TcpWrappers and Sendmail

Neil Harkins (nharkins@WELL.COM)
Tue, 15 Apr 1997 11:42:45 -0700

On Tue, 15 Apr 1997, Alan Brown wrote:
> Sendmail does not do a forward DNS crosscheck on the PTR record
> associated with incoming IPs.
> I've switched sendmail to being called out of inetd.conf with a PARANOID
> hosts.deny entry.
> Currently I have some 135 hosts.deny lines against sendmail to lockout
> problem netblocks and domains. IMO if they're prevented from accessing the
> sendmail process it's a good thing, particularly as when calling it with
> -bs from inetd.conf, many of the load reducing checks are bypassed. :-(

I don't know how busy your mailserver is, but the additional overhead
of inetd exec-ing into a sendmail can bog a moderately busy mailserver
to death. Hence Eric added -DTCPWRAPPERS to sendmail 8.8.x. It works
nicely, BUT it allows EXPNs, VRFYs, etc from the "bad" sites, and only
disallows MAIL FROMs. Thus, I hacked 8.8.5 to have a two-tier wrapper that
can disallow a connection, and/or disallow MAIL FROMs, and obviously,
since it uses libwrap you can designate them as PARANOID in
/etc/hosts.allow to solve your problem/concerns. With the following patch,
you can have fields for "sendmail-connect" (what you are looking for), and
"sendmail-mailfrom" (the default 8.8.x wrapper functionality) in
/etc/hosts.allow:

diff -c sendmail-8.8.5/src//conf.c sendmail-8.8.5-neilhacks/src/conf.c
*** sendmail-8.8.5/src//conf.c Tue Jan 21 07:47:33 1997
--- sendmail-8.8.5-neilhacks/src/conf.c Tue Apr 1 17:51:40 1997
***************
*** 4017,4032 ****

#if DAEMON
bool
! validate_connection(sap, hostname, e)
SOCKADDR *sap;
char *hostname;
ENVELOPE *e;
{
if (rscheck("check_relay", hostname, anynet_ntoa(sap), e) != EX_OK)
return FALSE;

#if TCPWRAPPERS
! if (!hosts_ctl("sendmail", hostname, anynet_ntoa(sap), STRING_UNKNOWN))
{
# ifdef LOG
if (LogLevel >= 4)
--- 4018,4035 ----

#if DAEMON
bool
! validate_connection(sap, hostname, e, tcpdstring)
SOCKADDR *sap;
char *hostname;
ENVELOPE *e;
+ char *tcpdstring;
{
if (rscheck("check_relay", hostname, anynet_ntoa(sap), e) != EX_OK)
return FALSE;

#if TCPWRAPPERS
! /* if (!hosts_ctl("sendmail", hostname, anynet_ntoa(sap),STRING_UNKNOWN))*/
! if (!hosts_ctl(tcpdstring, hostname, anynet_ntoa(sap),STRING_UNKNOWN))
{
# ifdef LOG
if (LogLevel >= 4)
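Review bot: the superseded hosts_ctl("sendmail", ...) call is kept as a commented-out line right above its replacement; drop it rather than leaving dead code in the wrapper check. The bigger point is that the daemon name handed to hosts_ctl() is now whatever the caller passes in tcpdstring, so every existing /etc/hosts.allow and /etc/hosts.deny rule keyed on `sendmail` silently stops matching once this is applied; either keep a fallback lookup under "sendmail" or state in the cover note that rules must be rekeyed to the new names. Since the denial path already goes through `# ifdef LOG` / `if (LogLevel >= 4)`, it would also help operators to include tcpdstring in that log entry so syslog shows which tier refused the client.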

diff -c sendmail-8.8.5/src//daemon.c sendmail-8.8.5-neilhacks/src/daemon.c
*** sendmail-8.8.5/src//daemon.c Tue Jan 14 18:01:05 1997
--- sendmail-8.8.5-neilhacks/src/daemon.c Sun Mar 9 11:42:40 1997
***************
*** 383,391 ****

/* validate the connection */
HoldErrs = TRUE;
! nullconn = !validate_connection(&RealHostAddr,RealHostName, e);
HoldErrs = FALSE;
! if (nullconn)
break;

#ifdef XLA
--- 384,396 ----

/* validate the connection */
HoldErrs = TRUE;
! if(!validate_connection(&RealHostAddr,RealHostName, e,"sendmail-connect")){
! /*fprintf(OutChannel,"\nAccess Denied.\n\n"); */
! exit(0);
! }
! nullconn = !validate_connection(&RealHostAddr,RealHostName, e,"sendmail-mailfrom");
HoldErrs = FALSE;
! if (nullconn)
break;

#ifdef XLA
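Review bot: the "sendmail-connect" denial calls exit(0) from inside the accept loop without writing any SMTP reply, which is exactly the silent close that the cover note warns leaves POP clients hanging and other MTAs queueing; write a 5xx greeting line to OutChannel (the commented-out fprintf shows the intent but sends no SMTP status code) before exiting, and exit with a non-zero status so the event is distinguishable from a normal child exit. Calling validate_connection() twice in a row also runs the check_relay ruleset (the rscheck() call that precedes hosts_ctl() in conf.c) twice per connection, with any rejection logged twice; splitting the libwrap lookup out into its own function, or passing a flag that skips rscheck() on the second call, would avoid the duplicated work. Note too that HoldErrs is left TRUE on the exit path, which is harmless only because the process terminates there.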
diff -c sendmail-8.8.5/src//sendmail.h sendmail-8.8.5-neilhacks/src/sendmail.h
*** sendmail-8.8.5/src//sendmail.h Tue Jan 14 17:51:49 1997
--- sendmail-8.8.5-neilhacks/src/sendmail.h Tue Apr 1 15:36:38 1997
***************
*** 1014,1020 ****
extern char *hostnamebyanyaddr __P((SOCKADDR *));
extern char *anynet_ntoa __P((SOCKADDR *));
# if DAEMON
! extern bool validate_connection __P((SOCKADDR *, char *, ENVELOPE *));
# endif

#endif
--- 1014,1020 ----
extern char *hostnamebyanyaddr __P((SOCKADDR *));
extern char *anynet_ntoa __P((SOCKADDR *));
# if DAEMON
! extern bool validate_connection __P((SOCKADDR *, char *, ENVELOPE *, char *));
# endif

#endif
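Review bot: the prototype now takes an extra `char *` with nothing saying what it is, while daemon.c passes the bare literals "sendmail-connect" and "sendmail-mailfrom"; define those two daemon names once (for example as macros next to this prototype) and name the parameter in a comment so hosts.allow authors and future callers use the same spellings. This change also commits every caller to the four-argument form: any other translation unit that calls validate_connection() with three arguments is now a compile error, and this patch only updates the call in daemon.c, so the set of callers should be checked before applying it.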
[END]

Enjoy, although be careful what you wrap out. Most POP Mail clients
that send using SMTP will hang indefinitely if that connection closes
immediately after opening. Also, other mailservers sending to you will
simply queue the message and retry it, until it is time to give up.
(Actually, Sendmail will try your second MX host, if it exists, but qmail
(yuk) will queue it, and keep trying that first host, because it thinks
it screwed up on the HELO (Qmail author, please fix!)). Anyway, these are
probably the reasons why Eric wrapped only MAIL FROMs, to be considerate
of the other postmaster, and give them a message rather than fill up
their queue. But, this is a "bad" site, right? IMO, this is much better
than black-holing all net traffic from them, just what they abuse.

-Neil
_________________________________________________________________________
Neil Harkins nharkins@well.com
Network/System Administrator, The WELL 415-281-6500-x204