Monday, December 05, 2005

Hunting down spammers

In this work-in-process guide, I aim to show you how to hunt down bastard spammers who have been using your server.


USE AT OWN RISK. I AM STILL WORKING ON IT


Once again we will start with the log files in /var/log/, especially /var/log/secure.

# A POP3 session start (logged by xinetd) will look something like this:
Dec 4 05:59:07 ensim xinetd[1556]: START: pop3 pid=25338 from=216.12.192.107
Dec 4 06:23:35 ensim xinetd[1556]: START: pop3 pid=29758 from=216.12.192.107


# Log all spammers start sessions
grep -ir "START: pop3" /var/log/secure* >> /designerz/security/

TIP
# An FTP (proftpd) brute force attempt will look like the line below.
# To ban these automatically, install BFD (Brute Force Detection).
Dec 4 06:42:10 ensim proftpd[32688]: ensim.hostingandbeyond.com (dpc67475022.direcpc.com[67.47.5.22]) - USER travis: no such user found from dpc67475022.direcpc.com [67.47.5.22] to SRVERIP:21



Terminology:

MTA: Mail Transfer Agent. Proper email routing between servers (the most complex part), e.g. exim. See RFC 974 (Mail Routing and DNS).
RTFM: Read the fucking manual
MUA: Mail User Agent (reading, writing and editing mail)
MDA: Mail Delivery Agent. Intermediary between MUA and MTA (procmail / mail.local)
IBE: In-bound email
Mailbox: traditionally a directory of files, or a single file, for storage of IBE
MIME: Multipurpose Internet Mail Extensions. See RFCs 2045 - 2049, in particular RFC 2045 and RFC 2046.
MTP: Mail Transfer Protocols
SMTP: Simple Mail Transfer Protocol. A 7-bit protocol (low-order 7 bits): "If the 8th (high) bit of a byte is set, SMTP dictates that the bit must be zeroed out" [1]. See RFC 821 and section 5 of RFC 1123.
ESMTP: 8-bit SMTP (RFC 1869), extended for internationalization.
8BITMIME: ESMTP extension that allows 8-bit data transfer (RFC 1652). "If a transfer agent has a message containing 8-bit data and it cannot negotiate the proper transfer of that data, it must either encode the message into 7-bit data using MIME, or return the message to the sender indicating the reason for the return" [1]
MX Records: Mail eXchanger records
UUCP: Unix-to-Unix Copy

Configuration Files:
SpamAssassin Prefs File = /etc/MailScanner/spam.assassin.prefs.conf


# Set where to find the messages that are delivered to the sender,
# when they have sent a message that was detected as spam and caused the
# "bounce" action to happen. This message is sent with its envelope
# constructed so that the message cannot bounce.
#
# There are 3 reports:
# Sender Spam Report - sent when a message triggers both a Spam
# List and SpamAssassin,
# Sender Spam List Report - sent when a message triggers a Spam List,
# Sender SpamAssassin Report - sent when a message triggers SpamAssassin.
#
# These can also be the filenames of rulesets.
Sender Spam Report = /etc/MailScanner/reports/en/sender.spam.report.txt
Sender Spam List Report = /etc/MailScanner/reports/en/sender.spam.rbl.report.txt
Sender SpamAssassin Report = /etc/MailScanner/reports/en/sender.spam.sa.report.txt


Incoming Queue Dir = /var/spool/mqueue.in /home/virtual/site*/fst/var/spool/mqueue



# Set where to store infected and message attachments (if they are kept)
# This can also be the filename of a ruleset.
Quarantine Dir = /var/spool/MailScanner/quarantine

# Set where to store the process id number so you can stop MailScanner
PID file = /var/run/MailScanner.pid

# Set where to find the messages that are delivered to the sender, when they
# sent an email containing either an error, a banned filename or a virus
# infection.
# These can also be the filenames of rulesets.
Sender Error Report = /etc/MailScanner/reports/en/sender.error.report.txt
Sender Bad Filename Report = /etc/MailScanner/reports/en/sender.filename.report.txt
# Template to send virus report
Sender Virus Report = /etc/MailScanner/reports/en/sender.virus.report.txt

[5] Usage options for cmq

#  Delete messages that have been in the queue for 5 or more days
cmq -d '5 days ago'

# Delete all messages in error state or that failed delivery 15 or more times
cmq -e -r 15

# Delete zero-byte queue messages and messages in error state
cmq -z -e

# Hot clean example.com and my.example.com of messages more than 3 days old
cmq -H -d '4 days ago' -D example.com,my.example.com

# Delete orphaned transcript / data files
cmq -o



from [6]

As of sendmail version 8.9, forwarding of SMTP messages is not permitted by default. For example, if you are on site A.COM, you will not accept mail from B.NET destined for C.ORG without special arrangements. These instructions assume that you are using the M4 technique for creating your sendmail.cf files; if you are not, you are on your own.

The simplest approach is to list the domains you are willing to relay in the file /etc/mail/relay-domains. Anything listed in this file will be accepted for relaying. N.B.: Sendmail must be restarted after this file is modified.

For more precise tuning, several FEATUREs have been added to control relaying:

  • FEATURE(relay_hosts_only). Normally domains are listed in /etc/mail/relay-domains; any hosts in those domains match. With this feature, each host in a domain must be listed.
  • FEATURE(relay_entire_domain). Setting this feature allows relaying of all hosts within your domain. For example, on the host gateway.A.COM, this feature allows mail to or from any host in the A.COM domain. More precisely, this relays any host listed in the $=m class. This is equivalent to listing the name of the domain in /etc/mail/relay-domains.
  • FEATURE(access_db). This enables the hash database /etc/mail/access to enable or disable access from individual domains (or hosts, if FEATURE(relay_hosts_only) is set). The database format is described below.
  • FEATURE(blacklist_recipients). If set, this feature looks up recipients as well as senders in the access database.
  • FEATURE(rbl). NOTE: This feature is obsolete. Use FEATURE(dnsbl) in newer versions of sendmail. Enables rejection of mail based on the Realtime Blackhole List maintained at mail-abuse.org.
  • FEATURE(dnsbl). Enables rejection of mail based on the Realtime Blackhole List maintained at mail-abuse.org.
  • FEATURE(accept_unqualified_senders). Normally, sendmail will not accept mail from a sender without a domain attached -- for example, user instead of user@B.NET. This feature allows such users.
  • FEATURE(accept_unresolvable_domains). Normally, sendmail will refuse to accept mail that has a return address with a domain that cannot be resolved using the regular host lookups (a technique commonly used by spammers). This feature permits acceptance of such addresses. Unresolvable domains can be selectively accepted using the access database.
  • FEATURE(relay_based_on_MX). Setting this feature permits relaying for any domain that is directed to your host.

Several other features are probably a bad idea, unless you are inside a firewall, because they make your system vulnerable to abuse by spammers:

  • FEATURE(relay_local_from). This feature allows relaying if the message claims to originate at your domain. Since forging this address is trivial, this is probably a bad idea.
  • FEATURE(loose_relay_check). This turns off checking for explicit routing through your host, such as target%C.ORG@A.COM.
  • FEATURE(promiscuous_relay). If you really want to forward all the spam on the net, this will turn off all checking for relaying.

The Access Database

The access database (normally in /etc/mail/access) allows a mail administrator to administratively allow access to the mail server by individual domains. Each database entry consists of a domain name or network number as the key and an action as the value.

Keys can be a fully or partly qualified host or domain name such as host.subdomain.domain.com, subdomain.domain.com, or domain.com. The last two forms match any host or subdomain under the specified domain. (If FEATURE(relay_hosts_only) is set, only the first form works.) Keys can also be a network address or subnetwork, e.g., 205.199.2.250, 205.199.2, or 205.199. The latter two forms match any host in the indicated subnetwork. Lastly, keys can be user@host.domain to reject mail from a specific user.

Values can be REJECT to refuse connections from this host, DISCARD to accept the message but silently discard it (the sender will think it has been accepted), OK to allow access (overriding other built-in checks), RELAY to allow access including relaying SMTP through your machine, or an arbitrary message to reject the mail with the customized message.

For example, a database might contain:

cyberpromo.com	REJECT
sendmail.org	RELAY
spam@buyme.com	550 Spammers shan't see sunlight here

to reject all mail from any host in the cyberpromo.com domain, allow any relaying to or from any host in the sendmail.org domain, and reject mail from spam@buyme.com with a specific message.

Note that the access database is a map and just as with all maps, the database must be generated using makemap. For example:

makemap hash /etc/mail/access < /etc/mail/access



FMIRTFM: For more information
[1] http://sendmail.org/email-explained.html
[2] How to use ORDB with sendmail and other programs.
[3] Test an open relay ORDB
[4] ORDB Home Page
[5] Many thanks to "perldork" for cmq and vmqinfo. Very useful tools for cleaning out the mail queue for virtual hosts. Works like a charm
[6] Controlled Relaying with sendmail

Configuration Files:
/etc/mail/local-host-names : include all aliases for your machine here (from the file's own header comment).
[2] /etc/MailScanner/rules/EXAMPLES - MailScanner examples



Examples
========

Here are a few ideas of how to implement features using this ruleset system.

1. Spam WhiteList

Set "Is Definitely Not Spam = /opt/MailScanner/etc/rules/whitelist.rules".
Set addresses to be whitelisted using rules such as
From: user@good.domain.com yes
From: *@friendly.domain.com yes
# Don't mark any internal message as spam
From: 123.234. yes
From: /^192\.168\.13[4567]\./ yes
FromOrTo: default no

2. Spam BlackList

Set "Is Definitely Spam = /opt/MailScanner/etc/rules/blacklist.rules".
Set addresses to be blacklisted using rules such as
From: user@nasty.domain.com yes
From: *@spammers.com yes
# Mark an entire network used by spammers
From: 123.231.3. yes
FromOrTo: default no

3. Only sign outgoing messages

Set "Sign Clean Messages = /opt/MailScanner/etc/rules/signing.rules".
If your messages come from "yourdomain.com", then try this:
From: 192.168. yes
FromOrTo: default no
where your network is the whole of 192.168.xxx.xxx.

4. Use different signatures for different domains

Set "Inline Text Signature = /opt/MailScanner/etc/rules/sig.text.rules" &
set "Inline HTML Signature = /opt/MailScanner/etc/rules/sig.html.rules".
Use rules for each file that look like this:
From: *@domain1.com /opt/MailScanner/etc/reports/domain1.sig.txt
From: *@domain2.com /opt/MailScanner/etc/reports/domain2.sig.txt
with equivalent rules in the "sig.html.rules" file.

5. Only virus scan some domains

Set "Virus Scanning = /opt/MailScanner/etc/rules/virus.scanning.rules".
FromOrTo: *@scanme.com yes
FromOrTo: *@scanme-too.com yes
FromOrTo: default no

6. Send system administrator notices to several people

Set "Notices To = /etc/MailScanner/rules/notices.to.rules".
To: @abc.com postmaster@me.com george@abc.com
To: @def.com postmaster@me.com bill@def.com
FromOrTo: default postmaster@me.com
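The rule files in examples 1 to 6 are only useful if you know how MailScanner walks them. The evaluator below is an added example written for this page, not MailScanner's own code. It assumes: the first matching rule wins; "*@dom" and "@dom" both mean any address at exactly that domain; a pattern made only of digits and dots (such as "123.234.") is an IPv4 prefix checked against the connecting host's address; a /.../ pattern is a regex checked against that address; "default" matches everything. The rule texts and message values are constructed copies of examples 1 and 6 above.

```python
"""Evaluator for MailScanner-style rule files (whitelist.rules, notices.to.rules, ...).

Added example, not MailScanner's own code; see the assumptions in the lead-in.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str          # envelope sender address
    recipients: list     # envelope recipient addresses
    client_ip: str       # address of the host that delivered the message to us


@dataclass
class Rule:
    direction: str       # "From", "To" or "FromOrTo"
    pattern: str         # address, *@domain, @domain, IP prefix, /regex/ or default
    value: str           # yes/no, a file name, or a list of addresses


def parse_rules(text):
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, _, rest = line.partition(":")
        parts = rest.split(None, 1)
        if direction.strip() not in ("From", "To", "FromOrTo") or len(parts) != 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(Rule(direction.strip(), parts[0], parts[1].strip()))
    return rules


def _is_ip_pattern(pattern):
    return pattern.startswith("/") or re.fullmatch(r"[0-9.]+", pattern) is not None


def _ip_matches(pattern, client_ip):
    if pattern.startswith("/") and pattern.endswith("/"):
        return re.search(pattern[1:-1], client_ip) is not None
    return client_ip.startswith(pattern)   # "123.234." style prefix


def _address_matches(pattern, address):
    pat, addr = pattern.lower(), address.lower()
    if pat.startswith("*@"):
        pat = pat[1:]
    if pat.startswith("@"):
        return addr.endswith(pat)          # any user at exactly that domain
    return addr == pat


def rule_matches(rule, msg):
    if rule.pattern == "default":
        return True
    if _is_ip_pattern(rule.pattern):
        # IP patterns describe the sending host, so a To: rule cannot use them
        return rule.direction != "To" and _ip_matches(rule.pattern, msg.client_ip)
    candidates = []
    if rule.direction in ("From", "FromOrTo"):
        candidates.append(msg.sender)
    if rule.direction in ("To", "FromOrTo"):
        candidates.extend(msg.recipients)
    return any(_address_matches(rule.pattern, a) for a in candidates)


def evaluate(rules, msg):
    """Value of the first matching rule, or None when nothing matched (not even a default)."""
    for rule in rules:
        if rule_matches(rule, msg):
            return rule.value
    return None


# Constructed copies of rule files 1 (Spam WhiteList) and 6 (Notices To) from the EXAMPLES above
WHITELIST_RULES = r"""
From: user@good.domain.com yes
From: *@friendly.domain.com yes
# Don't mark any internal message as spam
From: 123.234. yes
From: /^192\.168\.13[4567]\./ yes
FromOrTo: default no
"""

NOTICES_RULES = """
To: @abc.com postmaster@me.com george@abc.com
To: @def.com postmaster@me.com bill@def.com
FromOrTo: default postmaster@me.com
"""


def is_whitelisted(sender, client_ip):
    """True when whitelist.rules would mark a message from sender/client_ip as definitely not spam."""
    msg = Message(sender, ["someone@our.domain.example"], client_ip)
    return evaluate(parse_rules(WHITELIST_RULES), msg) == "yes"


def notice_recipients(recipients):
    """Who notices.to.rules sends admin notices to for a message with these recipients."""
    msg = Message("virus@outside.example", recipients, "203.0.113.5")
    return evaluate(parse_rules(NOTICES_RULES), msg).split()


if __name__ == "__main__":
    print(is_whitelisted("x@evil.example", "192.168.135.20"))   # internal network: True
    print(notice_recipients(["jane@abc.com"]))                   # postmaster and george
```

Note that the regex rule only matches 192.168.134 to 192.168.137, so 192.168.138.20 falls through to the default and is not whitelisted; and "*@friendly.domain.com" does not match a sub-domain of friendly.domain.com, which is why the EXAMPLES use a separate rule for each domain.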


[3] /etc/MailScanner/rules/quarantine.rules
FromOrTo: *@domain.com /home/virtual/siteX/fst/var/spool/mail.quarantine
[4] /etc/MailScanner/rules/virus-scan.rules [See]
FromOrTo: *@domainname yes
[5] Clean quarantine files
Modify /etc/cron.daily/clean.quarantine and set disabled to 0
[6] When backing up MailScanner remember the /usr/lib/MailScanner and /etc/MailScanner directories.
[7] See this post on how to upgrade MailScanner.
[8] Using find commands
[9] Sendmail 8.13.5
[10] For big queues, run something like this in the background:
[root@ensim:/usr/local/sbin]$ cmq -z -e >> /var/log/cmq.log.all &
[1] 4036

[11] Stop mail relay for a domain.
Modify /etc/mail/access, then rebuild the map:
makemap hash /etc/mail/access < /etc/mail/access
Examples (tab separated):
spammer.com	REJECT
trusted.com	RELAY
spam@spammer.com	550 Message to spammers
Keys can be:
  • a full or partially qualified host or domain name
  • an IP address or subnet address (192.168.3 and 192.168.1 will match all hosts in those subnets)
  • a network address
  • an e-mail address, to reject e-mail from a specific user
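Both the sendmail text under [6] (The Access Database) and note [11] describe the same lookup: a host or domain key matches that name and everything under it, an IP key of one to four octets matches that address or network, and a user@host key matches the sender. The model below is an added example written for this page, not sendmail's code. Beyond what the text states it assumes that the connecting host is checked before the envelope sender, that the sender's domain is looked up the same way as a host name, and that keys compare case-insensitively. The access file contents are constructed from the page's examples.

```python
"""Lookup model for the sendmail access database ([6] and [11]).

Added example, not sendmail's own code; see the assumptions in the lead-in.
"""

ACCESS_FILE = """\
# constructed sample modeled on the page's examples (key<TAB>value)
cyberpromo.com\tREJECT
sendmail.org\tRELAY
spam@buyme.com\t550 Spammers shan't see sunlight here
205.199.2\tDISCARD
.jp\tREJECT
"""


def parse_access(text):
    """Return {key: action}. Lines starting with '#' are comments; the first run of
    whitespace separates key from value, so a '550 ...' message keeps its spaces."""
    table = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        parts = raw.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"key without value: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def domain_keys(name):
    """mail.cyberpromo.com -> [mail.cyberpromo.com, cyberpromo.com, com]"""
    labels = name.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def network_keys(ip):
    """205.199.2.250 -> [205.199.2.250, 205.199.2, 205.199, 205]"""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def lookup(table, client_host=None, client_ip=None, sender=None):
    """Return (matching key, action) for the first hit, or None.

    client_host is the resolved name of the connecting host; pass None when only
    the address is known (sendmail logs those as relay=[a.b.c.d]).
    """
    candidates = []
    if client_host:
        candidates += domain_keys(client_host)
    if client_ip:
        candidates += network_keys(client_ip)
    if sender:
        addr = sender.lower()
        candidates.append(addr)
        if "@" in addr:
            candidates += domain_keys(addr.split("@", 1)[1])
    for key in candidates:
        if key in table:
            return key, table[key]
    return None


def unreachable_keys(table):
    """Keys that can never match: none of the candidates above carries a leading dot,
    so '.jp'-style entries (the wrong syntax called out under [38]) never fire."""
    return sorted(k for k in table if k.startswith("."))


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    print(lookup(table, "mail.cyberpromo.com", "198.51.100.4"))    # ('cyberpromo.com', 'REJECT')
    print(lookup(table, "foo.co.jp", "198.51.100.5"))              # None: '.jp' never matches
    print(unreachable_keys(table))                                 # ['.jp']
```

The model is a useful lint before running makemap: anything reported by unreachable_keys will sit in the map doing nothing, which is exactly the ".co.jp REJECT" problem described under [38].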

[12] Find the spammers

# An entry looks like this in /var/log/maillog
Dec 4 05:02:23 ensim sendmail[3973]: jB2Ggpf11056: to=, delay=1+17:19:32, xdelay=00:01:00, mailer=esmtp, pri=44587170, relay=mail.nettouch.com. [64.85.236.42], dsn=4.0.0, stat=Deferred: Connection timed out with mail.nettouch.com.

# Full details
grep -ir "relay" /var/log/maillog | awk 'BEGIN {FS="relay=";} {print $2}' | sort | uniq
# Just the hosts used
grep -ir "relay" /var/log/maillog | awk 'BEGIN {FS="relay=";} {print $2}' | awk 'BEGIN {FS=" ";} {print $1} ' | sort | uniq


How to modify sendmail.mc properly
# Back up the current sendmail.cf
cp /etc/sendmail.cf /etc/sendmail.cf.old
# Change to the directory where Ensim keeps sendmail.mc
cd /usr/lib/opcenter/sendmail/install/
# Keep a working copy of sendmail.mc
cp /usr/lib/opcenter/sendmail/install/sendmail.mc /usr/lib/opcenter/sendmail/install/sendmail.mc.working
# Edit
vi /usr/lib/opcenter/sendmail/install/sendmail.mc
# Apply changes
m4 /usr/lib/opcenter/sendmail/install/sendmail.mc > /etc/sendmail.cf
# Then restart sendmail with one of:
# service sendmail restart
# service MailScanner restart
# /etc/init.d/sendmail restart

[13] Something very important you need to do is modify sendmail.mc and enable dnsbl:

--------------
FEATURE(`dnsbl', `relays.ordb.org', `Rejected - see http://ordb.org/')dnl
FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?" $&{client_addr}')dnl
FEATURE(`dnsbl', `dev.null.dk', `Rejected - SPAM - Complain To http://www.null.dk/')dnl
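What those three FEATURE lines make sendmail do is a DNS lookup: the octets of the connecting address are reversed, the list zone is appended, and an A record in the answer means "listed". The script below is an added example written for this page, not sendmail code. It injects the resolver so it runs offline against constructed answers (the zone names bl.example.test and dead.example.test and the FAKE_DNS table are made up); a socket-based resolver is included for real use. It assumes the usual DNSBL convention that listing answers live in 127.0.0.0/8, that a sane zone lists 127.0.0.2, and that it must not list 127.0.0.1, which is the check to run before trusting a zone from sendmail.mc.

```python
"""How a FEATURE(`dnsbl', zone, message) lookup decides, as an added example.

Not sendmail code; resolver is injected so the sample runs offline.
"""
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")   # assumed convention for listing answers


def dnsbl_name(ip, zone):
    """198.51.100.9 + bl.spamcop.net -> 9.100.51.198.bl.spamcop.net (raises on a bad address)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def resolve_with_socket(name):
    """Real resolver: sorted A records, or [] when the name does not exist / DNS is unreachable."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def dnsbl_check(ip, zones, resolve):
    """[(zone, answer)] for every zone that lists ip with an answer inside 127/8.

    An answer outside 127/8 is ignored: that is what a parked or wildcarded dead
    zone returns, not a listing."""
    hits = []
    for zone in zones:
        for answer in resolve(dnsbl_name(ip, zone)):
            if ipaddress.IPv4Address(answer) in LISTED_RANGE:
                hits.append((zone, answer))
    return hits


def zone_is_sane(zone, resolve):
    """A working list answers for 127.0.0.2 and stays silent for 127.0.0.1."""
    return bool(resolve(dnsbl_name("127.0.0.2", zone))) and not resolve(dnsbl_name("127.0.0.1", zone))


def reject_message(ip, hits, template="Spam blocked see: http://spamcop.net/bl.shtml?{ip}"):
    """The text sendmail would send; {ip} plays the role of $&{client_addr} in the FEATURE line."""
    return template.format(ip=ip) if hits else None


# Constructed answers standing in for DNS (documentation addresses only)
FAKE_DNS = {
    "9.100.51.198.bl.example.test": ["127.0.0.2"],     # 198.51.100.9 is listed
    "2.0.0.127.bl.example.test": ["127.0.0.2"],        # test address that must be listed
    "5.113.0.203.dead.example.test": ["10.1.2.3"],     # non-127 answer: parked zone, not a listing
    "2.0.0.127.dead.example.test": ["127.0.0.2"],
    "1.0.0.127.dead.example.test": ["127.0.0.2"],      # lists the address that must never be listed
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["bl.example.test", "dead.example.test"]
    hits = dnsbl_check("198.51.100.9", zones, fake_resolve)
    print(hits, reject_message("198.51.100.9", hits))
    print({z: zone_is_sane(z, fake_resolve) for z in zones})   # dead.example.test fails the sanity check
```

Run zone_is_sane with resolve_with_socket against each zone named in sendmail.mc from time to time: a list that has gone away, or one that has started answering for everything, will otherwise turn the FEATURE line into a rejection of all inbound mail.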

# Once dnsbl is enabled, rejected connections show up in /var/log/maillog like this (the reject text is the message given in the FEATURE line):

Dec 5 20:43:33 ensim sendmail[29409]: jB61hWr29409: ruleset=check_relay, arg1=24-180-180-138.dhcp.mdsn.wi.charter.com, arg2=24.180.180.138, relay=24-180-180-138.dhcp.mdsn.wi.charter.com [24.180.180.138], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?24.180.180.138
Dec 5 20:44:28 ensim sendmail[29426]: jB61iSr29426: ruleset=check_relay, arg1=[211.238.30.2], arg2=211.238.30.2, relay=[211.238.30.2], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?211.238.30.2
Dec 5 20:45:25 ensim sendmail[29824]: jB61jPr29824: ruleset=check_relay, arg1=[198.65.204.57], arg2=198.65.204.57, relay=[198.65.204.57], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?198.65.204.57
Dec 5 20:47:11 ensim sendmail[30021]: jB61lBr30021: ruleset=check_relay, arg1=[61.72.63.89], arg2=61.72.63.89, relay=[61.72.63.89], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?61.72.63.89
Dec 5 20:48:46 ensim sendmail[1157]: jB61mkr01157: ruleset=check_relay, arg1=static-151-204-225-105.bos.east.verizon.net, arg2=151.204.225.105, relay=static-151-204-225-105.bos.east.verizon.net [151.204.225.105], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?151.204.225.105
Dec 5 20:50:03 ensim sendmail[32321]: jB61o2r32321: ruleset=check_relay, arg1=24-176-175-74.static.snlo.ca.charter.com, arg2=24.176.175.74, relay=24-176-175-74.static.snlo.ca.charter.com [24.176.175.74], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?24.176.175.74
Dec 5 20:53:33 ensim sendmail[9934]: jB61rXr09934: ruleset=check_relay, arg1=24-48-162-28.sbtnvt.adelphia.net, arg2=24.48.162.28, relay=24-48-162-28.sbtnvt.adelphia.net [24.48.162.28], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?24.48.162.28
Dec 5 21:00:36 ensim sendmail[12510]: jB620ar12510: ruleset=check_relay, arg1=[211.182.232.161], arg2=211.182.232.161, relay=[211.182.232.161], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?211.182.232.161
Dec 5 21:01:41 ensim sendmail[13178]: jB621fr13178: ruleset=check_relay, arg1=[69.60.98.5], arg2=69.60.98.5, relay=[69.60.98.5], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?69.60.98.5
Dec 5 21:03:09 ensim sendmail[13187]: jB6239r13187: ruleset=check_relay, arg1=mail.imemperor.com, arg2=209.172.61.46, relay=mail.imemperor.com [209.172.61.46], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?209.172.61.46
Dec 5 21:03:40 ensim sendmail[13190]: jB623er13190: ruleset=check_relay, arg1=69-173-240-207.clvdoh.adelphia.net, arg2=69.173.240.207, relay=69-173-240-207.clvdoh.adelphia.net [69.173.240.207], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?69.173.240.207
Dec 5 21:04:15 ensim sendmail[13206]: jB624Fr13206: ruleset=check_relay, arg1=210-58-16-76.cm.dynamic.apol.com.tw, arg2=210.58.16.76, relay=210-58-16-76.cm.dynamic.apol.com.tw [210.58.16.76], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?210.58.16.76
Dec 5 21:07:31 ensim sendmail[13811]: jB627Vr13811: ruleset=check_relay, arg1=hb529.xvinject42.com, arg2=66.63.173.8, relay=hb529.xvinject42.com [66.63.173.8], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?66.63.173.8
Dec 5 21:11:29 ensim sendmail[15898]: jB62BTr15898: ruleset=check_relay, arg1=[203.162.246.162], arg2=203.162.246.162, relay=[203.162.246.162], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?203.162.246.162
Dec 5 21:18:59 ensim sendmail[16664]: jB62Ixr16664: ruleset=check_relay, arg1=n2a.bullet.dcn.yahoo.com, arg2=216.155.203.222, relay=n2a.bullet.dcn.yahoo.com [216.155.203.222], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?216.155.203.222
Dec 5 21:19:05 ensim sendmail[16668]: jB62J4r16668: ruleset=check_relay, arg1=out202.outpeake.com, arg2=66.227.57.222, relay=out202.outpeake.com [66.227.57.222], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?66.227.57.222
Dec 5 21:26:37 ensim sendmail[19435]: jB62Qbr19435: ruleset=check_relay, arg1=ip68-226-216-170.lf.br.cox.net, arg2=68.226.216.170, relay=ip68-226-216-170.lf.br.cox.net [68.226.216.170], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?68.226.216.170
Dec 5 21:28:38 ensim sendmail[19482]: jB62Scr19482: ruleset=check_relay, arg1=eps41.earnpaisa.com, arg2=67.15.188.41, relay=eps41.earnpaisa.com [67.15.188.41] (may be forged), reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?67.15.188.41
Dec 5 21:29:36 ensim sendmail[19519]: jB62Tar19519: ruleset=check_relay, arg1=hb530.xvinject42.com, arg2=66.63.173.9, relay=hb530.xvinject42.com [66.63.173.9], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?66.63.173.9
Dec 5 21:33:18 ensim sendmail[21608]: jB62XIr21608: ruleset=check_relay, arg1=edl157.edealfind.com, arg2=64.69.32.157, relay=edl157.edealfind.com [64.69.32.157] (may be forged), reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?64.69.32.157
Dec 5 21:34:28 ensim sendmail[21632]: jB62YSr21632: ruleset=check_relay, arg1=[206.161.68.11], arg2=206.161.68.11, relay=[206.161.68.11], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?206.161.68.11
Dec 5 21:36:36 ensim sendmail[22243]: jB62aar22243: ruleset=check_relay, arg1=210.213.122.195.pldt.net, arg2=210.213.122.195, relay=210.213.122.195.pldt.net [210.213.122.195] (may be forged), reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?210.213.122.195
Dec 5 21:37:50 ensim sendmail[22276]: jB62bnr22276: ruleset=check_relay, arg1=c-67-168-48-38.hsd1.wa.comcast.net, arg2=67.168.48.38, relay=c-67-168-48-38.hsd1.wa.comcast.net [67.168.48.38], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?67.168.48.38
Dec 5 21:39:36 ensim sendmail[22325]: jB62dar22325: ruleset=check_relay, arg1=pool-71-107-130-218.lsanca.dsl-w.verizon.net, arg2=71.107.130.218, relay=pool-71-107-130-218.lsanca.dsl-w.verizon.net [71.107.130.218], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?71.107.130.218
Dec 5 21:41:01 ensim sendmail[24244]: jB62f1r24244: ruleset=check_relay, arg1=c-24-5-240-209.hsd1.ca.comcast.net, arg2=24.5.240.209, relay=c-24-5-240-209.hsd1.ca.comcast.net [24.5.240.209], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?24.5.240.209
Dec 5 21:41:02 ensim sendmail[24245]: jB62f2r24245: ruleset=check_relay, arg1=c-24-5-240-209.hsd1.ca.comcast.net, arg2=24.5.240.209, relay=c-24-5-240-209.hsd1.ca.comcast.net [24.5.240.209], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?24.5.240.209
Dec 5 21:43:13 ensim sendmail[24438]: jB62hDr24438: ruleset=check_relay, arg1=OFSfb-01p3-45.ppp11.odn.ad.jp, arg2=211.1

[14] Collect spammer names (needs to be filtered)
grep -ir "relay" /var/log/maillog | awk 'BEGIN {FS="relay=";} {print $2}' | awk 'BEGIN {FS=" ";} {print $1} ' | sort | uniq >> /var/log/spammer.relays
# Taiwan only
grep -ir "relay" /var/log/maillog | awk 'BEGIN {FS="relay=";} {print $2}' | awk 'BEGIN {FS=" ";} {print $1} ' | sort | uniq | grep "\.tw"

[15] Collect relay hosts from a specific country and block them

grep -ir "relay" /var/log/maillog | awk 'BEGIN {FS="relay=";} {print $2}' | awk 'BEGIN {FS=" ";} {print $1 "\tREJECT" } ' | sort | uniq | grep "\.jp" >> /etc/mail/access
# then rebuild the access map with makemap (see [11]), otherwise the new entries have no effect
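The grep pipelines in [12], [14] and [15] pull every "relay=" out of maillog, but that field means different things in different records: in a from= record it is the host that handed us the message, in a reject= record it is a connection we refused, and in a to= record (the Deferred entry quoted under [12] is one) it is the destination we tried to deliver to, which is not a spammer and must not end up in /etc/mail/access. The script below is an added example for this page, not from the author; it keeps the direction of each record and only proposes REJECT entries for inbound hosts. The log lines are constructed, modeled on the entries quoted on this page but using documentation addresses and made-up host names.

```python
"""Extract and classify relay= hosts from sendmail's maillog ([12], [14], [15]).

Added example, not from the page; sample log lines are constructed.
"""
import re
from collections import Counter

RELAY_RE = re.compile(
    r"relay=(?:\[(?P<ip_only>[\d.]+)\]"                 # relay=[198.51.100.2]
    r"|(?P<host>[^\s,\[]+)(?:\s+\[(?P<ip>[\d.]+)\])?)"  # relay=host.example [198.51.100.2]
    r"(?P<forged>\s+\(may be forged\))?"                # reverse DNS did not check out
)


def parse_relay(line):
    """Return {'host', 'ip', 'direction', 'forged'} or None when the line has no relay= field."""
    m = RELAY_RE.search(line)
    if not m:
        return None
    if "reject=" in line:
        direction = "rejected"          # connection refused (check_relay, dnsbl, access db)
    elif re.search(r"\bfrom=", line):
        direction = "inbound"           # message accepted from that relay
    elif re.search(r"\bto=", line):
        direction = "outbound"          # our delivery attempt to a remote host
    else:
        direction = "unknown"
    return {
        "host": (m.group("host") or "").rstrip(".") or None,   # drop the trailing dot sendmail logs
        "ip": m.group("ip") or m.group("ip_only"),
        "direction": direction,
        "forged": m.group("forged") is not None,
    }


def inbound_relay_counts(lines):
    """Connections per relay (host name if known, else IP), counting inbound and rejected records only."""
    counts = Counter()
    for line in lines:
        rec = parse_relay(line)
        if rec and rec["direction"] in ("inbound", "rejected"):
            counts[rec["host"] or rec["ip"]] += 1
    return counts


def access_entries(counts, tld):
    """Access-file lines (key<TAB>REJECT) for relays under a country TLD, as in [15].
    Rebuild the map with makemap after appending them."""
    suffix = "." + tld.lstrip(".").lower()
    return sorted(f"{host}\tREJECT" for host in counts if host.lower().endswith(suffix))


# Constructed sample, modeled on the page's quoted entries
SAMPLE_LOG = [
    # outbound delivery attempt (the kind quoted under [12]); the relay is the remote MX, not a spammer
    "Dec 4 05:02:23 ensim sendmail[3973]: jB2Ggpf11056: to=<user@example.net>, delay=1+17:19:32, xdelay=00:01:00, mailer=esmtp, pri=44587170, relay=mail.example.net. [192.0.2.42], dsn=4.0.0, stat=Deferred: Connection timed out with mail.example.net.",
    # connections refused by the dnsbl check: one unresolved address, one flagged as forged
    "Dec 5 20:44:28 ensim sendmail[29426]: jB61iSr29426: ruleset=check_relay, arg1=[198.51.100.2], arg2=198.51.100.2, relay=[198.51.100.2], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?198.51.100.2",
    "Dec 5 21:28:38 ensim sendmail[19482]: jB62Scr19482: ruleset=check_relay, arg1=eps41.bulk.example.jp, arg2=198.51.100.41, relay=eps41.bulk.example.jp [198.51.100.41] (may be forged), reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?198.51.100.41",
    # accepted inbound messages: these are the hosts the pipelines above are after
    "Dec 5 22:01:10 ensim sendmail[25100]: jB63A9r25100: from=<bulk@sender.example.jp>, size=2048, class=0, nrcpts=1, msgid=<constructed-1@sender.example.jp>, proto=ESMTP, daemon=MTA, relay=host1.sender.example.jp [203.0.113.10]",
    "Dec 5 22:01:12 ensim sendmail[25104]: jB63ACr25104: from=<bulk@sender.example.jp>, size=2050, class=0, nrcpts=1, msgid=<constructed-2@sender.example.jp>, proto=ESMTP, daemon=MTA, relay=host1.sender.example.jp [203.0.113.10]",
    "Dec 5 22:03:40 ensim sendmail[25130]: jB63Cdr25130: from=<news@mx.example.tw>, size=900, class=0, nrcpts=1, msgid=<constructed-3@mx.example.tw>, proto=ESMTP, daemon=MTA, relay=mx.example.tw [203.0.113.77]",
]


if __name__ == "__main__":
    counts = inbound_relay_counts(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{n:4d}  {host}")
    print("\n".join(access_entries(counts, "jp")))
```

With real data, feed it `open("/var/log/maillog")` instead of SAMPLE_LOG. The outbound relay mail.example.net never appears in the counts, which is the difference from the raw grep pipeline.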
[16] Savemail panic: [here]
In /etc/aliases, ensure the following exists:
#
# >>>>>>>>>> The program "newaliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root

# Rebuild aliases
newaliases
sendmail -bi
# Test
sendmail -bv MAILER-DAEMON
sendmail -bv postmaster
# Show lost messages in the queue
mailq -qL
[17] Block an email address with 550 error
[18] verify an email address instead of domain
[19] Check in sendmail.cf
[root@ensim:/usr/lib/opcenter/sendmail/install]$ grep '^[FC]w' /etc/sendmail.cf
Cwlocalhost localhost.localdomain
Fw/etc/mail/local-host-names
Cwlocalhost.localdomain
[20] Show class w, the host names sendmail treats as local (thanks). Run sendmail in test mode and enter $=w at the prompt:
sendmail -bt
> $=w
[21] trouble sending email
[22] sendmail tuning
[23] View sendmail version and see what sendmail has been compiled with
[root@ensim:/usr/local/sbin]$ sendmail -bt -d0.1

[24] Test your mail server for open relay
[25] View rule matching / how mail routing is being done (debug level 21.2)

/usr/lib/sendmail -bt -d21.12
WARNING: Ruleset Local_check_rcpt has multiple definitions
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> 3,11 me@me.com
canonify input: me @ me . com

[26] For rule debugging (see [25]) these inputs can be used (thanks):

#
3,11 me@me.com
# where is mail going
3,0,4 me@me.com

[27] Check syntax of poprelay.conf
[root@ensim:/usr/local/sbin]$ perl /etc/mail/poprelay.conf
[28] use a test message to lint spamassassin rules
spamassassin -D --lint

[29] Local tests only
spamassassin -L

[30] process sendmail queue every hour
sendmail -q1h
[31] Backup sendmail config
cp /etc/sendmail.cf /etc/sendmail.cf.old
[32] sendmail directory on ensim
cd /usr/lib/opcenter/sendmail/install/
[33] Apply sendmail configurations
m4 sendmail.mc > /etc/sendmail.cf
[34] Where is the dead email stored?
/root/dead.letter
[35] Where is the mail queue stored?
/home/virtual/site93/fst/var/spool/mqueue/
[36] Making changes to mail/access
vi /etc/mail/access
makemap hash /etc/mail/access < /etc/mail/access
[37] sendmail domain map
/etc/virtualhosting/mappings/sendmail.domainmap
[38] Recently I had an issue where mail was being accepted by the server but wasn't being delivered. If you keep getting an "unknown user" error from sendmail, or your mail is accepted by sendmail and not delivered:
1. Try editing the site using Ensim Webppliance and saving it without any changes.
2. Restart Webppliance.
3. Check /etc/mail/local-host-names and ensure nothing wrong is there.
4. Check /etc/mail/access and make sure it contains nothing like the following (wrong syntax):
.co.jp REJECT
.jp REJECT
.tw REJECT
.cn REJECT
5. Apply changes and restart MailScanner:
makemap hash /etc/mail/access < /etc/mail/access
[37] Sendmail Features
[38] Enable SpamCop
[39] SpamAssassin Apache