diff options
author | Bob Beck <beck@cvs.openbsd.org> | 1998-02-07 21:05:52 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 1998-02-07 21:05:52 +0000 |
commit | 89d256ebd464730f9e5e861ede1694e4dbee790c (patch) | |
tree | 421034e5f754cb017a2fc01026a7f3dc91183a1d /share | |
parent | 0e4dd16744ca5918503acd651582f58301d828a1 (diff) |
smtpd/smtpfwdd examples.
Diffstat (limited to 'share')
-rw-r--r-- | share/smtpd/Makefile | 13 | ||||
-rw-r--r-- | share/smtpd/README | 74 | ||||
-rw-r--r-- | share/smtpd/example.antispam | 90 | ||||
-rw-r--r-- | share/smtpd/example.features | 48 | ||||
-rw-r--r-- | share/smtpd/example.norelay | 34 |
5 files changed, 259 insertions, 0 deletions
diff --git a/share/smtpd/Makefile b/share/smtpd/Makefile new file mode 100644 index 00000000000..9464f4c036b --- /dev/null +++ b/share/smtpd/Makefile @@ -0,0 +1,13 @@ +# +# $Id: Makefile,v 1.1 1998/02/07 21:05:50 beck Exp $ +# +FILES= example.* +NOOBJ= noobj + +all clean cleandir depend lint tags: + +install: + install -d ${DESTDIR}${BINDIR}/smtpd + install -c -m 0444 ${FILES} ${DESTDIR}${BINDIR}/smtpd + +.include <bsd.prog.mk> diff --git a/share/smtpd/README b/share/smtpd/README new file mode 100644 index 00000000000..fc357d5b925 --- /dev/null +++ b/share/smtpd/README @@ -0,0 +1,74 @@ + + OpenBSD smtpd/smtpfwdd README + +WHAT IS IT?: + + smtpd and smtpfwdd are an implementation of a store and forward +smtp proxy. Smtpd is a daemon witch runs in a chrooted environment and +talks smtp in order to recieve mail. It spools received mail to it's +chroot. Smtpfwdd is a daemon which periodically scans the smtpd chroot +directory and invokes sendmail to deliver the mail, either locally or +by forwarding it to its eventual destination. + +INSTALLATION: + + To use the smtpd and smtpfwdd distributed with OpenBSD you will +need to perform a couple of steps. + +1) edit /etc/rc.conf + change smtpfwdd_flags from NO to "". + change sendmail_flags to "-q30m". + +sendmail_flags="-q30m" # for 'normal' use: sendmail_flags="-bd -q30m" +smtpfwdd_flags="" # for 'normal' use: smtpfwdd_flags="", no -bd above. + + +2) edit /etc/inetd.conf + uncomment the line : + +smtp stream tcp nowait root /usr/libexec/smtpd smtpd + +3) make the chroot needed by smtpd to run in: + + mkdir /var/spool/smtpd + chmod 700 /var/spool/smtpd + chown uucp.daemon /var/spool/smtpd + mkdir /var/spool/smtpd/etc + chmod 755 /var/spool/smtpd/etc + cp /etc/resolv.conf /var/spool/smtpd/etc/resolv.conf + chmod 644 /var/spool/smtpd/etc/resolv.conf + cp /etc/localtime /var/spool/smtpd/etc/localtime + chmod 644 /var/spool/smtpd/etc/localtime + touch /var/spool/smtpd/etc/smtpd_check_rules + chmod 644 /var/spool/smtpd/etc/smtpd_check_rules + +4) edit /var/spool/smtpd/etc/smtpd_check_rules appropriately for your + domain. A good starting point is the example.norelay in this directory, + although you will need to edit this file to use it. + +5) Now reboot, and you should be set up running smtpd. + +NOTES: + + If you intend to run smtpd on a dual homed bastion host type +firewall system as a store and forward smtp proxy, you will need to +play some minor DNS games. This is necessary to ensure that while +externally your mail is MXed to your firewall host, internally, your +mail is MX'ed to your real internal mailhost. Briefly, this is done as +follows: + + 1) Your internal DNS knows about everything in your domain, +(including extrenally visible hosts) and MX'es mail to the internal +mailhost. It uses your external DNS as a forwarder. (Note this means +that the external DNS must be accessible by the internal DNS + + 2) Your external DNS knows about only your externally visible +hosts, and MX's mail to your firewall bastion host. + + 3) Your firewall bastion host uses the internal DNS in it's +etc resolv.conf. + + You should refer to either the O'reilly "DNS and BIND" book by +Paul Ablitz and Cricket Liu, or "Building Internet Firewalls" by Brent +Chapman and Elizabeth Zwickery for details on this type of split DNS +setup. diff --git a/share/smtpd/example.antispam b/share/smtpd/example.antispam new file mode 100644 index 00000000000..607d0cd0335 --- /dev/null +++ b/share/smtpd/example.antispam @@ -0,0 +1,90 @@ +# example antispam