On Thu, 19 Mar 1998, Scott Horton wrote:
>Can someone point to the cause of the following entries in my maillog.
>I have a bunch of them.  Usually, there is an error in the user's mail
>address but not always.  I am running RH 4.2, all patches and Steve Coile's
>M$ antispam and virtual domain add-ons.  I've hunted in the Batbook, read
>the sendmail.cf file, I can't figure it out - which isn't saying much I
>humbly admit, but I need help anyway :( .
>
>Mar 9 11:18:51 gnls5 sendmail[27434]: LAA27434: SYSERR(root): Infinite loop in ruleset 195, rule 15
>
>Mar 9 11:19:04 gnls5 sendmail[27434]: LAA27434: from=<[EMAIL PROTECTED]>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP, relay=gnld188.mydomain.net [207.xx.xxx.xxx]

Please replace the antispam.m4 file you're using now with the following.

--
Steve Coile
[EMAIL PROTECTED]

----- begin antispam.m4 -----
divert(0)
VERSIONID(`@(#)antispam.m4 1.3 03/19/98')
divert(-1)

# The following identifies a file containing a list of e-mail addresses,
# hosts, and domains that may not pass e-mail to us.  Exceptions to the
# deny list may be made in the file defined by OKFROM.  The addresses in
# this file are compared against the sender's e-mail address as provided
# via the SMTP "mail from" command.
define(`NOFROM',`/etc/sendmail/from.deny')dnl

# The following identifies a file containing a list of e-mail addresses,
# hosts, and domains that may pass e-mail to us despite other, explicit
# prohibitions in the file defined by NOFROM.  These are the exceptions
# to the deny list.  The addresses in this file are compared against the
# sender's e-mail address as provided via the SMTP "mail from" command.
define(`OKFROM',`/etc/sendmail/from.allow')dnl

# The following identifies a file containing a list of host names, domain
# names, IP addresses, and IP blocks other than those defined by $=w and
# $=M, to which we pass e-mail.  E-mail directed to any hosts, domains,
# or IP addresses outside of the set of hosts and domains described by
# this list, $=w, and $=M are refused.
define(`OKRCPT',`/etc/sendmail/rcpt.allow')dnl

# The following identifies a file containing a list of e-mail addresses,
# host names, domain names, IP addresses, and IP blocks to which we
# will not pass mail, regardless of the recipients described by $=w,
# $=M, and the list contained in OKRCPT.
define(`NORCPT',`/etc/sendmail/rcpt.deny')dnl

# The following identifies a file containing a list of IP addresses and
# IP blocks that may not pass e-mail to us.  Exceptions to the deny list
# may be made in the file defined by OKRELAY.  The addresses in this file
# are compared against the address of the system passing the mail to us.
define(`NORELAY',`/etc/sendmail/client.deny')dnl

# The following identifies a file containing a list of IP addresses and IP
# blocks that may pass e-mail to us despite other, explicit prohibitions
# in the file defined by NORELAY.  These are the exceptions to the deny
# list.  The addresses in this file are compared against the address of
# the system passing the mail to us.
define(`OKRELAY',`/etc/sendmail/client.allow')dnl

LOCAL_CONFIG

# The {nofrom} class contains a list of e-mail addresses, hosts, and
# domains (read from the named file) that may not pass e-mail to us.
# Exceptions to the deny list should be listed in the {okfrom} class.
# The addresses in this file are compared against the sender's e-mail
# address, as provided with the SMTP "mail from" command.
F{nofrom} -o NOFROM

# The {okfrom} class contains a list of e-mail addresses, hosts, and
# domains that may pass e-mail to us despite other, explicit prohibitions
# in the {nofrom} class.  These are the exceptions to the deny list.
# The addresses in this file are compared against the sender's e-mail
# address, as provided with the SMTP "mail from" command.
F{okfrom} -o OKFROM

# The {norcpt} class contains a list of e-mail addresses, hosts, and
# domains (read from the named file) to which we will not pass e-mail.
# These prohibited recipients override any specified in the {okrcpt},
# $=w, and $=M class.
F{norcpt} -o NORCPT

# The {okrcpt} class contains a list of e-mail addresses, hosts, and
# domains other than those specified in $=w and $=M to which we will
# pass e-mail.
F{okrcpt} -o OKRCPT

# The {norelay} class contains a list of IP addresses and IP blocks
# (read from the named file) that may not pass e-mail through us.
# Exceptions to the deny list should be listed in the {okrelay} class.
# The addresses in this file are compared against the address of the
# system passing the mail to us.
F{norelay} -o NORELAY

# The {okrelay} class contains a list of IP addresses and IP blocks
# that may pass e-mail to us despite other, explicit prohibitions
# in the {norelay} class.  These are the exceptions to the deny list.
# The addresses in this file are compared against the address of the
# system passing the mail to us.
F{okrelay} -o OKRELAY

LOCAL_RULESETS

#############################################################################
Spermute_address

R$* < $* @ [ $* . $- ] . > $*	$@ $1 < $2 @ [ $3 ] . > $4 . $5
R$* < $* @ [ $- ] . > $*	$@ $1 < $2 @ . > [ $3 . $4 ]
R$* < $* @ $- . $+ > $*	$@ $1 < $2 @ $4 > $5 . $3
R$* < $* @ $- . > $*	$@ $1 < $2 @ . > $4 . $3
R$* < $* @ . > [ $* . ]	$1 < $2 @ > [ $3 ]
R$* < $* @ . > . $*	$1 < $2 @ > $3
R$* < $* @ . >	$@ $1 $2 @ . < >
R$* < $* @ > $*	$@ $1 $2 @ < $3 . >
R$* < [ $* . $- ] . > $*	$@ $1 < [ $2 ] . > $3 . $4
R$* < [ $- ] . > $* .	$@ $1 [ $2 . $3 ] . < >
R$* < $- . $* >	$@ $1 $2 . < $3 >

#############################################################################
Scheck_mailfrom

R$* < $* : $* > $*	$1 $2 : < $3 > $4
R$* < $={okfrom} . > $*	$@ $1 $2 $3 .
R$* < $={nofrom} . > $*	$#error $@ 5.7.1 $: 571 Mail from $2 prohibited
R$*	$: $>permute_address $1

#############################################################################
Scheck_rcptto

R$* < $* : $* > $*	$1 $2 : < $3 > $4
R$* < $={okrcpt} . > $*	$@ $1 $2 $3 .
R$* < $={norcpt} . > $*	$#error $@ 5.7.1 $: 571 Mail to $2 prohibited
R$*	$: $>permute_address $1

#############################################################################
Scheck_relayfrom

R$* < $={okrelay} . > $*	$@ $1 $2 $3 .
R$* < $={norelay} . > $*	$#error $@ 5.7.1 $: 571 Relay from $2 prohibited
R$*	$: $>permute_address $1

#############################################################################
Scheck_rcpt

# Canonicalize the recipient's address so that it's in an easy-to-use
# state.
R$*	$: $>3 $1	canonicalize

# Remove trailing periods from the host portion of the recipient's
# address and unfocus from the host portion.
R$* < @ $* . > $*	$1 < @ $2 > $3	remove trailing periods
R$* < @ $* > $*	$1 @ $2 $3	remove focus

# Obtain the client's (relay's) IP address so that we can determine
# whether the client is allowed to pass mail to us.  The client's IP
# address is placed behind the recipient's address so that the call to
# check_mailfrom later will work properly.
R$*	$: $1 $| < [ $(dequote "" $&{client_addr} $) ] . >

# Determine whether the client host is allowed to pass mail to us.
# If the client has an IP address or is within an IP address block for
# which we explicitly accept mail, or if the host is otherwise explicitly
# allowed, we discard the client's address as no longer necessary.
# Otherwise, we keep the address to determine later whether the client
# is attempting to use us to relay to another host outside our control,
# which we don't allow.
#
# Note that we check only the IP address; we do not attempt reverse DNS
# resolution on the IP address on the chance that a malicious domain has
# installed illegitimate reverse mappings (e.g. mapping the IP address
# to a name in your domain).
#
# Traditionally, this step would be done with the check_relay ruleset,
# but by doing it here, we can preserve knowledge about whether the
# host was explicitly allowed or implicitly allowed.  That knowledge
# will allow us to prohibit mail *from* outside addresses *to* outside
# addresses from passing through us.
R$* $| < [ 0 ] . >	$: $1	Sendmail invoked directly
R$* $| $* < $+ . > $*	$>check_relayfrom $1 $| $2 < $3 . > $4
R$* $| $* .	$: $1	from explicitly allowed relay
R$* $| $* . < >	$: $1 $| $2

# At this point, the workspace is of one of two forms:
#
#	rcpt-addr
#	rcpt-addr $| client-ip
#
# The first if the client was explicitly allowed, the second if it was
# not explicitly prohibited.

# Determine whether the sender is allowed to pass mail to us.  If the
# sender is explicitly allowed to use us, we discard the sender's address
# as no longer necessary.  Otherwise, we keep the address to determine
# later whether the client is attempting to use us to relay to another
# host outside our control, which we don't allow.
#
# Traditionally, this step would be done with the check_from ruleset,
# but by doing it here, we can preserve knowledge about whether the
# host was explicitly allowed or implicitly allowed.  That knowledge
# will allow us to prohibit mail *from* outside addresses *to* outside
# addresses from passing through us.

# Obtain and canonicalize the sender's address.  Unfortunately, if
# the sender address' username portion contains spaces or punctuators,
# dequote won't tokenize it.  We try to catch that condition and flag
# the address as untokenized by adding ".ODDSENDER" to the sender's
# address.  It's then up to the postmaster to determine whether he wants
# to accept mail with such problematic sender addresses by choosing to
# add "ODDSENDER" to the from.allow file.
R$*	$: $1 $| $>3 $(dequote "" $&f $)
R$* "" $&f	$: $1 $&f . ODDSENDER

# Remove trailing periods from the host portion of the sender's address
# and unfocus from the host portion.
R$* < @ $* . > $*	$1 < @ $2 > $3	remove trailing periods
R$* < @ $* > $*	$1 @ $2 $3	remove focus

# Now focus on the entire sender address and process.
R$*	$: $1 .
R$* $| $* $| $* .	$: $1 $| $2 $| < $3 . >
R$* $| $* .	$: $1 $| < $2 . >
R$* $| $* < $+ . > $*	$>check_mailfrom $1 $| $2 < $3 . > $4
R$* $| $* .	$: $1	from explicitly allowed sender
R$* $| $* . < >	$: $1 $| $2

# At this point, the workspace is of one of three forms:
#
#	rcpt-addr
#	rcpt-addr $| from-addr
#	rcpt-addr $| client-ip $| from-addr
#
# In the first case, both the client and the sender are explicitly
# allowed.  In the second case, the client address is explicitly allowed.
# In the third case, neither the client nor the sender addresses were
# explicitly prohibited.  The case in which the sender is explicitly
# allowed is handled within the last few lines of the rules above for
# reasons explained in the next paragraph.
#
# If *either* the client *or* the sender *or both* were explicitly
# allowed, the only thing we're going to concern ourselves with from
# this point on is the recipient's address; we're comfortable that
# the message is coming from someone or somewhere we trust.  Only if
# neither the client nor the sender were explicitly allowed will they be
# important later.
R$*	$: $1 .
R$* $| $* $| $* .	$: $2 $| $3 $| < $1 . >
R$* $| $* .	$: < $1 . >	explicitly allowed from
R$* .	$: < $1 . >	explicitly allowed from, relay

# Now the workspace is one of the two following forms:
#
#	< rcpt-addr . >
#	client-ip $| from-addr $| < rcpt-addr . >
#
# with focus on the recipient address so that we can check it.

# If the recipient's host is in IP form, attempt to obtain a name.
# If no name can be found, keep the IP form.
R$* < $* @ [ $* ] . > $*	$: $1 < $2 @ $[ [ $3 ] $: [ $3 ] . $] > $4

# Check to see if we accept mail for the intended recipient.  By checking
# the recipient's address here, before we check whether the recipient's
# address is in our domain, for a host we handle mail for, or for a host
# we masquerade as, we can intercept messages destined for internal users.
# This might be useful if, say, one of our users is being mailbombed
# and we want to disable mail for the user while we locate the attacker.
R$* < $+ . > $*	$>check_rcptto $1 < $2 . > $3

# If mail to the recipient is explicitly allowed, it doesn't matter
# whether the recipient is outside of our local systems or not, we accept
# the message.
R$* $| $* $| $* .	$@ $3	relay to explicitly allowed
R$* .	$@ $1	to explicitly allowed

# If the message is implicitly allowed, we have to determine whether the
# message is bound for a local system or an external system.  At this
# point, it's safe to accept all messages bound for internal systems.
R$* $| $* . < >	$1 $| $2	relay attempt
R$* . < >	$@ $1	to implicitly allowed
R$* $| $* $| $* @ $=M	$@ $3 @ $4	to host we masquerade as
R$* $| $* $| $* @ $* $=m	$@ $3 @ $4 $5	to host in our domain
R$* $| $* $| $* @ $=w	$@ $3 @ $4	to host we handle mail for

# Another, obscure situation is that the recipient's address does not
# include a hostname portion (e.g. user rather than user@hostname).
# In that case, the recipient is local but will not have been matched
# by any of the previous rules, so we have to handle it explicitly here.
# We never refuse mail destined to a local address.
R$*	$: $1 .
R$* $| $* $| $* @ $* .	$: $1 $| $2 $| $3 @ $4
R$* $| $* $| $* .	$@ $3	no hostname portion

# If we arrive at this point, the following conditions have been met:
#
# - The client address was neither explicitly allowed nor explicitly
#   prohibited.  Assume that it is untrustworthy.
#
# - The sender's address was neither explicitly allowed nor explicitly
#   prohibited, nor was it within our domain, of a host for which we
#   handle mail, or of a host we masquerade as.  In other words, the
#   sender's address is outside our domain of influence or interest.
#
# - The recipient's address was neither explicitly allowed nor explicitly
#   prohibited, nor was it within our domain, of a host for which we
#   handle mail, or of a host we masquerade as.  In other words, the
#   recipient's address is outside our domain of influence or interest.
#
# Because we cannot trust the client to provide legitimate sender
# addresses, and because the sender and recipient addresses are both
# outside of our service responsibility (i.e. have no clear relation to
# our users), we refuse the message.
R$* $| $* $| $*	$#error $@ 5.7.1 $: "571 Relay from " < $2 > " via " $1 " to " < $3 > " prohibited"
----- end antispam.m4 -----
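
The accept/refuse policy that the check_rcpt comments describe, as an added Python model for testing list contents before deployment; it is not part of Steve Coile's file and not a translation of the rewrite rules. Assumptions: lookups run most-specific-first as this example reads permute_address (only full address, host and parent domains, or IP and shorter prefixes), and $=w, $=M and $=m are collapsed into one suffix-matched set named "local".

```python
# Added illustration: simplified model of the check_rcpt policy described in
# the antispam.m4 comments. Names other than the class names are hypothetical.

def candidates(value):
    """Keys to try, most specific first (assumed reading of permute_address)."""
    if value.replace(".", "").isdigit():          # IP: 1.2.3.4 -> 1.2.3 -> 1.2 -> 1
        parts = value.split(".")
        return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]
    user, _, host = value.rpartition("@")
    labels = host.split(".")
    hosts = [".".join(labels[n:]) for n in range(len(labels))]
    return ([value] if user else []) + hosts      # address, host, parent domains

def lookup(value, allow, deny):
    """Return ('ok'|'deny', key) for the first matching key, else (None, None)."""
    for key in candidates(value.lower()):
        if key in allow:                          # allow list is consulted first
            return "ok", key
        if key in deny:
            return "deny", key
    return None, None

def check_rcpt(client_ip, sender, rcpt, p):
    """p: dict of sets keyed by the page's class names plus 'local'."""
    trusted = client_ip == "0"                    # sendmail invoked directly
    if not trusted:
        verdict, key = lookup(client_ip, p["okrelay"], p["norelay"])
        if verdict == "deny":
            return f"571 Relay from {key} prohibited"
        trusted = verdict == "ok"
    verdict, key = lookup(sender, p["okfrom"], p["nofrom"])
    if verdict == "deny":
        return f"571 Mail from {key} prohibited"
    trusted = trusted or verdict == "ok"
    verdict, key = lookup(rcpt, p["okrcpt"], p["norcpt"])
    if verdict == "deny":                         # applies even to trusted sources
        return f"571 Mail to {key} prohibited"
    if verdict == "ok" or trusted or "@" not in rcpt:
        return "OK"                               # allowed, or no hostname portion
    if any(h in p["local"] for h in candidates(rcpt.partition("@")[2])):
        return "OK"                               # bound for a system we serve
    return f"571 Relay from <{sender}> via {client_ip} to <{rcpt}> prohibited"
```

Running a planned from.deny, client.allow or rcpt.deny change through the model first shows which entry wins when a deny block and an allow exception overlap.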