Using DCC with forwarding?

Gary Mills mills@cc.UManitoba.CA
Mon May 20 03:50:45 UTC 2002

On Sun, May 19, 2002 at 06:39:48PM -0600, Vernon Schryver wrote:
> From: mills@cc.UManitoba.CA
> >
> > How do I arrange for bulk mail rejection and logging to happen at
> > the destination server?  Right now, it happens where incoming mail
> > first arrives.  The problem with this is that users will have logs
> > at two places.  Is there a way for dccm to exempt mail that is being
> > redirected to a specific destination with the assurance that it will
> > be checked again when it gets there?
> How about whitelisting the addresses that don't want the filtering
> or logging?  It might be a hassle to whitelist them explicitly.
> On the other hand, if you run `dccm -W` and explicitly list those
> targets that should be filtered, the counts will be doubled because
> the messages that are exempt from filtering by -W will still be counted.

I'd better give an example:  When mail for `'
arrives at our main mail server, sendmail maps that virtual alias to
`'.  This is a local address, so it's delivered
locally.  However, when mail for `' arrives,
the alias is mapped to `'.  This mail is relayed
to the staff mail server, and delivered there.

There are thousands of those virtual aliases.  The database is rebuilt
every night.  According to the new-style DCC log files, sendmail has
resolved the aliases by the time it connects to dccm.  I can see from
there which are local and which are not.  I don't want to build a
whitelist when sendmail already has the information.  I had hoped that
there was a nicer way to discriminate between local and relayed mail.

> I suspect it would be easier and cleaner to move all of the logs to one
> system.  One obvious way is an rdist cron job.  Perhaps a better way
> would be to have only one real set of log directories on one of the
> two machines and to NFS mount them on the other machine.

There are different user names on each system.  Combining them
wouldn't help.  I want to get the right log files on the right system.

> How are you making the logs visible to users without letting all users
> see all logs?  Are you using the new per-user logging and whitelisting
> in 1.1.0?

I just upgraded to 1.1.2, but I'm not using the per-user logs.  I'm in
the midst of writing a perl script that will read the standard DCC logs
and build per-recipient daily summaries of bulk mail.  Each one would
be an HTML table, with one row per message.  This is the first step in
allowing users to know about bulk mail addressed to them that was
rejected by DCC.  It would also allow them to request additions to
the central whitelist.  I haven't designed the web interface or
authentication portions yet.

> I've been thinking about sample scripts and HTML to be used with Apache
> show how one might let users control their individual 1.1.0-style white
> lists and log files.  The big question I have is how to handle user
> authentication.  The poor best idea I've come up with is a script that
> users htpasswd.  How do you let users see the log files?

This is certainly a problem.  In our case, with about 30 000 accounts,
we wouldn't want separate passwords for this function.  I'll probably
use an apache module that authenticates via PAM.  The CGI script would
have the responsibility for displaying only the user's data.  As I said,
I haven't put these pieces together yet.

> Am I wasting my time working on such spam scripts?  I suspect as much,
> because I suspect anyone who might use them has already solved the
> web-access-to-user-files problem.

If it's solved, I haven't heard about it.  Both of our mail servers
are `sealed servers', running Cyrus IMAP.  Users have no direct access
to them.  Much as I'd like to, I can't move DCC out of logging-only mode
until users have a way to see what DCC is doing.  A web page seems to
be the way to do it.

-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

More information about the DCC mailing list

Contact by mail or use the form.