file. Modify to suit your needs. +# +# This file goes in /var/spool/smtpd/etc/smtpd_check_rules +# once you have modified it appropriately for your site. +# +# This example does two things: 1, it prevents unauthorized relaying, +# 2), it blocks incoming SPAM from the major SPAM domains. To keep +# an eye on the current worst offenders, check out http://spam.abuse.net/ +# +# If you really dislike SPAM, you can try compiling with NOTO_DELAY +# set to some (relatively small) value, and changing the "noto" rules +# in this file to "noto_delay" rules. +# +# This file assumes that our domains are "mydomain.com" and "otherdomain.com". +# assumes our dns servers are "dns1.mydomain.com", etc. etc. +# you will need to edit this file for your own use. + +# First, allow us to relay outgoing mail from our hosts. +allow:*mydomain.com *otherdomain.com:ALL:ALL + +# don't allow people to use %hack to relay off of me. +noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. +noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. +noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. + +# First, the exceptions. +# "I'll have your spam dear, I love it!" +# +# The people below have requested that all mail be let through to them +# with no filtering for SPAM, and we accomodate them here. +# +allow:ALL:ALL:ALL@hormel.mydomain.com spamboy@otherdomain.com + + +# Block any connections from host in the MAPS rbl at rbl.maps.vix.com +# Beware that this can throw the baby out with the bathwater. +# this one line will mimic the usual sendmail behaviour when using the MAPS RBL +noto:RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused from host %I in MAPS RBL, see http%C//maps.vix.com/rbl/ + +# Block any connections from a host or connecting address who uses a +# nameserver for which the address is in the MAPS rbl at rbl.maps.vix.com. +# Note that this can *really* throw the baby out with the bathwater, +# be sure you understand the implications before using the two below. +#noto:NS=RBL.rbl.maps.vix.com:ALL:ALL:550 Mail refused due to nameserver for %H(%I) in MAPS RBL, see http%C//maps.vix.com/rbl/ +#noto:ALL:NS=RBL.rbl.maps.vix.com:ALL:550 Mail refused due to nameserver for %F in MAPS RBL, see http%C//maps.vix.com/rbl/ + + +# block anyone who uses a major SPAM provider as a nameserver or MX. either +# on a connection from one of their hosts, a connection from a host they act +# as a nameserver for, or a connection with a FROM: address that uses +# a nameserver or MX from a them. As an example, we use the old cyberpromo +# netblocks below. You should not use a rule such as below unless you are +# sure the netblock *currently* belongs to a spamhaus. +#cyberpromo.com +#noto:205.199.212.0/24 205.199.2.0/24 207.124.161.0/24 204.137.221.0/24:ALL:ALL +#noto:ALL:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL +#noto:NS=205.199.212.0/24 NS=205.199.2.0/24 NS=207.124.161.0/24 NS=204.137.221.0/24:ALL:ALL + + + +# dump things with a bogus rhs to a FROM: addresses. usually spammers +# This drops any message where the FROM: address is given as +# anything@bogus, where "bogus" is +# 1) not resolvable as a hostname. +# 2) not resolvable as an NS or MX record +# In other words, this basically tosses anything that gives a FROM address +# in the smtp dialogue that you would probably have no hope of replying +# to via smtp. + +# You can may wish to use a 450 (which invites the sender to retry) +# rather than a 550 that won't in order not to lose real mail that has +# no resolution due to temporary DNS problems. However be warned that +# if you do lots of SPAM may get retried a lot. I've had varying +# success with using 450 depending on how busy the site is. +noto:ALL:NS=UNKNOWN:ALL:550 Your FROM address (%F) doesn't seem to resolve to a host, domain, or MX record. Please mail to %T from a valid e-mail address. + +# dump bozos with all digit addresses. almost always spammers. +noto:ALL:/^[0-9]+@.