Possibly Open Relay Problem?


Mysterious
Posts: 41
Joined: Tue May 08, 2007 6:05 am

Postby Mysterious » Mon Dec 10, 2007 4:41 am

Hi,

my maillog shows me many entries like this:


Dec 10 09:34:11 scalix sendmail[2343]: lB8BeHIg004259: to=<jr.shaw@gpcvb.org>, delay=1+20:53:54, xdelay=00:00:00, mailer=esmtp, pri=4210281, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:11 scalix sendmail[2343]: lB8BeeEH004289: to=<jr.shaw@gpcvb.org>, delay=1+20:53:31, xdelay=00:00:00, mailer=esmtp, pri=4210302, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:11 scalix sendmail[2343]: lB8BfKvK004324: to=<jr.shaw@gpcvb.org>, delay=1+20:52:51, xdelay=00:00:00, mailer=esmtp, pri=4210329, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:11 scalix sendmail[2343]: lB8Bg1RU004359: to=<jr.shaw@gpcvb.org>, delay=1+20:52:10, xdelay=00:00:00, mailer=esmtp, pri=4210415, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:11 scalix sendmail[2343]: lB8Bffsx004341: to=<jr.shaw@gpcvb.org>, delay=1+20:52:30, xdelay=00:00:00, mailer=esmtp, pri=4210468, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:12 scalix sendmail[2343]: lB8Bf0HK004306: to=<jr.shaw@gpcvb.org>, delay=1+20:53:12, xdelay=00:00:00, mailer=esmtp, pri=4210501, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:13 scalix sendmail[2343]: lB8ABORq008648: to=<ggibelin@clickcashmarketing.com>, delay=1+22:22:49, xdelay=00:00:01, mailer=esmtp, pri=4420975, relay=mx15.comingsoon.namescout.com. [199.85.4.231], dsn=4.0.0, stat=Deferred: Connection refused by mx15.comingsoon.namescout.com.
Dec 10 09:34:13 scalix sendmail[2343]: lB7N3Fcl004958: to=<jr.shaw@gpcvb.org>, delay=2+09:30:58, xdelay=00:00:00, mailer=esmtp, pri=5380010, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:13 scalix sendmail[2343]: lB7N3sWK004992: to=<jr.shaw@gpcvb.org>, delay=2+09:30:19, xdelay=00:00:00, mailer=esmtp, pri=5380052, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:13 scalix sendmail[2343]: lB7N3YjH004975: to=<jr.shaw@gpcvb.org>, delay=2+09:30:39, xdelay=00:00:00, mailer=esmtp, pri=5380070, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:13 scalix sendmail[2343]: lB7N4fZ2005077: to=<jr.shaw@gpcvb.org>, delay=2+09:29:32, xdelay=00:00:00, mailer=esmtp, pri=5380103, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:13 scalix sendmail[2343]: lB7N4EIL005010: to=<jr.shaw@gpcvb.org>, delay=2+09:29:59, xdelay=00:00:00, mailer=esmtp, pri=5380172, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:14 scalix sendmail[2343]: lB7N2t2V004921: to=<jr.shaw@gpcvb.org>, delay=2+09:31:19, xdelay=00:00:00, mailer=esmtp, pri=5380178, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:15 scalix sendmail[2343]: lB76f3Qh026319: to=<byung@infoback.com>, delay=3+01:53:12, xdelay=00:00:01, mailer=esmtp, pri=6993509, relay=no.com. [204.13.161.20], dsn=4.0.0, stat=Deferred: Connection refused by no.com.
Dec 10 09:34:15 scalix sendmail[2343]: lB70I3it023257: to=<a.colino@actionpawn.com>, delay=3+08:16:12, xdelay=00:00:00, mailer=esmtp, pri=7538983, relay=mail.actionpawn.com. [64.232.29.82], dsn=4.0.0, stat=Deferred: Connection reset by mail.actionpawn.com.
Dec 10 09:35:16 scalix sendmail[2343]: lB6NVkD7022272: to=<mihail@currentmail.com>, delay=3+09:03:30, xdelay=00:01:00, mailer=esmtp, pri=7627531, relay=h1.mcisi.net. [65.57.173.34], dsn=4.0.0, stat=D


I tried out some open relay tests, which all said no open relay was found on this server. The server is newly installed on CentOS 5.

What config do you need from me to give me a hint about fixing this problem?

Greetings Mysterious

Attachment:

###############################################################################
# SMTP Relay Configuration
# ########################
#
# For details please see Scalix Overview - Security
#
###############################################################################

###############################################################################
# Relay Configuration
# ###################
#
# EXTENSIONS      These extensions will be advertised by the EHLO reply
# DOMAIN_NAME     Local host FQDN
# LOCAL_NAMES     Local aliases of DOMAIN_NAME
# MAX_HOP_COUNT   If the number of Received: header lines in a message sent to
#                 the relay exceed this number then the message will be
#                 rejected by the relay. The default value is zero and any
#                 non-positive value is interpreted as infinity. The default
#                 value means that no loop detection is done by the relay,
#                 any loop detection will only be done by sendmail.
# GREETING        This is the text after the 220 on the connection
#                 greeting line some tokens can be used:
#                 %F - FQDN, %P - protocol, %N program name,
#                 %V - version, %D date
# LISTEN          Comma separated host:port to listen to eg.
#                 LISTEN=mail.example.com:25,10.100.100.1:smtp
#
###############################################################################


EXTENSIONS=AUTH,DSN,8BITMIME

# Uncomment the following lines to enable the Submission and LMTP listeners
#SUBMIT=ON
#LMTP=ON

###############################################################################
# Catch-all recipients
# ####################
#
# Catch-all recipients are for catching email sent to unknown users, instead
# of non-delivering the email. More than one CATCH line can be used.
#
# CATCH PATTERN RECIPIENT
#
# PATTERN can be:
#    user* - any unknown address starting with user
#    @domain.com - any unknown address in domain.com
#    user*@domain.com - any unknown user starting with user in domain.com
# RECIPIENT
#    this is the recipient email address to redirect the email to. It can
#    be local or remote, but is subject to any relay rules if remote.
#
# Authentication and Anti-Spamming Measures
# #########################################
#
# Each line is of the form:
# EVENT ACTION PATTERN PATTERN...
# When an event happens the SMTP Relay checks for a matching event/pattern
# sequentially in this file. When it finds the first match, it takes the
# action specified.
#
# ######
# EVENTS
# ######
#
# AUTH_SUCCESS    An attempt is made to submit a
#                 successfully authenticated message.
#
# AUTH_MISMATCH   An attempt is made to submit a
#                 successfully authenticated message but
#                 the originator name does not match
#                 the authenticated name.
#
# ANONYMOUS       An attempt is made to submit a message
#                 sent without authentication or after
#                 failed authentication.
#
# SUBMIT          An attempt is made to submit a message from
#                 the host specified in pattern
#
# RELAY           An attempt is made to relay a message through the SMTP Relay
#
# ORIGINATOR      An attempt is made to submit a message from a user whose
#                 email address matches pattern
#
# RECIPIENT       An attempt is made to submit a message to a user whose
#                 email address matches pattern
#
# #######
# ACTIONS
# #######
#
# Accept         The message is unconditionally accepted and processed
#                normally.
#
# Defer          The message is deferred with a 400 code
#
# Discard        The message is accepted but then discarded
#
# Header         The message is accepted, but an extra header is inserted.
#
# Reject         The message is rejected with a 500 code
#
# If Log_ added to the start of an action, then the action is also recorded
# in the SMTP Relay log file.
#
# ########
# PATTERNS
# ########
#
# Hostname Patterns
#  - an IP address, eg 123.234.132.231
#  - an IP subnet and mask, eg 123.234.200.0/255.255.240.0
#  - a hostname, eg bert.loc.co.uk
#  - the end of a domain, eg .spammer.net
#  - the start of a domain, 123.234.
#  - the keyword ALL matches all hosts
#  - the keyword LOCAL matches all hosts that do not contain a .
#
# Email Patterns - used by ORIGINATOR and RECIPIENT
#  - *@*.spam.net
#
# DNSBL Patterns - These can be used by the SUBMIT EVENT to use DNS black
#                  list systems (See http://en.wikipedia.org/wiki/DNSBL )
#  - DNSBL,host,reply  eg DNSBL,bl.spamcop.net,ALL
#
###############################################################################

# NB Authenticated RELAYs are always allowed
SMTPFilter=TRUE
RELAY accept 127.0.0.1
RELAY accept .meinserver.de
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL



# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix

Kris
Posts: 247
Joined: Tue Jul 04, 2006 7:24 am

Postby Kris » Mon Dec 10, 2007 4:46 am

Out-of-office reply on a spam-message perhaps?

Mysterious
Posts: 41
Joined: Tue May 08, 2007 6:05 am

Postby Mysterious » Mon Dec 10, 2007 4:55 am

OK, but no domain or IP in this log belongs to my server or domain name...

PeterR
Posts: 16
Joined: Mon Nov 19, 2007 11:44 am
Location: Germany/Munich

Postby PeterR » Mon Dec 10, 2007 5:30 am

Small question: do you see any "from=<..." lines in your log?

What is the output of e.g. "grep lB8BeHIg004259 /var/log/maillog*"?

Greetings PeterR

Mysterious
Posts: 41
Joined: Tue May 08, 2007 6:05 am

Postby Mysterious » Mon Dec 10, 2007 6:56 am

This is the output of the above command.

Dec 9 04:30:13 scalix sendmail[10527]: lB8BeHIg004259: to=<jr.shaw@gpcvb.org>, delay=15:49:56, xdelay=00:00:00, mailer=esmt$
Dec 9 05:30:21 scalix sendmail[10782]: lB8BeHIg004259: to=<jr.shaw@gpcvb.org>, delay=16:50:04, xdelay=00:00:00, mailer=esmt$
Dec 9 06:30:21 scalix sendmail[11115]: lB8BeHIg004259: to=<jr.shaw@gpcvb.org>, delay=17:50:04, xdelay=00:00:00, mailer=esmt$

PeterR
Posts: 16
Joined: Mon Nov 19, 2007 11:44 am
Location: Germany/Munich

Postby PeterR » Mon Dec 10, 2007 7:30 am

Mysterious wrote: This is the output of the above command.

Dec  9 04:30:13 scalix sendmail[10527]: lB8BeHIg004259: to=<jr.shaw@gpcvb.org>, delay=15:49:56, xdelay=00:00:00, mailer=esmt$

Okay, I see only the recipient email, a.k.a. to=<jr.shaw@gpcvb.org>, but not the sender email address, which should start with from=<*

So maybe your maillogs are compressed, perhaps this command:

zgrep lB8BeHIg004259 /var/log/maillog* | grep -i from

shows the original sender, if your maillog files go back far enough.

Other question: is Scalix the only application running on this server?
Are there no other web services installed on this server, e.g. a website with a formmailer script, forum software, blogging software, or any scripts/admin scripts that are capable of sending email?

Greetings PeterR

Mysterious
Posts: 41
Joined: Tue May 08, 2007 6:05 am

Postby Mysterious » Mon Dec 10, 2007 9:46 am

I just uploaded my last logfile to the following location, to make it easier for you.


http://myst81.my.funpic.de/maillog_mysterious.zip

Mysterious
Posts: 41
Joined: Tue May 08, 2007 6:05 am

Postby Mysterious » Thu Dec 13, 2007 9:11 am

Okay, finally found my configuration error.

I had to add my mail domains to /etc/mail/local-host-names so sendmail could look up known hostnames in this file.

It seems that if you set SMTPFilter=TRUE in Scalix's smtp.conf, Scalix sends all incoming messages to sendmail first, without first looking them up in its database. Sendmail looks in /etc/mail/local-host-names for known mail domains, and if there is nothing in it, it reacts like an open relay. Could someone verify this?

After changing this setting the system seems to be set up correctly now.
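As an added defender-side example (not code from this thread, from Scalix, or from sendmail): a small Python script that does what PeterR's grep does, but for every queue ID in a log slice at once, and that also performs the check behind the fix in the post above. It correlates each queue ID's from=<...> line with its to=<...> delivery attempts, flags messages where neither the envelope sender nor a recipient is in a local domain (the host is relaying), lists queue IDs whose from= line is missing from the slice (rotated away, so zgrep of older logs is needed), counts Deferred attempts per recipient, and reports mail domains absent from /etc/mail/local-host-names. It assumes the standard sendmail maillog format shown in the posts; the sample log lines and local-host-names content are constructed, and meinserver.de (from the posted smtp.conf) is taken as the local domain.

```python
"""Correlate sendmail maillog lines by queue ID and flag relay candidates."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines posted in the thread. The
# from=<...> lines are invented so the queue IDs can be correlated; remote
# parties use reserved example/test names and RFC 5737 addresses.
SAMPLE_LOG = """\
Dec  8 12:40:17 scalix sendmail[4259]: lB8BeHIg004259: from=<bulk@example-sender.test>, size=2310, class=0, nrcpts=1, msgid=<1@example-sender.test>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Dec 10 09:34:11 scalix sendmail[2343]: lB8BeHIg004259: to=<jr.shaw@gpcvb.org>, delay=1+20:53:54, xdelay=00:00:00, mailer=esmtp, pri=4210281, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 09:34:13 scalix sendmail[2343]: lB7N3Fcl004958: to=<jr.shaw@gpcvb.org>, delay=2+09:30:58, xdelay=00:00:00, mailer=esmtp, pri=5380010, relay=gpcvb.org., dsn=4.0.0, stat=Deferred: Connection timed out with gpcvb.org.
Dec 10 08:00:01 scalix sendmail[3001]: lBA80001003001: from=<alice@meinserver.de>, size=512, class=0, nrcpts=1, msgid=<2@meinserver.de>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Dec 10 08:00:02 scalix sendmail[3002]: lBA80001003001: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.example.org. [203.0.113.5], dsn=2.0.0, stat=Sent (OK)
Dec 10 08:05:00 scalix sendmail[3010]: lBA85000003010: from=<carol@example.com>, size=800, class=0, nrcpts=1, msgid=<3@example.com>, proto=ESMTP, daemon=MTA, relay=mx.example.com [203.0.113.9]
Dec 10 08:05:01 scalix sendmail[3011]: lBA85000003010: to=<postmaster@meinserver.de>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30800, dsn=2.0.0, stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>")
STAT_RE = re.compile(r"stat=(?P<stat>.*)$")


def domain_of(addr):
    """Lower-cased domain part of an address; '' for the null sender <>."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_maillog(text):
    """Group lines by queue ID: {qid: {"from": sender|None, "deliveries": [(rcpt, stat)]}}."""
    records = defaultdict(lambda: {"from": None, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a queue line (daemon start messages etc.)
        rec, rest = records[m.group("qid")], m.group("rest")
        fm = FROM_RE.search(rest)
        if fm:
            rec["from"] = fm.group("addr")  # envelope line
            continue
        tm = TO_RE.search(rest)
        if tm:  # delivery attempt line
            sm = STAT_RE.search(rest)
            rec["deliveries"].append((tm.group("addr"), sm.group("stat") if sm else ""))
    return dict(records)


def classify(records, local_domains):
    """Return (relay_candidates, unknown_sender) lists of queue IDs.

    A relay candidate has a non-null envelope sender outside local_domains and
    at least one recipient outside local_domains: this host neither originated
    nor receives the message. A null sender <> is an MTA-generated bounce and
    counts as locally originated. Queue IDs whose from= line is not in the
    slice cannot be classified and are listed for a zgrep of rotated logs.
    """
    local = {d.lower() for d in local_domains}
    candidates, unknown = [], []
    for qid, rec in sorted(records.items()):
        if all(domain_of(r) in local for r, _ in rec["deliveries"]):
            continue  # every recipient is local: inbound mail, not a relay
        if rec["from"] is None:
            unknown.append(qid)
        elif domain_of(rec["from"]) and domain_of(rec["from"]) not in local:
            candidates.append(qid)
    return candidates, unknown


def deferred_per_recipient(records):
    """Count Deferred attempts per recipient: a spike to one remote address is
    the queue build-up that flooded the maillog in the thread."""
    counts = defaultdict(int)
    for rec in records.values():
        for rcpt, stat in rec["deliveries"]:
            if stat.startswith("Deferred"):
                counts[rcpt] += 1
    return dict(counts)


def missing_local_host_names(local_host_names_text, mail_domains):
    """Mail domains absent from /etc/mail/local-host-names content (comments
    and blank lines ignored). An empty result is what the fix above establishes."""
    present = {ln.strip().lower() for ln in local_host_names_text.splitlines()
               if ln.strip() and not ln.lstrip().startswith("#")}
    return sorted(d for d in mail_domains if d.lower() not in present)


if __name__ == "__main__":
    recs = parse_maillog(SAMPLE_LOG)
    cands, unk = classify(recs, {"meinserver.de"})
    print("relay candidates:", cands)
    print("unknown sender, check rotated logs:", unk)
    print("deferred per recipient:", deferred_per_recipient(recs))
    # Constructed local-host-names content, assumed for the demonstration
    print("missing from local-host-names:",
          missing_local_host_names("# hostnames\nscalix\n", ["meinserver.de"]))
```

On a real host, replace SAMPLE_LOG with the concatenated output of `zcat -f /var/log/maillog*` so that rotated files contribute the from= lines; the "unknown sender" list shrinks as older logs are included. The relay check deliberately ignores the submitting client address, because in the configuration discussed here the messages reach sendmail via the local SMTP relay and would all look like trusted 127.0.0.1 traffic.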
