minor list changes
Jay West
jwest at classiccmp.org
Sun Mar 6 21:31:03 CST 2005
Tom wrote...
> The exploit is based upon the fact that the destination host
> rejects unknown users; MX backups, not having that information,
> generally accept *@domain, so the spammer hack is to find the
> n>0th MX host, and queue it all up there. Spreads the load.
>
> What we did was simply use virtusertable on the MX host to list
> each and every single valid user. Clearly this doesn't scale for
> many users but for the dozen or so we have it's fine.
> /etc/mail/virtusertable also handles all the virtual domains etc
> all in one place.
There's a little better way to handle this... I do have a direct line to one
of the programmers inside Sendmail.org. Their internal direction is all LDAP
based for local user tests, replacement of getuserinfo, etc. There's
obviously a noticeable trend towards this in the released code as well.
So, long story short, put all your users in LDAP for sendmail. Then you
don't run the security risk of having local user accounts for email
customers, AND all your MX hosts have access to the LDAP database to prevent
the exploit you mentioned above.
Regards,
Jay West
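The thread's point is that a backup MX can only refuse mail for nonexistent users if it has the same recipient knowledge as the primary, whether that comes from a virtusertable listing every user or from a shared LDAP directory. The following added example (written for this page, not code from the post, from cctalk or from sendmail) models the RCPT-stage decision with a small virtusertable parser and shows how an `@domain` catch-all entry turns the secondary into the accept-everything queue Tom describes. The lookup order (exact `user@domain`, then `@domain` catch-all) follows sendmail's documented behaviour, but `+detail` addresses and `%1` substitution are left out; the table contents, the LDAP-style entry shape and the recipient batch are all constructed.

```python
"""Recipient validation for a backup MX, modelled on sendmail's virtusertable.

Added example; this is not code from the cctalk post or from sendmail itself.
Lookup order (exact user@domain first, then an @domain catch-all) follows the
documented virtusertable behaviour; +detail addresses and %1 substitution are
deliberately left out. All tables and directory entries below are constructed.
"""

# Constructed sample table with one explicit entry per valid user.
VIRTUSERTABLE_STRICT = """\
# user@domain            local mailbox or forward target
alice@example.org        alice
bob@example.org          bob
postmaster@example.org   alice
"""

# Same table plus a catch-all. An @domain entry makes the host accept *@domain,
# which is exactly what turns a backup MX into a spammer's staging queue.
VIRTUSERTABLE_CATCHALL = VIRTUSERTABLE_STRICT + "@example.org   alice\n"

VIRTUAL_DOMAINS = {"example.org"}


def parse_virtusertable(text):
    """Return {key: target} from virtusertable text; keys are lower-cased."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("malformed virtusertable line: %r" % raw)
        key, target = fields
        table[key.lower()] = target
    return table


def table_from_directory(entries):
    """Build the same kind of table from LDAP-style entries (constructed shape:
    {"uid": ..., "mail": [...]}), so every MX validates from one shared source."""
    table = {}
    for entry in entries:
        for addr in entry["mail"]:
            table[addr.lower()] = entry["uid"]
    return table


def resolve_recipient(table, address, virtual_domains=VIRTUAL_DOMAINS):
    """Decide the fate of one RCPT TO: ('accept', target) or ('reject', reason)."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return "reject", "malformed address"
    _user, domain = address.split("@")
    if domain not in virtual_domains:
        return "reject", "relaying denied"      # not a domain this MX serves
    if address in table:
        return "accept", table[address]
    if "@" + domain in table:
        return "accept", table["@" + domain]    # catch-all swallows unknown users
    return "reject", "user unknown"


def rcpt_stage(table, recipients, virtual_domains=VIRTUAL_DOMAINS):
    """Run a batch of RCPT TO commands and return (accepted, rejected) lists.
    Anything in 'accepted' is queued here and later bounced by the primary."""
    accepted, rejected = [], []
    for rcpt in recipients:
        verdict, detail = resolve_recipient(table, rcpt, virtual_domains)
        (accepted if verdict == "accept" else rejected).append((rcpt, detail))
    return accepted, rejected


# Constructed dictionary-style batch: two real users, the rest invented names.
SAMPLE_RCPTS = ["alice@example.org", "bob@example.org", "mallory@example.org",
                "sales@example.org", "info@example.org", "alice@other.example"]

if __name__ == "__main__":
    for name, text in (("strict", VIRTUSERTABLE_STRICT),
                       ("catch-all", VIRTUSERTABLE_CATCHALL)):
        acc, rej = rcpt_stage(parse_virtusertable(text), SAMPLE_RCPTS)
        print("%-9s accepted=%d rejected=%d" % (name, len(acc), len(rej)))
```

Run stand-alone it prints the accept/reject counts for both tables: the strict table queues only the two real users, while the catch-all table queues every invented name, each of which the primary will later refuse and bounce. `table_from_directory` shows that the LDAP route Jay describes ends in the same check; what matters is that every MX, not just the primary, consults the same list of valid recipients at RCPT time.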