*$/:ALL + +############################################## +# otherwise, allow untrusted connections with mail to anywhere we MX +# this should do it nicely: +allow:ALL:ALL:NS=dns*.mydomain.com +# An alternative is to allow by domain, below. +allow:ALL:ALL:*mydomain.com *otherdomain.com + +############################################## +# don't relay mail to other places from other connections, so +# we don't get used as a spam relay +noto:ALL:ALL:ALL:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. diff --git a/share/smtpd/example.features b/share/smtpd/example.features new file mode 100644 index 00000000000..a378c2973ea --- /dev/null +++ b/share/smtpd/example.features @@ -0,0 +1,48 @@ +# +# example smtpd rules file. +# Also note, this isn't real. It's chosen for illustrative purposes. +# not for practicality. +# +# Rule syntax [allow|deny]:SourceList:FromList:ToList:[XXX message] +# + +# allow the users on the freenet host to send mail from their username +# (obtained by ident query to the box) and no other, except for +# "root" and "uucp", which MTA's on the machine may run as. +allow:root@freenet.my.domain uucp@freenet.my.domain:ALL:ALL +allow:ALL@freenet.my.domain:USER@freenet.my.domain:ALL +deny:freenet.my.domain:ALL:ALL + +# I'm in front of some other people's mail. Allow their mailhost +# to send mail out coming from themselves, but not from other addresses. +allow:mailhost.other1.org:ALL@other1.org ALL@mailhost.other1.org:ALL +deny:mailhost.other1.org:ALL:ALL +allow:mailhost.other2.org:ALL@other2.org ALL@mailhost.other2.org:ALL +deny:mailhost.other2.org:ALL:ALL +# Allow everything else inbound to them +allow:ALL:ALL:ALL@other2.org ALL@mailhost.other2.org +allow:ALL:ALL:ALL@other1.org ALL@mailhost.other1.org + + +# we had a problem with internal people subscribing to lists on +# xxx.com. As such we got a directive from on high that +# we really don't need our people to send any mail to that site. +deny:*.my.domain:ALL:ALL@xxx.com ALL@*.xxx.com + +# don't allow my users to subscribe to majordomo mailinglists except from +# certain machines, and then, only as themselves according to ident. +# except for "luser" who got caught trying to subscribe me to a bunch of +# mailing lists about therapy for control freaks. +allow:ALL@loginhost.my.domain ALL@otherhost.my.domain EXCEPT luser@*.my.domain:USER@my.domain:majordomo@ALL +deny:*.my.domain:ALL:majordomo@ALL + +# allow sources in my domain to mail out with from addresses looking like they +# are from my domain's two allowed forms of email address. +allow:*.my.domain 192.168.20.* 192.168.30.*:ALL@my_domain ALL@mailhost.my.domain:ALL + +# relay incoming mail to my domain. +allow:ALL:ALL:*my.domain + +# don't relay anything else out (bogus FROM:, external spammer using us as a +# relay, etc). +deny:ALL:ALL:ALL diff --git a/share/smtpd/example.norelay b/share/smtpd/example.norelay new file mode 100644 index 00000000000..e2a976e33d6 --- /dev/null +++ b/share/smtpd/example.norelay @@ -0,0 +1,34 @@ +# A simple anti-relay only example. Make sure you don't get used as a third +# party relay to spam other unfortunate people and grind your server +# to a halt dealing with the complaints. + +# this file goes into /var/spool/smtpd/etc/smtpd_check_rules once you +# have made the appropriate modifications to it. + +# assumes we are "my.domain". - edit for your own use. + +# Don't allow people to %hack relay off of me. +noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. +noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. +noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T. + +# we can allow outbound mail from our own hosts by allowing +# outbound from hosts that have dns.my.domain as one of +# their nameservers. this might be useful if we sit in front of a +# lot of domains. but will be slower than below. +#allow:NS=dns.my.domain:ALL:ALL +# alternatively, if we don't want to bother with a name lookup, +# we can simply allow all hosts ending in my.domain to relay through me. +allow:*my.domain:ALL:ALL + +# Again, for inbound mail we can match on the nameserver +# accepting mail for any address where the RHS uses us as a nameserver. +#allow:ALL:ALL:NS=dns.my.domain +# alternatively, allow anything ending in my.domain. +allow:ALL:ALL:*my.domain + +# +# punt anything else, we won't relay for people we don't know. +# +noto:ALL:ALL:ALL:551 Sorry %H(%I), I don't allow unauthorized relaying. Please +use another SMTP host to mail from %F to %T |