Preventing RCPT TO: username enumeration in sendmail on Ubuntu

I'm trying to configure sendmail to prevent it from allowing username enumeration through the RCPT TO: command.

I've been googling endlessly and, from what I can see, the best way to achieve this is by adding a catch all email account to the virtusertable.

So I generated a new sendmail.cf file, with this directive included:

FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl     

To the virtusertable.db file, I then add:

@ubuntu test

and restart sendmail, but it doesn't work:

mail from:root@ubuntu
250 2.1.0 root@ubuntu... Sender ok
rcpt to:root 
250 2.1.5 root... Recipient ok
rcpt to:fake
550 5.1.1 fake... User unknown

Am I going wrong somewhere? Or is there a better way to achieve this?

Thanks for any help


If you want to implement a catch-all address, do it like this:

LOCAL_CONFIG
Kuser user -m -a.FOUND

LOCAL_RULE_0
R$- < $=w . > $*        $: $(user $1 $) < $2 . > $3
R$- . FOUND < $=w . > $*          $@ catch-all < $2 . > $3

Remember that the left-hand side of the rules is separated from the right-hand side by tabs. After updating your sendmail.mc with the above code, run sendmailconfig.

However, keep in mind that anything sent to the RCPT TO: command is checked via the check_rcpt rule set. To prevent username enumeration, you may need to employ techniques like greylisting (I am using graymilter) and set proper values for greet_pause, ClientConn and ClientRate.

A "catch-all" address is not always a good solution. Think about whether you want senders who typed the wrong address to be informed of their mistake or not.
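
An added example, not part of the answer above: the throttling settings the answer names, written as a sendmail.mc fragment. All numeric limits are illustrative assumptions, and the BadRcptThrottle line is an extra setting the answer does not mention.

```m4
dnl Added example: sendmail.mc fragment. Place it before the MAILER() lines.
dnl All numeric limits are illustrative assumptions; tune them to your traffic.
dnl
dnl The access map holds the GreetPause:, ClientRate: and ClientConn: entries.
FEATURE(`access_db')dnl
dnl
dnl Wait 5000 ms before sending the 220 greeting; a client that sends
dnl commands before the greeting is rejected.
FEATURE(`greet_pause', `5000')dnl
dnl
dnl Enforce the ClientRate: and ClientConn: limits from the access map.
dnl `terminate' answers 421 and closes the connection when a limit is hit.
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
dnl
dnl Not named in the answer: once 3 recipients have been rejected in one
dnl SMTP transaction, sendmail sleeps one second after each further RCPT.
define(`confBAD_RCPT_THROTTLE', `3')dnl
dnl
dnl Matching entries for /etc/mail/access (key, whitespace, value).
dnl A value of 0 means no limit; an empty key after the tag is the default.
dnl   GreetPause:127.0.0.1   0
dnl   ClientRate:127.0.0.1   0
dnl   ClientRate:            10
dnl   ClientConn:127.0.0.1   0
dnl   ClientConn:            5
dnl ClientRate: counts new connections per client within the rate window
dnl (60 seconds by default); ClientConn: counts simultaneous connections.
```

These settings slow enumeration and cut off noisy clients; they do not remove the difference between the 250 and 550 replies shown in the question.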