[ILUG] open mail relay.....

From: Rob Hill (robhill@indigo.ie)
Date: Tue 09 Nov 1999 - 10:44:29 GMT


Hi all -
I was dismayed yesterday to find that we were running an open mail
relay, despite the fact that it had been checked previously and found
not to relay (as the stock RH6.0 install is supposed to install a non-relaying
sendmail - which it does).
Linuxconf (ptahh!!) is, I suspect, the perpetrator of this heinous sendmail.cf
fcuk up - just out of curiosity, I checked up on 2 other recently-setup servers,
one which had had a few things installed/changed and one which hadn't (it also
hadn't run linuxconf). Another open relay, and one closed one (the one that hadn't
run linuxconf).
Now, it's not definitely linuxconf that is the problem, but I like to blame it
when things go wrong.
Anyway, telnet to your mailserver, port 25, type 'ehlo somedomain.com'
<sendmail replies>, type 'mail from:luser@luserdomain.com' <sendmail replies>, type
'rcpt to:luser@somewhere.else.com' - if you get a message like 'we do not relay'
everything is ok (unless you then run linuxconf ;o). If you get a message like
'recipient ok....' then you're in trouble - go to ....damn I can't find the link.
Here's what I did.....

Add these lines to your sendmail.cf, (just over 'Special Macros' and just under
'CPREDIRECT' in mine) and create (touch) the appropriate files in
/etc/mail....

# file containing IP numbers of machines which can use our relay
F{LocalIP} /etc/mail/ip_allow

# file containing names of machines which can use our relay
F{LocalNames} /etc/mail/name_allow

# file containing names we relay to
F{RelayTo} /etc/mail/relay_allow

Now.....right down the bottom of your sendmail.cf.....obey the thing about
the blanks......

Scheck_rcpt
# make sure you have TABs here, not BLANKs! sendmail will complain otherwise...
# first: get client addr ($| separates the client address from the recipient)
R$+			$: $(dequote "" $&{client_addr} $) $| $1
R0 $| $*		$@ ok		no client addr: directly invoked
R$={LocalIP}$* $| $*	$@ ok		from here
# not local, check rcpt
R$* $| $*		$: $>3 $2
# remove local part, maybe repeatedly
R$+			$: $>remove_local $1
# still something left? then the recipient is not ours: refuse to relay
R$*<@$*>$*		$#error $@ 5.7.1 $: 550 we do not relay

Sremove_local
# remove RelayTo part (maybe repeatedly); $=w is class w, our own hostnames
R$*<@$*$={RelayTo}.>$*	$>3 $1 $4
R$*<@$=w.>$*		$: $>remove_local $>3 $1 $3
R$*<@$*>$*		$@ $1<@$2>$3
# dequote local part
R$-			$: $>3 $(dequote $1 $)
R$*<@$*>$*		$: $>remove_local $1<@$2>$3

Here's what a session with a non-relaying server should look like
(excuse the expletives).....

pain: [~] > telnet some.mailserver.ie 25
Trying 194.125.xxx.xxx...
Connected to some.mailserver.ie.
Escape character is '^]'.
220 some.mailserver.ie ESMTP Sendmail 8.9.3/8.8.7; Tue, 9 Nov 1999 10:19:55 GMT
ehlo linux.ie
250-some.mailserver.ie Hello pain.med.umn.edu [160.94.105.39], pleased to meet you
250-EXPN
250-VERB
250-8BITMIME
250-SIZE 2000000
250-DSN
250-ONEX
250-ETRN
250-XUSR
250 HELP
mail from:shit@shitter.com
250 shit@shitter.com... Sender ok
rcpt to:robhill@indigo.ie
550 robhill@indigo.ie... we do not relay
quit
221 some.mailserver.ie closing connection
Connection closed by foreign host.
pain: [~] > logout
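The telnet test described at the top of the post and shown in the session above, scripted so you can run it against your own server on a schedule; this is an added example, not part of the original post. It needs only the Python standard library; the canned transcripts are constructed from the session above, and probe_host is the live version.

```python
import io
import socket

def read_reply(rfile):
    """Read one SMTP reply, skipping "250-" continuation lines; return (code, last line)."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) < 4 or line[3] != "-":   # "250 " (space) ends a multi-line reply
            return int(line[:3]), line.rstrip("\r\n")

def relay_probe(rfile, wfile, helo, sender, rcpt):
    """EHLO / MAIL FROM / RCPT TO as in the manual test; classify the RCPT reply."""
    def cmd(line):
        wfile.write(line + "\r\n")
        wfile.flush()
        return read_reply(rfile)
    if (read_reply(rfile)[0] != 220 or cmd("EHLO " + helo)[0] != 250
            or cmd("MAIL FROM:<%s>" % sender)[0] != 250):
        return "unknown"          # banner, EHLO or sender refused: cannot judge relaying
    code = cmd("RCPT TO:<%s>" % rcpt)[0]   # DATA is never sent, so nothing is relayed
    try:
        cmd("QUIT")
    except ConnectionError:
        pass
    if code == 250:
        return "open"             # "Recipient ok" for a foreign domain: trouble
    if 500 <= code < 600:
        return "closed"           # e.g. "550 ... we do not relay"
    return "unknown"              # 4xx: temporary failure, retry later

def probe_transcript(transcript, helo="linux.ie", sender="luser@luserdomain.com",
                     rcpt="luser@somewhere.else.com"):
    """Run the probe offline against a canned server transcript."""
    return relay_probe(io.StringIO(transcript), io.StringIO(), helo, sender, rcpt)

def probe_host(host, helo, sender, rcpt, port=25, timeout=30):
    """Run the probe against a live server of your own on TCP port 25."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("r", encoding="ascii", errors="replace", newline="\n")
        wfile = sock.makefile("w", encoding="ascii", newline="")
        return relay_probe(rfile, wfile, helo, sender, rcpt)

# Constructed transcript modelled on the session above, not a real capture.
CLOSED_TRANSCRIPT = (
    "220 some.mailserver.ie ESMTP Sendmail 8.9.3/8.8.7; Tue, 9 Nov 1999 10:19:55 GMT\r\n"
    "250-some.mailserver.ie Hello pain.med.umn.edu [160.94.105.39], pleased to meet you\r\n"
    "250-8BITMIME\r\n250 HELP\r\n250 luser@luserdomain.com... Sender ok\r\n"
    "550 luser@somewhere.else.com... we do not relay\r\n221 some.mailserver.ie closing connection\r\n")
```

probe_transcript(CLOSED_TRANSCRIPT) returns "closed"; swap the 550 line for a "250 ... Recipient ok" reply and it returns "open", which is the case the post warns about.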

disclaimer - don't do any of the above ;o) unless you know what you're doing.
This (for me anyway) is a quick fix - this is my last day here before I'm
off to Oz, and was a bit pissed to find this was going on.
Anyway, ideally, I'd get rid of linuxconf, but it does some pretty neat things
with virtual mail domains....and you're generally ok if you stay away from the
sendmail stuff, and have your sendmail.cf backed up.....
If anyone has anything to add to this, or indeed, say how terrible it is, I'd be
glad to hear it.....

Rob.



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:04:51 GMT