Receiver (To/CC envelope fields) addresses verification against LDAP/Active Directory in sendmail

Christopher Martin outsidefactor at iinet.net.au
Fri Apr 6 11:36:33 UTC 2007


Spam with randomly generated recipient addresses is draining our mail
system's life away, and it seems the easiest way would be to verify the
receiving party's/parties' address against Active Directory and then
TEMPFAIL any mails that don't have any valid internal mails (rejects would
allow directory harvesting to work).

Our network has a frontline mail filter system running FreeBSD 6.2,
Sendmail, milter-regex, SpamAssassin 3.1.8 and ClamAV, which delivers to
our internal Exchange server via a smarthost entry.

I would prefer to do the check in a milter, if for no other reason than it
removes the need to make unorthodox changes to the sendmail configuration
files, and they can also be tested offline before being included in the main
sendmail configuration; however, the one milter I found that seems to provide
what I want, LDAPMAP, doesn't seem to compile under FreeBSD (tried both make
and gmake). I found LDAPMAP via this link:

http://www.issociate.de/board/post/404279/Sendmail_LDAP_access_milter.html

So, have I completely missed a milter in the ports tree that fulfils all my
dreams, or am I going to have to get a little more exotic? I found
milter-ahead (from Snertsoft), but it's no longer free.

I found an article (link below) which suggests a rather hacky-seeming
solution by using LDAP Routing Maps, but I seem to recall reading posts in
the past that said that this was a BAD THING(tm) when used in combination
with smarthost delivery.

http://groups.google.com.au/group/comp.mail.sendmail/browse_thread/thread/e80adc7166005b3c/aa657b332703fe6c%23aa657b332703fe6c

Am I going to need to use the hacky solution, or is there a cleaner way? I
guess what I am trying to avoid is having to set up a duplicate machine so I
can test the hacky solution in isolation (I don't feel my understanding of
Sendmail is good enough to quickly fix any problems that arise from hacking
the config, and the system is already live).

Anyone have any suggestions? Has anyone used the hacked LDAProuting method
with smarthost and had it work? Maybe I am going to have to hack something
together using milter-cli or py-milter to connect up on SMTP port of the
Exchange server and do a HELO, FROM and RCPT and see if the account is
valid.

Am I missing something basic? Currently, we're very happy with the accuracy
of our system, but 80% of the spam that hits our quarantine isn't even
addressed to someone in the organisation, thus giving us a pile of cruft to
go through that is 5 times as big as it should be.

Any help or suggestions are appreciated!

Chris Martin
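
The decision the post describes (look up each envelope recipient in the directory, TEMPFAIL when none is valid), as an added example that is not part of the original message and not code from any milter named in it. The `mail`/`proxyAddresses` filter, the `lookup` callable, the deferral on directory failure and the sample users are assumptions; the escaping matters because the RCPT address is sender-controlled and ends up inside an LDAP filter.

```python
# Added example: envelope-recipient check against a directory (names are assumptions).
# RFC 4515: these characters must be escaped inside an LDAP filter value.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value):
    """Escape sender-controlled text before placing it in a search filter."""
    return "".join(LDAP_ESCAPES.get(ch, ch) for ch in value)

def recipient_filter(address):
    """Build the filter for one RCPT address (mail / proxyAddresses assumed)."""
    addr = ldap_escape(address.strip().strip("<>").lower())
    return "(|(mail=%s)(proxyAddresses=smtp:%s))" % (addr, addr)

def decide(recipients, lookup):
    """Return (action, valid_recipients) for one message.

    lookup(filter) -> bool is a hypothetical callable that runs the LDAP search.
    """
    try:
        valid = [r for r in recipients if lookup(recipient_filter(r))]
    except Exception:
        # Directory unreachable: defer rather than guess; the sender retries.
        return "TEMPFAIL", []
    # The post's policy: defer only when no recipient is valid.
    return ("ACCEPT", valid) if valid else ("TEMPFAIL", [])

# Constructed sample directory standing in for Active Directory.
SAMPLE_USERS = ["alice@example.com", "bob@example.com"]
SAMPLE_FILTERS = {recipient_filter(u) for u in SAMPLE_USERS}

def sample_lookup(ldap_filter):
    """Stand-in for the real search: true only for the constructed users."""
    return ldap_filter in SAMPLE_FILTERS

if __name__ == "__main__":
    for rcpts in (["alice@example.com", "xq7@example.com"],
                  ["xq7@example.com"], ["*@example.com"]):
        print(rcpts, "->", decide(rcpts, sample_lookup))
```

Without the escaping step, a recipient such as `*@example.com` would reach a real directory as a wildcard search and match every mailbox, so the check would pass for an address that does not exist.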



More information about the freebsd-questions mailing list