access data base question?
Knute Johnson
2024-08-03 21:41:35 UTC
I'm running sendmail 8.17.1.9 on a Debian Bookworm virtual server. I
have the following line in my access database:

From:info@ ERROR:550 Go away!

I'm still getting email from info@ email addresses. Do I have something
configured wrong or ?

I have these two lines in my sendmail.mc file:

FEATURE(`access_db', , `skip')dnl
FEATURE(`blocklist_recipients')dnl

Sample email that gets through (with minor obfuscation):

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <***@etsy.com>
Received: from sourceforge.net ([188.65.247.119])
by knute.server.com (8.17.1.9/8.17.1.9/Debian-2+deb12u2) with ESMTPS id
461GfrWD782197
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for <***@server.com>; Mon, 1 Jul 2024 16:41:57 GMT
Message-ID: <***@etsy.com>
From: Mylie Mcclure <***@etsy.com>
To: ***@server.com
Subject: Re: your photos
Date: Mon, 1 Jul 2024 19:40:19 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgColor="#ffffff">
<div align=left><font size=2 face=Arial>Hello! You asked where I saw
your photos, in this link - <a
href="https://un22pry.bigbonusleader.life/df3prg9?m=1">https://google.com/pics/293e9e</a><br></font></div></body></html>

Thanks!
--
Knute Johnson
HQuest
2024-08-03 23:33:30 UTC
Post by Knute Johnson
Received: from sourceforge.net ([188.65.247.119])
Since when is Etsy using this false sourceforge.net mail server as their
MX server? Or have you mixed and matched information for privacy to come
up with this aberration?

$ nslookup -q=mx etsy.com
Non-authoritative answer:
etsy.com mail exchanger = 10 aspmx.l.google.com.
etsy.com mail exchanger = 50 aspmx3.googlemail.com.
etsy.com mail exchanger = 30 alt2.aspmx.l.google.com.
etsy.com mail exchanger = 20 alt1.aspmx.l.google.com.
etsy.com mail exchanger = 40 aspmx2.googlemail.com.

Authoritative answers can be found from:

$ nslookup 188.65.147.119
119.147.65.188.in-addr.arpa name = unsetptr.smart-weblications.de.

I would think you should enable a few safety measures - at least a DNSBL
to start - as this seems badly spoofed. A more comprehensive safety list
would include DANE (included with Sendmail), SPF and OpenDKIM (3rd party
tools), to name a few.
Knute Johnson
2024-08-04 01:30:40 UTC
Post by HQuest
Post by Knute Johnson
Received: from sourceforge.net ([188.65.247.119])
Since when Etsy it using this false sourceforge.net mail server as their
mx server? Or have you mixed and matched information for privacy to come
up with this aberration?
$ nslookup -q=mx etsy.com
etsy.com        mail exchanger = 10 aspmx.l.google.com.
etsy.com        mail exchanger = 50 aspmx3.googlemail.com.
etsy.com        mail exchanger = 30 alt2.aspmx.l.google.com.
etsy.com        mail exchanger = 20 alt1.aspmx.l.google.com.
etsy.com        mail exchanger = 40 aspmx2.googlemail.com.
$ nslookup 188.65.147.119
119.147.65.188.in-addr.arpa     name = unsetptr.smart-weblications.de.
I would think you should enable a few safety measures - at least a DNSBL
to start - as this seems badly spoofed. A more comprehensive safety list
would include DANE (included with Sendmail), SPF and OpenDKIM (3rd party
tools), to name a few.
I've got spamcop running, SPF, and DKIM. I'm trying to stop any mail
from info@ but it is still being delivered? DANE I don't really know
anything about. I don't understand why that mail is not being blocked
by the entry in the access database.
--
Knute Johnson
Grant Taylor
2024-08-04 02:43:27 UTC
I'm running sendmail 8.17.1.9 on a Debian Bookworm virtual server.  I
configured wrong or ?
The SMTP envelope could very well be different.

What do the logs for message ID 461GfrWD782197 show the envelope as?
--
Grant. . . .
Knute Johnson
2024-08-04 19:58:06 UTC
Post by Grant Taylor
I'm running sendmail 8.17.1.9 on a Debian Bookworm virtual server.  I
something configured wrong or ?
The SMTP envelope could very well be different.
What do the logs for message ID 461GfrWD782197 show the envelope as?
Sorry, the logs were cleaned up at the end of the month. This is another
email from an info@ address. The logs don't say anything about what was
done with it. The log level is 12.

Thanks,
--
Knute Johnson
Claus Aßmann
2024-08-04 10:49:59 UTC
Check that sendmail actually has that map entry:

echo '/map access from:info@' | sendmail -bt

(and post the log entries as someone else requested).
Knute Johnson
2024-08-04 19:42:23 UTC
Post by Claus Aßmann
(and post the log entries as someone else requested).
Hey Claus, nice to hear from you.

Results of the command:

***@knute:~# echo '/map access from:info@' | sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
Not sure what I should be seeing.
--
Knute Johnson
Claus Aßmann
2024-08-04 19:54:02 UTC
Post by Knute Johnson
Post by Claus Aßmann
(and post the log entries as someone else requested).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Post by Knute Johnson
Not sure what I should be seeing.
The RHS of the map entry -- so that's the correct result.

Unfortunately you still haven't posted the log entries.

Maybe the mail is coming from a "trusted" source or you
use something like
FEATURE(`delay_checks', `friend')

PS: online you can find some information how to test the
check_mail
ruleset (you need to set some macros to get this done right).
Knute Johnson
2024-08-04 21:19:15 UTC
Post by Claus Aßmann
Post by Knute Johnson
Post by Claus Aßmann
(and post the log entries as someone else requested).
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Post by Knute Johnson
Not sure what I should be seeing.
The RHS of the map entry -- so that's the correct result.
Unfortunately you still haven't posted the log entries.
Maybe the mail is coming from a "trusted" source or you
use something like
FEATURE(`delay_checks', `friend')
PS: online you can find some information how to test the
check_mail
ruleset (you need to set some macros to get this done right).
So yes, I did have the FEATURE(`delay_checks', `friend'). I took that
out, turned off the localhost relay in access that was on by default,
and I had to disable the conncontrol and ratecontrol features because
they require the delay_checks feature (or so the configuration script
that comes with Debian said), and everything appears to work as expected now.

I'm still having some difficulty finding emails in the journal by the
ESMTP id though. I'm going to have to play with that some more.

When I trap another email from info@ I will post back.

Thanks!
--
Knute Johnson
Claus Aßmann
2024-08-05 05:52:34 UTC
Post by Knute Johnson
I'm still having some difficulty finding emails in the journal by the
ESMTP id though. I'm going to have to play with that some more.
Why don't you grep for info@ in the mail log?
Knute Johnson
2024-08-05 22:17:42 UTC
Post by Knute Johnson
I'm still having some difficulty finding emails in the journal by the
ESMTP id though. I'm going to have to play with that some more.
The old logs were wiped at the end of the month. This is from today and
appears to be working correctly now:

Aug 05 10:34:30 knute.vs.mythic-beasts.com sm-mta[1201227]:
475AYSVu1201227: ruleset=check_mail, arg1=<***@visitbeijing.com.cn>,
relay=[176.59.168.223], reject=550 5.0.0 <***@visitbeijing.com.cn>...
Go away info@!
--
Knute Johnson
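The grep-by-sender Claus suggested and the lookup-by-queue-ID Knute was struggling with, as an added example that is not part of the thread: a small Python parser that indexes sm-mta log lines by queue ID and reports check_mail rejects. The log lines in SAMPLE_LOG are constructed for this example, modelled on the line posted above (hostnames and addresses are placeholders).

```python
"""Index a sendmail (sm-mta) log by queue ID and pull out check_mail rejects.
Added example, not code from the thread; SAMPLE_LOG is constructed data
modelled on the log line posted above (placeholder hosts and addresses)."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 05 10:34:30 mx.example sm-mta[1201227]: 475AYSVu1201227: ruleset=check_mail, arg1=<info@sender.example>, relay=[192.0.2.10], reject=550 5.0.0 <info@sender.example>... Go away info@!
Aug 05 10:35:02 mx.example sm-mta[1201301]: 475AZ2ab1201301: from=<news@sender.example>, size=1024, class=0, nrcpts=1, msgid=<abc@sender.example>, proto=ESMTP, daemon=MTA, relay=mail.sender.example [192.0.2.20]
Aug 05 10:35:02 mx.example sm-mta[1201302]: 475AZ2ab1201301: to=<user@server.example>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31024, dsn=2.0.0, stat=Sent
"""

# syslog prefix, then "<queue id>: key=value, key=value, ..."
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ sm-mta\[\d+\]: "
                     r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.+)$")
# Split on ", " only when a new key= follows, so the comma-free but
# space-laden reject text ("550 5.0.0 <...>... Go away info@!") stays whole.
FIELD_SPLIT = re.compile(r", (?=\w+=)")

def parse_line(line):
    """Return (queue_id, {key: value}) for an sm-mta line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(f.split("=", 1) for f in FIELD_SPLIT.split(m.group("rest")))
    return m.group("qid"), fields

def index_by_qid(log_text):
    """Group parsed entries by queue ID; one message logs several lines."""
    index = defaultdict(list)
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        index[parsed[0]].append(parsed[1])
    return dict(index)

def disposition(index, qid):
    """Summarise what sendmail did with one queue ID."""
    entries = index.get(qid, [])
    for e in entries:
        if "reject" in e:
            return "rejected by %s: %s" % (e.get("ruleset", "?"), e["reject"])
    if any(e.get("stat", "").startswith("Sent") for e in entries):
        return "delivered (stat=Sent)"
    return "no final disposition logged"

def rejects_for_sender(index, needle):
    """(qid, reject text) for every ruleset rejection whose arg1 contains needle."""
    return [(qid, e["reject"]) for qid, entries in index.items()
            for e in entries if "reject" in e and needle in e.get("arg1", "")]
```

In a real journal the whole record is on one line; the wrapping in the post above comes from the newsreader, so join wrapped lines before feeding them to the parser.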
Grant Taylor
2024-08-08 02:55:48 UTC
That looks like it's working. "reject=550 ... Go away ...."
--
Grant. . . .