SunScreen 3.2 Administration Guide

SMTP Proxy Service


Note -

User authentication does not apply.


To Set Up the SunScreen Environment
  1. Configure addresses and rules for DNS servers and address(es) for SMTP server(s) as follows:


    ssadm edit Initial
    edit> add Address dns0 HOST 1.2.3.4
    edit> add Address dns1 HOST 1.2.3.5
    edit> add Address dns-servers GROUP { dns0 dns1 } { }
    edit> add Address smtp-server HOST ...
    edit> add Rule dns localhost dns-servers ALLOW
    

  2. Test spam filtering.

    The rule below allows any address to all inbound mailboxes, no relay checking.


    edit> add Rule smtp "*" smtp-server ALLOW PROXY_SMTP RELAY
    edit> save
    

  3. Type the following to create a basic mail spam list (list of domains and/or addresses which won't be allowed to send mail):


    ssadm edit Initial mail_spam add spam.com
    ssadm edit Initial mail_spam add 0.0.0.0..255.255.255.255
    


    Note -

    For more information on spam control, see "SMTP Proxy" in SunScreen 3.2 Administrator's Overview.


  4. Type the following to activate the configuration:


    ssadm activate Initial
    

    This refuses mail from any named host in spam.com, any host that has an unregistered address, and any originator name (in MAIL FROM: command) within spam.com.

Now a connection from an unregistered host, or from a registered host under the domain spam.com, looks like this:


% telnet efs 25
Trying 1.2.3.4...
Connected to efs
Escape character is "^]".
455 Smells like ... bacon ... no, spam!
Connection closed by foreign host.

The reverse-translated name (or lack thereof) has determined the originator is a spammer.

A connection from a registered host not under the domain spam.com looks like this:


% telnet efs 25
Trying 1.2.3.4...
Connected to efs
Escape character is "^]".
220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19:34:40 -0800 (PST)
helo me.com
250 efs Hello me.com [3.4.5.6], pleased to meet you
mail from: elvis-lives@spam.com
455 Smells like ... bacon ... no, spam!
Connection closed by foreign host.

The connection is aborted because the originating user was determined to be a spammer. <elvis-lives@spam.com> is an alternate syntax for the mailbox.
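The three spam checks described above (reverse-translated host name against listed domains, unregistered hosts against address entries, and the MAIL FROM: originator against listed domains), as an added Python model. This is not SunScreen's own code; the function names are assumed, and so is the reading that address or address-range entries such as 0.0.0.0..255.255.255.255 are applied to hosts that have no registered name.

```python
import ipaddress

# Added example: a model of the mail_spam checks the guide describes.
# Not SunScreen's code; names and the address-range semantics are assumptions.

def in_domain(name, domain):
    """True when name is domain itself or a host inside it (case-insensitive)."""
    name, domain = name.lower(), domain.lower()
    return name == domain or name.endswith("." + domain)

def parse_spam_list(entries):
    """Split mail_spam entries into domain names and IPv4 ranges.

    'a.b.c.d..w.x.y.z' is the range form used in the guide; a bare
    address is treated as a one-address range. Anything else is a domain.
    """
    domains, ranges = [], []
    for entry in entries:
        low_txt, sep, high_txt = entry.partition("..")
        try:
            low = ipaddress.IPv4Address(low_txt)
            high = ipaddress.IPv4Address(high_txt) if sep else low
            ranges.append((low, high))
        except ValueError:            # not an address: a domain name entry
            domains.append(entry)
    return domains, ranges

def spam_reason(peer_ip, reverse_name, mail_from, spam_list):
    """Return why the peer or sender is refused, or None if it passes.

    reverse_name is the reverse-translated name of peer_ip (None when the
    address is unregistered); mail_from is the MAIL FROM: mailbox, if seen yet.
    """
    domains, ranges = parse_spam_list(spam_list)
    ip = ipaddress.IPv4Address(peer_ip)
    if reverse_name is None:
        # Assumption: address entries apply to hosts without a registered
        # name, so 0.0.0.0..255.255.255.255 refuses every unregistered host.
        if any(low <= ip <= high for low, high in ranges):
            return "unregistered host"
    elif any(in_domain(reverse_name, d) for d in domains):
        return "host in listed domain"
    if mail_from:
        mailbox = mail_from.strip().strip("<>")   # <> is optional syntax
        _, _, sender_domain = mailbox.rpartition("@")
        if any(in_domain(sender_domain, d) for d in domains):
            return "originator in listed domain"
    return None
```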

To Test Relay Blocking
  1. Type the following to replace the previous rule with a rule that checks relaying:


    edit> add Rule smtp "*" smtp-server ALLOW PROXY_SMTP
    

    This allows only configured domains in inbound mailbox names.

  2. Type the following to create a basic mail relay list (a list of domains and/or hosts which will/will not be allowed as recipient):


    ssadm edit Initial mail_relay add good.org
    ssadm edit Initial mail_relay add !too.good.org
    ssadm edit Initial mail_relay add !too-mailer
    ssadm edit Initial mail_relay add plenty.org
    

    The ! prefix indicates that the domain or host is not to be allowed; if you are using csh, remember to escape the !, which is a shell meta-character.

    Relay processing first compares the recipient domain(s) to those which are NOTs (that is, begin with !); if the recipient is found there, the message is refused.

    Second, the recipient domain(s) are compared to the list of OK domains (that is, without !); if found, the recipient is allowed.

  3. Activate the configuration.

    This refuses mail to any mailbox in the subdomain too.good.org or for the host too-mailer, but accepts messages bound for any mailbox in other parts of good.org, or any mailbox in plenty.org (from RCPT TO: command).

    This example shows mail for allowed recipients, ending in one which will not be relayed-to:


    % telnet efs 25
    Trying 1.2.3.4...
    Connected to efs
    Escape character is "^]".
    220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19:34:40 -0800 (PST)
    helo me.com
    250 efs Hello me.com [3.4.5.6], pleased to meet you
    mail from: me@me.com
    250 me@me.com... Sender ok
    rcpt to: <johnny.b@good.org>
    250 Recipient ok
    rcpt to: extra@extra@good.org
    250 Recipient ok
    rcpt to: <chinz@plenty.org>
    250 Recipient ok
    rcpt to: but.not@too.good.org
    454 Relay refused
    Connection closed by foreign host.

    The connection was aborted because the recipient would require a forbidden relay operation.

    Other examples of relay addresses that will not be allowed are:

    • bad1@too-mailer

    • bad2@too-mailer@good.org

    • bad3@too.good.org@good.org

    • @good.org,bad4@too.good.org

    • @too.good.org,bad5@ok.good.org


      Note -

      The last two bullet items are examples of older, ARPANET-style path naming, and most modern mail transfer agents (MTAs), such as sendmail, are not configured to accept them, regardless of whether they pass our relay filtering. Also, mailbox names surrounded by <> are treated as if there were no <>s.


  4. Test default relay.

    If there is no configured relay list, the domain name of the SunScreen host itself is used as the allowed domain. For example, if the SunScreen name is host@domain.com, the relay checking behaves as if the following command was configured as the entire relay list:


    ssadm edit Initial mail_relay domain.com
    

    The following example shows mail which actually gets through:


    % telnet efs 25
    Trying 1.2.3.4...
    Connected to efs
    Escape character is "^]".
    220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19:34:40 -0800 (PST)
    helo me.com
    250 efs Hello me.com [3.4.5.6], pleased to meet you
    mail from: me@me.com
    250 me@me.com... Sender ok
    rcpt to: you@good.com
    250 Recipient ok
    rcpt to: really@really.good.org
    250 Recipient ok
    rcpt to: i-got@plenty.org
    250 Recipient ok
    rcpt to: good@and.plenty.org
    250 Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Subject: I Love Candy
    
    I really, really love good candy ... yummm!  Send me some!
    
    .
    250 UAA01234 Message accepted for delivery
    quit
    221 efs closing connection
    Connection closed by foreign host.

    After the . (ending the mail session), the proxy and mailer return to the state where the mailer expects a next message (starting with a MAIL FROM: command).
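    The relay check described in steps 2 through 4 (the ! entries compared first, then the OK entries, with the SunScreen host's own domain as the default list), as an added Python model covering the mailbox forms listed above: plain user@domain, user@host@domain, ARPANET-style @route,user@host, and names wrapped in <>. This is not SunScreen's own code; the function names are assumed, as is the choice to refuse a recipient that names no domain at all.

```python
# Added example: a model of SunScreen's mail_relay check as the guide describes it.
# Not SunScreen's code; function names are assumptions.

def in_domain(host, domain):
    """True when host is domain itself or a host inside it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def recipient_domains(mailbox):
    """Return every domain or host named in a RCPT TO: mailbox.

    Surrounding <> is ignored (the guide says it makes no difference),
    '@a,@b,user@c' source routes contribute a, b and c, and 'user@a@b'
    contributes both a and b, so a forbidden hop anywhere is seen.
    """
    text = mailbox.strip()
    if text.startswith("<") and text.endswith(">"):
        text = text[1:-1]
    hosts = []
    for part in text.split(","):
        _, _, after_at = part.partition("@")     # drop the local part
        hosts.extend(h for h in after_at.split("@") if h)
    return hosts

def relay_allowed(mailbox, relay_list, screen_domain):
    """Two-pass check from the guide: NOT entries first, then OK entries.

    relay_list holds the mail_relay entries ('!' prefix = not allowed);
    when it is empty the SunScreen host's own domain is the whole list.
    """
    entries = relay_list or [screen_domain]
    denied = [e[1:] for e in entries if e.startswith("!")]
    allowed = [e for e in entries if not e.startswith("!")]
    hosts = recipient_domains(mailbox)
    if not hosts:
        return False                             # assumption: no domain, no relay
    if any(in_domain(h, d) for h in hosts for d in denied):
        return False                             # proxy answers 454 Relay refused
    return any(in_domain(h, d) for h in hosts for d in allowed)

if __name__ == "__main__":
    relay = ["good.org", "!too.good.org", "!too-mailer", "plenty.org"]
    for rcpt in ["<johnny.b@good.org>", "extra@extra@good.org",
                 "but.not@too.good.org", "@good.org,bad4@too.good.org"]:
        print(f"{rcpt:35} {'250 Recipient ok' if relay_allowed(rcpt, relay, 'efs') else '454 Relay refused'}")
```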


    Note -

    Backslash \ and end-of-line denote command line continuation.