These documents are a work in progress. This one was last updated .
I've still got a bunch to add.

Email
The next thing I set up was email for some domains that are kinda play domains. I have had one domain for several years now and get a good amount of mail there (well, really it's mostly just spam). Additionally, the .org and .net versions of xigole are on my home machine.

I wanted all this mail to, for now, go to a single UNIX account. You might think that having all the email from seven domains go to one account would be a lot, but really only one of the domains actually gets any volume of mail.

I started out trying to configure sendmail, as that's what comes with Solaris. Man, was that a waste of time. I have programmed in C for many years, and in Java for many years, but cannot understand how a person can consider a file in which all lines of note must end with the characters "dnl" to be even slightly good. Sendmail uses the even older m4 to make it "simple" to configure sendmail, or you can modify the even more intuitive /etc/mail/sendmail.cf directly, where you too can try to figure out what


R$+ < @ $=w . >	    $: < $(virtuser $1 @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+ + $* < @ $* . >
            $: < $(virtuser $1 + * @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ + $* < @ $* . >
            $: < $(virtuser $1 @ $3 $@ $1 $: @ $) > $1 + $2 < @ $3 . >
R<@> $+ < @ $+ . >  $: < $(virtuser @ $2 $@ $1 $: @ $) > $1 < @ $2 . >
R<@> $+		$: $1
R< error : $- $+ > $*	$#error $@ $(dequote $1 $) $: $2
R< $+ > $+ < @ $+ > $: $>97 $1

means. My $0.02 worth: Eric Allman, one of the original authors of sendmail, should retire to Florida. He's done the net a wonderful service getting the original sendmail to work, but with code like this, who needs Microsoft? When most of the things listed on sendmail.org are security related, you may as well not have a firewall!

After a little digging I settled on using Postfix for my MTA (mail transfer agent). I read what it took to configure it and I liked the fact that it had a much more intelligent architecture (mostly by having separate processes for different tasks, which limits the collateral damage that a single process can do). There are other MTAs out there but Postfix has been great for me.

Postfix configuration
My Postfix configuration is also pretty simple. As I said, I host seven domains on my machine, though only one of them ever really gets email. Only my internal network is allowed to send mail through Postfix. Something that convinced me that I had done the right thing was the ease of configuration that Postfix has. My setup uses three files, all in /etc/postfix. The file main.cf is, well, the main one. Additionally I use a file for virtual hosts and another one for the IP address of spammers.

Important Safety Note #1: when you install Postfix it includes by default a program named "sendmail" that is placed into the /usr/lib directory. This overwrites the existing one that came with Solaris. If you want to be able to go back to the default configuration you will need to make a backup of that file before you install Postfix.

Important Safety Note #2: if you do like me and install a Solaris patch cluster, it's likely that it will include a Sendmail patch (as there are so many bugs in Sendmail). The Solaris patch process will overwrite the Postfix sendmail with its own. The solution is to remove the sendmail patch from your patch cluster before you start applying the cluster. You could, of course, also just make a backup of the Postfix /usr/lib/sendmail, install the cluster, and copy yours back over. Either way, be careful with cluster patches!

Configuring main.cf was very simple. I won't include the entire file here but will give you the highlights of mine. The Postfix documentation is very well done and I was able to find almost everything I needed there.


I set myhostname to a hostname that exists in my private DNS and also in the DNS
outside of the firewall.

myhostname = smtp.xigole.net

The default value of myorigin is the hostname specified above.  I like it
better as just the domain.

myorigin = $mydomain


All this does is set the networks whose clients are trusted to relay mail through this
server (permit_mynetworks refers to this list).  Remember from above that my firewall
won't let traffic from either of these two networks in or out.

mynetworks = 192.168.1.0/24, 127.0.0.0/8

I use a very simple virtual hosting setup.  This gets it going; see below for the actual
file and how to use it.

virtual_maps = dbm:/etc/postfix/virtual

I use the services of ordb.org to drastically reduce the amount of spam I get.  Ordb.org
maintains a database of open SMTP relays.  These are mail servers that can easily be used by
spammers to send email to whoever they want and hide their identity in the process.  I have
only once lost a real email because of this service, but given that it blocks about 20 a day
it is well worth the risk.

maps_rbl_domains = relays.ordb.org

reject_maps_rbl looks the connecting client up in the DNS blacklist domains listed in
maps_rbl_domains above and rejects it if it is listed there as an open relay.  Restrictions
are applied in the order written, so the spampigs access table is consulted first and a
client listed in it is rejected before any RBL query is made.  In that file I've added
domains and IP addresses that are not open relays but from which I still have gotten spam.
I'll show you the spampigs file in a little bit.

smtpd_client_restrictions = dbm:/etc/postfix/spampigs, reject_maps_rbl

The default timeout is 5 minutes.  I don't need resources tied up that long.  If I can't
respond or the sender can't communicate within 30 seconds then, well, tough.

smtpd_timeout = 30s


The default is to allow clients to not send the SMTP HELO command.  I figure if they can't
even do that then I don't want to talk to them anyhow :)

smtpd_helo_required = yes

OK, I have to get on a soapbox for a second.  I wanted to reject email from hosts that didn't
have a reverse DNS entry.  I figured that "legitimate" businesses would have a proper
DNS set up, right?  Wrong.  You'd be amazed at the number of companies that don't have this right.
Big companies, like The Gap and Eddie Bauer.  So much spam comes in that doesn't come
from an IP address with a reverse record that I was hoping that by forcing the sender to have a
reverse DNS record I would get rid of a lot of spam.  Well, I did, but I got rid of more than
I wanted to.  So I had to stop using this, and continue to contact online merchants who don't have
the reverse DNS record.  Of course, as soon as I do get all the merchants I use to have this,
all the spammers will get theirs set up too and it'll be a moot point.

#unknown_hostname_reject_code = 554
#smtpd_helo_restrictions = reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname
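
A clarification of the commented-out restrictions above, followed by an added main.cf fragment that is not from this page: reject_invalid_hostname, reject_unknown_hostname and reject_non_fqdn_hostname act on the name the client sends in its HELO/EHLO command (reject_unknown_hostname rejects a HELO name with no DNS A or MX record); they do not look at the client's reverse DNS at all. The client's own PTR record is tested in smtpd_client_restrictions by reject_unknown_client, renamed reject_unknown_client_hostname in Postfix 2.3, which also requires the PTR name to resolve back to the client address; the milder reject_unknown_reverse_client_hostname (also 2.3 and later) only requires that a PTR record exist. The fragment assumes Postfix 2.3 or later, uses the helo-specific restriction names that release introduced, and replaces the maps_rbl_domains/reject_maps_rbl pair (deprecated since Postfix 2.0) with reject_rbl_client; the DNSBL zone named in it is a placeholder, not a recommendation. One caveat for anyone copying the ordb.org setting: relays.ordb.org shut down in December 2006, and in March 2008 its DNS began answering every query as listed, so sites still querying it rejected all of their mail. A decommissioned list has to be removed, not left configured.

```ini
# Added example fragment, not the page's own main.cf (Postfix 2.3+ names).

smtpd_helo_required = yes

# These test the HELO/EHLO argument only.  The older names in the page's
# commented-out line (reject_invalid_hostname, reject_non_fqdn_hostname,
# reject_unknown_hostname) mean exactly the same checks.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

# These test the connecting client.  check_client_access is the explicit
# form of the bare "dbm:/etc/postfix/spampigs" entry shown above.
# reject_unknown_reverse_client_hostname needs only a PTR record to exist;
# reject_unknown_client_hostname (stricter) also needs that name to resolve
# back to the client address.  Pick the one whose false positives you can
# live with.  The DNSBL zone below is a placeholder: use one whose terms
# you have read, and remove it the day the list stops operating.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access dbm:/etc/postfix/spampigs,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client dnsbl.example.net
```

Note that main.cf only treats "#" as a comment at the start of a line, so comments cannot be placed on the same line as a continuation value.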


Virtual Domains
The next file that I had to configure was the virtual file for Postfix. This file configures my virtual domains. A virtual alias domain is a domain whose addresses are mapped to other addresses (here, to a local account) rather than delivered as they are. The important entries in mine look like this:


xigole.net	nothing
@xigole.net	scott

xigole.org	nothing
@xigole.org	scott

All this says is that anything destined for xigole.net (and likewise xigole.org) should be delivered to the operating system account "scott", which is my Unix login. The first line of each pair registers the domain as a virtual alias domain; its right-hand side is ignored, which is why "nothing" works there. The "@domain" line is a catch-all that matches any address in that domain. Pretty simple, huh? If I need to change this, the following needs to be run to rebuild the indexed table and have Postfix pick it up:

cd /etc/postfix
postmap virtual
postfix reload
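
To see what that table does to an actual recipient, here is an added Python example, written for this page and not taken from it or from Postfix, that emulates the lookup order virtual(5) documents and reads the same "key whitespace value" text that postmap reads. It assumes things the page does not state: that myorigin is xigole.com (the page's contact address), that the recipient delimiter is "+", and it adds one constructed postmaster@xigole.org entry to show a match that is not the catch-all. It also shows the two failure modes a practitioner hits with such tables: an address in a registered domain that matches no key is rejected as user unknown, and an entry that maps back to itself is not expanded a second time.

```python
"""Resolve recipients through a Postfix-style virtual alias table.

Added example, not code from this page or from Postfix.  It emulates the
search order virtual(5) documents for a table like the one above.
Assumptions not stated on the page: myorigin is "xigole.com", the recipient
delimiter is "+", and the postmaster@xigole.org line is a constructed extra.
"""

MYORIGIN = "xigole.com"        # assumed; the page does not show $mydomain
RECIPIENT_DELIMITER = "+"      # assumed; Postfix's own default is empty
EXPANSION_LIMIT = 1000         # virtual_alias_expansion_limit default

# Constructed copy of the page's table plus the extra postmaster line.
VIRTUAL_TABLE_TEXT = """
# a bare domain key registers a virtual alias domain; its value is ignored
xigole.net\tnothing
@xigole.net\tscott
xigole.org\tnothing
@xigole.org\tscott
postmaster@xigole.org\tscott, abuse@xigole.com
"""


def parse_table(text):
    """Read 'key whitespace value' lines the way postmap does; keys fold case."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        table[parts[0].lower()] = parts[1]
    return table


def qualify(addr):
    """Append $myorigin to an unqualified result, as Postfix does."""
    return addr if "@" in addr else f"{addr}@{MYORIGIN}"


def add_extension(target, ext):
    """Propagate an address extension (+foo) into a target's local part."""
    local, at, domain = target.partition("@")
    return f"{local}{ext}{at}{domain}"


def lookup_one(address, table):
    """Targets for one address, or None when no key matches.

    Order from virtual(5): user+ext@domain, user@domain, @domain (the bare
    'user' forms apply only to local domains and are skipped).  An unmatched
    extension is propagated to every target, as propagate_unmatched_extensions
    does for "virtual" by default.
    """
    local, _, domain = address.rpartition("@")
    base, _, ext = local.partition(RECIPIENT_DELIMITER) if RECIPIENT_DELIMITER else (local, "", "")
    keys = [f"{local}@{domain}"]
    if ext:
        keys.append(f"{base}@{domain}")
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            targets = [t.lower() for t in table[key].replace(",", " ").split()]
            if ext and RECIPIENT_DELIMITER not in key:
                targets = [add_extension(t, RECIPIENT_DELIMITER + ext) for t in targets]
            return targets
    return None


def resolve(address, table):
    """Expand a recipient recursively; return (status, addresses).

    status: "not-virtual" (domain not registered; another address class
    handles it), "reject" (registered domain, no matching key: Postfix
    answers 550 User unknown in virtual alias table), or "ok".
    """
    address = address.lower()
    if address.rpartition("@")[2] not in table:
        return "not-virtual", [address]
    targets = lookup_one(address, table)
    if targets is None:
        return "reject", ["550 5.1.1 User unknown in virtual alias table"]
    final, seen = [], {address}
    pending = [qualify(t) for t in targets]
    while pending:
        current = pending.pop(0)
        if current in seen:
            # Seen earlier in this expansion: Postfix does not expand it
            # again, which is what stops a table that loops back on itself.
            if current not in final:
                final.append(current)
            continue
        seen.add(current)
        if len(seen) > EXPANSION_LIMIT:
            raise RuntimeError("virtual_alias_expansion_limit exceeded")
        more = lookup_one(current, table) if current.rpartition("@")[2] in table else None
        if more is None:
            if current not in final:
                final.append(current)
        else:
            pending.extend(qualify(t) for t in more)
    return "ok", final


VIRTUAL = parse_table(VIRTUAL_TABLE_TEXT)

if __name__ == "__main__":
    for rcpt in ("anybody@xigole.net", "Bob+news@XIGOLE.org",
                 "postmaster@xigole.org", "scott@xigole.com"):
        print(rcpt, "->", resolve(rcpt, VIRTUAL))
```

The postmap step in the page's procedure is what turns this text into the indexed file Postfix actually reads; the emulation reads the text directly, so it cannot tell you whether you forgot to run postmap, only what the table means once you have.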


Additional Spam Handling
My main.cf file has some spam handling in it. Primarily this is tied to the stanza that references ordb.org. Additionally, I maintain a list of IP addresses that have spammed me. These IP addresses are not permitted to deliver email to any address. The only controversial part of my "spampigs" list (besides its name, of course) is that I've given up and decided to block roughly half the population of the planet from sending me email. I've blocked most of Asia. I was getting 10-15 spams a day from Chinese netblocks and was never getting a response back when I complained. No, you're correct. I don't speak or write Chinese and so I may not have been able to communicate my problem properly. However, I couldn't deal with the spam anymore and, since I don't know anybody in China or Korea (and others), I haven't lost any legitimate email. Your configuration does not have to use this list. Indeed, you don't need a list like my spampigs list at all. I chose to have it for mine, but you may not.

Update - November 15, 2002 - I've decided to remove my blind block from more than half of the planet. The reality is that I'm now getting more email from South America than from China, Taiwan, etc. I still don't get any email from these places, and I still get spam once in a while, but I will hand it to the admins - things have drastically improved! However, I've now added the entire 200 netblock - goodbye Latin America, the Caribbean, and South America. Brazil - I won't miss all the emails from you.

A part of my current list looks like this:

zone-2.dial.net.mx	554 Too much spam from this sub domain.
206.28.31.52 554 Tired of spam from this domain.  Consider getting a clue.
206.190.225.109 554 You cannot be serious - paid for spam? - what a stupid idea.
200 554 It is amazing to me that an entire continent doesn't know how to configure a mail server.

Notice that you can mix and match full IP addresses, leading parts of IP addresses and parts of domain names. Postfix looks up the client's hostname, then each parent domain of it, then the client's IP address, then that address with one, two and three trailing octets removed, so "zone-2.dial.net.mx" also matches every host beneath it and "200" alone matches every address in 200.0.0.0/8. It is a very powerful mechanism, and a short key is correspondingly wide. However, I still get 5-10 spams per day. Nothing is perfect but it is way better than it was.
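
To make that matching behaviour concrete, here is an added Python example (written for this page; it is not the page's code and not Postfix) that emulates the search order access(5) documents for a connecting client: hostname, then its parent domains, then the IPv4 address, then that address with trailing octets stripped. The table is a constructed copy of the spampigs entries above plus one constructed DUNNO line, which shows how a single host is exempted from a wider block without skipping the restrictions that follow the table (an OK entry would skip them). It assumes the default parent_domain_matches_subdomains setting, under which a bare domain key also matches its subdomains, and it includes a small helper that reports how many addresses a truncated key such as "200" actually covers.

```python
"""Emulate a Postfix access(5) lookup for a connecting SMTP client.

Added example; it is neither code from this page nor from Postfix.  Search
order follows access(5): client hostname, each parent domain of it, the
client IPv4 address, then that address with trailing octets removed.  The
table is a constructed copy of the page's spampigs entries plus one
constructed DUNNO line.  Assumed: default parent_domain_matches_subdomains.
"""

SPAMPIGS_TEXT = """
zone-2.dial.net.mx\t554 Too much spam from this sub domain.
206.28.31.52\t554 Tired of spam from this domain.  Consider getting a clue.
206.190.225.109\t554 You cannot be serious - paid for spam? - what a stupid idea.
200\t554 It is amazing to me that an entire continent doesn't know how to configure a mail server.
mx.zone-2.dial.net.mx\tDUNNO
"""


def parse_table(text):
    """Read 'key whitespace value' lines as postmap does; keys fold case."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        table[parts[0].lower()] = parts[1]
    return table


def hostname_keys(hostname):
    """Full client name, then each parent domain (nothing for 'unknown')."""
    if not hostname or hostname == "unknown":
        return []
    labels = hostname.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def address_keys(address):
    """Full IPv4 address, then the same address with trailing octets dropped."""
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an IPv4 address: {address!r}")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def action_for(value):
    """Translate a right-hand side into (verdict, smtp_reply)."""
    word, _, text = value.partition(" ")
    text = text.strip()
    if word.upper() == "OK":
        return "permit", ""
    if word.upper() == "DUNNO":
        return "dunno", ""
    if word.upper() == "REJECT":
        return "reject", "554 " + (text or "Access denied")
    if len(word) == 3 and word.isdigit() and word[0] in "45":
        return ("defer" if word[0] == "4" else "reject"), f"{word} {text}".strip()
    raise ValueError(f"unsupported access action: {value!r}")


def check_client(hostname, address, table):
    """Return (verdict, matched_key, reply) for one connecting client.

    The first key found decides.  A DUNNO hit ends the search for this
    table, address keys included, and hands over to the next restriction;
    "dunno" with no key means the table had nothing to say.
    """
    for key in hostname_keys(hostname) + address_keys(address):
        if key in table:
            verdict, reply = action_for(table[key])
            return verdict, key, reply
    return "dunno", None, ""


def addresses_covered(key):
    """How many IPv4 addresses a (possibly truncated) address key matches."""
    octets = key.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not an address prefix: {key!r}")
    return 256 ** (4 - len(octets))


SPAMPIGS = parse_table(SPAMPIGS_TEXT)

if __name__ == "__main__":
    for host, ip in (("unknown", "200.10.20.30"),
                     ("dsl-1.zone-2.dial.net.mx", "148.0.0.1"),
                     ("mx.zone-2.dial.net.mx", "200.1.2.3"),
                     ("smtp.example.com", "206.28.31.53")):
        print(host, ip, "->", check_client(host, ip, SPAMPIGS))
    print("addresses matched by key '200':", addresses_covered("200"))
```

Two things worth noticing when running it: the hostname lookup happens before the address lookup, so the constructed DUNNO entry for mx.zone-2.dial.net.mx also prevents the "200" key from firing for that host; and a one-octet key is not a typo-safe way to block a few netblocks, since it matches 16,777,216 addresses.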


Copyright © 2002 Xigole Systems, Inc. Questions or problems? Send mail to scott@xigole.com