[Esd-l] Re: Procmail/Sanitizer Question

Karl L. Dunn kdunn at hiwaay.net
Tue Nov 19 13:19:01 PST 2002


Jack:

I set up two machines to test a solution for you: a PC running FreeBSD
4.3 with sendmail 8.11.3 (different OS, nearly the same sendmail as for
you), and a DEC Multia/UDB (Alpha 166MHz) running RedHat Linux 6.0 alpha
with sendmail 8.9.3 (similar OS but older sendmail than for you).  Both
have perl 5.005-03.

There is a third PC on the net, running FreeBSD 4.3, that I usually use as
a DNS server, mail gateway, Samba server, and a firewall.  I co-opted it
to set up a different net and domain, with routing set up on all three
machines, so I had a test bed.  There was no mail gateway; the first PC
and the Multia had direct access to the "internet" simulated by the
co-opted firewall PC.

I sent messages from a user to itself, user to another user, user to a
different domain, different domain to a local user, and tried out
.forwards and non-local aliases.  It all seems to work as you desire.
Underscore on "seems" -- I'm fairly confident but not 100% certain.  I
did not try a mailing list, nor very many cases.

Mail should go through the /etc/procmailrcs/filterrc script no matter
where it's going or where it comes from.  It may go through it more than
once -- for example, if local user A mails to local user B, it goes
through filterrc twice: once when sendmail gets it from A for
transmission, and once when another instance of sendmail hands it to the
local delivery agent to give it to B.  Notice that procmail is doing the
filtering, because of the rules added to ruleset 98.  In your case, the
local delivery is also done by procmail.  These are two different
definitions for mailers in sendmail.cf.  The local delivery instance of
procmail does not do any filtering (although it does, apparently, for
your current setup; see below).  Notice further that sendmail in this
example runs four times; once when it gets A's message and sends it
through filterrc because of ruleset 98, once because the lines at the end
of filterrc send it back through sendmail where ruleset 98 undoes the name
tag it attached the first time and transmits the message, and a similar
two invocations for delivering to B.

I have a residual mystery: mail coming into the Multia from elsewhere,
either the local domain or another one, goes through the filter (procmail)
twice (sendmail four times).  That does not happen for the PC.  I don't
know why this happens.  If it doesn't happen to you, I'll forget about it.
(I didn't forget about the magic file, so that's not the explanation --
read on).

Your current situation seems to me to be that you have put the filter
script (named procmailrc) in the magic place, probably /etc for RedHat.
It's /usr/local/etc for FreeBSD.  If you do that, the local mailer
instance of procmail (and any other procmail for that matter) will use it,
with its ownership; see the man page on procmail.  Therefore, the filters
work if and only if the mail is to be delivered locally (or some user
invokes it explicitly) -- otherwise procmail does not run.  What you
wanted, as I understand you, is for procmail to filter ALL mail.  To do
that, sendmail has to be told explicitly to use a different mailer
definition (also procmail); that is what the P class definition and the
additional rules for ruleset 98 are for.  You then can and must get rid of
the /etc/procmailrc file; rename it at least -- otherwise every instance
of procmail will run that too, causing you a lot of confusion.

Be careful editing sendmail.cf -- tabs and spaces mean different things.
That's why I sent you patch files.

Since I don't have RH 7.2, and I don't have the exact sendmail you have,
my test sendmail.cf files are NOT what you have, although I took care to
make them functionally the same.  I did follow the procedures below, just
to make sure they work, at least on my own RH 6.0 system.

Please let us know if this works or not, and what tweaks you needed to
apply, as I'll bet you will.

BTW:  I apologize for possibly making this far too detailed.  I think it's
safe to assume that you know most of this.

 - - - - -

With respect to your question about loading due to mailing lists:

You should have no load problem for just a few users.  I had a similar
arrangement on an internal server, and on redundant gateways, for the
corporate mail system where I worked until I retired about a year ago.  A
Sun IPX did the entire job for about 150 users until I replaced it in
early 2001.  That Sun benches out about like a 486/25 PC, and it had about
64MB of memory -- not much horsepower.  It handled on average about 100
messages per minute during working hours, sometimes approaching 100% CPU
load when the sanitizer was scanning a big Microsoft attachment for
macros.  You probably don't have that slow or small a machine, so I don't
think you should worry about processing a message for each of a lot of
recipients on a list.

If you wind up someday with more than just a few accounts, you can afford
a gateway, and you should probably set one up anyway just to have a good
firewall (I did it for the company with FreeBSD's IPFW and TIS's proxy
software).  The gateway can process incoming mail to users and to lists the
same way, and the list alias can spread things out on the host you have
now, without filtering.

 - - - - -

These procedures work on RH 6.0.  There WILL be differences for other
versions of Linux, even for RedHat Linux.  Adjust as necessary.

To build the new sendmail.cf using the m4 method:

  cd $HOME/work                               Get somewhere safe

     Unpack the tarball.  (e.g., gtar zxvf no-gate.tgz)
     You should have two patch files, and my filterrc:

        -rw-r--r-- kdunn/kdunn    1244 2002-11-18 20:24 cf.patch
        -rw-r--r-- kdunn/kdunn     984 2002-11-18 20:29 mc.patch
        -rw-r--r-- kdunn/kdunn    1116 1999-09-06 11:49 filterrc

	(You should set up your own filterrc -- this one is just my test.)

  cp -p /usr/lib/sendmail-cf/cf/redhat.mc .   Copy the generic mc file
  patch < mc.patch                            Make new -.mc (same name)
  su - root                                   Become superuser
  cd /usr/lib/sendmail-cf/cf                  Get into the build directory
     (If this doesn't work, rpm -ivh the sendmail-cf rpm from the RH CD)
  cp -p ~kdunn/work/redhat.mc jg.mc           Get the new -.mc with a new name
  m4 jg.mc > /etc/jg.cf                       Create the new -.cf
  cd /etc                                     Go where you put it
  diff sendmail.cf jg.cf                      Check it
  mv sendmail.cf sm_cf_sma                    Save the old sendmail.cf
  mv jg.cf sendmail.cf                        Install the new sendmail.cf

If you want to fix sendmail.cf directly (NOT recommended):

  cd $HOME/work
  patch < cf.patch                            Create new -.cf from the old one
  su - root                                   Become superuser
  cd /etc                                     Go where you put it
  mv sendmail.cf sm_cf_sma                    Save the old sendmail.cf
  cp ~yourself/work/sendmail.cf .             Install the new -.cf

Then:

  chown root.root sendmail.cf                 Set ownership
  chmod 644 sendmail.cf                       Set privs
  /etc/rc.d/init.d/sendmail stop              Stop (kill) sendmail
  /etc/rc.d/init.d/sendmail start             Start a new one
  cd /var/log                                 Get into the log directory
  touch procmail.log                          Create procmail.log
  chmod 666 procmail.log                      Set loose privs on it

  ls -Flag /var/log/procmail.log              Check it

    -rw-rw-rw-   1 root     root          746 Nov 19 11:55 /var/log/procmail.log

  ls -FlagR /etc/procmail*                    Check the procmail files

    /etc/procmail:
    total 5
    drwxr-sr-x   2 root     wheel        1024 May 27 16:38 ./
    drwxr-xr-x  33 root     root         3072 Nov 19 11:35 ../
    -rw-r--r--   1 root     wheel         581 May 27 16:38 poisoned

    /etc/procmailrcs:
    total 59
    drwxr-sr-x   2 root     wheel        1024 May 26 23:19 ./
    drwxr-xr-x  33 root     root         3072 Nov 19 11:35 ../
    -rw-r--r--   1 root     wheel        1116 Sep  6  1999 filterrc
    -rw-r--r--   1 root     wheel       52688 May 26 23:19 html-trap.procmail

    (There should be NO /etc/procmailrc file -- you don't want one)

Note carefully the ownerships and privs.

Test carefully!

-- 
Karl Dunn
k.l.dunn at ieee.org

On Sun, 17 Nov 2002, Jack Gryn wrote:

> Karl,
> 
> Thanks for your reply.
> 
> I've attached my sendmail.cf file; there are no modifications to what I 
> am actually using.  
> 
> I am running sendmail-8.11.6-3 on RedHat Linux 7.2 w/Kernel 2.4.16
> and perl-5.6.1-26.72.3
> 
> I have not been using m4 to generate the config files.
> 
> (note: I'm not much of an expert on sendmail configuration, I only run a 
> few discussion e-mail lists and have accounts set up for about a few 
> users - mainly with .forward files, and some that check e-mail using 
> POP3, nothing for corporate use, so I haven't really worked to tweak any 
> of the settings)
> 
> The sanitizer does not appear to filter ANY user with a .forward file 
> (unless that .forward explicitly calls procmail); as for aliases that are 
> not filtered, any address (in an alias) that is local to the system that 
> does not have a .forward file will get filtered ok, any address in an 
> alias that points to an outside domain does not get processed.
> 
> A typical .forward file would be a single line similar to
> user at abcdef.com
> 
> A typical alias entry (in /etc/aliases) would be
> 
> listname: localuser1, localuser2, outsideuser at blah.com, localuser3, outside2 at hello.com
> 
> Where the localusers with .forward files and the outsideusers will not 
> have their e-mail filtered, the rest will.
> 
> I have tried (just to see if it makes a difference) the modifications for 
> incoming and outgoing mail server; but upon noticing that it didn't help, 
> I reverted these changes.  
> 
> Anyway, I appreciate your help.  I'm sure I'm not the only one with this 
> issue.  
> 
> BTW, on a related note, do you think it might be possible to have procmail 
> run once on each alias/mailing list rather than for each individual on the 
> list?  It may be more efficient to process things that way.
> 
> Thanks for your help.
> 
> Get back to me when you get a chance.
> 
> Jack
> 
> On Sun, 17 Nov 2002, Karl L. Dunn wrote:
> 
> > On Sat, 16 Nov 2002, Jack Gryn wrote:
> > 
> > > Hello,
> > > 
> > > I'm a user of John Hardin's Procmail sanitizer; I am asking you this 
> > > question because you seem to know sendmail configuration well.
> > > 
> > > I have procmail set up as the local mailer on my system; and I would like 
> > > it to run for all incoming mail received (for any user or /etc/aliases
> > > mailing list).  
> > > 
> > > The problem is this.  There are users who have .forward  files pointing 
> > > to outside addresses; also non-local users listed in my /etc/aliases file.  
> > > Apparently, procmail does not filter any e-mail that goes through my 
> > > system destined for an outside address.  My system is not set up as a mail 
> > > relay; so anything coming to my system is either a local user or mailing 
> > > list.
> > > 
> > > Any ideas on how I can get the sanitizer working for these users?
> > > 
> > > Let me know, I would much appreciate it.
> > > 
> > > Thanks.
> > > 
> > > Jack G.
> > 
> > Jack:
> > 
> > I think you should be able to do what you want by setting up procmail and 
> > the sanitizer AS IF the system were a gateway -- that's how it behaves, 
> > at least to some extent, if you have .forwards and aliases that point to a 
> > domain that's not yours.
> > 
> > I may be confused (read that as wrong) though.  If you want me to try to
> > "fix"  your setup, please tell me:
> > 
> >    what version of sendmail you are using
> >    what OS and version is running
> >    what version of perl you use
> >    the content of your -.mc file from which you built sendmail.cf along
> >      with any other m4 files you may have customized
> >    if you did not make sendmail.cf that way, send me sendmail.cf
> >    some examples of user .forwards and aliases for which no filtering
> >      happens
> > 
> > I realize you might not want to send some of this in the clear through 
> > email.  If that's the case, clean it somewhat first (replace your domain
> > name with something else, make generic failure examples, and so on) and
> > tell me where you cleaned it.
> > 
> > Don't expect a speedy answer -- I am slow, but I will get there:  I'll
> > troubleshoot it on a three-node local net.

[demime 0.98e removed an attachment of type APPLICATION/OCTET-STREAM which had a NAME of no-gate.tgz]
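
The final checks in the message above (no /etc/procmailrc, and the ownerships and privs shown in the two listings) can be scripted. This is an added example, not part of the original message or its no-gate.tgz attachment; the function name audit_filter_layout and its two parameters (a filesystem prefix and the expected owner) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audits the layout that the message's procedure ends with.
# The function name and its two parameters are assumptions of this sketch:
#   $1 = filesystem prefix ("" for the live system), $2 = expected owner.

audit_filter_layout() {
    root=${1:-}
    owner=${2:-root}
    fails=0

    # A global procmailrc is run by every procmail instance, including the
    # local-delivery one, so the message says it must not exist.
    if [ -e "$root/etc/procmailrc" ]; then
        echo "FAIL: $root/etc/procmailrc exists (rename or remove it)"
        fails=$((fails + 1))
    fi

    # Paths taken from the listings in the message.
    for f in etc/sendmail.cf \
             etc/procmail etc/procmail/poisoned \
             etc/procmailrcs etc/procmailrcs/filterrc \
             etc/procmailrcs/html-trap.procmail; do
        p="$root/$f"
        if [ ! -e "$p" ]; then
            echo "FAIL: $p is missing"
            fails=$((fails + 1))
            continue
        fi
        # find -prune tests only the path itself; -user and -perm are POSIX,
        # so this works with both GNU (Linux) and BSD find.
        if [ -z "$(find "$p" -prune -user "$owner" 2>/dev/null)" ]; then
            echo "FAIL: $p is not owned by $owner"
            fails=$((fails + 1))
        fi
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "FAIL: $p is group- or world-writable"
            fails=$((fails + 1))
        fi
    done

    [ "$fails" -eq 0 ] && echo "OK: layout matches the listing"
    [ "$fails" -eq 0 ]
}

# Usage on the live system, as root:  audit_filter_layout "" root
```

The function returns non-zero when any check fails, so it can gate the sendmail restart step in a wrapper script.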


