open relay

[ianare]

I seem to be sending out spam as an open relay. I know my users are not sending these out.

Oct 4 10:27:32 mail sendmail[30486]: k945IL4F020395: to=<akhandjtiwari@gmail.com>, delay=09:09:08, xdelay=00:00:02, mailer=esmtp, pri=933892, relay=alt1.gmail-smtp-in.l.google.com. [66.249.93.114], dsn=4.2.1, stat=Deferred: 450-4.2.1 The Gmail user you are trying to contact is receiving
Oct 4 10:27:33 mail sendmail[30486]: k945IL4F020395: to=<akhandjtiwari@gmail.com>, delay=09:09:09, xdelay=00:00:03, mailer=esmtp, pri=933892, relay=gsmtp163.google.com. [64.233.163.27], dsn=4.2.1, stat=Deferred: 450-4.2.1 The Gmail user you are trying to contact is receiving
Oct 4 10:27:34 mail sendmail[30486]: k945IL4F020395: to=<akhandjtiwari@gmail.com>, delay=09:09:10, xdelay=00:00:04, mailer=esmtp, pri=933892, relay=gsmtp183.google.com. [64.233.183.27], dsn=4.2.1, stat=Deferred: 450-4.2.1 The Gmail user you are trying to contact is receiving
Oct 4 10:29:35 mail sendmail[30486]: k9455Y6b019914: to=<bulletinbeatify@royaloakhomes.com>, delay=09:23:59, xdelay=00:02:00, mailer=esmtp, pri=1041188, relay=royaloakhomes.com. [66.116.109.62], dsn=4.0.0, stat=Deferred: Connection timed out with royaloakhomes.com.
Oct 4 10:29:58 mail sendmail[30486]: k941Tlg1013123: to=<billiard@1-sovetnik.com>, delay=13:00:07, xdelay=00:00:23, mailer=esmtp, pri=1292776, relay=mxs.valuehost.ru. [217.112.42.216], dsn=4.3.0, stat=Deferred: 451 bad reverse DNS
Oct 4 10:30:03 mail sendmail[30486]: k941Tlg1013123: to=<billiard@1-sovetnik.com>, delay=13:00:12, xdelay=00:00:28, mailer=esmtp, pri=1292776, relay=mxs2.valuehost.ru. [217.112.42.216], dsn=4.3.0, stat=Deferred: 451 bad reverse DNS

And we don't have any dealings with Taiwan or Russia:

[root@mail ~]# lsof -i :25
sendmail 31902 root 4u IPv4 5850588 TCP localhost.localdomain:smtp (LISTEN)
sendmail 31903 root 8u IPv6 5850684 TCP my.FQDN.com:50377->mx3.valuehost.ru:smtp (SYN_SENT)
omsmtpd 8615 root 30u IPv4 5826001 TCP my.FQDN.com:smtp->61-62-4-2-adsl-tpe.dynamic.so-net.net.tw:1819 (ESTABLISHED)

my /var/opt/scalix/sys/smtpd.cfg :

Code: Select all

EXTENSIONS=AUTH,DSN,8BITMIME
GREETING=SMTPD
SMTPFILTER=TRUE
RELAY accept 127.0.0.1
RELAY accept my.FQDN.com
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*


my /etc/mail/sendmail.mc (I did not include the lines starting with 'dnl'):

Code: Select all

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl

define(`confDEF_USER_ID',``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_COMMAND', `2m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `goaway,noreceipts')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confDOUBLE_BOUNCE_ADDRESS', `')dnl

define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl

define(`confCONNECTION_RATE_THROTTLE', 5)dnl

FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

FEATURE(`dnsbl', `relays.ordb.org', `"550 Email rejected due to sending server misconfiguration - see http://www.ordb.org/faq/\#why_rejected"')dnl

define('confINPUT_MAIL_FILTERS', 'clmilter')
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav-milter/clamav.sock, F=, T=S:4m;R:4m')dnl
define('confINPUT_MAIL_FILTERS', 'spamassassin')
INPUT_MAIL_FILTER(`spamassassin',`S=local:/var/run/spamass-milter/spamass-milter.sock, F=, T=C:10s;S:10s;R:30s;E:2m')dnl

MAILER(smtp)dnl
MAILER(procmail)dnl


Any suggestions? Thanks in Advance.

[ScalixSupport]

I doubt you are acting as a relay has you have this line:

RELAY Log_Reject ALL

in your smtpd.cfg file.

I'd be happier if this line

RELAY accept my.FQDN.com

was really more like

RELAY accept .domain.com

Note the leading dot. Be sure to restart smtpd after making changes to smtd.cfg.

Then you should edit your /etc/mail/local-host-names to read like:

# cat /etc/mail/local-host-names
# local-host-names - include all aliases for your machine here.
host_name.domain.com

and restart sendmail.

Thanks,
Don

[ianare]

Ok I did that, but checking my mail log I'm still seeing stuff like:

Oct 6 17:31:25 mail sendmail[3296]: k96LVHdd003290: to=<pttpnftdvfturgifoezfbyjuynp@ms63.hinet.net>, delay=00:00:08, xdelay=00:00:05, mailer=esmtp, pri=123573, relay=ms63a.hinet.net. [168.95.5.63], dsn=2.0.0, stat=Sent (FAA28498 Message accepted for delivery)

Is this normal? Have I been owned? Sorry total newb to mail serving.

[dkelly]

And we don't have any dealings with Taiwan or Russia:

[root@mail ~]# lsof -i :25
sendmail 31902 root 4u IPv4 5850588 TCP localhost.localdomain:smtp (LISTEN)
sendmail 31903 root 8u IPv6 5850684 TCP my.FQDN.com:50377->mx3.valuehost.ru:smtp (SYN_SENT)
omsmtpd 8615 root 30u IPv4 5826001 TCP my.FQDN.com:smtp->61-62-4-2-adsl-tpe.dynamic.so-net.net.tw:1819 (ESTABLISHED)

lsof is showing that you have 1 outgoing connection to mx3.valuehost.ru and 1 incoming connection from 61-62-4-2-adsl-tpe.dynamic.so-net.net.tw.

You haven't posted any of the "from" lines from the mail log file so I can't see who the originator of the message is.

It's likely that you are being spammed but it's not possible that you are an open relay unless you have made some major modifications to the smtpd.cfg file.

Cheers

Dave

[ianare]

OK, thank you for the reassurance. It just looked weird to me.

[Derek]

sendmail should not be listening on anything other than the lo interface. I had a huge problem with this. Correct me if I'm wrong, but doesn't the second line from the output of "lsof -i :25" indicate that he was in fact relaying?

The ONLY remedy I found for this was to remove the IPv6 address (again, look at lsof output) from my ethernet inferface. The problem instantaneously went away.

[ianare]

After going to smtps using these instructions:
http://www.scalix.com/community/viewtop ... ight=smtps

it finally stopped. Yay!