RE: Receiver (To/CC envelope fields) addresses verification against LDAP/Active Directory in sendmail
-Original Message-
From: Mikhail Goriachev [mailto:[EMAIL PROTECTED]
Sent: Saturday, 7 April 2007 3:23 PM

> You could use /usr/ports/mail/mimedefang (www.mimedefang.org) miltered into your sendmail. Sorta like py-milter but in perl.
>
> The simplest, quickest and dirtiest solution would be to feed a list of valid recipients into mimedefang and let it accept or reject incoming mail. Then it is a matter of finding a way to keep the list up to date.
>
> Or, instead of feeding mimedefang with a list, you could instruct it to poll your internal mail server like you already suggested.
>
> For a long term solution I prefer storing aliases, maps, etc. in LDAP.

The LDAP solution would be ideal. The export/access list method you suggest is what LDAPMAP seems to do, but it doesn't compile. I am no coder, so if it doesn't compile right off I won't use it, figuring it will be a hack each time it has to be updated even if I manage to figure out what's stopping it from compiling.

I am considering writing a script that exports all valid addresses from Active Directory via LDAP and then processes the results and appends it to the sendmail access database (I hope that there is an alternative to REJECT, as that would enable directory harvesting), a catch-all in virtual users to send anything that isn't valid straight to /dev/null.

This poses some risks, however. I would have to build in checks to make sure that an empty or incomplete list was never posted, otherwise, whammo, all mail gone. Will give it some thought.

I see Mimedefang everywhere, but I have not messed about with it yet. I guess I need to run up a trial VM to have a go, though I have absolutely no perl skills at all.

Thanks for the suggestions!

Chris Martin
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
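The export-and-publish step discussed in this message, with the guard against an empty or incomplete list, as an added example that is not code from the thread. It assumes the addresses have already been exported from Active Directory into a list, that they are written to a separate access-map fragment (the path, the `example.test` domain and the thresholds are hypothetical), and that the sendmail configuration consults `To:` entries for recipients; the temp-fail right-hand side is one possible alternative to REJECT.

```python
import os
import re
import tempfile

ADDR_RE = re.compile(r"^[a-z0-9._%+'-]+@[a-z0-9.-]+\.[a-z]{2,}$")
# Assumption: unknown recipients in the domain get a temporary failure.
UNKNOWN_RHS = "ERROR:4.2.0:450 Mailbox temporarily unavailable"


def previous_addresses(path):
    """Addresses published last time (the 'To:user@domain RELAY' lines)."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        keys = [ln.split()[0] for ln in fh if ln.startswith("To:")]
    return {k[3:] for k in keys if "@" in k}


def vet_export(exported, previous, domain, min_count=5, max_shrink=0.2):
    """Return (addresses, None) when safe to publish, else (None, reason)."""
    addrs = sorted({a.strip().lower() for a in exported if a.strip()})
    for a in addrs:
        if not ADDR_RE.match(a) or not a.endswith("@" + domain):
            return None, "unexpected entry in export: %r" % a
    if len(addrs) < min_count:
        return None, "only %d addresses, floor is %d" % (len(addrs), min_count)
    if previous and len(addrs) < len(previous) * (1 - max_shrink):
        return None, "list shrank from %d to %d" % (len(previous), len(addrs))
    return addrs, None


def publish(path, exported, domain, **limits):
    """Replace the fragment atomically, or leave it untouched and say why."""
    addrs, reason = vet_export(exported, previous_addresses(path), domain, **limits)
    if addrs is None:
        return reason  # caller logs/alerts; the live list is not modified
    body = "".join("To:%s\tRELAY\n" % a for a in addrs)
    body += "To:%s\t%s\n" % (domain, UNKNOWN_RHS)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)  # readers see the old file or the new one, never half
    return None
```

The access map still has to be rebuilt with `makemap` after a successful publish; a refused export leaves the previous list in service, so a bad LDAP query costs freshness rather than mail.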
RE: Receiver (To/CC envelope fields) addresses verification against LDAP/Active Directory in sendmail
-Original Message-
From: Chuck Swiger [mailto:[EMAIL PROTECTED]
Sent: Saturday, 7 April 2007 12:44 AM

> You don't seem to mention using greylisting-- that will return a 4xx temp failure for all initial connections (except from sites which have been whitelisted). Only if the sender retries will the mail go through-- this works great against dictionary-style attacks.
>
> --
> -Chuck

The nervous nellies above me with more sway are anti-greylisting, and my powers of persuasion have not been up to the task of changing their thinking. I have also read many comments along the lines of "It won't be long before the spammers change their tactics again to remove the effectiveness of greylisting".

Additionally, we have a sales department and they all whinge about any sort of lag, and get full support of management to yell at us when they have to wait an extra minute or two for mail to arrive (and boy do they complain when a 30 MB e-mail takes 10 minutes to get to a client! Not that that is relevant to this subject).

I guess I could white-list out all of sales' and senior management's addresses. I could even do an export from Active Directory to produce the whitelist, and that would allow me to only do certain departments. And worst-case scenario is everyone's mail is delayed a little, whereas the other method could result in lost mail if the LDAP query gets weird results. As that actually is lowering risk I could probably convince management on that footing.

Great suggestion! Will have to run up a trial and check it out.

Chris Martin
RE: Receiver (To/CC envelope fields) addresses verification against LDAP/Active Directory in sendmail
On Sat, 7 Apr 2007, Christopher Martin wrote:

> I guess I could white-list out all of sales' and senior management's addresses.

The scenario where sales and senior management get all their spam with no delay and everyone else gets the benefit of greylisting sounds pretty much ideal.

Incidentally, my experiments with varying the greylisting timeout period have shown no appreciable difference. It's the initial refusal that does the most good; spam zombies generally can't afford the time to retry. I have seen a few where there's a quick attempt to resend the same spam from up to about five different spam zombies, but greylisting handles that very effectively.

-Warren Block * Rapid City, South Dakota USA
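The greylisting behaviour described in this thread, as an added example that is not code from any poster or from a real greylisting milter: the first attempt for each (client IP, sender, recipient) triplet gets a 451, a retry after the delay passes, and exempt recipients skip the check. All addresses and traffic are constructed.

```python
class Greylist:
    """Tempfail the first attempt from each (client IP, sender, recipient)."""

    def __init__(self, min_delay, exempt_recipients=()):
        self.min_delay = min_delay      # seconds before a retry is accepted
        self.exempt = {r.lower() for r in exempt_recipients}
        self.first_seen = {}            # triplet -> time of first attempt

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply code for this RCPT: '250' or '451'."""
        rcpt = rcpt.lower()
        if rcpt in self.exempt:
            return "250"                # exempt mailbox: no delay, no filtering
        key = (client_ip, sender.lower(), rcpt)
        seen = self.first_seen.setdefault(key, now)
        return "250" if now - seen >= self.min_delay else "451"


# Constructed traffic as (time in seconds, client IP, sender, recipient):
# five zombies push the same spam once each within seconds, a real MTA
# retries after 15 minutes, and one spam goes to an exempt mailbox.
ATTEMPTS = [(t, "192.0.2.%d" % (10 + t), "x@spam.example", "staff@example.test")
            for t in range(5)]
ATTEMPTS += [
    (10, "198.51.100.7", "client@partner.example", "staff@example.test"),
    (12, "192.0.2.99", "y@spam.example", "sales@example.test"),
    (910, "198.51.100.7", "client@partner.example", "staff@example.test"),
]


def accepted(min_delay):
    """Replay ATTEMPTS and return (time, recipient) of each accepted RCPT."""
    gl = Greylist(min_delay, exempt_recipients=["sales@example.test"])
    return [(t, rcpt) for t, ip, sender, rcpt in ATTEMPTS
            if gl.check(ip, sender, rcpt, t) == "250"]


if __name__ == "__main__":
    for delay in (60, 300, 900):
        print(delay, accepted(delay))
```

Each zombie is a new triplet because its IP differs, so none is accepted at any of the three delays; the only spam that gets through is the one addressed to the exempt mailbox.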
Receiver (To/CC envelope fields) addresses verification against LDAP/Active Directory in sendmail
Spam with randomly generated recipient addresses is draining our mail system's life away, and it seems the easiest way would be to verify the receiving party's/parties' address against Active Directory and then TEMPFAIL any mails that don't have any valid internal mails (rejects would allow directory harvesting to work).

Our network has a frontline mail filter system running FreeBSD 6.2, Sendmail, milter-regex, Spam Assassin 3.1.8 and Clam AV, which delivers to our internal Exchange server via a smarthost entry.

I would prefer to do the check in a milter, if for no other reason than it removes the need to make unorthodox changes to the sendmail configuration files, and they can also be tested offline before being included in the main sendmail configuration, however the one milter I found that seems to provide what I want, LDAPMAP, doesn't seem to compile under FreeBSD (tried both make and gmake). I found LDAPMAP via this link:

http://www.issociate.de/board/post/404279/Sendmail_LDAP_access_milter.html

So, have I completely missed a milter in the ports tree that fulfils all my dreams, or am I going to have to get a little more exotic?

I found milter-ahead (from Snertsoft), but it's no longer free.

I found an article (link below) which suggests a rather hacky seeming solution by using LDAP Routing Maps, but I seem to recall reading posts in the past that said that this was a BAD THING(tm) when used in combination with smarthost delivery.

http://groups.google.com.au/group/comp.mail.sendmail/browse_thread/thread/e80adc7166005b3c/aa657b332703fe6c%23aa657b332703fe6c

Am I going to need to use the hacky solution, or is there a cleaner way? I guess what I am trying to avoid is having to set up a duplicate machine so I can test the hacky solution in isolation (I don't feel my understanding of Sendmail is good enough to quickly fix any problems that arise from hacking the config, and the system is already live).

Anyone have any suggestions? Has anyone used the hacked LDAProuting method with smarthost and had it work?

Maybe I am going to have to hack something together using milter-cli or py-milter to connect up on SMTP port of the Exchange server and do a HELO, FROM and RCPT and see if the account is valid.

Am I missing something basic?

Currently, we're very happy with the accuracy of our system, but 80% of the spam that hits our quarantine isn't even addressed to someone in the organisation, thus giving us a pile of cruft to go through that is 5 times as big as it should be.

Any help or suggestions are appreciated!

Chris Martin
Re: Receiver (To/CC envelope fields) addresses verification against LDAP/Active Directory in sendmail
Christopher Martin wrote:

> Spam with randomly generated recipient addresses is draining our mail system's life away, and it seems the easiest way would be to verify the receiving party's/parties' address against Active Directory and then TEMPFAIL any mails that don't have any valid internal mails (rejects would allow directory harvesting to work).
>
> Our network has a frontline mail filter system running FreeBSD 6.2, Sendmail, milter-regex, Spam Assassin 3.1.8 and Clam AV, which delivers to our internal Exchange server via a smarthost entry.

You don't seem to mention using greylisting-- that will return a 4xx temp failure for all initial connections (except from sites which have been whitelisted). Only if the sender retries will the mail go through-- this works great against dictionary-style attacks.

--
-Chuck
Re: Receiver (To/CC envelope fields) addresses verification against LDAP/Active Directory in sendmail
Christopher Martin wrote:

> Spam with randomly generated recipient addresses is draining our mail system's life away, and it seems the easiest way would be to verify the receiving party's/parties' address against Active Directory and then TEMPFAIL any mails that don't have any valid internal mails (rejects would allow directory harvesting to work).

[ trim ]

> Anyone have any suggestions? Has anyone used the hacked LDAProuting method with smarthost and had it work?
>
> Maybe I am going to have to hack something together using milter-cli or py-milter to connect up on SMTP port of the Exchange server and do a HELO, FROM and RCPT and see if the account is valid.
>
> Am I missing something basic?
>
> Currently, we're very happy with the accuracy of our system, but 80% of the spam that hits our quarantine isn't even addressed to someone in the organisation, thus giving us a pile of cruft to go through that is 5 times as big as it should be.
>
> Any help or suggestions are appreciated!

You could use /usr/ports/mail/mimedefang (www.mimedefang.org) miltered into your sendmail. Sorta like py-milter but in perl.

The simplest, quickest and dirtiest solution would be to feed a list of valid recipients into mimedefang and let it accept or reject incoming mail. Then it is a matter of finding a way to keep the list up to date.

Or, instead of feeding mimedefang with a list, you could instruct it to poll your internal mail server like you already suggested.

For a long term solution I prefer storing aliases, maps, etc. in LDAP.

I hope this helps.

Regards,
Mikhail.

--
Mikhail Goriachev
Webanoide
Telephone: +61 (0)3 62252501
Mobile Phone: +61 (0)4 38255158
E-Mail: [EMAIL PROTECTED]
Web: www.webanoide.org