 
Old 11-13-2008, 02:32 PM
"David G. Miller"
 
close open relay

Jerry Geis <geisj@pagestation.com> wrote (with a few extraneous bits removed):


>>> ------------ Original Message ------------
>>>
>>>> Date: Wednesday, November 12, 2008 03:33:11 PM -0500
>>>> From: Jerry Geis <geisj@pagestation.com>
>>>> To: CentOS ML <centos@centos.org>
>>>> Subject: [CentOS] close open relay
>>>>
>>>> hi all, running centos 4.7 i686.
>>>>
>>>> I seem to have an open relay sendmail server.
>>>> How do I close it?
>>>>
>>>> I have the STRAIGHT centos install sendmail.mc file.
>>>> Only thing I changed was:
>>>> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>>>
>>>> so as to allow incoming email and not just localhost. however
>>>> this seems to relay everyone.
>>>>
>>>> I looked at http://www.sendmail.org/tips/relaying but it just
>>>> talks about (AFIKT)
>>>> enabling specific relays to occur - not how to CLOSE the
>>>> relaying.
>>>>
>>>> How do I close the relay?
>>>>
>>>> Jerry
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS@centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>
>>> ------------ End Original Message ------------

....

> Sure enough I tried your test and that looks good...
>
> However, when I run this test:
> HELO example.com
> MAIL From: TheBoss@example.com
> RCPT To: geisj@pagestation.com
> DATA
> Subject: Think we're insecure...
> I have a feeling our mail server is being abused...
> .
> QUIT
>
> and paste that into port 25 of my server (telnet I'm talking)
> I get the email and I should not (I presume) as I am not example.com.
>
> Jerry

The bottom of the file /etc/sendmail.mc should look like the following
(change my domain, davenjudy.org, to whatever is appropriate for your
domain). This won't get rid of any open relay problems but will at
least fix the "example.com" issue:


...
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`davenjudy.org')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(local.davenjudy.org)dnl
MASQUERADE_DOMAIN(davenjudy.org)dnl

As for possibly having an open relay, you also want to make sure that
the following line is commented out (has dnl at the beginning):


dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #

Finally, you'll need a line like:

FEATURE(`relay_entire_domain')dnl

DO NOT uncomment any of the other lines in sendmail.mc regarding relay
settings unless you know what you're doing. If you aren't sure what was
changed from the default, remove the sendmail-cf rpm and reinstall it to
get back to a clean, default sendmail.mc file. It's a good idea to
explicitly run make in /etc/mail and then bounce sendmail rather than
let the sendmail startup script decide something has changed since it's
easier to catch syntax errors that way. Finally, get a free mail
account at your provider of choice (Google, Hotmail, whoever) and use it
for testing both sending and receiving mail.


Cheers,
Dave

--
Politics, n. Strife of interests masquerading as a contest of principles.
-- Ambrose Bierce

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 11-13-2008, 06:03 PM
MHR
 
close open relay

On Wed, Nov 12, 2008 at 3:53 PM, Ross Walker <rswwalker@gmail.com> wrote:
>
> On Nov 12, 2008, at 5:08 PM, Jerry Geis <geisj@pagestation.com> wrote:
>
>>
>> lists-centos wrote:
>>>
>>> sorry, the start page is:
>>>
>>> <http://www.abuse.net/relay.html>
>>>
>>>
>>> look at the headers of the original messages (probably included as
>>> attachments) that sbcglobal is sending back. it's very possible that
>>> a spammer has forged an address from your machine on their outbound
>>> spam, and sbcglobal is bouncing that, (rather than rejecting,
>>> because they haven't a clue), generating scatter-back spam.
>>>
>>>
>>> - Rick
>>>
>>> ------------ Original Message ------------
>>>
>>>> Date: Wednesday, November 12, 2008 04:44:02 PM -0500
>>>> From: Jerry Geis <geisj@pagestation.com>
>>>> To: CentOS ML <centos@centos.org>
>>>> Subject: Re: [CentOS] close open relay
>>>>
>>>> lists-centos wrote:
>>>>
>>>>> You have to have changed more than just the sendmail.mc/cf to
>>>>> make a default centos sendmail setup an open mail relay.
>>>>>
>>>>> Your /etc/mail/access file is where things are defined as to what
>>>>> you relay for. The /etc/mail/local-host-names affects what you
>>>>> accept mail for.
>>>>>
>>>>> Make certain that what you're using to test that it's an open
>>>>> relay is reporting things correctly. There's a difference between
>>>>> sendmail being "open" (accepting mail from the outside) and an
>>>>> "open relay". The former is expected from a mail server, the
>>>>> latter is a problem.
>>>>>
>>>>> I use:
>>>>>
>>>>> <http://verify.abuse.net/cgi-bin/relaytest>
>>>>>
>>>>> which runs through a range of tests. I tried it against your
>>>>> 24.123.23.170 mail server a few min. ago and all was fine.
>>>>>
>>>>> - Rick
>>>>>
>>>>> ------------ Original Message ------------
>>>>>
>>>>>> Date: Wednesday, November 12, 2008 03:33:11 PM -0500
>>>>>> From: Jerry Geis <geisj@pagestation.com>
>>>>>> To: CentOS ML <centos@centos.org>
>>>>>> Subject: [CentOS] close open relay
>>>>>>
>>>>>> hi all, running centos 4.7 i686.
>>>>>>
>>>>>> I seem to have an open relay sendmail server.
>>>>>> How do I close it?
>>>>>>
>>>>>> I have the STRAIGHT centos install sendmail.mc file.
>>>>>> Only thing I changed was:
>>>>>> dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>>>>>
>>>>>> so as to allow incoming email and not just localhost. however
>>>>>> this seems to relay everyone.
>>>>>>
>>>>>> I looked at http://www.sendmail.org/tips/relaying but it just
>>>>>> talks about (AFIKT)
>>>>>> enabling specific relays to occur - not how to CLOSE the
>>>>>> relaying.
>>>>>>
>>>>>> How do I close the relay?
>>>>>>
>>>>>> Jerry
>>>>>> _______________________________________________
>>>>>> CentOS mailing list
>>>>>> CentOS@centos.org
>>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>>>
>>>>> ------------ End Original Message ------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>> When I run the following I get broken web page:
>>>>
>>>> http://verify.abuse.net/cgi-bin/relaytest
>>>>
>>>>
>>>> I am investigating all this as I am getting return emails
>>>> from sbcglobal that I am spam.
>>>>
>>>> Jerry
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS@centos.org
>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>
>>>
>>> ------------ End Original Message ------------
>>>
>>>
>>>
>>>
>>
>> Sure enough I tried your test and that looks good...
>>
>> However, when I run this test:
>> HELO example.com
>> MAIL From: TheBoss@example.com
>> RCPT To: geisj@pagestation.com
>> DATA
>> Subject: Think we're insecure...
>> I have a feeling our mail server is being abused...
>> .
>> QUIT
>>
>> and paste that into port 25 of my server (telnet I'm talking)
>> I get the email and I should not (I presume) as I am not example.com.
>
> That's not relaying. A true test is if you telnet from a public ip to your
> SMTP port and try to send an email to a domain that isn't yours, like a
> gmail account, does it go through. It shouldn't, but it should if sent from
> an internal ip.
>
> Basically you need a file of hosts/networks allowed to relay to any domain
> (your internal hosts), and a file of domains that are allowed to be relayed
> by anyone (domains you handle).
>
> Can't remember their names, look in /etc/mail/Makefile for hints.
>
> -Ross
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

I submit that this email is an excellent example of both the needs to
bottom-post (ONLY) and edit postings to limit the content to the
relevant material (included in its entirety on purpose, and with
absolutely NO offense to Ross intended - seriously.)

'Nuff said.

mhr
 
Old 11-13-2008, 06:20 PM
"Bernard 'Tux' Lheureux"
 
close open relay

Jerry Geis wrote:

>> It should be:
>> DAEMON_OPTIONS(`Port=smtp, Name=MTA')
>
> I changed it to this and restarted sendmail, re-ran the test and still
> open.

To fix the OpenRelay, just edit your /etc/mail/access to have it
something like that:


8<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-C-U-T-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
# Loopback address to enable local mails to be relayed
localhost.localdomain   RELAY
# Loopback address to enable local mails to be relayed
localhost               RELAY
# Loopback address to enable local mails to be relayed
127.0.0.1               RELAY
# your Public IP address
212.63.24.21            RELAY
# Your Internal LAN address (all mails coming from these IPs will be allowed)
192.168.1.              RELAY

# Your Domain number 1
yourdomain1.com         RELAY
# Your Domain number 2 (if you have multiple domains)
yourdomain2.com         RELAY

8<=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-C-U-T-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Then save your file and type this:
[root@bluewall ~]# makemap hash /etc/mail/access < /etc/mail/access
To generate the database from the file /etc/mail/access and every time
you make changes in the file /etc/mail/access, you need to retype this
command to enable the changes...


Like this only mails that will be touched by one of these conditions
will be allowed to be relayed and every other mail will be rejected
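
The distinction drawn in this thread between accepting mail for your own domain and relaying for outsiders, applied to access entries like the ones above. This is an added example, not part of the thread and not sendmail's actual ruleset: it is a simplified Python model, the sample entries and addresses are constructed, and `parse_access` and `decide` are hypothetical helper names.

```python
import ipaddress

# Constructed sample in the layout of /etc/mail/access; keys mirror the thread's example.
SAMPLE_ACCESS = """\
# hosts and networks allowed to relay to any domain
127.0.0.1        RELAY
192.168.1.       RELAY
# domains this server handles
yourdomain1.com  RELAY
"""

def parse_access(text):
    """Split RELAY entries into trusted client networks and handled domains."""
    nets, domains = [], set()
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key, value = fields[0].rstrip("."), fields[1].strip()
        if value != "RELAY":
            continue
        parts = key.split(".")
        if all(p.isdigit() for p in parts):
            # A partial dotted quad such as 192.168.1 stands for the whole prefix.
            padded = ".".join(parts + ["0"] * (4 - len(parts)))
            nets.append(ipaddress.ip_network(f"{padded}/{8 * len(parts)}"))
        else:
            domains.add(key.lower())
    return nets, domains

def decide(client_ip, rcpt, nets, domains):
    """Return 'local', 'relay' or 'reject' for one RCPT TO from one client."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if any(rcpt_domain == d or rcpt_domain.endswith("." + d) for d in domains):
        return "local"    # mail for a handled domain is accepted from anyone
    if any(ipaddress.ip_address(client_ip) in n for n in nets):
        return "relay"    # trusted client may send to any domain
    return "reject"       # outside client, outside recipient: relaying denied

if __name__ == "__main__":
    nets, domains = parse_access(SAMPLE_ACCESS)
    for ip, rcpt in [("203.0.113.7", "user@yourdomain1.com"),
                     ("203.0.113.7", "someone@example.net"),
                     ("192.168.1.20", "someone@example.net")]:
        print(ip, rcpt, decide(ip, rcpt, nets, domains))
```

The first case corresponds to the telnet test that delivered mail to the server's own domain; only the second case, an outside client addressing an outside domain, is the one that must be refused.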

 
