Re: Open Mail Relay

2010-08-16 Thread John Levine
 Assume, as Mr. Bonomi suggests, that some bad guy has installed some
type of additional mailer on the machine or another machine that's
allowed to relay mail.  How would I go about locating that other mailer?

Another popular hack is uploading a PHP script using bugs in a CMS or wiki.

Once you have a message with accurate timestamps in the headers, check the
web logs at those times, too.

R's,
John
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Open Mail Relay

2010-08-16 Thread Robert Bonomi

 Date: Sun, 15 Aug 2010 07:57:23 -0400
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Re: Open Mail Relay

 At 05:13 PM 8/14/2010, Robert Bonomi wrote:
  Date: Sat, 14 Aug 2010 09:29:54 -0400
  To: freebsd-questions@freebsd.org
  From: pe...@vfemail.net
  Subject: Open Mail Relay
 
 
  I have a machine running FreeBSD, sendmail and majordomo.  I have someone 
  who is on one of those majordomo lists complaining that they are receiving 
  spam from me.  The complainer says I have an open mail relay that I need 
  to fix.  
 
  I went to http://www.abuse.net/relay.html
  to test the machine using its IP address.  Abuse.net gives a clean bill of
  health, saying relaying was denied in 17 separate tests.
 
  I've reviewed my mail logs for the past couple of days and I can't find 
  any entries for any mail addressed to the complainer's domain name except 
  mail that should have been sent.  
 
  Is Abuse.net's test adequate to rule out an open mail relay problem?  
 
 
 There are -several- possible sources of spam to that list user.
 
 The abusenet open-relay tests check only one of them.
 
 The machine may be compromised (i.e. 'owned') and the bad guys have
 installed their -own- mail-sending software on it.  The logs that
 show activity from _your_ mail-sending software would, obviously,
 *not* show the activity of this other software.
 
 In addition, whatever mailing list said user is subscribed to _may_ be set
 to take messages from 'anybody', not just confirmed members of the list.
 
 Thirdly, some folks sign up for a list _just_ to send their off-topic
 commercial messages to it.
 
 NONE of those three scenarios are an 'open relay', but they all result
 in spam showing up in the list-subscriber's mailbox, that got there by
 _from_ your machine.

 Thank you everyone for your many comments and suggestions.  The level of 
 talent and responsiveness on this list is nothing less than stunning.  

 I've requested copies of the offensive messages, and I'm hopeful the 
 complainer will send me copies.  I believe I have control over the majordomo 
 lists -- postings are restricted to list members, postings are monitored, and 
 many lists are moderated.  

 Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of 
 additional mailer on the machine or another machine that's allowed to relay 
 mail.  How would I go about locating that other mailer?  


*IF* the machine has been compromised, then you're going to have a -very-
difficult time finding it, using any tools _on_ the box.  It's not uncommon
for the bad guys to install 'modified' (to use a polite word for it)
versions of system utilities, and/or run-time-loading system libraries,
that selectively 'edit out' information that they don't want you to see.
e.g., a modified ps(1) will -not- show the 'bot' process that is spewing
mail.

A _second_ machine, on the same LAN, using something like 'tcpdump' to
monitor outbound port 25 traffic from the first box, can show you if there
are 'things happening' that are not being reported in the log files.

_Finding_ the offending code, after you've established that it *is* happening,
is a whole nuther can of worms.  _if_ you have something like an up-to-date
'tripwire' database, with fingerprints of every installed executable, you
can boot from alternate media (say the 'live CD' image), and look for things
where the fingerprint has changed.

If you establish a compromise -has- occurred, about the only way to *ensure*
that the machine is 'trustworthy' again is to back up all application *data*,
wipe the drive(s) {as in 'dd if=/dev/zero of=/dev/ad??'}, and re-install 
everything FROM SCRATCH.

NOTE: This _is_ a 'worst case' scenario.  Odds are that when you see the
'full headers' on the 'offending' messages, it will turn out to be something
else entirely.

Comment:  someone who _knows_ what they're talking about would not simply
make the bald assertion 'you have an open relay' -- they would *know*
that that statement _alone_ is insufficient to get to the root of the problem
and fix it.  They would, at a minimum, identify the _type_ of traffic that
was being relayed (e.g. 'from is spoofed as your domain'), or would provide
several copies of the offending traffic, _before_ being asked.   Based on
this, the 'quality' of the original complainant's is somewhat suspect itself,


Probably the most _common_ situation is a spammer signs up to a mailing list,
*NOT* to spam _through_ it, but to collect the email addresses of those who
post _to_ the mailing list.  And they then send junk email to those people
directly.  Now, if somebody is using a 'unique' email address for that
mailing list, they *can* jump to the conclusion that 'anything' to that address
must have come from/through your servers.  I haven't seen anybody doing this
kind of thing 'smart enough' so as to make it appear (in received headers)
that it originated from the mailing-list server; it's

Re: Open Mail Relay

2010-08-16 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Sun Aug 15 15:15:43 2010
 Date: Sun, 15 Aug 2010 22:15:57 +0200
 From: Erik Norgaard norga...@locolomo.org
 To: freebsd-questions@freebsd.org
 Subject: Re: Open Mail Relay

 On 15/08/10 13.57, pe...@vfemail.net wrote:

  Assume, as Mr. Bonomi suggests, that some bad guy has installed some type 
  of additional mailer on the machine or another machine that's allowed to 
  relay mail.  How would I go about locating that other mailer?

 If the messages are indeed relayed through your server then you can see 
 it in the logs and in the Received header field which host is sending 
 the mail to your server.

*IF* it is just a case of the 'intended to be used' mail server is
misconfigured, and allowing relaying, that is correct.

*IF*, OTOH, the machine has been broken-into/compromised/owned, then
the 'bad guys'  are fully capable of installing their _own_ mail-sending
software --software that does *NOT* record anything in the normal log files.
This kind of software is 'maliciously built' to leave *no* tracks with 
regard to incoming _or_ outgoing connections from/to other hosts.

 If somebody forges mail to appear to come from your domain, but not 
 relayed through your server there is really not much you can do. Only 
 the recipient server can reject the mails.

 Some servers support SPF and you can help other servers know that mail
 from your domain must originate from your server by adding a TXT entry
 in your DNS.

 BR, Erik


Re: Open Mail Relay

2010-08-15 Thread peter
At 05:13 PM 8/14/2010, Robert Bonomi wrote:
 From owner-freebsd-questi...@freebsd.org  Sat Aug 14 12:22:50 2010
 Date: Sat, 14 Aug 2010 09:29:54 -0400
 To: freebsd-questions@freebsd.org
 From: pe...@vfemail.net
 Subject: Open Mail Relay


 I have a machine running FreeBSD, sendmail and majordomo.  I have someone 
 who is on one of those majordomo lists complaining that they are receiving 
 spam from me.  The complainer says I have an open mail relay that I need to 
 fix.  

 I went to http://www.abuse.net/relay.html
 to test the machine using its IP address.  Abuse.net gives a clean bill of
 health, saying relaying was denied in 17 separate tests.

 I've reviewed my mail logs for the past couple of days and I can't find any 
 entries for any mail addressed to the complainer's domain name except mail 
 that should have been sent.  

 Is Abuse.net's test adequate to rule out an open mail relay problem?  


There are -several- possible sources of spam to that list user.

The abusenet open-relay tests check only one of them.

The machine may be compromised (i.e. 'owned') and the bad guys have
installed their -own- mail-sending software on it.  The logs that
show activity from _your_ mail-sending software would, obviously,
*not* show the activity of this other software.

In addition, whatever mailing list said user is subscribed to _may_ be set
to take messages from 'anybody', not just confirmed members of the list.

Thirdly, some folks sign up for a list _just_ to send their off-topic
commercial messages to it.

NONE of those three scenarios are an 'open relay', but they all result
in spam showing up in the list-subscriber's mailbox, that got there by
_from_ your machine.

Thank you everyone for your many comments and suggestions.  The level of talent 
and responsiveness on this list is nothing less than stunning.  

I've requested copies of the offensive messages, and I'm hopeful the complainer 
will send me copies.  I believe I have control over the majordomo lists -- 
postings are restricted to list members, postings are monitored, and many lists 
are moderated.  

Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of 
additional mailer on the machine or another machine that's allowed to relay 
mail.  How would I go about locating that other mailer?  








Re: Open Mail Relay

2010-08-15 Thread Ryan Coleman

On Aug 15, 2010, at 6:57 AM, pe...@vfemail.net wrote:

 I've requested copies of the offensive messages, and I'm hopeful the 
 complainer will send me copies.  I believe I have control over the majordomo 
 lists -- postings are restricted to list members, postings are monitored, and 
 many lists are moderated.  
 
 Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of 
 additional mailer on the machine or another machine that's allowed to relay 
 mail.  How would I go about locating that other mailer?  

In my experiences if they were relaying through your machine you'd still see it 
on the logs. Look for the time/date of the emails you get from the complainant 
and see if anything matches up. Then use the IPs to track down who might be 
doing it.

A little detective work can go a long way.

--
Ryan


Re: Open Mail Relay

2010-08-15 Thread Paul Macdonald

 On 15/08/2010 12:57, pe...@vfemail.net wrote:

At 05:13 PM 8/14/2010, Robert Bonomi wrote:

 From owner-freebsd-questi...@freebsd.org  Sat Aug 14 12:22:50 2010
Date: Sat, 14 Aug 2010 09:29:54 -0400
To: freebsd-questions@freebsd.org
From: pe...@vfemail.net
Subject: Open Mail Relay


I have a machine running FreeBSD, sendmail and majordomo.  I have someone who 
is on one of those majordomo lists complaining that they are receiving spam 
from me.  The complainer says I have an open mail relay that I need to fix.

I went to http://www.abuse.net/relay.html to
test the machine using its IP address.  Abuse.net gives a clean bill of health,
saying relaying was denied in 17 separate tests.

I've reviewed my mail logs for the past couple of days and I can't find any 
entries for any mail addressed to the complainer's domain name except mail that 
should have been sent.

Is Abuse.net's test adequate to rule out an open mail relay problem?


There are -several- possible sources of spam to that list user.

The abusenet open-relay tests check only one of them.

The machine may be compromised (i.e. 'owned') and the bad guys have
installed their -own- mail-sending software on it.  The logs that
show activity from _your_ mail-sending software would, obviously,
*not* show the activity of this other software.

In addition, whatever mailing list said user is subscribed to _may_ be set
to take messages from 'anybody', not just confirmed members of the list.

Thirdly, some folks sign up for a list _just_ to send their off-topic
commercial messages to it.

NONE of those three scenarios are an 'open relay', but they all result
in spam showing up in the list-subscriber's mailbox, that got there by
_from_ your machine.

Thank you everyone for your many comments and suggestions.  The level of talent 
and responsiveness on this list is nothing less than stunning.

I've requested copies of the offensive messages, and I'm hopeful the complainer 
will send me copies.  I believe I have control over the majordomo lists -- 
postings are restricted to list members, postings are monitored, and many lists 
are moderated.

Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of 
additional mailer on the machine or another machine that's allowed to relay 
mail.  How would I go about locating that other mailer?






you need the headers, that's what they're there for!




--
-
Paul Macdonald
IFDNRG Ltd
Web and video hosting
-
t: 0131 5548070
m: 07534206249
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
-
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
-



Re: Open Mail Relay

2010-08-15 Thread Erik Norgaard

On 15/08/10 13.57, pe...@vfemail.net wrote:


Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of 
additional mailer on the machine or another machine that's allowed to relay 
mail.  How would I go about locating that other mailer?


If the messages are indeed relayed through your server then you can see 
it in the logs and in the Received header field which host is sending 
the mail to your server.


If somebody forges mail to appear to come from your domain, but not 
relayed through your server there is really not much you can do. Only 
the recipient server can reject the mails.


Some servers support SPF and you can help other servers know that mail
from your domain must originate from your server by adding a TXT entry
in your DNS.


BR, Erik


Open Mail Relay

2010-08-14 Thread peter

I have a machine running FreeBSD, sendmail and majordomo.  I have someone who 
is on one of those majordomo lists complaining that they are receiving spam 
from me.  The complainer says I have an open mail relay that I need to fix.  

I went to http://www.abuse.net/relay.html to
test the machine using its IP address.  Abuse.net gives a clean bill of health,
saying relaying was denied in 17 separate tests.

I've reviewed my mail logs for the past couple of days and I can't find any 
entries for any mail addressed to the complainer's domain name except mail that 
should have been sent.  

Is Abuse.net's test adequate to rule out an open mail relay problem?  






Re: Open Mail Relay

2010-08-14 Thread Mikhail

On 14.08.2010 17:29, pe...@vfemail.net wrote:

I've reviewed my mail logs for the past couple of days and I can't
find any entries for any mail addressed to the complainer's domain
name except mail that should have been sent.


You can try it yourself, with telnet and proper smtp commands. For 
example, telnet from outside of your organization to your mail server 
and issue:


ehlo mydomain.com
mail from: foo...@example.com
rcpt to: foo...@example.org
data
test mail
.

You actually have to get an error message about relay denied for you. If
you don't - you're in trouble.
If you do receive such a message - your relay is closed and probably you
have spam worms who send emails from a legit user, or something like that.


Be well.


Re: Open Mail Relay

2010-08-14 Thread mikel king


On Aug 14, 2010, at 9:29 AM, pe...@vfemail.net wrote:



I have a machine running FreeBSD, sendmail and majordomo.  I have  
someone who is on one of those majordomo lists complaining that they  
are receiving spam from me.  The complainer says I have an open mail  
relay that I need to fix.


I went to http://www.abuse.net/relay.html
to test the machine using its IP address.  Abuse.net gives a clean
bill of health, saying relaying was denied in 17 separate tests.


I've reviewed my mail logs for the past couple of days and I can't  
find any entries for any mail addressed to the complainer's domain  
name except mail that should have been sent.


Is Abuse.net's test adequate to rule out an open mail relay problem?



Peter,

I usually attempt to send from a remote site myself directly before I
sign off on closing that hole. In addition I always request that the
complaint include a complete copy of all offending messages so that I
can properly examine the headers. It is entirely conceivable that the
complaint about an open relay is valid, but not from your server but
an impostor. In that case you could try setting an SPF record in your
DNS to help reduce such impersonations, although that is not a
guarantee.


If you have any questions ping me off list.

Regards,
Mikel King
Senior Editor, BSD News Network
Columnist, BSD Magazine
CEO, Olivent Technologies
~because IT matters~
http://olivent.com
6 Alpine Court,
Medford, NY 11763
o: 631.627.3055
http://www.linkedin.com/in/mikelking
http://twitter.com/mikelking




Re: Open Mail Relay

2010-08-14 Thread Erik Norgaard

On 14/08/10 15.29, pe...@vfemail.net wrote:


I have a machine running FreeBSD, sendmail and majordomo.  I have someone who 
is on one of those majordomo lists complaining that they are receiving spam 
from me.  The complainer says I have an open mail relay that I need to fix.


When somebody complains that they receive spam via your relay they must at
the very least forward one of the offending mails to you so you can
study the header. If they deleted the message simply instruct that the
next spam mail is forwarded to you.


In the header you can check the Received headers to see if it actually
passed through your server: first check IP and hostname, then see if the
message id appears in your logs. It is far too easy to forge a mail that
appears to come from your server or domain.


If so, the received fields will also show where the offending mail was 
sent from so you can act on it.


If he's a subscriber to a list could it be that somebody sends spam
through the list?



I went to http://www.abuse.net/relay.html to
test the machine using its IP address.  Abuse.net gives a clean bill of health,
saying relaying was denied in 17 separate tests.

I've reviewed my mail logs for the past couple of days and I can't find any 
entries for any mail addressed to the complainer's domain name except mail that 
should have been sent.

Is Abuse.net's test adequate to rule out an open mail relay problem?


I don't know about this site, but it should be easy to check your logs 
for their connections and see what action is taken.


BR, Erik
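To make the header check Erik describes concrete, here is an added example (not code from this thread or from FreeBSD/sendmail) that walks the Received headers of a forwarded complaint, finds the hop that claims our server accepted the message, and confirms that claim against sendmail's maillog by queue id and Message-Id. Every hostname, address, queue id and log line is constructed; "mail.example.net" stands in for the list owner's FreeBSD host.

```python
import re
from email import message_from_string

# Constructed sample data for this example. "mail.example.net" (192.0.2.10)
# stands in for the list owner's FreeBSD/sendmail host; every hostname, IP,
# queue id and Message-Id below is made up.
OUR_HOST = "mail.example.net"

# A complaint that really did pass through our server: the older (lower)
# hop was accepted *by* mail.example.net from 198.51.100.77.
MSG_RELAYED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.complainer.example (Postfix) with ESMTP id 4F3C2A1B
\tfor <user@complainer.example>; Sat, 14 Aug 2010 09:31:02 -0400
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example.net (8.14.3/8.14.3) with ESMTP id o7EDUxyz012345
\tfor <user@complainer.example>; Sat, 14 Aug 2010 09:30:59 -0400
Message-Id: <20100814133059.GA12345@mail.example.net>
From: someone@example.net
To: user@complainer.example
Subject: make money fast

spam body
"""

# A forgery: the complainer's MX really received it from 203.0.113.9 (which
# merely said HELO as our name); the lower Received line claiming our server
# was written by the spammer, so its ids never appear in our maillog.
MSG_FORGED = """\
Received: from mail.example.net (unknown [203.0.113.9])
\tby mx.complainer.example (Postfix) with ESMTP id 9A8B7C6D
\tfor <user@complainer.example>; Sat, 14 Aug 2010 11:02:17 -0400
Received: from [203.0.113.9] (unknown [203.0.113.9])
\tby mail.example.net (8.14.3/8.14.3) with ESMTP id o7EF1zzz099999
\tfor <user@complainer.example>; Sat, 14 Aug 2010 11:02:10 -0400
Message-Id: <fake-000001@mail.example.net>
From: someone@example.net
To: user@complainer.example
Subject: cheap pills

spam body
"""

# What sendmail logged on mail.example.net for the genuine message (constructed).
OUR_MAILLOG = """\
Aug 14 09:30:59 mail sm-mta[12345]: o7EDUxyz012345: from=<someone@example.net>, size=512, class=0, nrcpts=1, msgid=<20100814133059.GA12345@mail.example.net>, proto=ESMTP, daemon=MTA, relay=[198.51.100.77]
Aug 14 09:31:00 mail sm-mta[12346]: o7EDUxyz012345: to=<user@complainer.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.complainer.example. [203.0.113.5], dsn=2.0.0, stat=Sent (Ok: queued as 4F3C2A1B)
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <host> ... id <queue-id>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?"
)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def parse_received(msg_text):
    """Return the Received hops, newest first, as dicts (from, ip, by, id)."""
    msg = message_from_string(msg_text)
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())            # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group("info") or "")
        hops.append({"from": m.group("from"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by").rstrip(".").lower(),
                     "id": m.group("id")})
    return hops


def logged(token, maillog):
    """True if a queue id or Message-Id string occurs in the maillog text."""
    return bool(token) and token in maillog


def assess(msg_text, maillog, our_host=OUR_HOST):
    """Decide whether the message really passed through our_host.

    Returns (verdict, peer_ip). 'not via our server' if no hop claims that
    our_host accepted it; 'forged' if a hop claims so but neither its queue
    id nor the Message-Id is in our log; otherwise 'relayed', with the IP
    that handed the message to us, which is the address to act on.
    """
    hops = parse_received(msg_text)
    ours = [h for h in hops if h["by"] == our_host.lower()]
    if not ours:
        return "not via our server", None
    hop = ours[0]
    msgid = (message_from_string(msg_text).get("Message-Id") or "").strip()
    if not (logged(hop["id"], maillog) or logged(msgid, maillog)):
        return "forged", hop["ip"]
    return "relayed", hop["ip"]
```

Call `assess(text, maillog)` with the forwarded message and the relevant slice of /var/log/maillog; a 'relayed' verdict with an outside peer IP is the case to investigate, a 'forged' one is not your server's doing.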


Re: Open Mail Relay

2010-08-14 Thread Noel Jones
On Sat, Aug 14, 2010 at 8:29 AM,  pe...@vfemail.net wrote:

 I have a machine running FreeBSD, sendmail and majordomo.  I have someone who 
 is on one of those majordomo lists complaining that they are receiving spam 
 from me.  The complainer says I have an open mail relay that I need to fix.


Insufficient data.  The person reporting the spam needs to provide you
with a copy of the mail, including all headers, so you can see if it
came from your server, or who sent it through your server.

Most likely suspects are another list member's infected machine
sending out spam to the list, or an outright forgery that never went
through your server.



 I went to http://www.abuse.net/relay.html to
 test the machine using its IP address.  Abuse.net gives a clean bill of
 health, saying relaying was denied in 17 separate tests.

Then it's unlikely your server is an open relay.  But you may need to
add some spam filtering to your lists, or at least restrict posting to
members only.


  -- Noel Jones


Re: Open Mail Relay

2010-08-14 Thread Mehmet Erol Sanliturk
On Sat, Aug 14, 2010 at 9:29 AM, pe...@vfemail.net wrote:


 I have a machine running FreeBSD, sendmail and majordomo.  I have someone
 who is on one of those majordomo lists complaining that they are receiving
 spam from me.  The complainer says I have an open mail relay that I need to
 fix.

 I went to http://www.abuse.net/relay.html to
 test the machine using its IP address.  Abuse.net gives a clean bill of
 health, saying relaying was denied in 17 separate tests.

 I've reviewed my mail logs for the past couple of days and I can't find any
 entries for any mail addressed to the complainer's domain name except mail
 that should have been sent.

 Is Abuse.net's test adequate to rule out an open mail relay problem?





In previous weeks, I have received continuous messages about sending spam
messages from my IP. They started by sending messages about undelivered
mails which claimed to have originated from my computer. Later, they started
to send me suggestions about how to remove a proxy server acquired in my
computer which is sending bulk spam messages. All of their text suggestions
were complete executable codes.

All of the messages were using faked names of my ISP officials.

They tried very hard to infect my computer. At the end I sent a
complaint message to my ISP authorities. After that, even I have received
many such messages.

In those days they are not sending such messages, or they are prevented by
my ISP systems, I do not know.

Based on such an experience, please be careful about such claims, and do
not try to decompose their message attachments because the names of their
message attachments are also not related to the content they contain. Use
programs to dissect such messages without making any harm to your systems,
for example convert their extensions to .txt and try to read them in a text
editor. If they are really texts, they should be readable.

Even the content of some messages was completely executable binary.

I think some criminals started to perform such a ploy to infect computers by
persuading users to try to clean their computers by applying their advice,
based on the fear generated in the attacked persons.


Thank you very much .


Mehmet Erol Sanliturk


Re: Open Mail Relay

2010-08-14 Thread Jon Radel

On 8/14/10 11:05 AM, Mikhail wrote:


On 14.08.2010 17:29, pe...@vfemail.net wrote:

I've reviewed my mail logs for the past couple of days and I can't
find any entries for any mail addressed to the complainer's domain
name except mail that should have been sent.


You can try it yourself, with telnet and proper smtp commands. For
example, telnet from outside of your organization to your mail server
and issue:

ehlo mydomain.com
mail from: foo...@example.com
rcpt to: foo...@example.org
data
test mail
.

You actually have to get an error message about relay denied for you. If
you don't - you're in trouble.
If you do receive such a message - your relay is closed and probably you
have spam worms who send emails from a legit user, or something like that.


The basic test, but hardly sufficient to determine if all the known ways 
of fooling an smtp server are accounted for.  Recall from the OP's 
description: saying relaying was denied in 17 separate tests.


The above also can be an issue if you do the test from an IP address 
that the SMTP server has been configured to treat as trusted.


--Jon Radel
j...@radel.com



Re: Open Mail Relay

2010-08-14 Thread John Levine
Is Abuse.net's test adequate to rule out an open mail relay problem?  

It's pretty thorough, and most MTAs have default configurations that
don't permit relay, so it's much less of a problem than it was when I
wrote the tester many years ago.  I don't try to check for weak SMTP
AUTH passwords, a hole that some spamware exploits, so if you do AUTH,
it's conceivable that could be it.

In your case, though, I would wait for the complainer to forward you a
message or two with headers so you can figure out where the spam is
coming from.

Regards,
John Levine, postmas...@abuse.net, http://www.abuse.net, Trumansburg NY
abuse.net postmaster


open mail relay with ipv6??

2008-11-10 Thread Mark Busby
Is this an open relay using ipv6? If so how to block the ipv6 relay.
I thought after sendmail v8.9, all relay action was blocked by default.

maillog entry  
Nov 10 15:01:11 hostname sm-mta[8989]: mAAL021C008989: from=[EMAIL 
PROTECTED], size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, 
daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: ruleset=check_mail, 
arg1=[EMAIL PROTECTED], relay=localhost [IPv6:::1], reject=451 4.1.8 Domain 
of sender address [EMAIL PROTECTED] does not resolve
Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: from=[EMAIL 
PROTECTED], size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, 
daemon=IPv6, relay=localhost [IPv6:::1]

 sockstat -6
USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
root sendmail   8284  5  tcp6   *:25  *:*
root sshd   1520  3  tcp6   *:5960*:*
root ntpd   1010  5  udp6   *:123 *:*
root ntpd   1010  9  udp6   fe80:6::1:123 *:*
root ntpd   1010  10 udp6   ::1:123   *:*
root syslogd927   6  udp6   *:514 *:*





Re: open mail relay with ipv6??

2008-11-10 Thread Matthew Seaman

Mark Busby wrote:

Is this an open relay using ipv6? If so how to block the ipv6 relay.
I thought after sendmail v8.9, all relay action was blocked by default.


You haven't given sufficient information to say whether the machine is
an open relay or not.  We'd need to see the configuration files (well,
the .mc file that is processed to produce the eventual sendmail.cf) 
plus potentially the contents of the access DB.  However, you are 
correct: nowadays the default sendmail configuration is to block 
relaying, and you have to deliberately add configuration settings to
enable any permitted relays.  If you're using the default configuration  
shipped with FreeBSD, then it is not an open relay.


maillog entry  
Nov 10 15:01:11 hostname sm-mta[8989]: mAAL021C008989: from=[EMAIL PROTECTED], size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]

Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: ruleset=check_mail, 
arg1=[EMAIL PROTECTED], relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender 
address [EMAIL PROTECTED] does not resolve
Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: from=[EMAIL 
PROTECTED], size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, 
relay=localhost [IPv6:::1]


This certainly doesn't indicate a message being inappropriately 
relayed. The attempt to send the message is rejected with a permanent 
error code (ie. tell the sender to bounce the message as undeliverable 
and not to re-queue it for another attempt at delivery later).  I think 
it's also doing the correct thing and rejecting the e-mail during the 
SMTP dialog rather than accepting the message for delivery and then 
later sending a bounce-o-gram to the listed sender address.  Google for 
'backscatter spam' in order to understand why the latter course of 
action is a bad idea.



sockstat -6

USER COMMANDPID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
root sendmail   8284  5  tcp6   *:25  *:*
root sshd   1520  3  tcp6   *:5960*:*
root ntpd   1010  5  udp6   *:123 *:*
root ntpd   1010  9  udp6   fe80:6::1:123 *:*
root ntpd   1010  10 udp6   ::1:123   *:*
root syslogd927   6  udp6   *:514 *:*


You've got sendmail listening on all interfaces for IPv6 connections.  
This is appropriate if you expect the machine to receive incoming 
e-mails.  If that's not the case, then set sendmail_enable='NO' in
/etc/rc.conf. This will give you a send-only configuration with a 
sendmail listener bound to the loopback address (typically both ::1
and 127.0.0.1)

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
 Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
 Kent, CT11 9PW



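As an added example (not code from this thread or from sendmail), here is a small Python parser for maillog lines like the ones quoted above. It groups entries by sendmail queue id and tells a message refused inside the SMTP dialog, or submitted from the loopback address, apart from one accepted from an outside host and passed on to another host. The sample reuses the two quoted entries with made-up addresses in place of the archive's redactions, plus two invented lines for the relayed case; all hosts and addresses are constructed.

```python
import re

# Constructed sample for this example: the two sendmail entries quoted in the
# question (addresses, which the archive redacts, replaced with made-up ones)
# plus two invented lines showing a message accepted from an outside host
# and passed on to another host. No real addresses or hosts are used.
SAMPLE_MAILLOG = """\
Nov 10 15:01:11 hostname sm-mta[8989]: mAAL021C008989: from=<user@example.org>, size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=<user@example.org>, relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address user@example.org does not resolve
Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: from=<user@example.org>, size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 16:20:03 hostname sm-mta[9102]: mAAMK3ab009102: from=<sender@example.net>, size=2210, class=0, nrcpts=1, msgid=<x1@example.net>, proto=ESMTP, daemon=IPv6, relay=[IPv6:2001:db8::5]
Nov 10 16:20:04 hostname sm-mta[9103]: mAAMK3ab009102: to=<victim@example.com>, delay=00:00:01, mailer=esmtp, pri=32210, relay=mx.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent
"""

# syslog prefix, then sendmail's queue id, then comma-separated key=value fields
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ [\w-]+\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$"
)
LOOPBACK = {"127.0.0.1", "::1"}


def parse_line(line):
    """Turn one maillog line into {'qid': ..., field: value, ...} or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"qid": m.group("qid")}
    # split only at commas that start a new key=value pair, so values that
    # contain commas (reject text, stat=...) stay intact
    for part in re.split(r", (?=\w+=)", m.group("fields")):
        key, _, val = part.partition("=")
        rec[key] = val
    return rec


def relay_ip(relay_field):
    """Peer address from a relay= value such as 'localhost [IPv6:::1]'."""
    m = re.search(r"\[(?:IPv6:)?([^\]]+)\]", relay_field or "")
    return m.group(1) if m else None


def classify(maillog):
    """Group entries by queue id and say what happened to each message.

    Returns {qid: (verdict, peer_ip)} where peer_ip is the client that spoke
    to us. A reject= line means the message was refused inside the SMTP
    dialog and never queued; a loopback peer is a local submission; nrcpts=0
    means no recipient was accepted; only a from= line from an outside peer
    followed by a non-local to= delivery counts as relaying for that peer.
    """
    by_qid = {}
    for line in maillog.splitlines():
        rec = parse_line(line)
        if rec:
            by_qid.setdefault(rec["qid"], []).append(rec)
    result = {}
    for qid, recs in by_qid.items():
        # inbound records (from= and reject=) carry the client's address;
        # to= records carry the next hop instead, so skip those
        inbound = [r for r in recs if "relay" in r and "to" not in r]
        peer = relay_ip(inbound[0]["relay"]) if inbound else None
        from_rec = next((r for r in recs if "from" in r), None)
        sent_on = any("to" in r and r.get("mailer") != "local" for r in recs)
        if any("reject" in r for r in recs):
            verdict = "rejected in SMTP dialog"
        elif peer in LOOPBACK:
            verdict = "local submission"
        elif from_rec is None or from_rec.get("nrcpts", "0") == "0":
            verdict = "no recipients accepted"
        elif sent_on:
            verdict = "relayed to another host"
        else:
            verdict = "accepted, no outbound delivery logged"
        result[qid] = (verdict, peer)
    return result
```

Run `classify()` over a day of /var/log/maillog and look only at the 'relayed to another host' entries whose peer is not one of your own networks; the two entries from the question come out as a rejection and a loopback submission, not as relaying.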


RE: Load balancing outgoing mail relay

2007-01-17 Thread Michael K. Smith - Adhost
Hello:

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:owner-freebsd-
 [EMAIL PROTECTED] On Behalf Of freebsd
 Sent: Wednesday, January 17, 2007 2:34 AM
 To: FreeBSD Questions
 Subject: Load balancing outgoing mail relay
 
 Hi
  I have a simple question but googling does not lead to a valid/usable
 answer.
 I need to load balance OUTGOING emails. I have several smart hosts. I
 need
 my internal SMTP server to send mail using ALL of the smart hosts
 together,
 making some kind of load balancing (no need for weighted one).
 Someone pointed out to use a name for the smart host, and have DNS to
 resolve that name to the IP of all the relays (multiple A records) but
 this
 turned out in doing failover, not load balancing.
 Anyone has a *working* idea for solving this apparently simple
problem?
 Thanks
 

PF will definitely do what you want via its round-robin and redirect
features.  You would redirect all inbound traffic on port 25 to your
smart host group/table which would then load balance across all of your
servers.  In pf.conf, something like the following, with the
understanding that there are other things you may need to do first
before a pf config will work:

int_if = "em1"  # replace with the interface name from your machine
ext_if = "em0"  # replace with the interface name from your machine

smart_host_01 = "192.168.1.1"
smart_host_02 = "192.168.1.2"
smart_host_03 = "192.168.1.3"
mail_server_01 = "10.1.1.1"

# the smart hosts go in a table; pf refers to tables in angle brackets
table <smtp_roundrobin> persist { \
    $smart_host_01, \
    $smart_host_02, \
    $smart_host_03 \
}

# redirect the internal mail server's outbound SMTP to the table,
# choosing a different member for each new connection
rdr on $int_if proto tcp from $mail_server_01 to any port 25 -> \
    <smtp_roundrobin> round-robin

The configuration can become more granular (complex) by including NAT
and ALTQ if you want to do rate-shaping.

Regards,

Mike

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Load balancing outgoing mail relay

2007-01-17 Thread freebsd

Hi
I have a simple question but googling does not lead to a valid/usable 
answer.
I need to load balance OUTGOING emails. I have several smart hosts. I need 
my internal SMTP server to send mail using ALL of the smart hosts together, 
making some kind of load balancing (no need for a weighted one).
Someone pointed out to use a name for the smart host, and have DNS 
resolve that name to the IP of all the relays (multiple A records) but this 
turned out to do failover, not load balancing.

Does anyone have a *working* idea for solving this apparently simple problem?
Thanks



Re: Load balancing outgoing mail relay

2007-01-17 Thread Charles Trevor

freebsd wrote:

Hi
I have a simple question but googling does not lead to a valid/usable 
answer.
I need to load balance OUTGOING emails. I have several smart hosts. I 
need my internal SMTP server to send mail using ALL of the smart hosts 
together, making some kind of load balancing (no need for a weighted one).
Someone pointed out to use a name for the smart host, and have DNS 
resolve that name to the IP of all the relays (multiple A records) but 
this turned out to do failover, not load balancing.

Does anyone have a *working* idea for solving this apparently simple problem?
Thanks



This (multiple A records) works for me, at least approximately. Both 
Bind and MS DNS will round robin when multiple A records exist for the 
same hostname. What is your setup?


Charlie



Re: Load balancing outgoing mail relay

2007-01-17 Thread freebsd

This (multiple A records) works for me, at least approximately. Both
Bind and MS DNS will round robin when multiple A records exist for the
same hostname. What is your setup?


FreeBSD 6.2 with Sendmail (initially) and now postfix.
MS DNS with round robin (and TTL set to 0 on the records).
Resolving with nslookup gives something like:
smarthost.domain.tld
192.168.0.1, 192.168.0.2, 192.168.0.3

If I kill 192.168.0.1 then it goes on the second one. But this is failover, 
and I need (approximately) load balancing.
I understand this is related to the MTA and not to the OS, but hopefully 
someone solved this problem using Sendmail or Postfix, which are both used on 
FreeBSD.

Thanks




Re: Load balancing outgoing mail relay

2007-01-17 Thread Noel Jones


FreeBSD 6.2 with Sendmail (initially) and now postfix.
MS DNS with round robin (and TTL set to 0 on the records).
Resolving with nslookup gives something like:
smarthost.domain.tld
192.168.0.1, 192.168.0.2, 192.168.0.3

If I kill 192.168.0.1 then it goes on the second one. But this is failover,
and I need (approximately) load balancing.


Postfix will always internally shuffle equal-weight MX records (or
multiple A records if there is no MX).  I think sendmail does this
also.

This will not give strict round-robin use of the smarthosts, but over
thousands of messages will give an equal share to each host.

It sounds as if the host has primary/secondary MX records and you
haven't disabled MX lookups for the relayhost.  Use in main.cf
relayhost = [smarthost.domain.tld]
As documented, the brackets are required to disable MX lookups.

You may want to adjust initial_destination_concurrency_limit and
default_destination_concurrency_limit if your smarthosts will allow
more than the default 20 connections.

If sending small amounts of mail, postfix connection caching may
interfere with observed load sharing.  You may want to turn off
smtp_connection_cache_on_demand if sending small amounts of mail, but
leave it on if sending thousands of messages at a time.



--
Noel Jones


Re: Load balancing outgoing mail relay

2007-01-17 Thread Charles Trevor

freebsd wrote:

This (multiple A records) works for me, at least approximately. Both
Bind and MS DNS will round robin when multiple A records exist for the
same hostname. What is your setup?


FreeBSD 6.2 with Sendmail (initially) and now postfix.
MS DNS with round robin (and TTL set to 0 on the records).
Resolving with nslookup gives something like:
smarthost.domain.tld
192.168.0.1, 192.168.0.2, 192.168.0.3

If I kill 192.168.0.1 then it goes on the second one. But this is 
failover, and I need (approximately) load balancing.
I understand this is related to the MTA and not to the OS, but hopefully 
someone solved this problem using Sendmail or Postfix, which are both used 
on FreeBSD.

Thanks



What happens if you do multiple dig/nslookups for smarthost.domain.tld. 
Are the records returned in a different order each time? If not the 
problem may be at the NS.


Charlie


Re: Load balancing outgoing mail relay

2007-01-17 Thread Noel Jones

On 1/17/07, Charles Trevor [EMAIL PROTECTED] wrote:


What happens if you do multiple dig/nslookups for smarthost.domain.tld.
Are the records returned in a different order each time? If not the
problem may be at the NS.



Nope.  Postfix shuffles equal-weight MX records internally, so it
doesn't matter what order the NS presents them.  Multiple A records
without an MX record (or when MX lookups are suppressed) are treated
as equal-weight MX records per RFC.

This is likely a postfix configuration problem.  The original poster
should seek further help on the postfix-users list.
http://www.postfix.org/DEBUG_README.html#mail


--
Noel Jones


RE: Not quite mail relay

2003-09-15 Thread Derrick Ryalls
I think I figured it out.  The qmail-smtpd.c patch for SMTP AUTH had an
exploit.  It did require authentications, but it didn't care what
credentials you threw at it, so long as you sent something.

On that note, does anyone know of a way to get SMTP AUTH working with
qmail without being an accidental relay?




Re: Not quite mail relay

2003-09-15 Thread Gary
Hello Derrick,

Monday, September 15, 2003, 10:57:57 AM, you wrote:

D I think I figured it out.  The qmail-smtpd.c patch for SMTP AUTH had an
D exploit.  It did require authentications, but it didn't care what
D credentials you threw at it, so long as you sent something.

Yes, there are/were a few SMTP auth patches put up by people who did not
fully give the correct instructions on how to install with regards to the
smtpd run file. qmail by itself has never had a security breach.

Chances are you have a misconfigured qmail-smtpd run file, which some of
these sites for patches have put up erroneously, causing this error.

An explanation and fix is in the thread at

http://marc.theaimsgroup.com/?l=qmailm=105452174430616w=2

Or, you can do the following:

If you have the current source code and the patch you applied, you
should be able to use patch -R to apply the patch in reverse, which
will essentially remove it from qmail.

If you don't know what qmail patches you have, it's probably best
to re-install from scratch, so in the future you know how your system
is configured. It just takes a few minutes to install from source.

D On that note, does anyone know of a way to get SMTP AUTH working with
D qmail without being an accidental relay?

See above link for probable fix, or

Yes, install qmail from source, run make setup check, and pick a good auth
patch from lifewithqmail.org A good one is

http://members.elysium.pl/brush/qmail-smtpd-auth/index.html


-- 
Best regards,
 Gary 



Not quite mail relay

2003-09-13 Thread Derrick Ryalls
I am looking for a way to further secure a mail server.  It isn't an open
relay, but when others try to use it as such with bad return addresses, a
small flood of rejection mail ends up on the bad addresses' server.
 
Ex.
 
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
 
hotmail ends up with a ton of bounce msgs and thinks the server is a relay.
How would I go about just dropping those msgs completely?
 
Qmail is the mail server, but I was hoping someone would have an idea.
 
-Derrick


Re: Not quite mail relay

2003-09-13 Thread Gary
Hello Derrick,

Saturday, September 13, 2003, 12:02:01 PM, you wrote:

D I am looking for a way to further secure a mail server.

A mail server is either secure or not, not half way... it's like being
half pregnant.  If you installed qmail properly and from lifewithqmail.org
it is secure by default.

D It isn't an open relay, but when others try to use it as such with bad
D return addresses, a small flood of rejection mail ends up on the bad
D addresses' server.

Is it at your server?  If not so ..

Spammers forge return addresses all the time. This has nothing to do with
qmail.  If they are using a forged return address, they are not using your
server.

D Ex.
 
D To: [EMAIL PROTECTED]
D From: [EMAIL PROTECTED]
 
D hotmail ends up with a ton of bounce msgs

Bounces are a normal part of email life.

D  and thinks the server is a relay.

No they don't. Email admins look at the last sender IP address in the
headers, which is the only valid address; all others are usually forged.

D How would I go about just dropping those msgs completely?

Are you saying you are getting bounced messages from your domain, or are
you getting messages from hotmail, just what are you saying.. Are they
coming from one source, one From sender, what?
 
D Qmail is the mail server, but I was hoping someone would have an idea.

Yes, but you have to provide more info rather than speculate on what you
are having  a problem with.  Are you an open relay? Check your logs? If
so, something is not configured properly.  If you are just getting bounces
from your own domain, and someone is forging your domain as the sender or
return address in their spam, that is called a Joe-Job.

-- 
Best regards,
 Gary 



RE: Not quite mail relay

2003-09-13 Thread Derrick Ryalls
 
 D Ex.
  
 D To: [EMAIL PROTECTED]
 D From: [EMAIL PROTECTED]
  
 D hotmail ends up with a ton of bounce msgs
 
 Bounces are a normal part of email life.
 
 D  and thinks the server is a relay.
 
 No they don't. Email admins look at the last sender IP 
 address in the headers, which is the only valid address; all 
 others are usually forged.

What I am referring to is the unable to deliver email that qmail sends
to hotmail has an unknown user.  Hotmail then bounces the mail back to
my brother's server as an undeliverable, and since it is then a double
bounce, it lands in my brother's inbox (mailer-daemon goes to him).
Today, he has received over 6000 bounced msgs.

  
 D Qmail is the mail server, but I was hoping someone would have an 
 D idea.
 
 Yes, but you have to provide more info rather than speculate 
 on what you are having  a problem with.  Are you an open 
 relay? Check your logs? If so, something is not configured 
 properly.  If you are just getting bounces from your own 
 domain, and someone is forging your domain as the sender or 
 return address in their spam, that is called a Joe-Job.

In the /var/qmail/control, only his domains are listed.  In tcp.rules,
only localhost can relay email.  Normal clients can only send mail with
SMTP-AUTH.




RE: Not quite mail relay

2003-09-13 Thread Gary
Hi Derrick,

--On Saturday, September 13, 2003 05:10:17 PM -0700 Derrick Ryalls 
[EMAIL PROTECTED] wrote:

No they don't. Email admins look at the last sender IP
address in the headers, which is the only valid address; all
others are usually forged.
What I am referring to is the unable to deliver email that qmail sends
to hotmail has an unknown user.
If it is his qmail server, then someone is probably relaying through him. 
He can determine this through his logs.

If someone is just using one of his email addresses, and he is not a relay, 
then he is getting Joe-Jobbed.. You have not determined this yet.

Hotmail then bounces the mail back to
my brother's server as an undeliverable, and since it is then a double
bounce, it lands in my brother's inbox (mailer-daemon goes to him).
Today, he has received over 6000 bounced msgs.
Okay, if your question is only - how do I stop double bounces from getting 
into my system, then here is the answer.

1. Change the /var/qmail/control/doublebounceto file to read only one line 
saying obvilion (without the quotes)

2. Set up an alias in the /var/qmail/alias dir, and make a file called
.qmail-obvilion
3. Edit the file and put in a # (no quotes) on one line by itself.

Now, all double bounces will be directed to nowhere, and disappear.

Yes, but you have to provide more info rather than speculate
on what you are having  a problem with.  Are you an open
relay? Check your logs? If so, something is not configured
properly.  If you are just getting bounces from your own
domain, and someone is forging your domain as the sender or
return address in their spam, that is called a Joe-Job.

In the /var/qmail/control, only his domains are listed.
That would be /var/qmail/control/rcpthosts file. If he does not have that 
file, he is an open relay and sitting duck.

In tcp.rules,
only localhost can relay email.  Normal clients can only send mail with
SMTP-AUTH.
There is no tcp.rules file in qmail. The local file is called 
/var/qmail/control/locals, and localhost and his domain(s) should be 
listed there, but not virtual domains.

As above, if he does not check his logs, and read his headers, he has no 
way of knowing if he is relaying, or suffering from a Joe-Job. There are 
other ways spammers try to get in, and if he is running a web server, have 
him also check to make sure he is not running formmail.cgi or pl

--
Gary
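As an added example (not from this thread), a small Python script that does what Gary recommends: read the Received headers of the bounced message to decide whether the spam actually passed through your own MTA (and, if so, from which IP, so you can grep the logs for it), whether it was injected on the host itself (a web form script, say), or whether someone merely forged your domain, the Joe-Job case. The host names, addresses and IPs in the samples are constructed.

```python
import re
from email import message_from_string

# Matches the common "from HELO (rdns [ip]) by HOST" shape of a Received header.
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:\S+\s+)?\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")

def received_hops(raw_message):
    """Return (helo, ip, by) per Received header, oldest hop first.
    Each MTA prepends its own Received line, so the top one is the newest."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(hdr.split()))  # unfold continuation lines
        if m:
            hops.append((m["helo"], m["ip"], m["by"]))
    hops.reverse()
    return hops

def classify(raw_message, my_ips, my_domains):
    """Did the bounced spam really transit our MTA, or was our domain forged?"""
    msg = message_from_string(raw_message)
    hops = received_hops(raw_message)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    for i, (_helo, ip, _by) in enumerate(hops):
        if ip in my_ips:
            # The next MTA recorded our address: the message really left our host.
            if i == 0:  # nothing handed it to us over SMTP: injected locally
                return {"verdict": "submitted-locally", "origin_ip": None}
            return {"verdict": "relayed", "origin_ip": hops[i - 1][1]}
    if sender_domain in my_domains:  # our name forged, our host never involved
        return {"verdict": "joe-job", "origin_ip": hops[0][1] if hops else None}
    return {"verdict": "unrelated", "origin_ip": None}

# Constructed samples: the headers of the undelivered message as a bounce
# would return them (addresses, host names and IPs are made up).
# 1. Spam that a third party pushed through mail.example.net (192.0.2.10).
RELAYED = """Received: from mail.example.net (mail.example.net [192.0.2.10])
  by mx.hotmail.example with ESMTP; Sat, 13 Sep 2003 10:00:00 -0700
Received: from dsl-77.isp.example (dsl-77.isp.example [198.51.100.77])
  by mail.example.net (qmail) with SMTP; Sat, 13 Sep 2003 09:59:58 -0700
From: someone@example.net
To: nobody@hotmail.example

spam
"""
# 2. Spam sent from elsewhere with a forged example.net sender (a Joe-Job).
JOE_JOB = """Received: from open-proxy.example (unknown [203.0.113.5])
  by mx.hotmail.example with ESMTP; Sat, 13 Sep 2003 10:01:00 -0700
From: "Someone" <someone@example.net>
To: nobody@hotmail.example

spam
"""
# 3. Spam that originated on the host itself, e.g. via a web form script.
LOCAL = """Received: from www.example.net (www.example.net [192.0.2.10])
  by mx.hotmail.example with ESMTP; Sat, 13 Sep 2003 10:02:00 -0700
From: webmaster@example.net
To: nobody@hotmail.example

spam
"""
```

Run it as `classify(RELAYED, {"192.0.2.10"}, {"example.net"})` and so on; for the relayed case the returned origin_ip is the address to search for in the SMTP logs at the timestamps from the headers.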


Mail relay

2003-05-30 Thread DanB
How do I stop mail relaying  with Apache?  My mail server has been black
listed.

Dan



Re: Mail relay

2003-05-30 Thread Stephen Hovey

someone is probably using formmail.pl - pull it! or hard code the address
the form info is sent to within the formmail script.

On Fri, 30 May 2003, DanB wrote:

 How do I stop mail relaying  with Apache?  My mail server has been black
 listed.
 
 Dan
 
 



Somewhat OT - authenticating sendmail to the verizon mail relay

2002-09-29 Thread Louis LeBlanc

Hey all.  I'm having a strange time getting mail out to the FreeBSD
list.  It was fine before, until I moved to a DSL connection.  So far
as I can tell, the only real difference is that my new IP doesn't
resolve to anything.  Thanks to zoneedit.com, however, my domain does
resolve to my IP.

Here's what I have in sendmail.cf:

OSTYPE(freebsd4)
DOMAIN(generic)

dnl undefine(`UUCP_RELAY')
dnl undefine(`BITNET_RELAY')

define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')
dnl define(`confTO_IDENT',`0')
define(`confTRUSTED_USER', `cyrus')
define(`confLOCAL_MAILER', `cyrus')

DAEMON_OPTIONS(`M=u')

FEATURE(`accept_unresolvable_domains')
FEATURE(`accept_unqualified_senders')
FEATURE(access_db, `hash -T<TMPF> /etc/mail/access')
dnl FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(relay_based_on_MX)
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
FEATURE(`nocanonify')
dnl FEATURE(`always_add_domain')

define(`SMART_HOST', `smtp:outgoing.verizon.net')
MASQUERADE_AS(outgoing.verizon.net)
FEATURE(masquerade_envelope)
FEATURE(`authinfo', `hash -o /etc/mail/authinfo')

. . .

I'm sure it has to do with the fact that Verizon's outgoing mail 
server requires a username and password to do relaying.  I know 
Sendmail can do this, but I can't understand the sendmail README info 
on it.  I've gotten as far as the `authinfo' FEATURE, but I don't 
think I'm creating the authinfo correctly.  I put the following entry 
in /etc/mail/authinfo:

AuthInfo:outgoing.verizon.net U:MyUserID P:MyPW

and I don't think I'm creating the hash correctly:
makemap hash /etc/mail/authinfo
but that just hung.  Something's bogus somewhere and I can't quite 
find it.

Until I can get this fixed, I'll probably have trouble from time to
time with some of the more tightly configured MTAs, because I've
commented out the last four lines there (dnl).  Unfortunately, I think 
the FreeBSD list is one of them - so I'm stuck with Netscape for now.

Any help is greatly appreciated.

TIA

Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

What the scientists have in their briefcases is terrifying.
 -- Nikita Khrushchev


To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message