SMTP Proxy Service
Note -
User authentication does not apply.
To Set Up the SunScreen Environment
-
Configure addresses and rules for DNS servers and address(es) for SMTP server(s) as follows:
ssadm edit Initial edit> add Address dns0 HOST 1.2.3.4 edit> add Address dns1 HOST 1.2.3.5 edit> add Address dns-servers GROUP { dns0 dns1 } { } edit> add Address smtp-server HOST ... edit> add Rule dns localhost dns-servers ALLOW -
Test spam filtering.
The rule below allows any address to all inbound mailboxes, no relay checking.
edit> add Rule smtp "*" smtp-server ALLOW PROXY_SMTP RELAY edit> save
-
Type the following to create a basic mail spam list (list of domains and/or addresses which won't be allowed to send mail):
ssadm edit Initial mail_spam add spam.com ssadm edit Initial mail_spam add 0.0.0.0..255.255.255.255
Note -For more information on spam control, see "SMTP Proxy" in SunScreen 3.2 Administrator's Overview.
-
Type the following to activate the configuration:
ssadm activate Initial
This refuses mail from any named host in spam.com, any host that has an unregistered address, and any originator name (in MAIL FROM: command) within spam.com.
Now a connection from an unregistered host, or from a registered host under the domain spam.com, looks like this:
% telnet efs 25 Trying 1.2.3.4... Connected to efs Escape character is "^]". 455 Smells like ... bacon ... no, spam! Connection closed by foreign host. |
The reverse-translated name (or lack thereof) has determined the originator is a spammer.
A connection from a registered host not under the domain spam.com looks like this:
% telnet efs 25 Trying 1.2.3.4... Connected to efs Escape character is "^]". 220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19: 34: 40 -0800 (PST) helo me.com 250 efs Hello me.com [3.4.5.6], pleased to meet you mail from: elvis-lives@spam.com 455 Smells like ... bacon ... no, spam! Connection closed by foreign host. |
The connection is aborted because the originating user was determined to be a spammer. elvis-lives@spam.com is an alternate syntax for the mailbox.
To Test Relay Blocking
-
Type the following to replace the previous rule with a rule that checks relaying:
edit> add Rule smtp "*" smtp-server ALLOW PROXY_SMTP
This allows only configured domains in inbound mailbox names.
-
Type the following to create a basic mail relay list (a list of domains and/or hosts which will/will not be allowed as recipient):
ssadm edit Initial mail_relay add good.org ssadm edit Initial mail_relay add !too.good.org ssadm edit Initial mail_relay add !too-mailer ssadm edit Initial mail_relay add plenty.org
The ! prefix indicates that the domain or host is not to be allowed; if you are using csh, remember to escape the !, which is a shell meta-character.
Relay processing first compares the recipient domain(s) to those which are NOTs (that is, begin with !); if the recipient is found there, the message is refused.
Second, the recipient domain(s) are compared to the list of OK domains (that is, without !); if found, the recipient is allowed.
-
Activate the configuration.
This refuses mail to any mailbox in the subdomain too.good.org or for the host too-mailer, but accepts messages bound for any mailbox in other parts of good.org, or any mailbox in plenty.org (from RCPT TO: command).
This example shows mail for allowed recipients, ending in one which will not be relayed-to:
% telnet efs 25 Trying 1.2.3.4... Connected to efs Escape character is "^]". 220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19: 34: 40 -0800 (PST) helo me.com 250 efs Hello me.com [3.4.5.6], pleased to meet you mail from: me@me.com 250 me@me.com... Sender ok rcpt to: <johnny.b@good.org> 250 Recipient ok rcpt to: extra@extra@good.org 250 Recipient ok rcpt to: <chinz@plenty.org> 250 Recipient ok rcpt to: but.not@too.good.org 454 Relay refused Connection closed by foreign host.
The connection was aborted because the recipient would require a forbidden relay operation.
Other examples of relay addresses that will not be allowed are:
-
bad1@too-mailer
-
bad2@too-mailer@good.org
-
bad3@too.good.org@good.org
-
@good.org,bad4@too.good.org
-
@too.good.org,bad5@ok.good.org
Note -The last two bullet items are examples of older, ARPANET-style path naming, and most modern mail transfer agents (MTA), such as sendmail, are not configured to accept them, regardless of whether they pass our relay filtering. Also, mailbox names surrounded by <> are treated as if they there are no <>s.
-
-
Test default relay.
If there is no configured relay list, the domain name of the SunScreen host itself is used as the allowed domain. For example, if the SunScreen name is host@domain.com, the relay checking behaves as if the following command was configured as the entire relay list:
ssadm edit Initial mail_relay domain.com
The following example shows mail which actually gets through:
% telnet efs 25 Trying 1.2.3.4... Connected to efs Escape character is "^]". 220 efs ESMTP Sendmail 8.7.4/8.7.3; Thu, 11 Mar 1999 19: 34: 40 -0800 (PST) helo me.com 250 efs Hello me.com [3.4.5.6], pleased to meet you mail from: me@me.com 250 me@me.com... Sender ok rcpt to: you@good.com 250 Recipient ok rcpt to: really@really.good.org 250 Recipient ok rcpt to: i-got@plenty.org 250 Recipient ok rcpt to: good@and.plenty.org 250 Recipient ok data 354 Enter mail, end with "." on a line by itself Subject: I Love Candy I really, really love good candy ... yummm! Send me some! . 250 UAA01234 Message accepted for delivery quit 221 efs closing connection Connection closed by foreign host.
After the . (ending the mail session), the proxy and mailer return to the state where the mailer expects a next message (starting with a MAIL FROM: command.
Note -Backslash \ and end-of-line denote command line continuation.
- © 2010, Oracle Corporation and/or its affiliates