Email question

Cowles, Steve steve at stevecowles.com
Fri Jul 30 02:37:36 UTC 2004


Jake McHenry wrote:
> Can I put just the username after the rejects or do I need the entire
> domain name? I am hosting 6 domain names.. I would need to put each
> username at each domain... :-(

Jake,

With any solution, there are always the pros/cons. You've just discovered
the con. But stopping the dictionary attacks far outweighed having to
maintain a list of valid users in my access file. In fact, that's why I
developed the shell script to automate the task of keeping sendmail (now
postfix) in sync with my exchange server. You might have to develop your own
methodology if you decide to implement my solution.

FWIW: I host three domains at this end. I have to add each "valid" recipient
(per domain) to the access file. i.e.

mydomain1.com		REJECT
scowles at mydomain1.com	OK

mydomain2.com		REJECT
scowles at mydomain2.com	OK

Why? If I remember sendmail correctly - by using the access file test in the
manner I described, you are testing accepting/rejecting the inbound e-mail
after the "rcpt to", but "prior" to the inbound e-mail being submitted to
the designated mailer queue. i.e. procmail or relay (in my case). So, in the
case of local delivery, procmail does not ever get called. So it doesn't
have a chance to issue an "Unknown User" back to sendmail for the bounce
message. Which is a good thing for dictionary type of attacks.

Finally, I hope you're not trying to implement such a drastic change to
sendmail on a production server. Set up a test server. That's what I did. The
thought of adding a REJECT for mydomain.com scared the hell out of me at
first.

Again, your mileage may vary based on your requirements on how sendmail must
be configured at your end.

Steve Cowles
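The access-file layout Steve describes above, as an added shell example that is not Steve's own sync script: it turns a list of valid recipients into one REJECT line per hosted domain followed by an OK line for each valid address in that domain, then rebuilds the hashed map. The `VALID_RECIPIENTS` sample, `gen_access` and `count_ok` are constructed names for this example, and the makemap step assumes the default /etc/mail/access path.

```shell
#!/bin/sh
# Added example (not Steve's script): build sendmail access-file entries from a
# list of valid recipients, one "user@domain" per line. Each hosted domain gets
# a REJECT line, followed by an OK line for every valid address in that domain,
# so unknown recipients are refused at RCPT TO instead of reaching procmail.
# Constructed sample input; a real list would be pulled from the mail store.
VALID_RECIPIENTS='scowles@mydomain1.com
jdoe@mydomain1.com
scowles@mydomain2.com'

# gen_access reads user@domain lines on stdin and writes access-file entries.
gen_access() {
    # Sort by domain, then user, so each domain's REJECT precedes its OK lines.
    sort -t@ -k2,2 -k1,1 | awk -F@ '
        NF != 2 || $1 == "" || $2 == "" { next }   # skip malformed lines
        $2 != dom { dom = $2; printf "%s\tREJECT\n", dom }
        { printf "%s@%s\tOK\n", $1, $2 }
    '
}

# count_ok returns how many OK entries gen_access produces for the sample.
count_ok() {
    printf '%s\n' "$VALID_RECIPIENTS" | gen_access | grep -c 'OK$'
}

# Typical use: write the file, then rebuild the hashed map sendmail reads.
# Run this against a test server first, as the post advises.
#   printf '%s\n' "$VALID_RECIPIENTS" | gen_access > /etc/mail/access
#   makemap hash /etc/mail/access < /etc/mail/access
```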
