I'm trying to configure sendmail to prevent it from allowing username enumeration through the RCPT TO: command.
I've been googling endlessly and, from what I can see, the best way to achieve this is by adding a catch all email account to the virtusertable.
So I generated a new sendmail.cf file, with this directive included:
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
To the virtusertable.db file, I then add:
@ubuntu test
and restart sendmail, but it doesn't work:
mail from:root@ubuntu
250 2.1.0 root@ubuntu... Sender ok
rcpt to:root
250 2.1.5 root... Recipient ok
rcpt to:fake
550 5.1.1 fake... User unknown
Am I going wrong somewhere? Or is there a better way to achieve this?
Thanks for any help
If you want to implement a catch-all address, do it like this:
Remember that the left hand side of the rules is separated by the right hand side with tabs. After updating your sendmail.mc with the above code run
sendmailconfig
However keep in mind that anything sent to the RCPT TO: command is checked via the check_rcpt rule set. To prevent username enumeration you may need to employ techniques like greylisting (I am using graymilter) and set proper values for greet_pause ClientConn and ClientRate.
A "catch all" address is not always a good solution. Think whether you want senders that typed the wrong address be informed of their mistake or not.