topic Re: Realying with sendmail8.11 in Operating System - HP-UX

Realying with sendmail8.11

Lora Ganeva — Mon, 09 Dec 2002 13:56:56 GMT

I have a problem with my mail relay:if anyone pretends to be from a local domain, he could send mail to my local domains:
for example:
mail from: kjkjk@btc.bg
rcpt to: jhjhj@btc.bg
Message is accepted although the sender is not actually in btc.domain but only pretends to be.

Re: Realying with sendmail8.11

benoit Bruckert — Mon, 09 Dec 2002 16:11:48 GMT

Hi,
Edit /etc/mail/access file,
CHeck all the RELAY line, and remove unwanted one (like * RELAY),
Then remap the file :
makemap -v hash /etc/mail/access if your map is in this format. Or stop/start sendmail ....
hth
Benoit

Re: Realying with sendmail8.11

Lora Ganeva — Tue, 10 Dec 2002 08:34:44 GMT

That's not the problem-my relaying is okay but if someone from the outdside pretends to be from the inside mail is accepted.

Re: Realying with sendmail8.11

benoit Bruckert — Tue, 10 Dec 2002 09:26:30 GMT

Hi,
In access file, the "name" check the link with IP address, and if the ip address is not from your network, then you cannot send mail. You cazn easily pretend you are from a local domain with smtp commands, but it's more difficult to spoof an address
If you try by hand trough telnet 25 :
Make the test from an internal IP address, you can send...
Then try a telnet 25 to your HP frame from an internet connection, and test it . If relay is denied, then you cannot send mail.

hth
Benoit
_________
"L'art d'??crire pr??c??de la pens??e."
Emile Chartier, dit Alain, Propos de litt??rature

Re: Realying with sendmail8.11

U.SivaKumar_2 — Tue, 10 Dec 2002 12:07:21 GMT

Hi,

you cannot just block the mail with sender domain btc.org. Then your mail relay will not accept mails from internal servers to relay.

What is needed is rule in sendmail filters like milter etc.

sender address: *@btc.org
destination address: *@btc.org
Action: REJECT

regards,
U.SivaKumar

Re: Realying with sendmail8.11

Lora Ganeva — Tue, 10 Dec 2002 12:23:04 GMT

I have tried and the message was accepted, I tried form an ioutside host pretending to be from inside

Re: Realying with sendmail8.11

benoit Bruckert — Tue, 10 Dec 2002 13:06:17 GMT

I made a check,
And to deny relaying you have also to define the relay-domains ;
in sendmail.cf :
FR-o /etc/mail/relay-domains

And in this file, you specify the name (DNS) of the network for which you accept relay...or only hosts, or anything...

Can you make the test with this file to check relay..
By default relay is denied in sendmail 8.11, I think you should have comment something in the sendmail.cf to disable it !!

hth
Benoit

Re: Realying with sendmail8.11

Lora Ganeva — Wed, 11 Dec 2002 13:07:19 GMT

I have tried this but it doesn't work..sorry

Re: Realying with sendmail8.11

Christopher Caldwell — Wed, 11 Dec 2002 13:18:31 GMT

When relaying mail, an appropriately configured sendmail will verify that a sender's domain (e.g. btc.bg) exists and looks up in DNS, but sendmail will _not_ verify that the actual account exists.

If sendmail thinks btc.bg is local, sendmail won't pass the mail through the relay rulesets (since the mail is local), so the access database isn't in play, per se. sendmail _might_ verify that the recipient address exists, depending on your configuration.

Users can set the From: address to be just about anything with little ramification, unless
1) the domain of the sender doesn't exist
or
2) the domain of the sender (and the client IP/domain) isn't consider local, and the recipient address isn't considered local (e.g. relay.

In the case of #2, modern versions of sendmail require that relaying be specifically enabled - relaying is off by default. You use the access database to control relaying.

Re: Realying with sendmail8.11

benoit Bruckert — Wed, 11 Dec 2002 14:05:47 GMT

Hi,
Christopher gave the proper answer, about relaying, and sendmail 8.11 should deny relay by default !!
I think that the best thing to do is to start from nothing with sendmail and build your config !
You can do that from sources, or from a binary. In the last case, I don't know if the anti relay is enable or not !! (it's just an sendmail.cf config !!)
From sources, there's a cf /cf subdirectory with mc files that you can use to build the cf ! (It's the best way.)
hth
Benoit

Re: Realying with sendmail8.11

Lora Ganeva — Wed, 11 Dec 2002 14:20:45 GMT

The problem is not relaying..as I say.

Re: Realying with sendmail8.11

benoit Bruckert — Wed, 11 Dec 2002 14:47:31 GMT

You are right Lora,
I've read again this thread and the trouble question is that the rcpt to is going to the same domain as the from.
I.E. anti relay works when you do somthing like that :
mail from:dddd@btc.com
rcpt to :dddd@otherdomain.com
For your, the rcpt is OK, then no anti relay mechanism is working.
I.E.
You receive an email from otherdomain to your domain (standard behavior)
mail from ddd@otherdomain.com
rcpt to:ddd@btc.com
In this case it works, by default sendmail doesn't make any check on the ip address of the sender. By the way it's possible to place any sender domain.
Some smtp products add the control with a reverse lookup of the ip address of the sender in order to test if the from sender domain is the sam e as the IP !!!
But by this way a lot of mails will be stopped because many domains doesn't registered the reverse lookup, or the sender (legal one) may use a backup line from aonther provider with of course another ip not linked with the domain !!!
I don't know how to activate it in sendmail :
See may be
FEATURE(relay_based_on_MX)

And also U.SHIVA proposal could be used...
Sorry to not give a better answer and all the time lost because I didn't read properly your first post !

hth
Benoit

Re: Realying with sendmail8.11

Christopher Caldwell — Wed, 11 Dec 2002 15:30:48 GMT

> The problem is not relaying..as I say.

Right - you aren't hitting the relay rulesets, so sendmail doesn't examine the from address at all

_and_

even if you where hitting the relay rulesets, (if you've go this turned on) sendmail only verifies that the domain porition of the From address looks up in DNS (i.e. returns an MX) -- sendmail doesn't care user part of the address.