On Thu, 19 Mar 1998, Scott Horton wrote:
>Can someone point to the cause of the following entries in my maillog. 
>I have a bunch of them.  Usually, there is an error in the user's mail
>address but not always.  I am running RH 4.2, all patches and Steve Coile's
>M$ antispam and virtual domain add-ons.  I've hunted in the Batbook, read
>the sendmail.cf file, I can't figure it out - which isn't saying much I
>humbly admit, but I need help anyway :( .
>
>Mar  9 11:18:51 gnls5 sendmail[27434]: LAA27434: SYSERR(root): Infinite loop in ruleset 195, rule 15
>
>Mar  9 11:19:04 gnls5 sendmail[27434]: LAA27434:
>from=<[EMAIL PROTECTED]>, size=0, class=0, pri=0, nrcpts=0, proto=ESMTP,
>relay=gnld188.mydomain.net [207.xx.xxx.xxx]

Please replace the antispam.m4 file you're using now with the following.

-- 
    Steve Coile
 [EMAIL PROTECTED]

----- begin antispam.m4 -----
divert(0)

VERSIONID(`@(#)antispam.m4      1.3     03/19/98')

divert(-1)

# The following identifies a file containing a list of e-mail addresses,
# hosts, and domains that may not pass e-mail to us.  Exceptions to the
# deny list may be made in the file defined by OKFROM.  The addresses in
# this file are compared against the sender's e-mail address as provided
# via the SMTP "mail from" command.

define(`NOFROM',`/etc/sendmail/from.deny')dnl

# The following identifies a file containing a list of e-mail addresses,
# hosts, and domains that may pass e-mail to us despite other, explicit
# prohibitions in the file defined by NOFROM.  These are the exceptions
# to the deny list.  The addresses in this file are compared against the
# sender's e-mail address as provided via the SMTP "mail from" command.

define(`OKFROM',`/etc/sendmail/from.allow')dnl

# The following identifies a file containing a list of host names, domain
# names, IP addresses, and IP blocks other than those defined by $=w and
# $=M, to which we pass e-mail.  E-mail directed to any hosts, domains,
# or IP addresses outside of the set of hosts and domains described by
# this list, $=w, and $=M are refused.

define(`OKRCPT',`/etc/sendmail/rcpt.allow')dnl

# The following identifies a file containing a list of e-mail addresses,
# host names, domain names, IP addresses, and IP blocks to which we
# will not pass mail, regardless of the recipients described by $=w,
# $=M, and the list contained in OKRCPT.

define(`NORCPT',`/etc/sendmail/rcpt.deny')dnl

# The following identifies a file containing a list of IP addresses and
# IP blocks that may not pass e-mail to us.  Exceptions to the deny list
# may be made in the file defined by OKRELAY.  The addresses in this file
# are compared against the address of the system passing the mail to us.

define(`NORELAY',`/etc/sendmail/client.deny')dnl

# The following identifies a file containing a list of IP addresses and IP
# blocks that may pass e-mail to us despite other, explicit prohibitions
# in the file defined by NORELAY.  These are the exceptions to the deny
# list.  The addresses in this file are compared against the address of
# the system passing the mail to us.

define(`OKRELAY',`/etc/sendmail/client.allow')dnl

LOCAL_CONFIG

# The {nofrom} class contains a list of e-mail addresses, hosts, and
# domains (read from the named file) that may not pass e-mail to us.
# Exceptions to the deny list should be listed in the {okfrom} class.
# The addresses in this file are compared against the sender's e-mail
# address, as provided with the SMTP "mail from" command.

F{nofrom} -o NOFROM

# The {okfrom} class contains a list of e-mail addresses, hosts, and
# domains that may pass e-mail to us despite other, explicit prohibitions
# in the {nofrom} class.  These are the exceptions to the deny list.
# The addresses in this file are compared against the sender's e-mail
# address, as provided with the SMTP "mail from" command.

F{okfrom} -o OKFROM

# The {norcpt} class contains a list of e-mail addresses, hosts, and
# domains (read from the named file) to which we will not pass e-mail.
# These prohibited recipients override any specified in the {okrcpt},
# $=w, and $=M class.

F{norcpt} -o NORCPT

# The {okrcpt} class contains a list of e-mail addresses, hosts, and
# domains other than those specified in $=w and $=M to which we will
# pass e-mail.

F{okrcpt} -o OKRCPT

# The {norelay} class contains a list of IP addresses and IP blocks
# (read from the named file) that may not pass e-mail through us.
# Exceptions to the deny list should be listed in the {okrelay} class.
# The addresses in this file are compared against the address of the
# system passing the mail to us.

F{norelay} -o NORELAY

# The {okrelay} class contains a list of IP addresses and IP blocks
# that may pass e-mail to us despite other, explicit prohibitions
# in the {norelay} class.  These are the exceptions to the deny list.
# The addresses in this file are compared against the address of the
# system passing the mail to us.

F{okrelay} -o OKRELAY

LOCAL_RULESETS

#############################################################################
Spermute_address
R$* < $* @ [ $* . $- ] . > $*   $@ $1 < $2 @ [ $3 ] . > $4 . $5
R$* < $* @ [ $- ] . > $*        $@ $1 < $2 @ . > [ $3 . $4 ]
R$* < $* @ $- . $+ > $*         $@ $1 < $2 @ $4 > $5 . $3
R$* < $* @ $- . > $*            $@ $1 < $2 @ . > $4 . $3
R$* < $* @ . > [ $* . ]         $1 < $2 @ > [ $3 ]
R$* < $* @ . > . $*             $1 < $2 @ > $3
R$* < $* @ . >                  $@ $1 $2 @ . < >
R$* < $* @ > $*                 $@ $1 $2 @ < $3 . >
R$* < [ $* . $- ] . > $*        $@ $1 < [ $2 ] . > $3 . $4
R$* < [ $- ] . > $* .           $@ $1 [ $2 . $3 ] . < >
R$* < $- . $* >                 $@ $1 $2 . < $3 >

#############################################################################
Scheck_mailfrom
R$* < $* : $* > $*              $1 $2 : < $3 > $4
R$* < $={okfrom} . > $*         $@ $1 $2 $3 .
R$* < $={nofrom} . > $*         $#error $@ 5.7.1 $: 571 Mail from $2 prohibited
R$*                             $: $>permute_address $1

#############################################################################
Scheck_rcptto
R$* < $* : $* > $*              $1 $2 : < $3 > $4
R$* < $={okrcpt} . > $*         $@ $1 $2 $3 .
R$* < $={norcpt} . > $*         $#error $@ 5.7.1 $: 571 Mail to $2 prohibited
R$*                             $: $>permute_address $1

#############################################################################
Scheck_relayfrom
R$* < $={okrelay} . > $*        $@ $1 $2 $3 .
R$* < $={norelay} . > $*        $#error $@ 5.7.1 $: 571 Relay from $2 prohibited
R$*                             $: $>permute_address $1

#############################################################################
Scheck_rcpt

# Canonicalize the recipient's address so that it's in an easy-to-use
# state.

R$*                             $: $>3 $1       canonicalize

# Remove trailing periods from the host portion of the recipient's
# address and unfocus from the host portion.

R$* < @ $* . > $*               $1 < @ $2 > $3  remove trailing periods
R$* < @ $* > $*                 $1 @ $2 $3      remove focus

# Obtain the client's (relay's) IP address so that we can determine
# whether the client is allowed to pass mail to us.  The client's IP
# address is placed behind the recipient's address so that the call to
# check_mailfrom later will work properly.

R$*                             $: $1 $| < [ $(dequote "" $&{client_addr} $) ] . >

# Determine whether the client host is allowed to pass mail to us.
# If the client has an IP address or is within an IP address block for
# which we explicitly accept mail, or if the host is otherwise explicitly
# allowed, we discard the client's address as no longer necessary.
# Otherwise, we keep the address to determine later whether the client
# is attempting to use us to relay to another host outside our control,
# which we don't allow.
#
# Note that we check only the IP address; we do not attempt reverse DNS
# resolution on the IP address on the chance that a malicious domain has
# installed illegitimate reverse mappings (e.g. mapping the IP address
# to a name in your domain).
#
# Traditionally, this step would be done with the check_relay ruleset,
# but by doing it here, we can preserve knowledge about whether the
# host was explicitly allowed or implicitly allowed.  That knowledge
# will allow us to prohibit mail *from* outside addresses *to* outside
# addresses from passing through us.

R$* $| < [ 0 ] . >              $: $1           Sendmail invoked directly
R$* $| $* < $+ . > $*           $>check_relayfrom $1 $| $2 < $3 . > $4
R$* $| $* .                     $: $1           from explicitly allowed relay
R$* $| $* . < >                 $: $1 $| $2

# At this point, the workspace is of one of two forms:
#
#     rcpt-addr
#     rcpt-addr $| client-ip
#
# The first if the client was explicitly allowed, the second if it was
# not explicitly prohibited.

# Determine whether the sender is allowed to pass mail to us.  If the
# sender is explicitly allowed to use us, we discard the sender's address
# as no longer necessary.  Otherwise, we keep the address to determine
# later whether the client is attempting to use us to relay to another
# host outside our control, which we don't allow.
#
# Traditionally, this step would be done with the check_from ruleset,
# but by doing it here, we can preserve knowledge about whether the
# host was explicitly allowed or implicitly allowed.  That knowledge
# will allow us to prohibit mail *from* outside addresses *to* outside
# addresses from passing through us.

# Obtain and canonicalize the sender's address.  Unfortunately, if
# the sender address' username portion contains spaces or punctuators,
# dequote won't tokenize it.  We try to catch that condition and flag
# the address as untokenized by adding ".ODDSENDER" to the sender's
# address.  It's then up to the postmaster to determine whether he wants
# to accept mail with such problematic sender addresses by choosing to
# add "ODDSENDER" to the from.allow file.

R$*                             $: $1 $| $>3 $(dequote "" $&f $)
R$* "" $&f                      $: $1 $&f . ODDSENDER

# Remove trailing periods from the host portion of the sender's address
# and unfocus from the host portion.

R$* < @ $* . > $*               $1 < @ $2 > $3  remove trailing periods
R$* < @ $* > $*                 $1 @ $2 $3      remove focus

# Now focus on the entire sender address and process.

R$*                             $: $1 .
R$* $| $* $| $* .               $: $1 $| $2 $| < $3 . >
R$* $| $* .                     $: $1 $| < $2 . >
R$* $| $* < $+ . > $*           $>check_mailfrom $1 $| $2 < $3 . > $4
R$* $| $* .                     $: $1           from explicitly allowed sender
R$* $| $* . < >                 $: $1 $| $2

# At this point, the workspace is of one of three forms:
#
#     rcpt-addr
#     rcpt-addr $| from-addr
#     rcpt-addr $| client-ip $| from-addr
#
# In the first case, both the client and the sender are explicitly
# allowed.  In the second case, the client address is explicitly allowed.
# In the third case, neither the client nor the sender addresses were
# explicitly prohibited.  The case in which the sender is explicitly
# allowed is handled within the last few lines of the rules above for
# reasons explained in the next paragraph.
#
# If *either* the client *or* the sender *or both* were explicitly
# allowed, the only thing we're going to concern ourselves with from
# this point on is the recipient's address; we're comfortable that
# the message is coming from someone or somewhere we trust.  Only if
# neither the client nor the sender were explicitly allowed will they be
# important later.

R$*                             $: $1 .
R$* $| $* $| $* .               $: $2 $| $3 $| < $1 . >
R$* $| $* .                     $: < $1 . >     explicitly allowed from
R$* .                           $: < $1 . >     explicitly allowed from, relay

# Now the workspace is one of the two following forms:
#
#     < rcpt-addr . >
#     client-ip $| from-addr $| < rcpt-addr . >
#
# with focus on the recipient address so that we can check it.

# If the recipient's host is in IP form, attempt to obtain a name.
# If no name can be found, keep the IP form.

R$* < $* @ [ $* ] . > $*        $: $1 < $2 @ $[ [ $3 ] $: [ $3 ] . $] > $4

# Check to see if we accept mail for the intended recipient.  By checking
# the recipient's address here, before we check whether the recipient's
# address is in our domain, for a host we handle mail for, or for a host
# we masquerade as, we can intercept messages destined for internal users.
# This might be useful if, say, one of our users is being mailbombed
# and we want to disable mail for the user while we locate the attacker.

R$* < $+ . > $*                 $>check_rcptto $1 < $2 . > $3

# If mail to the recipient is explicitly allowed, it doesn't matter
# whether the recipient is outside of our local systems or not, we accept
# the message.

R$* $| $* $| $* .               $@ $3           relay to explicitly allowed
R$* .                           $@ $1           to explicitly allowed

# If the message is implicitly allowed, we have to determine whether the
# message is bound for a local system or an external system.  At this
# point, it's safe to accept all messages bound for internal systems.

R$* $| $* . < >                 $1 $| $2        relay attempt
R$* . < >                       $@ $1           to implicitly allowed
R$* $| $* $| $* @ $=M           $@ $3 @ $4      to host we masquerade as
R$* $| $* $| $* @ $* $=m        $@ $3 @ $4 $5   to host in our domain
R$* $| $* $| $* @ $=w           $@ $3 @ $4      to host we handle mail for

# Another, obscure situation is that the recipient's address does not
# include a hostname portion (e.g. user rather than user@hostname).
# In that case, the recipient is local but will not have been matched
# by any of the previous rules, so we have to handle it explicitly here.
# We never refuse mail destined to a local address.

R$*                             $: $1 .
R$* $| $* $| $* @ $* .          $: $1 $| $2 $| $3 @ $4
R$* $| $* $| $* .               $@ $3           no hostname portion

# If we arrive at this point, the following conditions have been met:
#
# - The client address was neither explicitly allowed nor explicitly
#   prohibited.  Assume that it is untrustworthy.
#
# - The sender's address was neither explicitly allowed nor explicitly
#   prohibited, nor was it within our domain, of a host for which we
#   handle mail, or of a host we masquerade as.  In other words, the
#   sender's address is outside our domain of influence or interest.
#
# - The recipient's address was neither explicitly allowed nor explicitly
#   prohibited, nor was it within our domain, of a host for which we
#   handle mail, or of a host we masquerade as.  In other words, the
#   recipient's address is outside our domain of influence or interest.
#
# Because we cannot trust the client to provide legitimate sender
# addresses, and because the sender and recipient addresses are both
# outside of our service responsibility (i.e. have no clear relation to
# our users), we refuse the message.

R$* $| $* $| $*                 $#error $@ 5.7.1 $: "571 Relay from " < $2 > " via " $1 " to " < $3 > " prohibited"

----- end antispam.m4 -----
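
An added illustration, not part of the message above or of antispam.m4: a Python model of the order in which check_rcpt consults the six list files, and of the keys that permute_address tries for each address. The key spellings (bracketed IP prefixes, "user@") are a reading of the rules above and an assumption to confirm against a real configuration; all names and list contents are constructed, and $=m and the DNS lookup for IP-literal recipients are not modelled.

```python
# Added illustration: a Python model of the antispam.m4 decision order.
# It is not sendmail code; list contents below are constructed samples.

def permutations(addr):
    """Lookup keys for one address, most specific first."""
    user, _, host = addr.rpartition("@")
    if host.startswith("["):        # IP literal: drop trailing octets
        p = host.strip("[]").split(".")
        hosts = ["[" + ".".join(p[:n]) + "]" for n in range(len(p), 0, -1)]
    else:                           # host name: drop leading labels
        p = host.split(".")
        hosts = [".".join(p[n:]) for n in range(len(p))]
    if user:
        yield from (f"{user}@{h}" for h in hosts)
        yield user + "@"
    yield from hosts

def classify(addr, allow, deny):
    """'allow' or 'deny' for the first key that hits a list, else None."""
    for key in permutations(addr):
        if key in allow:            # the ok* class is tested before the no* class
            return "allow"
        if key in deny:
            return "deny"
    return None

def check_rcpt(client_ip, sender, rcpt, lists, local_hosts):
    """Verdict for one RCPT TO, following the order of tests in check_rcpt."""
    c = "allow" if client_ip == "0" else classify(
        f"[{client_ip}]", lists["client.allow"], lists["client.deny"])
    if c == "deny":
        return "reject: relay from"
    s = classify(sender, lists["from.allow"], lists["from.deny"])
    if s == "deny":
        return "reject: mail from"
    r = classify(rcpt, lists["rcpt.allow"], lists["rcpt.deny"])
    if r == "deny":
        return "reject: mail to"
    host = rcpt.rpartition("@")[2] if "@" in rcpt else ""
    if r == "allow" or "allow" in (c, s) or not host or host in local_hosts:
        return "accept"
    return "reject: relay"          # untrusted client and sender, outside recipient

LISTS = {  # constructed sample contents of the six files
    "client.allow": {"[192.0.2]"}, "client.deny": {"[203.0.113.7]"},
    "from.allow": {"partner.example"}, "from.deny": {"noisy@partner.example"},
    "rcpt.allow": set(), "rcpt.deny": {"bombed@mydomain.example"},
}
LOCAL = {"mydomain.example"}        # stands in for $=w and $=M
```

In this model a from.allow hit is enough to accept mail for an outside recipient from an unlisted client, and the sender address is whatever the client supplies in "mail from", so entries in from.allow are best kept narrow.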

