Backscatter is the problem that arises when a mail server does not reply "User unknown" for addresses that do not exist: it accepts the message and bounces it later, and that bounce behaviour can be used as part of an attack.
Checking 128.32.48.150 shows the following listing history:
29.04.2014 20:42 CEST  listed
29.05.2014 17:25 CEST  expired
18.10.2016 19:26 CEST  listed
https://staff.ie.cuhk.edu.hk/~sfluk/wordpress/?p=1397 describes how to configure sendmail to avoid this problem.
For us, what we did was update /etc/mail/Makefile so that it reads the various alias files in /etc/mail/, adds every alias to the access map, and then rebuilds /etc/mail/access.db from that. We also disabled the EXPN command. This probably does not matter, but it seemed worth a try.
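The following is an added example, not the actual /etc/mail/Makefile rule used on moog: a POSIX shell script that does the same kind of thing, reading alias files in the standard "name: target" format, emitting one access-map entry per known alias, and finishing with a catch-all entry that rejects every other recipient in the domain with the same "550 User unknown" / 5.1.1 result shown in the test below. It assumes sendmail.mc has FEATURE(`access_db') and FEATURE(`blacklist_recipients') enabled (needed for To: entries), and the domain and alias file here are constructed samples.

```shell
#!/bin/sh
# Added example (not moog's own Makefile): build sendmail access-map source
# so that only known aliases at a domain are accepted at RCPT TO time and
# every other recipient is rejected with "550 User unknown" (5.1.1).
# Assumes FEATURE(`access_db') and FEATURE(`blacklist_recipients') in sendmail.mc.

# gen_access_entries DOMAIN FILE... : print access-map lines to stdout.
gen_access_entries() {
    domain=$1; shift
    # Alias names: skip comments, blank lines and continuation lines (which
    # begin with whitespace); take the text before the first colon.
    awk '
        /^[#[:space:]]/ || /^$/ { next }
        { name = $0; sub(/:.*/, "", name); gsub(/[[:space:]]/, "", name)
          if (name != "") print name }
    ' "$@" | sort -u | while read -r name; do
        # A specific To:user@domain entry wins over the domain-wide entry below.
        printf 'To:%s@%s\tOK\n' "$name" "$domain"
    done
    # Catch-all: any recipient in this domain not listed above is unknown.
    printf 'To:%s\tERROR:5.1.1:550 User unknown\n' "$domain"
}

# build_access_db DOMAIN FILE... : write the access source file and, when
# makemap is installed, the access.db hash map next to it.
build_access_db() {
    out=$SAMPLE_DIR/access
    gen_access_entries "$@" > "$out"
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$SAMPLE_DIR/access.db" < "$out"
    fi
    cat "$out"
}

# Constructed sample alias file (not moog's real aliases) in a scratch directory.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_ALIASES=$SAMPLE_DIR/aliases
cat > "$SAMPLE_ALIASES" <<'EOF'
# constructed sample, "bob" is a target on a continuation line, not an alias
postmaster: root
webmaster:  alice,
            bob
abuse:      postmaster
EOF

build_access_db moog.example.edu "$SAMPLE_ALIASES"
```

In a real deployment the output would be written to /etc/mail/access and fed to makemap from the Makefile, and local users from /etc/passwd (or whatever other recipient sources the host has) would be merged in the same way before the catch-all line.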
Before the fix, the following test showed that there was a possibility that email to unknown-user@moog.eecs.berkeley.edu was not being handled properly:
[root@moog mail]# /usr/lib/sendmail -bt -d21.4
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> .D{client_addr}200.89.70.8
> .D{client_name}mx.uchile.cl
> check_rcpt <cxhxxxxx@moog.eecs.berkeley.edu>
check_rcpt         input: < cxhxxxxx @ moog . eecs . ...
                   rewritten as: < cxhxxxxx @ moog . eecs . berkeley . edu > $| @ RELAY
                   rewritten as: RELAY
Basic_check_rcpt   returns: RELAY
                   rewritten as: RELAY
check_rcpt         returns: RELAY
>
After the fix, the last part was:
check_rcpt returns: $# error $@ 5 . 1 . 1 $: "550 User unknown"
Note that for this to work, the host name that receives the mail must have an MX record pointing to moog, not a CNAME.
Not this:
;; ANSWER SECTION:
robotics.EECS.Berkeley.EDU. 86400 IN CNAME moog.EECS.Berkeley.EDU.
But instead this:
;; ANSWER SECTION:
chess.EECS.Berkeley.EDU. 86400 IN SPF "v=spf1 ip4:128.32.48.150 ?all"
chess.EECS.Berkeley.EDU. 86400 IN TXT "v=spf1 ip4:128.32.48.150 ?all"
chess.EECS.Berkeley.EDU. 86400 IN MX 5 moog.EECS.Berkeley.EDU.
chess.EECS.Berkeley.EDU. 86400 IN A 128.32.48.150
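A quick way to check that a host name is set up the MX way rather than the CNAME way, as an added example that is not part of the original note: a POSIX shell function that classifies dig answer-section output as "cname", "mx" or "none", plus a wrapper that runs dig when it is available. The two answer sections above are embedded as the sample input; the dig wrapper and the record layout (name, TTL, IN, type, data) are assumptions about standard dig output, not something the note states.

```shell
#!/bin/sh
# Added example (not from the original note): classify a mail host's DNS
# records so a CNAME, which sendmail will not accept as an MX target,
# is caught before the access-map fix is relied on.

# classify_answer: read dig "+noall +answer" lines on stdin and print
#   cname - the name is an alias (the CNAME case shown for robotics above)
#   mx    - the name has an MX record (the chess case above)
#   none  - neither record type is present
classify_answer() {
    awk '
        # dig answer lines look like: NAME TTL IN TYPE DATA...
        $3 == "IN" && $4 == "CNAME" { cname = 1 }
        $3 == "IN" && $4 == "MX"    { mx = 1 }
        END {
            if (cname)   print "cname"
            else if (mx) print "mx"
            else         print "none"
        }
    '
}

# check_mail_host NAME: query DNS with dig (assumed installed) and classify.
check_mail_host() {
    { dig +noall +answer "$1" CNAME; dig +noall +answer "$1" MX; } | classify_answer
}

# Sample inputs taken from the answer sections quoted in the note.
ROBOTICS_ANSWER='robotics.EECS.Berkeley.EDU. 86400 IN CNAME moog.EECS.Berkeley.EDU.'
CHESS_ANSWER='chess.EECS.Berkeley.EDU. 86400 IN MX 5 moog.EECS.Berkeley.EDU.
chess.EECS.Berkeley.EDU. 86400 IN A 128.32.48.150'

printf 'robotics: %s\n' "$(printf '%s\n' "$ROBOTICS_ANSWER" | classify_answer)"
printf 'chess:    %s\n' "$(printf '%s\n' "$CHESS_ANSWER" | classify_answer)"
```

With dig installed, `check_mail_host chess.EECS.Berkeley.EDU` performs the live query; anything that prints "cname" needs its DNS fixed before the "550 User unknown" rejection will be seen by senders.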