Aaron Poffenberger

By now everyone and his dog know that Facebook are offering email addresses to their users. In an attempt to make their little walled garden that much more inclusive (and more AOL-like), Facebook have rolled out a messaging platform that will pull all their users' various email, text and other messages together in one happy place. Typically I wouldn't care that a given company is offering email to their users, but Facebook are an interesting case. With their huge user base and walled-garden approach to the site, a disturbing number of people are becoming ever more locked into the Facebook site. For those who want to fight back a bit or just voice their displeasure, here's a simple configuration change to sendmail that will reject Facebook email.

Sendmail is one of the most widely used MTAs in the world. It's installed by default on many Unix-like operating systems. Sendmail includes numerous configuration files for controlling its operation. One very powerful configuration option available is "access_db". Access_db allows administrators to determine on a domain-by-domain, IP-by-IP or address-by-address basis who is permitted to deliver email to users on the system. If your sendmail install already includes access_db, the process is quite simple: 1) modify the access file (often found in /etc/mail), 2) rebuild access_db, and 3) signal sendmail to reload its configuration files. The process may differ a bit by platform, so review your sendmail documentation.

Warning: Misconfiguring sendmail can result in no email coming in to or leaving the server. Proceed with caution.

Once you've checked the process for your platform, as a user with sufficient privileges, edit the "access" file with your favorite text editor. Add the following lines:

facebook.com                    550 We do not accept mail from Facebook
invite+*@facebook.com           RELAY
update+*@facebook.com           RELAY

Access_db works on a very simple rules-application process. The last matching rule wins. Let's take the rules in order.

facebook.com                    550 We do not accept mail from Facebook

The first line rejects all email from facebook.com with a 550 error and the message "We do not accept mail from Facebook". All email is rejected regardless of whether it comes from the Facebook info bot, Mark Zuckerberg or your mother. If you just want to block email from average Facebook users to make your point, however, this is too strict.

invite+*@facebook.com           RELAY

To open up the rules a bit, add lines like the above. The line above allows invite emails from friends and colleagues. Sometimes you'd like to know who's trying to invite you. The second rule is like it:

update+*@facebook.com           RELAY

This rule allows update notifications from Facebook after you've ignored an invite for a while. Taken together, the rules block all Facebook emails but then allow a few emails in. Of course, the same approach can be used to block email from any domain or user. If "spammer@spamdomain.com" is bothering you, add the following rule:

spammer@spamdomain.com           550 We do not accept mail from spammers
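
The rebuild and reload steps listed earlier, with a syntax check in front of them because of the warning about misconfiguration. This is an added example, not part of the original post. The function names lint_access and rebuild_access are hypothetical, and the "hash" map type, the /var/run/sendmail.pid path and the list of accepted actions are assumptions; check them against your platform's sendmail documentation.

```shell
#!/bin/sh
# Added example: pre-flight check, rebuild and reload for the sendmail access map.
# lint_access and rebuild_access are hypothetical helper names.

# Return 0 only if every non-comment line has a key and a recognised action.
# Assumption: the accepted actions are the common documented ones; a newer
# sendmail may accept more, so this check is deliberately conservative.
lint_access() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            rhs = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", rhs)    # strip the key, keep the action
            ok = (rhs ~ /^(OK|RELAY|REJECT|DISCARD|SKIP)[ \t]*$/) ||
                 (rhs ~ /^(ERROR:([0-9]\.[0-9]+\.[0-9]+:)?)?[45][0-9][0-9] .+/)
            if (!ok) { printf "%s:%d: bad entry: %s\n", FILENAME, NR, $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1" >&2
}

# Steps 2 and 3 from the text: rebuild access_db, then signal sendmail.
rebuild_access() {
    dir=${1:-/etc/mail}
    pidfile=${2:-/var/run/sendmail.pid}    # assumption: location varies by platform
    lint_access "$dir/access" || { echo "access map not rebuilt" >&2; return 1; }
    # Build beside the live map, then rename, so a failed build leaves it untouched.
    makemap hash "$dir/access.new" < "$dir/access" || return 1
    mv "$dir/access.new.db" "$dir/access.db" || return 1
    # The first line of the pid file holds the daemon PID.
    kill -HUP "$(head -n 1 "$pidfile")"
}
```

Run `rebuild_access /etc/mail` with sufficient privileges; a typo such as RELY in the action column stops the run before the live map is replaced.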

Note: depending on your sendmail configuration there may or may not be an entry in your maillog when emails are rejected. The default on OpenBSD is to log rejections. Use your log to monitor how many emails are being rejected. You may be surprised in the coming weeks and months.

Is it worth blocking Facebook to make a point? That's your call. Whatever you do, be careful when playing with access_db. While it's very powerful, it can also cause you to miss important emails.