Re: (OT?) securing formmail

From: Craig Sanders (castaz.net.au)
Date: Mon Jun 30 2003 - 02:27:14 CDT


On Sat, Jun 28, 2003 at 03:01:41PM +0200, Joris Benschop wrote:
> Can anyone point me to some help about how to tweak the infamous formmail
> script so that I don't become an open relay? The problem here is that we're
> maintaining almost 200 domains, which makes tweaking recipients rather
> difficult. Some mail we relay, some are POP3 boxes, some virtual
> anotherdomein.tld.

i started with the NMS version of formmail and hacked it to:

1. read in a file called /etc/formmail.recipients and add them to the allowed
recipients list - so i can manually add recipient addresses and domains to the
allowed list.

2. read in the main config file for my virtual hosting system. add all domains
to the allowed recipients list (i.e. formmail can send mail to any domain if
the web site is hosted by the server)

3. use Net::DNS to check the NS and MX records for the recipient domain. if
the NS or MX records point to my nameservers or mail servers then the recipient
is allowed. i.e. formmail can send mail to any domain we host mail or dns for.

4. add various X- headers to help trace any abuse of formmail.

5. reject mail for all other recipient addresses.

i also banned any other version of formmail and similar scripts on our web
servers. all support staff and customers have been advised that if i find
non-compliant scripts then i will delete them without further notice.
actually, i usually fix them when i find them, or replace them with a symlink
to my version.....but if i'm busy, i just delete them.

every so often i go hunting for non-compliant versions. takes about a day once
every few months.
 

> Will changing referers to my IP address solve all problems?

no, referrer checks are worse than useless. any client can forge whatever
HTTP_REFERER header they like.

craig
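The recipient check Craig outlines above (steps 1-3 and 5) and the tracing headers of step 4, written out as an added example. This is not the NMS FormMail code or Craig's actual patch; it is a standalone Perl sketch of the same policy, using Net::DNS as the post does. The server names, the hosted-domain list and the recipient-file contents are assumed or constructed here for illustration (the real version would read /etc/formmail.recipients and parse the hosting system's config file).

```perl
#!/usr/bin/perl
# Added example, not the NMS FormMail code or the post's own patch: a
# recipient allow-list in the shape the post describes (steps 1-3 and 5),
# plus the tracing headers of step 4.  Server names, hosted domains and
# recipient-file contents are assumed/constructed for illustration.
use strict;
use warnings;
use Net::DNS;

# Assumed: the nameservers and mail servers this hosting setup runs.
my @OUR_NS = qw(ns1.example.net ns2.example.net);
my @OUR_MX = qw(mail.example.net);

# Step 1: explicit addresses and bare domains, one per line, '#' comments.
# Constructed stand-in for the contents of /etc/formmail.recipients.
my $RECIPIENTS_TEXT = <<'EOT';
# addresses
sales@example.com
# whole domains
partner.example.org
EOT

# Step 2: domains from the virtual hosting config (constructed list here).
my @HOSTED_DOMAINS = qw(example.com customer-site.example);

# Steps 1+2: build a hash of allowed addresses and domains (lowercased).
sub load_allowed {
    my ($fh, @hosted) = @_;
    my %allowed;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;           # strip comments
        $line =~ s/^\s+|\s+$//g;    # trim
        next unless length $line;
        $allowed{lc $line} = 1;
    }
    $allowed{lc $_} = 1 for @hosted;
    return \%allowed;
}

# Step 3: allow the domain if any of its NS or MX records point at our
# servers.  $res is a Net::DNS::Resolver (default: a fresh one).
sub domain_is_ours {
    my ($domain, $res) = @_;
    $res ||= Net::DNS::Resolver->new;
    my %ours = map { lc($_) => 1 } (@OUR_NS, @OUR_MX);
    for my $type (qw(NS MX)) {
        my $pkt = $res->query($domain, $type) or next;   # NXDOMAIN/timeout: no
        for my $rr ($pkt->answer) {
            next unless $rr->type eq $type;
            my $target = $type eq 'NS' ? $rr->nsdname : $rr->exchange;
            return 1 if $ours{lc $target};
        }
    }
    return 0;
}

# Steps 1-3 and 5 together: decide whether one recipient may be used.
# Anything not explicitly allowed, hosted, or ours by DNS is rejected.
sub recipient_allowed {
    my ($addr, $allowed, $res) = @_;
    $addr = lc $addr;
    # One local part, one domain, and nothing that could smuggle extra
    # headers or recipients (whitespace, <>, commas, semicolons, quotes).
    return 0 unless $addr =~ /^[^\s\@<>,;"]+\@([a-z0-9.-]+)$/;
    my $domain = $1;
    return 1 if $allowed->{$addr} || $allowed->{$domain};   # steps 1+2
    return domain_is_ours($domain, $res);                   # step 3, else step 5
}

# Step 4: headers that let abuse be traced back to the client and to the
# script that sent it.  Values come from the CGI environment.
sub trace_headers {
    my %h = (
        'X-Formmail-Remote-Addr' => $ENV{REMOTE_ADDR}     // 'unknown',
        'X-Formmail-User-Agent'  => $ENV{HTTP_USER_AGENT} // 'unknown',
        'X-Formmail-Script'      => $ENV{SCRIPT_NAME}     // 'unknown',
        'X-Formmail-Host'        => $ENV{HTTP_HOST}       // 'unknown',
    );
    # CR/LF in an environment value must never reach the message header.
    s/[\r\n]+/ /g for values %h;
    return \%h;
}

# Demo run.  These four recipients are decided without touching DNS; only a
# domain that is neither listed nor hosted reaches the Net::DNS lookup.
open my $fh, '<', \$RECIPIENTS_TEXT or die "cannot open recipient text: $!";
my $allowed = load_allowed($fh, @HOSTED_DOMAINS);
for my $to ('sales@example.com', 'anyone@partner.example.org',
            'web@customer-site.example', "evil@spam.example\nBcc: x\@y") {
    (my $shown = $to) =~ s/\s.*//s;
    printf "%-30s %s\n", $shown,
        recipient_allowed($to, $allowed) ? 'allowed' : 'rejected';
}
```

Two points worth noting when adapting this. The address regex does double duty: besides extracting the domain it refuses whitespace, angle brackets, commas and quotes, which is what stops a single "recipient" field from carrying extra addresses or header lines. And the DNS step is the expensive one, so it runs last, only for domains the file and the hosting config did not already settle; a resolver failure counts as "not ours", which is the safe direction for an open-relay check.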