mail server software lacks any feature that
> would provide this capability.
Is this a hypothetical question? Because I believe sendmail can have this
feature enabled in its access db. I'm also fairly certain sendmail will not
accept any mail destined for a domain it doesn't grok.
I have no idea how postfix would do this, however.
> The only two approaches I have been able to think of:
> (1) Server receives mail and calls a program/script to validate the
> domain, waiting for a drop/pass return value.
> (a) Seems an unlikely approach without extensive modifications to
> the mail server software.
> (2) Filter the incoming data stream, before it reaches the mail server
> software, dropping all invalid messages.
>
> Does that sound right so far?
>
(1) Many mail servers (including sendmail) can be configured to use procmail;
procmail can perform the recipient validation step and scrap invalid mail.
procmail would have to be configured on a per-user basis though; the closest
thing I know of for a global procmail policy is to stick a .procmailrc file
in /etc/skel. This would only take effect for users created after the
.procmailrc file is copied to /etc/skel; users that already exist will have
to have their ~/.procmailrc files modified manually.
(2) This approach is basically a firewall activity, and it seems
unnecessarily complex. You would have to create something (perhaps an
ipchains or iptables module) that dumps TCP/UDP data, checks for packets that
appear to be destined for a mail server, and then parses those packets to
figure out their recipient address.
In either of the above cases, you won't be able to do much to stop external
bandwidth consumption (except possibly figure out who's doing it and inform
their ISP). You should be able to keep these spam messages from sucking up
disk space, however.
> Actually, what we seem to be dealing with is a denial of service attack
> followed by, or coupled with, the remailing of spam.
>
> Sorry I cannot be more specific just yet - that's all the details I have
> so far - do they sound right, do you think?
>
> Thanks in advance to anyone who would care to share any insight(s) on
> this kind of thing.
________________________________________
Kelledin
"If a server crashes in a server farm and no one hears it, does it still cost
four figures to fix?"
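As an added illustration of the procmail validation step in approach (1), example code written for this page rather than taken from the thread or from any mail server: a POSIX shell filter that a procmail recipe could pipe a message through, exiting 0 when at least one To:/Cc: recipient domain is on an allowlist. The ALLOWED_DOMAINS list, the sample messages, and the choice to inspect header recipients only are assumptions.

```sh
# Added example (not from the thread): recipient-domain allowlist check that a
# procmail recipe could pipe a message through and act on the exit status.
# Assumed: ALLOWED_DOMAINS (space-separated, lowercase) and that only To:/Cc:
# header recipients are examined, since headers are all procmail sees.
ALLOWED_DOMAINS="example.com example.net"

# recipient_domains: read a message on stdin and print each distinct lowercased
# domain found in To:/Cc: headers; folded continuation lines are joined first.
recipient_domains() {
  awk '
    function flush(   n, parts, i, d) {
      n = split(hdr, parts, /[ \t,<>;"()]+/)
      for (i = 1; i <= n; i++)
        if (parts[i] ~ /^[^@]+@[^@]+$/) {
          d = tolower(parts[i]); sub(/^.*@/, "", d); print d
        }
      hdr = ""
    }
    /^$/     { flush(); exit }            # blank line ends the headers
    /^[ \t]/ { hdr = hdr " " $0; next }   # folded line continues a header
             { flush() }                  # any other line starts a new header
    tolower($0) ~ /^(to|cc):/ { hdr = $0 } # keep only recipient headers
    END      { flush() }
  ' | sort -u
}

# allowed_recipient: exit 0 if at least one recipient domain is on the list,
# 1 otherwise (exact match, as the question states; subdomains do not count).
allowed_recipient() {
  for d in $(recipient_domains); do
    for a in $ALLOWED_DOMAINS; do [ "$d" = "$a" ] && return 0; done
  done
  return 1
}

# Constructed sample messages: one with a local recipient among outsiders, one
# addressed only to outside domains (the relaying the question describes).
LOCAL_MSG='To: "Ops" <ops@example.com>,
    someone@other.example
Subject: hi

body'
RELAY_MSG='To: victim1@other.example
Cc: victim2@another.example

body'
# verdict NAME MESSAGE: what a procmail recipe keyed on the exit status would do.
verdict() { if printf '%s\n' "$2" | allowed_recipient; then echo "$1: deliver"; else echo "$1: drop"; fi; }
verdict local "$LOCAL_MSG"   # prints "local: deliver"
verdict relay "$RELAY_MSG"   # prints "relay: drop"
```

Because procmail runs after the MTA has already accepted the message, this only saves disk space, not bandwidth, as the reply above notes; stopping relaying at the envelope (RCPT TO) stage is the job of the MTA's own relay controls.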