
Sendmail Relay Issue 2

Status
Not open for further replies.

ppuddick

ISP
Nov 15, 2002
Hi Everyone. I’ve posted a message similar to this on this forum before, but this is a slightly different issue. I’m running rh7.3 with Sendmail 8.11.6 behind a Cisco Pix501 firewall on a 2mb DSL connection. I can send and receive mail internally, I can also send mail externally. The problem is receiving. My ISP tells me that my Sendmail box is acting as an open relay. I’ve looked at numerous forums on the Internet and flicked through a thousand pages of a thousand books (well, that’s what it seems like).

I’ve posted my /etc/mail/sendmail.mc file if that helps. What confuses me is that in the /etc/mail/access file I have put in the domain name and also the individual IP addresses (40 of them) of the machines that will use the mail server. If I send an email from a machine with an IP in the access file I can send out. If I send from a machine with an IP not in the access file then I get error 550 thrown back at me, informing me that there is an IP address lookup failure and that relaying is not allowed. Maybe I’m wrong, but I think this tells me that there is no relaying allowed for IPs other than those specified in /etc/mail/access. I’ve looked on the sendmail site and I’ve scoured through mail-abuse. I’m stumped!

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
dnl Uncomment and edit the following line if your mail needs to be sent out
dnl through an external mail server:
dnl define(`SMART_HOST',`my ISP's mail server')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl The '-t' option will retry delivery if e.g. the user runs over his quota.
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl FEATURE(promiscuous_relay)dnl
dnl FEATURE(`relay_local_from')dnl
FEATURE(`relay_hosts_only')dnl
Cwmycompaniesdomainname.co.uk


Thank you in advance

 
Common issue..

There are 2 solutions that make this issue for the most part a thing of the past.

1) Pop-Before-SMTP
2) SMTP AUTH

I use #1 [pop before smtp] and can honestly say it's painless to get running, and works! (But don't forget to remove the entries in your relaydomains file!!)

#2 I haven't used, but have heard it works just as well (basically it's up to you).

What happens is that everyone is blocked from relaying, with the exception of those who have been authenticated (this is done by checking your email). Once you have authenticated yourself, you (or anyone with a valid account) have a pre-determined window (30 min is the usual default) to send mail, after which your IP is removed and you are blocked again [until you check your email].

Good luck

KC
 

There's a bit more to the problem than what BitFuzzy has talked about.

Having the access file full of IP addresses is OK, if a bit harsh and a lot of maintenance work! All you need in the access file is basically your domain and the word relay - you might also want to allow localhost to relay..

yourdomain.com RELAY

The 550 message is coming back to you due to the fact that you've enabled FEATURE(`relay_hosts_only')dnl - what this command does is look at your /etc/hosts file and check the IP there. If it's there, relay; if not - 550! This overrides your access file as well for relaying, for some strange reason, which is why you could be having issues receiving mail. Mail is coming in for yourdomain.com from an IP that it doesn't know about and causing you grief. I'd remove all the IPs from the access file and the relay_hosts_only feature and you should be OK there!

If your ISP is telling you that you've got an open relay then I suggest you take a look at your firewall as well - just the fact that they can get to your mail server behind the firewall suggests that the SMTP port (25) is open to the public. If so then you're in deep trouble, as this port is very often used by hackers to gain access to company systems. We're running a 515E Pix and have that locked down.

You'll need a line in your config on the PIX that looks like 'fixup protocol smtp 25' - this will stop people being able to log into your smtp server and see the commands available and be able to use it as a relay.

I'd also lock down the IP address access in the access lists so that port 25 is only open from the outside to the IP address of your mail server, just in case you have any other machines that are running SMTP services such as IIS.

Another thing you might want to think about is to use a mail relay in a DMZ in front of your firewall acting as an extra barrier for security. The outside world and the DNS records will point at that machine; this machine in turn points through your firewall to the internal mail machine, which means that you only need to open up port 25 to the DMZ machine from the outside world. If you can lock down that machine well enough, then they shouldn't be able to use that as a mail relay server.

Have a look in the FAQ section and the one that I wrote a while back on this. Should point you in the right direction I hope. If not, then mail back your queries and we'll see what we can do for ya

Hope it helps! :)




~ Remember - Nothing is Fool Proof to a Talented Fool ~
 
Hi TalentedFool, thanks for your reply. Guess what? It's working a treat. I followed your advice to a degree and removed all IPs from the /etc/mail/access file and put in only 192.168.0. RELAY (the LAN IP). I also removed the relay_hosts_only feature. The last thing I did was to create a file in /etc/mail/ called relay-domains. I did this after reading numerous posts on this and other help forums which kept referring to /etc/mail/relay-domains. In this file I put the name of the domain which can relay, i.e. the domain suffix given out by /etc/dhcpd.conf. I tried to send a mail out from a machine from within a different domain (we have 2 Win2000 Domains here), and guess what, I got 550 back. I sent an email from a machine within the correct domain and bang! - it works!

We have located the line in the PIX config you spoke of and locked down port 25. Hey presto! We can now send and receive email by using Sendmail on a Linux box. Wonderful!

I think I might have made the problem sound much worse than it was. Thanks for your help mate. Sweet as a nut!
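Added example, not code from the thread or from the sendmail project: a small Python emulation of the /etc/mail/access lookup order that TalentedFool's "yourdomain.com RELAY" advice and the final "192.168.0. RELAY" entry rely on, so an admin can check which clients a given access file would let relay before rebuilding access.db. The sample access file is constructed; the relay_hosts_only switch models only the documented effect on domain-name entries.

```python
"""Emulate sendmail's /etc/mail/access relay decision (added example).

Lookup order per the sendmail cf/README: an IPv4 client address is tried
whole, then with trailing octets removed (192.168.0.42 -> 192.168.0 ->
192.168 -> 192); a host name whole, then with leading components removed
(pc1.yourdomain.com -> yourdomain.com -> com). FEATURE(relay_hosts_only)
makes domain entries exact host matches; its effect on IPs is not modelled.
"""

# Constructed sample in the shape the thread ends up with: the LAN
# prefix and the company domain may relay, one domain is rejected.
SAMPLE_ACCESS = """\
# /etc/mail/access (constructed sample)
localhost          RELAY
127.0.0.1          RELAY
yourdomain.com     RELAY
192.168.0.         RELAY
spam.example       REJECT
"""

def parse_access(text):
    """Return {key: action}; comments and blank lines are skipped. A trailing
    dot on an IP prefix is dropped: the documented form is '192.168.0 RELAY'."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        if key.startswith("Connect:"):        # 8.10+ tagged form
            key = key[len("Connect:"):]
        table[key.lower().rstrip(".")] = action.strip().upper()
    return table

def lookup_keys(client, relay_hosts_only=False):
    """Candidate keys for one client, most specific first."""
    parts = client.lower().rstrip(".").split(".")
    if all(p.isdigit() for p in parts):       # IPv4 address
        return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    if relay_hosts_only:                      # exact host name only
        return [".".join(parts)]
    return [".".join(parts[i:]) for i in range(len(parts))]

def may_relay(table, client, relay_hosts_only=False):
    """True only if the first matching entry says RELAY; default is deny
    (the 550 'relaying denied' the thread describes)."""
    for key in lookup_keys(client, relay_hosts_only):
        if key in table:
            return table[key] == "RELAY"
    return False
```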

 

No Problem - Glad to be of help!

Do me a favour and mark the post as helpful so if other people get the same problem then they can find it quicker.

Have a good weekend!

~ Remember - Nothing is Fool Proof to a Talented Fool ~
 