
Mailing List Archive: Qmail: users

Blacklist outgoing mail

 

 



rugoli at gmail

Feb 3, 2010, 7:57 AM

Post #1 of 4 (1392 views)
Blacklist outgoing mail

Hello everybody!

I wanted to blacklist some e-mail addresses which will not receive any
mail from my qmail server. If anyone of my users (user [at] server)
tries to send an email to some directions (user1 [at] mail1,
user2 [at] mail1, user2 [at] mail2), this mail will go directly to
/dev/null (or send the mail to admin [at] server to know that's
working).

Does anyone know how I can do it?

Thanks!


lists-qmail at maexotic

Feb 3, 2010, 9:21 AM

Post #2 of 4 (1294 views)
Re: Blacklist outgoing mail [In reply to]

On Wed, Feb 03, 2010 at 04:57:56PM +0100, Yuki (aka Rubén Gómez) wrote:
> I wanted to blacklist some e-mail addresses which will not receive any
> mail from my qmail server. If anyone of my users (user [at] server)
> tries to send an email to some directions (user1 [at] mail1,
> user2 [at] mail1, user2 [at] mail2), this mail will go directly to
> /dev/null (or send the mail to admin [at] server to know that's
> working).

If the blocking is based on whole domains it can be done with
control/smtproutes.
However you need either the QMAILQUEUE patch or a netqmail (which
already has this patch incorporated).
Set up a second qmail-smtpd service with tcpserver listening on e.g.
127.0.0.2. (Just copy over the /service/qmail-smtpd to
/service/qmail-smtpd-nullmailer and change the
/service/qmail-smtpd-nullmailer/run file.)
Also change the run file to use a CDB file (-x option) that has
:allow,QMAILQUEUE="/var/qmail/bin/nullqueue"
as the only instruction.

/var/qmail/bin/nullqueue should be an executable shell script:
------------------------------------------------------------------------
#!/bin/sh

cat >/dev/null

exit 0
------------------------------------------------------------------------

After the changes have been made you have to
svc -t /service/qmail-smtpd-nullmailer

Then add lines to
control/smtproutes
like:
example.com:127.0.0.2
.example.com:127.0.0.2
This should do it.

In case you want to blacklist based on user [at] domain, you'd add to
control/virtualdomains:
user [at] domai:nullmailer
user2 [at] domai:nullmailer
user [at] domain:nullmailer
(don't forget to svc -t /service/qmail-send)
and make a "nullmailer" entry to users/assign.
(don't forget to qmail-newu).
In the controlling directory for the nullmailer entry put a .qmail-default
file and either add
&admin [at] server
or make it consist only of a comment (#) line (to drop the messages).
Of course you can also blacklist whole domains with this approach by
adding to control/virtualdomains:
domain:nullmailer
.domain:nullmailer

Hope I didn't miss anything.

\Maex


jms1 at jms1

Feb 3, 2010, 11:12 AM

Post #3 of 4 (1294 views)
Re: Blacklist outgoing mail [In reply to]

On 2010-02-03, at 1057, Yuki (aka Rubén Gómez) wrote:
>
> I wanted to blacklist some e-mail addresses which will not receive any
> mail from my qmail server. If anyone of my users (user [at] server)
> tries to send an email to some directions (user1 [at] mail1,
> user2 [at] mail1, user2 [at] mail2), this mail will go directly to
> /dev/null (or send the mail to admin [at] server to know that's
> working).
>
> Does anyone know how can I do it?

two ways come to mind, depending on how you feel about using patches.

if you don't want to do any patching, and can live with the limitation that this will be server-wide (i.e. the policy will affect every message on the machine, there's no way for different senders to have different policies) then this method works with djb's original qmail-1.03 code, and therefore *should* work regardless of what patches you may be using.

this will send messages into a black hole...

(1) create a dummy userid on the system. make sure the password is locked (most systems create new users in a "locked" state, but make sure) and set up .qmail and .qmail-default files in this user's home directory which don't really deliver mail, but which make qmail-local think that it did. this is similar to the old sendmail trick of delivering mail to /dev/null, but doesn't actually open /dev/null and send mail there- it just plain doesn't send the message anywhere.

example, using "devnull" as the userid:

# useradd devnull
# cd ~devnull
# echo '#' > .qmail
# chmod 644 .qmail
# chown devnull .qmail
# ln .qmail .qmail-default

if you want the messages to go to an administrator instead of into a black hole, change the contents of the .qmail file to point somewhere else (i.e. "echo '&admin [at] server' > .qmail" etc.)

(2) add the recipient as a virtualdomain on your server, which delivers to the new dummy user.

example, to block everything sent to any "@domain.xyz" address, as well as everything sent to "badguy [at] spammer", assuming the same "devnull" dummy user from above:

# cd /var/qmail/control
# echo 'domain.xyz:devnull' >> virtualdomains
# echo 'badguy [at] spammer:devnull' >> virtualdomains
# chmod 644 virtualdomains
# svc -h /service/qmail-send

(disclaimer: i'm not actually doing this on any servers myself. i'm about 98% sure this works- well, i'm 100% sure the theory works, i'm 98% sure there are no typos in the examples above. test it before trusting it.)

if you want to set up different policies for different types of spammers (i.e. employees can't send mail to domain.xyz but managers can) then you'll need to set up either a second qmail server, or a second instance of qmail on the same machine (which can be done, but it's very very tricky), DON'T change the virtualdomains file in the new qmail instance, and tell the managers to use the new qmail instance instead of the old one.

- OR -

if you're willing to add a patch which you may not already have:

(1) install jay soffian's RCPTCHECK patch (which is also part of my own combined patch, and i think some of the other combined patches include it as well. if you're not sure, run "strings /var/qmail/bin/qmail-smtpd | grep RCPTCHECK" to see if you may already have it.)

http://www.soffian.org/downloads/qmail/qmail-smtpd-doc.html

(2) write a script/program which uses the values of the SENDER and RECIPIENT environment variables to determine whether the message should be accepted or not, and exits with the value 0 for "yes" or 111 for "no". make sure the program is executable by whatever userid qmail-smtpd runs as on your system (normally qmaild, although some mis-guided documentation out there will tell you to change it to some other userid, like "vpopmail" or "qscand". grrrr...)

a simple example might be...

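#!/bin/sh
# lower-case the recipient, then strip everything up to and including the "@"
RCPT=`echo "$RECIPIENT" | tr 'A-Z' 'a-z'`
RDOM=`echo "$RCPT" | sed 's/^.*@//'`
# RDOM no longer contains the "@", so compare against the bare domain
if [ "$RDOM" = "domain.xyz" ] ; then exit 111 ; fi
if [ "$RCPT" = "badguy [at] spammer" ] ; then exit 111 ; fi
exit 0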

(again, disclaimer: not tested. the RCPTCHECK script i'm using on my own server is written in perl, until it reaches a final state that i'm happy with, and then i'm going to re-write it in C.)

(3) configure your qmail-smtpd service so that the RCPTCHECK environment variable points to your script/program, before qmail-smtpd is executed. this can be done in your tcpserver access control file, or if it will affect every sender IP, it's easier to add an "export" command to the service's "run" script.

because you can write whatever logic you want into this script/program, and because this takes effect within qmail-smtpd, this is a much more flexible way to handle these kinds of policies. there's no need to send messages into a black hole, because qmail-smtpd simply doesn't accept the messages to begin with. rejecting the message also provides the sender with some feedback, so they KNOW that their message wasn't delivered (which may be a good thing or a bad thing, depending on your situation.)

this method will not, however, redirect mail to a third party. something like that might be possible with a patch, however i'm not aware of any patch already written for this.

----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1 [at] jms1> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
Attachments: PGP.sig (0.19 KB)
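
Added example (not part of John Simpson's post and not code from the RCPTCHECK patch): a fuller version of the recipient check described in step (2) above, matching exact addresses, whole domains and subdomains against a constructed blocklist without also catching look-alike domains. The function name `rcpt_blocked`, the `BLOCKLIST` variable and the address `badguy@spammer.example` are assumptions made for illustration; the exit codes 0 and 111 are the ones the post gives.

```shell
#!/bin/sh
# Constructed blocklist, one entry per line:
#   domain        blocks every address in that domain
#   .domain       blocks every address in its subdomains
#   user@domain   blocks that single address
BLOCKLIST='domain.xyz
.domain.xyz
badguy@spammer.example'

# rcpt_blocked ADDRESS  ->  returns 0 if the address is blocked, 1 otherwise
rcpt_blocked() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$addr" in
        *@*) dom=${addr##*@} ;;   # text after the last "@"
        *)   return 1 ;;          # no domain part, nothing to match
    esac
    # The here-document keeps the loop in the current shell, so "return"
    # leaves the function instead of a subshell.
    while IFS= read -r entry; do
        case "$entry" in
            ''|'#'*) continue ;;
            *@*) if [ "$addr" = "$entry" ]; then return 0; fi ;;
            .*)  case "$dom" in *"$entry") return 0 ;; esac ;;
            *)   if [ "$dom" = "$entry" ]; then return 0; fi ;;
        esac
    done <<EOF
$BLOCKLIST
EOF
    return 1
}

# When qmail-smtpd runs this file as the RCPTCHECK program, RECIPIENT is set
# in the environment. Exit codes follow the post above: 0 = yes, 111 = no.
if [ -n "${RECIPIENT:-}" ]; then
    if rcpt_blocked "$RECIPIENT"; then
        echo "rcptcheck: refused ${SENDER:-} -> $RECIPIENT" >&2
        exit 111
    fi
    exit 0
fi
```

Comparing the whole domain, or a suffix that starts with a dot, is what keeps `notdomain.xyz` from being treated as `domain.xyz`.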


rugoli at gmail

Feb 4, 2010, 1:32 AM

Post #4 of 4 (1285 views)
Re: Blacklist outgoing mail [In reply to]

On Wed, Feb 3, 2010 at 20:12, John Simpson <jms1 [at] jms1> wrote:
> this will send messages into a black hole...
>
> (1) create a dummy userid on the system. make sure the password is locked (most systems create new users in a "locked" state, but make sure) and set up .qmail and .qmail-default files in this user's home directory which don't really deliver mail, but which make qmail-local think that it did. this is similar to the old sendmail trick of delivering mail to /dev/null, but doesn't actually open /dev/null and send mail there- it just plain doesn't send the message anywhere.
>
> example, using "devnull" as the userid:
>
> # useradd devnull
> # cd ~devnull
> # echo '#' > .qmail
> # chmod 644 .qmail
> # chown devnull .qmail
> # ln .qmail-devnull .qmail-default
>
> if you want the messages to go to an administrator instead of into a black hole, change the contents of the .qmail file to point somewhere else (i.e. "echo '&admin [at] server' > .qmail" etc.)
I have tested this option and it works perfectly. Thanks!
