quick way of setting up NTP on your ESX host.

You can just copy/paste the following lines:

esxcfg-firewall -e ntpClient

echo "server clock.redhat.com" >> /etc/ntp.conf

echo "clock.redhat.com" > /etc/ntp/step-tickers

/etc/init.d/ntpd restart

chkconfig ntpd on

Just replace clock.redhat.com with your NTP server. If you want more than one time server, repeat the echo lines for each one, and use >> on the step-tickers line so that it appends rather than overwrites.

reset root password in mysql

"DBS" wrote:

> I have a problem, It’s been months since I used MySQL and (I believe) I had

> set it up with a root password. Now I can’t log on to MySQL as root MySQL

> user and create a new user or manage an existing user (I can log onto server

Familiar situation. :)

Do so:

service mysql stop

wait until MySQL shuts down. Then run

mysqld_safe --skip-grant-tables &

then you will be able to login as root with no password.

mysql -uroot mysql

In MySQL command line prompt issue the following command:

UPDATE user SET password=PASSWORD("abcd") WHERE user="root";

FLUSH PRIVILEGES;

At this time your root password is reset to “abcd” and MySQL will now

know the privileges and you’ll be able to login with your new password:

mysql -uroot -pabcd mysql

How to get tcpdump from Virtual Switches in ESX 3

1) Install VMware-esx-supptools-3.0.0-1.i386.rpm from the ESX 3 cd.

2) You can then run “/usr/lib/vmware/support/esxnet-support man” and learn how to use the tool, but …

3) To get a trace from the portgroup, you’ll need to run:

/usr/lib/vmware/support/esxnet-support trace -z -p Network0

Network0 of course will need to change to your portgroup name.

Another thing you can do is create a portgroup and put it in promiscuous mode. Then, run tcpdump in that guest that’s in that portgroup.

How to install VMware Tools in Trustix Secure Linux

How to install VMware Tools

This is taken from: http://www.trustix.net/wiki/index.php/VMwareTools

This has (so far) only been verified to work on VMware Workstation v5.5 and a TSL 3.0 installation with the following groups installed: “Minimal with SSH”, “Commonly used local utilities” and “Commonly used network utilities”; a typical, almost minimal, TSL system.

Required packages

You need the following packages installed on the system to get VMware Tools to compile the needed modules (other packages may be installed due to dependencies):

make
gcc
glibc-devel
kernel-source

All in one using swup:

swup --install make gcc kernel-source glibc-devel

n.b. --ignore-filter may be required on TSL 2.2 to allow kernel-source to be installed.

Configure kernel-source

VMware tools won’t compile if you have not configured and prepared the kernel-source.

  • The kernel-source installs itself in /usr/src/kernel-source-<version>. You should link this folder to /usr/src/linux:
cd /usr/src
ln -s kernel-source-<version> linux

We also need to copy the kernel config file into our kernel-source:

cp /boot/config-<version> /usr/src/linux/.config
  • Let's prepare the kernel-source for VMware Tools:
cd /usr/src/linux
make oldconfig
make modules_prepare

n.b. With TSL 2.2 use ‘make dep’ in place of ‘make modules_prepare’.

Install VMware Tools

Having your TSL 3.0 installation active, release the lock (CTRL+ALT) and go to the menu and choose:

VM -> Install VMware Tools..

Mount the virtual CD-ROM containing the VMware tools and install the rpm there. Then unmount it.

mount /mnt/cdrom
rpm -Uhv /mnt/cdrom/VMwareTools-<version>-i386.rpm
umount /mnt/cdrom

Compile and configure VMware modules for TSL

To finish the VMware Tools installation we run the VMware tools configure script and it will compile the VMware Tools modules:

vmware-config-tools.pl

Answer yes to all questions and all but the X Windows display driver is configured. See below for X Window driver support.

Optimized network driver – VMXnet

When TSL 3.0 was installed as guest OS it found and installed the pcnet32 driver. You could stick with it, but I would recommend you change it for the optimized vmxnet driver which was just compiled. The following instructions are displayed after vmware-config-tools.pl finishes to help you replace the network driver:

service network stop
rmmod pcnet32
rmmod vmxnet
vi /etc/modprobe.conf /etc/mkinitrd/modules <-- change vmnics to vmxnet
tsl-fixboot.sh --install <kernel-version>
depmod -a
modprobe vmxnet
service network start

X Window

You need the following packages installed to have the X Window driver compile (other packages may download and install due to dependencies):

xorg-x11
xorg-x11-devel

As always, you may install them all in one using swup:

swup --install xorg-x11 xorg-x11-devel

Now run vmware-config-tools.pl again to compile the svga driver:

vmware-config-tools.pl

NB! You may get a warning about not being able to compile the vmxnet driver. Just ignore that. You already have it installed if you followed the instructions above.

Please note, this will only give you a minimalistic xorg-x11 without gnome or another DE/WM. I would recommend you check out the Desktop Environment section to get a fully working and useful desktop.

If you get the error when compiling the tool: “The kernel defined by this directory of header files does not have the same address space size as your running kernel.”

The way I fixed it was just by using a newer version of VMware-tools. I used the source from ESX 3.0 and you can search on the web and you should be able to find it.

How to Set Up DNS Blacklisting in a Lab Environment for Test

This is a very simple setup for those who have a lab environment where they do not want to be connected to the public Internet while doing the testing.

Some background:

The way dnsbl works is that when a connection is made to your mail server, it will take the client’s IP address, reverse it, append a domain onto it, and do a dns A or TXT record lookup for that name.

For example, if a spammer’s IP is 10.4.17.108, and you are using spam.list.com as your dnsbl site, your MTA will do a query for 108.17.4.10.spam.list.com. If the query returns positive, it means that the IP address is listed in the blackhole list and that mail should be rejected.

So the first thing you will need to do is set up a simple dns server. You can find out how to do that by consulting the DNS & Bind book or http://docs.sun.com/db/doc/816-7511 or various other sources.

Then, you need to set up a zone. Here's a sample:
 
# cat /var/named/spam.list.com

$TTL 86400
@       1D IN SOA @ root (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        NS      localhost.
        A       10.4.16.11
108.17.4.10     IN A    127.0.0.2
108.17.4.10     IN TXT  "10.4.17.108 is listed in spam.list.com"

With this in place, all you need to do is set up your MTA to use spam.list.com for dnsbl calls.
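The lookup described above, as an added example that is not part of the original post: it builds the reversed query name for a client IP and answers it from the lab zone, the way an MTA would decide whether to reject. The function names and the minimal zone reader are assumptions made for illustration; a real MTA asks the DNS server instead of reading the zone text.

```python
import ipaddress

# The lab zone from this post, embedded so the example runs offline.
ZONE_ORIGIN = "spam.list.com."
ZONE_TEXT = """\
$TTL 86400
@       1D IN SOA @ root (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        NS      localhost.
        A       10.4.16.11
108.17.4.10     IN A    127.0.0.2
108.17.4.10     IN TXT  "10.4.17.108 is listed in spam.list.com"
"""


def dnsbl_query_name(client_ip, zone):
    """Build the name the MTA looks up: reversed octets + DNSBL zone."""
    addr = ipaddress.IPv4Address(client_ip)  # ValueError on malformed input
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".").lower() + "."


def load_listing_records(zone_text, origin):
    """Minimal zone reader (assumption: only explicit
    'owner IN A|TXT rdata' lines matter; SOA, NS and
    continuation lines are skipped)."""
    records = {}
    for line in zone_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[1].upper() != "IN":
            continue
        owner, _, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype not in ("A", "TXT"):
            continue
        # Owner names without a trailing dot are relative to the origin.
        fqdn = owner if owner.endswith(".") else owner + "." + origin
        value = rdata.strip().strip('"')
        records.setdefault((fqdn.lower(), rtype), []).append(value)
    return records


def check_client(client_ip, zone=ZONE_ORIGIN, records=None):
    """Return the decision an MTA would reach for this client IP:
    an A answer means listed, the TXT answer carries the reason."""
    if records is None:
        records = load_listing_records(ZONE_TEXT, ZONE_ORIGIN)
    qname = dnsbl_query_name(client_ip, zone)
    a_answers = records.get((qname, "A"), [])
    txt_answers = records.get((qname, "TXT"), [])
    return {
        "query": qname,
        "listed": bool(a_answers),
        "answer": a_answers,
        "reason": txt_answers[0] if txt_answers else None,
    }


if __name__ == "__main__":
    # 10.4.17.108 is the listed address from the post; .109 is not listed.
    for ip in ("10.4.17.108", "10.4.17.109"):
        result = check_client(ip)
        verdict = "REJECT" if result["listed"] else "accept"
        print(ip, result["query"], verdict, result["reason"] or "")
```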

Synchronizing with time server: [FAILED]

ntpd: Synchronizing with time server: [FAILED]
Starting ntpd: [ OK ]

When does it do the sync?

# Synchronize with servers if step-tickers exists
# or the -x option is used
echo -n $"$prog: Synchronizing with time server: "
/usr/sbin/ntpdate $dropstr -s -b -p 8 $tickers 2>/dev/null >/dev/null
RETVAL=$?
[ $RETVAL -eq 0 ] && success || failure

It does the sync when the /etc/ntp/step-tickers file is there.

[root@localhost ~]# cat /etc/ntp/step-tickers
time.vmware.com

Why would this happen? Strange stuff…

[root@localhost ~]# /etc/init.d/ntpd stop
Shutting down ntpd: [ OK ]
[root@localhost ~]# ntpdate time.vmware.com
28 Jun 10:49:44 ntpdate[25663]: step time server 10.16.12.148 offset 90.895171 sec

The ntpdate command doesn’t fail … wonder why… tail /var/log/messages shows:
Jun 28 10:52:31 localhost ntpd: ntpd shutdown failed
Jun 28 10:52:31 localhost ntpdate[26038]: can’t find host time.vmware.com
Jun 28 10:52:31 localhost ntpdate[26038]: no servers can be used, exiting
Jun 28 10:52:31 localhost ntpd: failed
Jun 28 10:52:31 localhost ntpd[26043]: ntpd [email protected] Wed Nov 17 15:43:55 EST 2004 (1)
Jun 28 10:52:32 localhost ntpd: ntpd startup succeeded

Can’t find host? Why’s that? Let’s try using the IP address instead of the name in the step-tickers file. Well, the IP address fixes it in Redhat Enterprise Linux 4, but I had this problem with ESX server (based on Redhat 7.2).

The problem was
[root@localhost ~]# file /etc/ntp/step-tickers
/etc/ntp/step-tickers: ASCII text, with CRLF line terminators

The file was a DOS file. When the problem was in ESX, I was able to see the ^M character in /var/log/messages, so I was able to fix it after finding that. Fun stuff huh?
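A check for the failure described above, as an added example that is not part of the original post: it audits the raw bytes of a step-tickers file for carriage returns and other characters that make the host name unresolvable, and returns a cleaned LF-only version. The function name and the sample byte strings are constructed for illustration.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with "-".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def audit_step_tickers(raw):
    """Inspect the bytes of a step-tickers file.

    Returns (findings, cleaned):
      findings - list of (line_number, problem) tuples
      cleaned  - LF-terminated bytes holding only the usable entries
    """
    findings, good = [], []
    for lineno, line in enumerate(raw.split(b"\n"), start=1):
        entry = line.strip()
        if not entry or entry.startswith(b"#"):
            continue  # blank line or comment
        if b"\r" in line:
            # ntpdate is handed "host\r" and reports "can't find host"
            findings.append(
                (lineno, "carriage return in entry (DOS/CRLF line ending)"))
        try:
            host = entry.decode("ascii")
        except UnicodeDecodeError:
            findings.append(
                (lineno, "non-ASCII bytes in entry (pasted smart quotes?)"))
            continue
        labels = host.rstrip(".").split(".")
        if not all(_LABEL.match(label) for label in labels):
            findings.append((lineno, "not a valid hostname or IPv4 address"))
            continue
        good.append(host)
    cleaned = "".join(h + "\n" for h in good).encode("ascii")
    return findings, cleaned


if __name__ == "__main__":
    # Constructed sample: the file from the post, saved with DOS line endings.
    dos_file = b"time.vmware.com\r\n"
    problems, fixed = audit_step_tickers(dos_file)
    for lineno, problem in problems:
        print("line %d: %s" % (lineno, problem))
    print("cleaned file:", fixed)
```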

Interesting time issue …

Interesting Time issue in Linux.

To complicate things a little, this was Redhat Enterprise Linux 4 update 2 in a VMware VM. That makes it a little more complicated because virtual machines have a time problem: in virtualization, you can’t afford to give the clock ticks that the older 2.6 kernels ask for (default 1000HZ). You can read more on it here: http://www.vmware.com/vmtn/resources/238.

So in this case, virtualization wasn’t the problem.

Here’s where I started:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

date

Mon Feb 13 18:25:28 UTC 2006

ls -ld /etc/localtime

lrwxrwxrwx 1 root root 35 Feb 13 18:25 /etc/localtime -> /usr/share/zoneinfo/America/Chicago

cat /etc/sysconfig/clock

ZONE="America/Chicago"

UTC=false

ARC=false

run hwclock – it just gives you the prompt back.

date -s "Feb 13 20:25:28 PST 2006"

run date and get

Mon Feb 13 04:25:28 UTC 2006

run setup – go through the options set it to America/Chicago and still … UTC … why!?

set:

export TZ=America/chicago

still … date shows UTC!

reboot the Vm, go into the bios … same thing …. why!!??

zdump -v America/Chicago … shows a bunch of bullshit – nothing that helps.

finally:

rpm -qf /usr/share/zoneinfo/America/Chicago

rpm --verify tzdata-2004e-2

S.5....T. /usr/share/zoneinfo/America/Chicago

S.5....T. /usr/share/zoneinfo/CST6CDT

S.5....T. /usr/share/zoneinfo/SystemV/CST6CDT

S.5....T. /usr/share/zoneinfo/US/Central

ahh … wonder how the files got changed. Anyways, it doesn’t matter.

reinstalled rpm

rpm --force -Uvh tzdata-2004e-2.noarch.rpm

Now run:

ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

Now the date’s okay … cool deal!

Sendmail routing through Microsoft Active Directory

To give credit where credit is due, the attachment was sent to me from Randy Fox from csgsystems. There’s one bug with public folders. The workaround is to create a mailing list by the same name and make the public folder a member of the list.

If you're reading this, you are probably running a Microsoft Exchange
Server, or already have sendmail relaying to an Exchange Server and want
to improve your setup.

Most sendmail to Exchange setups will take mail and blindly relay the mail
over. If yours is like this, you will know that you get email bounces that
can go nowhere, because most of those emails were spam in the first place,
sent to users that the senders don't even know exist. A major problem with
this is that it will hold up your sendmail queue and hinder your
performance, as sendmail will try to send these emails just as much as the
ones that are important and need to be sent out immediately.
This article will show you how to use sendmail's ldap features to look into
the Active Directory to see where the mail should go and have sendmail send
it there. By having sendmail look into the Active Directory, it will know
whether users exist and will stop immediately after the "RCPT TO" in the
envelope if users don't exist, eliminating the useless bounce emails that
never get anywhere.

This procedure is not fully supported by Sun support because of the amount
of customization required.

First off, you will need a version of sendmail that has ldap capabilities
compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.8+Sun
Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all
work. Patches are available for those that don’t.

The Microsoft Active Directory is a different ldap server than your typical
ldap server, so you will want to browse the directory and learn more about
how it’s designed. You will need to find or create a user that can browse
the Active Directory.

For the sake of simplicity, this example will use the Administrator userid
and his password to bind to the Active Directory server and view its
contents.

For Solaris 8-9, if you have the SUNWlldap package installed, you can use
the ldapsearch command located in /usr/bin. Run something like:

/usr/bin/ldapsearch -L -D "cn=Administrator, cn=Users, dc=domain, dc=com" \
-h domaincontroller.domain.com -b "dc=domain,dc=com" "objectclass=*" \
> /tmp/active_directory.ldif

It will ask you for a password. You want to input the Windows
Administrator’s password there. You can open the /tmp/active_directory.ldif
file and read it and you can find a lot of the information in the directory
server.

If you do not have the ldapsearch command, while logged in as Administrator
on the Exchange server, you can achieve a similar result in Windows with

ldifde -f c:\temp\export.ldif -v

Upon knowing what’s in the Active Directory, you can proceed to plug this
data into your sendmail configuration.

Because the Active Directory is a little different from your standard ldap
server, some hacks are required to make sendmail work.

You want to go into your /usr/lib/mail/hack directory. You can create it if
the directory isn’t there. (The files are attached.) In there, you want to create a file called
AD_ldap_routing.m4 and inside of it have:

divert(-1)
#
# Copyright (c) 1999-2001 Sendmail, Inc. and its suppliers.
# All rights reserved.
#
# By using this file, you agree to the terms and conditions set
# forth in the LICENSE file which can be found at the top level of
# the sendmail distribution.
#
#

divert(0)
VERSIONID(`$Id: ldap_routing.m4,v 8.8 2001/06/27 21:46:31 gshapiro Exp $')
divert(-1)

# Check first two arguments. If they aren't set, may need to warn in proto.m4
ifelse(len(X`'_ARG1_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')
ifelse(len(X`'_ARG2_), `1', `define(`_LDAP_ROUTING_WARN_', `yes')')

# Check for third argument to indicate how to deal with non-existant
# LDAP records
ifelse(len(X`'_ARG3_), `1', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 _ARG3_, `passthru', `define(`_LDAP_ROUTING_', `_PASS_THROUGH_')',
 `define(`_LDAP_ROUTING_', `_MUST_EXIST_')')

# Check for fouth argument to indicate how to deal with +detail info
ifelse(len(X`'_ARG4_), `1', `',
 _ARG4_, `strip', `define(`_LDAP_ROUTE_DETAIL_', `_STRIP_')',
 _ARG4_, `preserve', `define(`_LDAP_ROUTE_DETAIL_', `_PRESERVE_')')

LOCAL_CONFIG
# LDAP routing maps
Kldapmh ifelse(len(X`'_ARG1_), `1',
 `ldap -1 -v msExchHomeServerName,msExchExpansionServerName -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG1_')

Kldapmra ifelse(len(X`'_ARG2_), `1',
 `ldap -1 -v targetAddress -k (|(mail=%0)(proxyaddresses=smtp:%0))',
 `_ARG2_')

The next step is to make the modifications to your .mc file.

The first feature we should add is a mailertable to tell sendmail where to
send mail with different ldapsearch results.

So we add the line:
FEATURE(`mailertable')

To add the ldap features to sendmail, add the lines (of course, you put
in your domains):
HACK(`AD_ldap_routing')
LDAPROUTE_DOMAIN(`domain.com')dnl # what domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`secondarydomain.com')dnl # alternate domain to do ldap lookups for.

You then need to specify your Active Directory settings (this all fits on
one line). You will also need to create the file /etc/mail/ldap.passwd. (We
will do this later)

define(`confLDAP_DEFAULT_SPEC',`-h domaincontroller.domain.com -M simple -d "cn=Administrator, cn=Users, dc=domain, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain, dc=com"')

We will now have to add some custom rulesets. There’s also one line you need to change here:

R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*> $>LDAPMailertable <$1> $2

Make it match your organization. You can find this by looking at your
active_directory.ldif file and seeing
the msExchHomeServerName attribute. Every user entry should have something
like:

msExchHomeServerName: /o=Domain/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=domaincontroller

With that, you just strip off the last cn= and make spaces in between.

LOCAL_NET_CONFIG
R$* < @ $=m . > $* $#esmtp $@ $2 $: $1 < @ $2 . > $3 internal addr delivered to host
R$* < @ $+ . $=m . > $* $#esmtp $@ $2 . $3 $: $1 < @ $2 .$3 . > $4 internal w/host

# Begin custom LDAP rule set.
# the following lines are essentially copied from the proto.m4 file. They are entered here to maintain the proper,
# original flow control but process the Active Directory response properly.
# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $* $: $>MailerToTriple < $S > $1 < @ $2 > $3 glue on smarthost name

# deal with other remote names
R$* < @$* > $* $#esmtp $@ $2 $: $1 < @ $2 > $3 [email protected]

# handle locally delivered names
R$=L $#local $: @ $1 special local names
R$+ $#local $: $1 regular local names

SLDAPExpand
#do the LDAP lookup for the Exchange Mail Host
R<$+><$+><$*> $: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> <$3>

# if mailRoutingAddress (targetAddress) and local or non-existant mailHost,
# return the new mailRoutingAddress
R<$+> <$=w> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1
R<$+> <> <$+> <$+> <$*> $@ $>Parse0 $>canonify $1

# fix hostname in Mailertable, relay from there
R<$+> <$+> <$+> <$+> <$*> $>LDAPMailertable <$2> $>canonify $1

# if no mailRoutingAddress and local mailHost,
# return original address
R<> <$=w> <$+> <$+> <$*> $@ $2

# if no mailRoutingAddress and non-local mailHost,
# relay to mailHost (Exchange Server) with original address
# "de-AD" response at same time
# You'll need to do the query manually to find the proper stuff to pull out
R<> </ o=CSG Systems , Inc . / ou=CSG / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*> $>LDAPMailertable <$1> $2

# if still no mailRoutingAddress and no mailHost,
# try @domain
R<> <> <$+> <$+ @ $+> <$*> $@ $>LDAPExpand <$1> <@ $3> <$4>

# if no mailRoutingAddress and no mailHost and this was a domain attempt,
# return the original address
R<> <> <$+> <@ $+> <$*> $@ $1
# End of custom LDAPExpand rule set

You now want to create your cf file.

/usr/ccs/bin/m4 ../m4/cf.m4 file.mc > file.cf

Now that we're done with the cf file, we need to supply the other files to
the configuration.
Create the ldap.passwd file. It holds the bind password in clear text, so
keep it readable by root only:
echo "activedirectorypassword" > /etc/mail/ldap.passwd

Create the mailertable to tell sendmail where to send the mail. When we
stripped the last cn= off of the msExchHomeServerName, we will take that
and put it here. So my /etc/mail/mailertable will look like:
cn=domaincontroller esmtp:exchangeserver.domain.com

After you create this file, you will need to put it in the database for
sendmail to read it. Do this by running the command:
makemap -v hash /etc/mail/mailertable < /etc/mail/mailertable

You will also need to tell sendmail that you take mail for the domain as
well, so you want to put your domain in /etc/mail/local-host-names.
echo "domain.com" > /etc/mail/local-host-names

Now we will need to restart sendmail and test it. Run a command like this
for a user in the Active Directory:
/usr/lib/sendmail -bv [email protected]

You should see: [email protected]… deliverable: mailer esmtp, host
domaincontroller.domain.com, user [email protected]

If you run the same command on a user that’s not in the Active Directory,
you should get:
/usr/lib/sendmail -bv [email protected]
[email protected]… User unknown

Once you’ve got this, you’re all set!

————————————————————————————————————-
Some ideas on troubleshooting:

If you see
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer relay, host cn=exchangeserver, user
[email protected]

You probably forgot the mailertable. The mailertable translates the cn=host
to the actual host and tells it which protocol to use to send the mail. In
our case, we use esmtp.

If you see something like this:
/usr/sbin/sendmail -bv [email protected]
[email protected]… deliverable: mailer esmtp, host domain.com., user
>/o=domain/ou=First.Administrative.Group/cn=Configuration/cn=Servers/[email protected]@domain.com<

You have the wrong data in the area where it says:
# relay to mailHost (Exchange Server) with original address
# “de-AD” response at same time
in the sendmail.mc file.

 

Because it’s hard to read the .mc file stuff in the text, you can download the files here: AD_Routing.tar

Controlling SPAM with Sendmail

It's annoying to read. It wastes your time. It wastes your disk space. It can also be a really big problem for mail administrators, especially for those with large networks and many users to look over.

There are many solutions to battle spam, but most administrators are hesitant because there is a good chance of blocking or discarding legitimate, and possibly important, email in the process.

Hopefully this article will give you a better understanding of what is at risk and what you can do about blocking, discarding, or marking spam, so that you can increase your mail performance, save disk space, and save the time spent reading through it.

Well, let’s get started …

First, let’s see that you’re not part of the problem. More specifically, let’s make sure that you’re not helping the spammers by being an open relay. This just means that you don’t allow unauthorized people to relay mail through your mail server. This isn’t likely if you’re using Sendmail 8.9 or above, but if you are using custom rulesets or if you played with the sendmail.cf file yourself, you may want to have this checked out. Let’s also check to see if you’re listed on any blacklists while you’re at it. The site I like to use to test open relays is http://www.ordb.org. There, you just put in your IP address and in a day, you should get the results. You can check if you’re listed on any blacklists by going to http://www.dnsstuff.com in their spam database lookup. If you are listed, you may want to contact the list owner to have yourself removed after a test or with an explanation.
Another thing you can do to protect your users and increase the performance of your system is to add to your mc file:
define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,goaway,needmailhelo,restrictqrun')
This will stop spammers from checking against your machine to see if a user exists, make sure that all mail that comes in starts with the MTA saying “helo,” and allow only root to run the mail queue. Disallowing the features will help increase your performance because your system will no longer respond to a bunch of useless questions.
Let’s start fighting spam!
The risk in blocking spam could be substantial. The last thing you want to do is block an important email that could have meant a lot of business. Of course, the least risky method would be not to block spam at all, but what would be the point of this article?
We should look at the differences between the versions of Sendmail, because the higher the version, the more you can do against spam and the easier it is.
An example of this is that in Sendmail 8.9 or higher, there’s a:
FEATURE(`accept_unresolvable_domains')dnl
If this feature is not included in the sendmail configuration, sendmail will not accept mail from domains that do not resolve, meaning that there is no A record or MX record for that domain. This prevents spammers from coming up with fake domain names or at least limits them to only certain fake domain names.
One caveat for this is that as you probably know, some DNS servers do get poisoned or cache false information. For this reason, this can prevent you from getting legitimate email.
In Solaris, this feature is automatically turned on in DOMAIN(solaris-generic). For that reason, in the sendmail.mc file, you may wish to replace
DOMAIN(solaris-generic)dnl
with
DOMAIN(solaris-antispam)dnl
Changing to DOMAIN(solaris-antispam) will remove FEATURE(`accept_unqualified_senders') from your mc file as well.

SUBJECT BLOCKING
A relatively low risk method of blocking spam is by subject line. You can do this with a simple addition to the mc file before compiling it.
Details for this are here:
http://lantech.geekvenue.net/chucktips/ … index_html
This would be good for blocking viruses that are going around and spam with the same subject line. The subject line here however, would have to be an exact match. Of course, spammers are smarter than this. For this reason, on a lot of spam, you will see that the subject lines have random characters at the end of them. Sendmail allows for regular expression matching as well. To do this, there is an example in the README file in /usr/lib/mail/cf. It’s available in Sendmail 8.10 or above.

ACCESS DATABASE
The next relatively risk-free method of blocking spam is by their envelope from address. In Sendmail 8.8.8 (Solaris 2.6), it is relatively expensive and your list probably shouldn’t be very big and it is also somewhat difficult as well. You can store a list of hosts and a list of email addresses, but they get stored as a list and not a map. Your performance degrades as your list gets longer since the entire file is read and each mail will go through the list of checks as it is processed.
Details for setting this up are here: http://www.Sendmail.org/%7Eca/email/check.html
In Sendmail 8.9 and above (Solaris 7-9), you have what is known as the access database. With this, you can keep a large list of email addresses, domains, subdomains, IP addresses, and even IP networks. Since it is stored in a map (hashed database), regardless of its size, Sendmail will look at a map and make one call. (It will take longer to build the map if it's larger and while the map is being built, you won't have one in its place, but that's a different discussion.) I would advise keeping a pretty big list. I have a relatively small list of domains and no IP addresses in my list because IP addresses change ownership and there's always that ever so slight chance that you're blocking email from a domain that you want email from. I have a pretty big list of email addresses. Some can argue that it's pointless because the spammers can change their email addresses each time, but I think that it's still worth having.

To use the access database, in versions 8.9 and higher, simply add to your mc file:
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
Or
FEATURE(`access_db',`hash -T -o /etc/mail/access.db')dnl (in Sendmail 8.12)
Create the file: /etc/mail/access
websculptures.com RELAY
bounced.surecom.com REJECT
[email protected] REJECT
xxxmailgirl.com DISCARD
[email protected] 550 No Such User
You can use the RELAY (if you relay for the domain like being a secondary MX record), REJECT will give an access denied by default, and DISCARD will throw the message into /dev/null. You can also give your own error message and assign it a number. Different numbers are supposed to mean different things – you should follow the error codes listed in RFC 821. I like to use discard because you don’t want spammers to get any more clever in their spamming ways and one way of assuring this is by letting them think that you received the email. After you’re done building the file, you need to build the database. Do this with:
makemap hash /etc/mail/access < /etc/mail/access
You do not need to restart Sendmail for this to take effect.

DNS BLACKLISTS (RBL)
Realtime Blackhole Lists are lists of mail servers on the Internet that are either open relays or known spammers. They are useful in stopping spam because they are lists that you do not have to maintain. They are hosted on the Internet; some are free, some are not. Once a connection is made to your mail server, it will do a DNS lookup against the list to see if the client is listed. If listed, your server will return an error message to the client. This message is custom, but usually will say something like you are listed on this blackhole list and go to them to get removed.

Detailed instructions on setting this up are here: http://mail-abuse.org/rbl/usage.html

On Sendmail 8.9 or higher, it’s very simple. Add the following lines to your mc file:
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `blackholes.mail-abuse.org')dnl
You can replace “blackholes.mail-abuse.org” with any other services you will be using.
Here’s a pretty extensive list: http://www.declude.com/junkmail/support/ip4r.htm
Be aware that not all of them are known spammers and I’m not sure if the lists are maintained by humans. Using the lists can make you lose legitimate emails. They show no mercy on incompetent email administrators who do not know how to protect their machines from sending out spam.
Another note worth mentioning is that the lists can degrade your performance as well. If you are getting too many mails from different IP addresses for instance or if you are using too many lists and your DNS server is slow, you can have problems. If the list maintainers allow you to download their zone files into your own DNS server, you best do so.

THIRD PARTY PRODUCTS – SPAMASSASSIN & RAZOR w/ PROCMAIL or MIMEDefang
Spamassassin (http://www.spamassassin.org) and Vipul's Razor (razor.sf.net) are two free and very effective spam-fighting applications. They both require compilation, however. If you enjoy compiling software and have a spam problem, these tools are well worth the time in setting up. Being effective tools, it would make sense that they are complicated. Spamassassin will look through your mail and see if it fits a bunch of tests listed here: http://www.spamassassin.org/tests.html. If it fits a particular test, it will assign points to it. So if the email has "sex" in it or if its html is formatted a certain way, it will give or take points. A final value will determine whether or not the mail is spam. You have the power to customize the amount of points it assigns for each test and you also can decide on how many points an email has to have in order to be considered spam. Another nice feature of Spamassassin is that it uses the DNSBLs. It can see that an email came from a certain IP address and rather than reject the mail outright, it will assign it points and the rest of the email can determine whether or not the email is spam. It can also incorporate Vipul's Razor. Vipul's Razor is a "distributed, collaborative, spam detection and filtering network." Spamassassin can take the Razor's score into consideration as well.
While Spamassassin and Razor are good applications, you will need to find a way for Sendmail to call these applications and use them. The easiest way I think is with Procmail (http://www.procmail.org). Using Procmail, however, limits your mail scanning because it is not done as you are receiving the mail, but after Sendmail has already received the mail and passed it on to the mailer. This means that it would not work for domains that you relay for, only users and aliases on that machine.
Instructions for installing Spamassassin (http://www.spamassassin.org/dist/INSTALL) and Razor (http://razor.sourceforge.net/docs/install.html and http://razor.sourceforge.net/docs/razor-check.html) both include the usage of Procmail. Here are some other cool things you can do with procmail: http://www.uwasa.fi/~ts/info/proctips.html.
For scanning all incoming mail, I think that MIMEDefang (http://www.roaringpenguin.com) is one of the best milter applications available. It checks mail as it is being received and can decide while in transit, whether to relay, deliver, discard, or reject the email. MIMEDefang works well with various antivirus applications and works with Spamassassin. For milter capability however, you should run Sendmail version 8.12 or higher. It was available at the time that 8.11 was out, but we are advised not to use it. Sun’s 8.11.6 version of sendmail does not have milter compiled into it. Sun’s 8.12 Sendmail does, but the operating system does not include the libmilter.a file. For this, you will have to download the source (from http://www.sendmail.org) and compile it from the libmilter directory.
MORE TALK ON SENDMAIL VERSIONS
If you are running Solaris 2.6, you should be running Sendmail 8.8.8. For Solaris 7 and 8, you should run 8.11.6 and for Solaris 9, you should be running 8.12.8. If not, patches are available. The way to determine the version you are running is with the command:
/usr/lib/sendmail -d0.101
If you wish to be running any other version of Sendmail, you can compile it from the source from http://www.sendmail.org. I would like to point out that if you do, you should at least compile in the:
define(`confMAPDEF', `-DNEWDB')
This is for hash support in your maps (virtusertable, access_db, genericstable, etc.) You will need the BerkeleyDB (http://www.sleepycat.com) for this.
SOME OTHER SPAM REFERENCES
http://spam.abuse.net/adminhelp/mail.shtml
http://www.digitalanswers.org/check_local