Operating System - HP-UX

Re: Relaying with sendmail8.11

 
SOLVED
Lora Ganeva
Regular Advisor

Relaying with sendmail8.11

I have a problem with my mail relay: if anyone pretends to be from a local domain, he could send mail to my local domains:
for example:
mail from: kjkjk@btc.bg
rcpt to: jhjhj@btc.bg
The message is accepted although the sender is not actually in btc.domain but only pretends to be.
benoit Bruckert
Honored Contributor
Solution

Re: Relaying with sendmail8.11

Hi,
Edit the /etc/mail/access file,
Check all the RELAY lines, and remove unwanted ones (like * RELAY),
Then remap the file:
makemap -v hash /etc/mail/access < /etc/mail/access if your map is in this format. Or stop/start sendmail ....
hth
Benoit

A badly thought-out application ends up as a gasworks (GHG)
Lora Ganeva
Regular Advisor

Re: Relaying with sendmail8.11

That's not the problem - my relaying is okay, but if someone from the outside pretends to be from the inside, mail is accepted.
benoit Bruckert
Honored Contributor

Re: Relaying with sendmail8.11

Hi,
In the access file, the "name" checks the link with the IP address, and if the IP address is not from your network, then you cannot send mail. You can easily pretend you are from a local domain with SMTP commands, but it's more difficult to spoof an address.
If you try by hand through telnet 25:
Make the test from an internal IP address, you can send...
Then try a telnet 25 to your HP frame from an internet connection, and test it. If relay is denied, then you cannot send mail.

hth
Benoit
_________
"The art of writing precedes thought."
Emile Chartier, known as Alain, Propos de littérature
U.SivaKumar_2
Honored Contributor

Re: Relaying with sendmail8.11

Hi,

You cannot just block the mail with sender domain btc.org. Then your mail relay will not accept mails from internal servers to relay.

What is needed is a rule in sendmail filters like milter etc.

sender address: *@btc.org
destination address: *@btc.org
Action: REJECT

regards,
U.SivaKumar
Innovations are made when conventions are broken
Lora Ganeva
Regular Advisor

Re: Relaying with sendmail8.11

I have tried and the message was accepted. I tried from an outside host pretending to be from inside.
benoit Bruckert
Honored Contributor

Re: Relaying with sendmail8.11

I made a check,
And to deny relaying you also have to define the relay-domains;
in sendmail.cf:
FR-o /etc/mail/relay-domains

And in this file, you specify the name (DNS) of the network for which you accept relay...or only hosts, or anything...

Can you make the test with this file to check relay..
By default relay is denied in sendmail 8.11, I think you should have commented something in the sendmail.cf to disable it!!

hth
Benoit

Lora Ganeva
Regular Advisor

Re: Relaying with sendmail8.11

I have tried this but it doesn't work..sorry
Christopher Caldwell
Honored Contributor

Re: Relaying with sendmail8.11

When relaying mail, an appropriately configured sendmail will verify that a sender's domain (e.g. btc.bg) exists and looks up in DNS, but sendmail will _not_ verify that the actual account exists.

If sendmail thinks btc.bg is local, sendmail won't pass the mail through the relay rulesets (since the mail is local), so the access database isn't in play, per se. sendmail _might_ verify that the recipient address exists, depending on your configuration.

Users can set the From: address to be just about anything with little ramification, unless
1) the domain of the sender doesn't exist
or
2) the domain of the sender (and the client IP/domain) isn't considered local, and the recipient address isn't considered local (e.g. relay).

In the case of #2, modern versions of sendmail require that relaying be specifically enabled - relaying is off by default. You use the access database to control relaying.
benoit Bruckert
Honored Contributor

Re: Relaying with sendmail8.11

Hi,
Christopher gave the proper answer about relaying, and sendmail 8.11 should deny relay by default!!
I think that the best thing to do is to start from nothing with sendmail and build your config!
You can do that from sources, or from a binary. In the last case, I don't know if the anti relay is enabled or not!! (it's just a sendmail.cf config!!)
From sources, there's a cf/cf subdirectory with mc files that you can use to build the cf! (It's the best way.)
hth
Benoit
Lora Ganeva
Regular Advisor

Re: Relaying with sendmail8.11

The problem is not relaying..as I say.
benoit Bruckert
Honored Contributor

Re: Relaying with sendmail8.11

You are right Lora,
I've read this thread again and the trouble is that the rcpt to is going to the same domain as the from.
I.E. anti relay works when you do something like this:
mail from:dddd@btc.com
rcpt to:dddd@otherdomain.com
For you, the rcpt is OK, so no anti relay mechanism is working.
I.E.
You receive an email from otherdomain to your domain (standard behavior)
mail from:ddd@otherdomain.com
rcpt to:ddd@btc.com
In this case it works; by default sendmail doesn't make any check on the IP address of the sender. By the way, it's possible to place any sender domain.
Some SMTP products add the control with a reverse lookup of the IP address of the sender in order to test if the from sender domain is the same as the IP!!!
But this way a lot of mails will be stopped, because many domains haven't registered the reverse lookup, or the sender (legal one) may use a backup line from another provider with of course another IP not linked with the domain!!!
I don't know how to activate it in sendmail:
See maybe
FEATURE(relay_based_on_MX)

And also U.SHIVA proposal could be used...
Sorry to not give a better answer and for all the time lost because I didn't read your first post properly!

hth
Benoit
Christopher Caldwell
Honored Contributor

Re: Relaying with sendmail8.11

> The problem is not relaying..as I say.

Right - you aren't hitting the relay rulesets, so sendmail doesn't examine the from address at all

_and_

even if you were hitting the relay rulesets (if you've got this turned on), sendmail only verifies that the domain portion of the From address looks up in DNS (i.e. returns an MX) -- sendmail doesn't care about the user part of the address.
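
Added example, not part of any post in this thread and not sendmail configuration: a Python model of the two decisions discussed above, the anti-relay check that never looks at the sender, and the extra "local sender, local recipient, outside client" rule proposed in the replies. The local domain btc.bg comes from the original question; the internal network range and all sample envelopes are assumptions constructed for illustration.

```python
import ipaddress

# Constructed policy for illustration: btc.bg is the thread's local domain;
# the internal range is an assumed placeholder (documentation prefix).
LOCAL_DOMAINS = {"btc.bg"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def domain_of(address):
    """Return the lower-cased domain of an envelope address ('' for <>)."""
    address = address.strip().strip("<>")
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def is_internal(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def relay_check(client_ip, rcpt_to):
    """Anti-relay decision only: the sender address is never looked at."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "ACCEPT"  # local delivery, so the relay rules do not apply
    if is_internal(client_ip):
        return "ACCEPT"  # an inside client may relay to other domains
    return "REJECT relaying denied"


def spoof_check(client_ip, mail_from, rcpt_to):
    """relay_check plus the extra rule: a local sender domain on mail for a
    local recipient is only believed when the client IP is internal."""
    verdict = relay_check(client_ip, rcpt_to)
    if verdict != "ACCEPT":
        return verdict
    local_pair = (domain_of(mail_from) in LOCAL_DOMAINS
                  and domain_of(rcpt_to) in LOCAL_DOMAINS)
    if local_pair and not is_internal(client_ip):
        return "REJECT local sender domain from outside client"
    return "ACCEPT"


# Constructed envelopes: (client IP, MAIL FROM, RCPT TO)
SAMPLES = [
    ("203.0.113.7", "kjkjk@btc.bg", "jhjhj@btc.bg"),         # the reported case
    ("192.0.2.10", "kjkjk@btc.bg", "jhjhj@btc.bg"),          # genuine inside user
    ("203.0.113.7", "ddd@otherdomain.com", "ddd@btc.bg"),    # normal inbound
    ("203.0.113.7", "dddd@btc.bg", "dddd@otherdomain.com"),  # relay attempt
]

if __name__ == "__main__":
    for ip, sender, rcpt in SAMPLES:
        print(ip, sender, rcpt, "|", relay_check(ip, rcpt), "|",
              spoof_check(ip, sender, rcpt))
```

The extra rule also rejects legitimate outside mail that carries a local sender address, such as a roaming user or a forwarder, so it needs an exception path for those.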