Prohibit certain accounts from sending email

Jonah2

Member
Dec 11, 2003
Vancouver, BC
I'm trying to trace an email problem that keeps landing me in the CBL blacklist (http://cbl.abuseat.org/lookup.cgi?ip=72.29.67.66), and to narrow it down I need to prohibit certain local senders. I know I can prohibit email delivery by editing /etc/localdomains, but how do I prohibit certain accounts from sending? My extensive Googling of the issue hasn't turned up any easy solutions: the best I've found is a fairly hairy-sounding fix involving smarthost and netfilter.

Thanks! -Jonah

P.S. The issue, according to CBL, is that (I quote)

Your IP connects to one of our servers and issues the HELO as though it were the server it is connecting to. To make this a little more clear, imagine one of our servers was ebay (this is just as an example because I can't give away the identity of our source). Your IP connects and goes "HELO ebay.com" which is not how the HELO parameter is supposed to work, and is a 99.999999% sign of spam.

markhard

Well-Known Member
Apr 22, 2004
Hi Jonah2, I've got the same problem as you. My server IP is being listed by CBL. I checked the CBL website and your IP is not listed. Do you already have a solution for the problem? Can you share it with me? Thanks

Jonah2

Member
Dec 11, 2003
Vancouver, BC
After many many different tries, my datacenter finally found a solution. I'll post all of their relevant emails below, in which they explain (after I asked a few times) how they fixed it. And yes, they did fix it. -Jonah
-----

EXCERPTS FROM EMAILS FROM NOC:

I am going to look into blocking this issue at the firewall, and only allowing exim to access port 25 on remote machines. This would at least ensure that, as long as your mail server is not part of the cause, the issue will not occur again, and I can set it to log when somebody attempts to violate the rules.

I have instituted the blocks. Please do not touch apf on this server as it will overwrite my settings. As it stands, the rules I instituted are as follows:

---
iptables -A OUTPUT -j RETURN -p tcp --match owner --uid-owner 0 -o eth0
iptables -A OUTPUT -j RETURN -p tcp --match multiport --dport 25 --match owner --uid-owner 8 -o eth0
iptables -A OUTPUT -j RETURN -p tcp --match multiport --dport 25 --match owner --uid-owner 47 -o eth0
iptables -A OUTPUT -j LOG -p tcp --match multiport --dport 25 -o eth0
iptables -A OUTPUT -j DROP -p tcp --match multiport --dport 25 -o eth0
---

This means root can do anything he wants, the users {mailnull,mail,mailman} can access port 25 on any IP via the eth0 interface, and all attempts by other users will be dropped and logged.

The way it works is that any script which tries to send an email directly (i.e. connect to the remote MX and try to send the SMTP session for the mail) will be blocked, and logged to /var/log/messages (or dmesg from the shell for a quick look). However, if they attempt to send email to the localhost's SMTP server, via 127.0.0.1, it should be accepted without issue. This way, any mail filtering you have for outgoing mail can be applied to block it (if you ever decide to implement such a feature).

I recommend you notify your users to route email through 127.0.0.1 as the outgoing SMTP server for your machine, and everything should be fine. Then you can at least have logs and such as to where emails are going, and get us that much closer to determining who is sending the emails.
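The NOC's LOG rule above writes one kernel line per blocked outbound port-25 connection into /var/log/messages. The following is an added example (not part of this thread and not the datacenter's code) showing how to turn those lines into a per-account summary so the offending script can be found. It assumes the LOG rule was extended with the iptables `--log-uid` option, which is what makes the `UID=` field appear; without it the lines still show the destination and port but not the sending account. The log lines and the UIDs 1003 and 1007 are constructed for the example, and the output interface and port are taken from the rules in the post.

```python
import pwd
import re
from collections import Counter

# Constructed sample lines in the shape the kernel writes for an iptables
# LOG rule with --log-uid.  Only the first three are attempts to reach a
# remote port 25 on eth0; line four is port 80 and line five is not a
# firewall log line at all.  These are invented for the example.
SAMPLE_LOG = """\
Dec 12 03:14:07 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4411 DF PROTO=TCP SPT=40211 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Dec 12 03:14:08 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4412 DF PROTO=TCP SPT=40212 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1003 GID=1003
Dec 12 03:14:09 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4413 DF PROTO=TCP SPT=40213 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1007 GID=1007
Dec 12 03:14:10 host kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4414 DF PROTO=TCP SPT=40214 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1007 GID=1007
Dec 12 03:14:11 host sshd[2211]: Accepted publickey for jonah from 192.0.2.5 port 51234 ssh2
"""

# Fields of interest in a netfilter LOG line.  UID= is only present when the
# rule carries --log-uid, so that group is optional.
LOG_RE = re.compile(
    r"kernel: .*?OUT=(?P<out>\S*) .*?DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r".*?DPT=(?P<dpt>\d+)(?: .*?UID=(?P<uid>\d+))?"
)


def parse_smtp_blocks(text, port=25, iface="eth0"):
    """Return a list of (uid, dst) for every logged TCP attempt to `port`
    leaving via `iface`.  uid is None when the rule did not log it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m.group("proto") != "TCP" or int(m.group("dpt")) != port:
            continue
        if m.group("out") != iface:
            continue
        uid = int(m.group("uid")) if m.group("uid") is not None else None
        hits.append((uid, m.group("dst")))
    return hits


def summarize(hits):
    """Count attempts per UID and per (UID, destination) pair."""
    per_uid = Counter(uid for uid, _ in hits)
    per_uid_dst = Counter(hits)
    return per_uid, per_uid_dst


def uid_name(uid):
    """Map a UID to an account name from the local passwd database; fall back
    to the number when the UID does not exist on this host."""
    if uid is None:
        return "<uid not logged>"
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


if __name__ == "__main__":
    # On the real server this would read /var/log/messages instead.
    per_uid, per_uid_dst = summarize(parse_smtp_blocks(SAMPLE_LOG))
    for uid, count in per_uid.most_common():
        print(f"{uid_name(uid):>16}  blocked attempts: {count}")
    for (uid, dst), count in per_uid_dst.most_common():
        print(f"{uid_name(uid):>16} -> {dst}:25  x{count}")
```

The account at the top of the per-UID list is the one whose script is talking directly to remote MX hosts; with the rules in the post it has already been stopped, so the summary is for finding and cleaning the script rather than for blocking. Note that the first rule returns root's traffic unconditionally, so anything running as UID 0 is neither logged nor blocked by this set.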