using procmail to filter messages (long)


Subject: using procmail to filter messages (long)
From: Mike Barsalou (mbarsalou@aidea.org)
Date: Wed Apr 03 2002 - 16:43:38 AKST


I have recently had the chance to set up a mailserver that acts as a gateway
to a mailserver inside the firewall. The point of this was to move an
Exchange server behind the firewall and also allow for processing of mail
prior to it reaching the exchange server.

I have now accomplished this with the help of Mike Tibor and Arthur Corliss.

Obviously you want to back up the sendmail.mc and sendmail.cf files before
you begin this process.

THE SETUP

There are a few assumptions that are being made here. We are limiting
certain functions so that the explanation can be less complicated.

We set up a mail gateway using sendmail...(do I hear groaning already?) We
used Webmin to configure the sendmail server, and it was easy as pie.

The sendmail server's only function is to receive inbound mail for the
domain test.org (this is a fake domain name) and route it to the internal
Exchange server mailserver.test.org. (192.168.1.20).

Two of the benefits of a setup like this are that we can reject any mail that
doesn't have a valid domain name and reject folks trying to use us as a
relay.

Webmin steps:

In the sendmail webmin(0.92) interface we added test.org in the
Relay-Domains box. In addition we added an entry to the Domain Routing
section. It looked like this:

.test.org relay [192.168.1.20]

Notice the period before test.org. The brackets around the IP number avoid
any MX lookups.

That's it!

Procmail steps:

To configure sendmail to use procmail for all incoming messages you must
include some local rules so as not to create a mailloop. Below are the ones
that I used to do my initial testing.

LOCAL_RULE_0
Rtestuser < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc $:testuser@test.org.procmail
R$* < @ $* . procmail > $*\t$1 < @$2 > $3

You have to remove the \t and replace it with an actual tab character. THIS
IS CRITICAL! Also note that you have to type the R lines including all the
spaces....they are not there for readability.
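
A quick way to catch the tab and line-wrap problems described above before running m4 (an added example, not part of the original post; the function names expand_tabs, lint_rules, as_mailed and repaired are made up here, and the sample input is constructed from the rules shown above):

```shell
#!/bin/sh
# Added example: lint LOCAL_RULE_0 rules pasted from e-mail before running m4.
# A sendmail rule is "R<lhs><TAB><rhs>"; spaces alone do not separate the fields.

# Turn the two-character placeholder \t into a real tab (stdin -> stdout).
expand_tabs() {
    awk '{ gsub(/\\t/, "\t"); print }'
}

# Report problem lines (stdin = .mc file) found after the LOCAL_RULE marker.
lint_rules() {
    awk '
        /^LOCAL_RULE/ { in_rules = 1; next }
        !in_rules || /^$/ || /^dnl/ { next }
        /^R/ {
            if (index($0, "\\t"))      print NR ": literal \\t placeholder still present"
            else if (!index($0, "\t")) print NR ": no tab between LHS and RHS"
            next
        }
        { c = substr($0, 1, 1)
          if (c != "S" && c != " " && c != "\t")
              print NR ": not a rule line (wrapped in transit?)" }
    '
}

# Constructed sample: the rules as they arrive in a wrapped, tab-stripped e-mail.
as_mailed() {
    cat <<'EOF'
MAILER(procmail)dnl
LOCAL_RULE_0
Rtestuser < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc
$:testuser@test.org.procmail
R$* < @ $* . procmail > $* $1 < @$2 > $3
EOF
}

# The same rules rejoined onto one line each, placeholders expanded to tabs.
repaired() {
    expand_tabs <<'EOF'
LOCAL_RULE_0
Rtestuser < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc $:testuser@test.org.procmail
R$* < @ $* . procmail > $*\t$1 < @$2 > $3
EOF
}

as_mailed | lint_rules      # three findings: lines 3, 4 and 5
repaired  | lint_rules      # no findings, prints nothing
```
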

Create the procmail rc /etc/procmailrcs/test.rc to look like this:

SENDER = "<$1>"
SHIFT = 1

:0 c
/mail/backup

:0 w
! -oi -f "$SENDER" "$@"

It will create a copy of the message going to testuser@test.org and put it
into the file /mail/backup and then forward the message to the testuser.

At the bottom of this message is pretty much a default mc file that is
created with the webmin interface. I added the LOCAL_RULE section at the
bottom.

For sendmail to use the new mc file you need to create the sendmail.cf file
like this:

m4 < /etc/mail/sendmail.mc > /etc/sendmail.cf # The file locations may be different on your installation

You can then test the new sendmail.cf file by doing:

sendmail -bt

It will give you a prompt then you can type:

3,0 testuser@test.org

The end result should be something like this:

ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,0 testuser@test.org
canonify input: testuser @ test . org
Canonify2 input: testuser < @ test . org >
Canonify2 returns: testuser < @ test . org . >
canonify returns: testuser < @ test . org . >
parse input: testuser < @ test . org . >
Parse0 input: testuser < @ test . org . >
Parse0 returns: testuser < @ test . org . >
ParseLocal input: testuser < @ test . org . >
ParseLocal returns: $# procmail $@ / etc / procmailrcs / test . rc $: testuser @ test . org . procmail
parse returns: $# procmail $@ / etc / procmailrcs / test . rc $: testuser @ test . org . procmail

ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,0 nontestuser@test.org
canonify input: nontestuser @ test . org
Canonify2 input: nontestuser < @ test . org >
Canonify2 returns: nontestuser < @ test . org . >
canonify returns: nontestuser < @ test . org . >
parse input: nontestuser < @ test . org . >
Parse0 input: nontestuser < @ test . org . >
Parse0 returns: nontestuser < @ test . org . >
ParseLocal input: nontestuser < @ test . org . >
ParseLocal returns: nontestuser < @ test . org . >
Parse1 input: nontestuser < @ test . org . >
Mailertable input: < test . org > nontestuser < @ test . org . >
Mailertable input: test . < org > nontestuser < @ test . org . >
Mailertable returns: nontestuser < @ test . org . >
Mailertable returns: nontestuser < @ test . org . >
MailerToTriple input: < > nontestuser < @ test . org . >
MailerToTriple returns: nontestuser < @ test . org . >
Parse1 returns: $# esmtp $@ test . org . $: nontestuser < @ test . org . >
parse returns: $# esmtp $@ test . org . $: nontestuser < @ test . org . >
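
A way to turn the address-test output above into a repeatable check after each m4 rebuild (an added example, not part of the original post; the function names bt_routes, all_via and sample_bt are made up here, and the transcript lines are taken from the output above with the wrapped lines rejoined):

```shell
#!/bin/sh
# Added example: extract the delivery triple ($# mailer, $@ host, $: user)
# from "sendmail -bt" output so routing can be checked after every rebuild.
# Live use (not run here):
#   printf '3,0 %s\n' testuser@test.org | sendmail -bt -C/etc/sendmail.cf | bt_routes

# Print "mailer host user" for every final "parse returns:" line on stdin.
bt_routes() {
    awk '
        { sub(/^> */, "") }                 # drop the prompt when present
        $1 == "parse" && $2 == "returns:" {
            mailer = ""; host = ""; user = ""; part = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "$#" || $i == "$@" || $i == "$:") { part = $i; continue }
                if (part == "$#")      mailer = mailer $i
                else if (part == "$@") host = host $i
                else if (part == "$:") user = user $i
            }
            print mailer, host, user
        }
    '
}

# Succeed only when every resolved address on stdin is handed to mailer $1.
all_via() {
    bt_routes | awk -v want="$1" '$1 != want { bad = 1 } END { exit (bad || NR == 0) }'
}

# Sample transcript: lines from the two test sessions shown above.
sample_bt() {
    cat <<'EOF'
> 3,0 testuser@test.org
ParseLocal returns: $# procmail $@ / etc / procmailrcs / test . rc $: testuser @ test . org . procmail
parse returns: $# procmail $@ / etc / procmailrcs / test . rc $: testuser @ test . org . procmail
> 3,0 nontestuser@test.org
ParseLocal returns: nontestuser < @ test . org . >
Parse1 returns: $# esmtp $@ test . org . $: nontestuser < @ test . org . >
parse returns: $# esmtp $@ test . org . $: nontestuser < @ test . org . >
EOF
}

sample_bt | bt_routes
```

Only the final `parse returns:` line is read, so intermediate rulesets such as ParseLocal and Parse1 do not produce duplicate rows.
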

Hopefully this is as clear as mud. If you want to add more individual users
you can add another Rule line to the LOCAL_RULE section. Like this:

LOCAL_RULE_0
Rtestuser < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc $:testuser@test.org.procmail
Ranotheruser < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc $:anotheruser@test.org.procmail
R$* < @ $* . procmail > $*\t$1 < @$2 > $3

Finally, if you want procmail to work for all the users, this may
work (not tested):

LOCAL_RULE_0
R$* < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc $:$1@test.org.procmail $2
Ranotheruser < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc $:anotheruser@test.org.procmail
R$* < @ $* . procmail > $*\t$1 < @$2 > $3

I hope this works for you like it did for me...

Thanks to everyone that provided feedback from my procmail recipe questions.

Mike Barsalou

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`genericstable',`hash -o /etc/mail/genericstable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
LOCAL_RULE_0
Rtestuser < @ test . org . > $*\t$#procmail $@/etc/procmailrcs/test.rc $:testuser@test.org.procmail
R$* < @ $* . procmail > $*\t$1 < @$2 > $3
