Re: Open Mail Relay
> Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?

Another popular hack is uploading a PHP script using bugs in a CMS or wiki. Once you have a message with accurate timestamps in the headers, check the web logs at those times, too.

R's,
John
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: Open Mail Relay
> Date: Sun, 15 Aug 2010 07:57:23 -0400
> To: freebsd-questions@freebsd.org
> From: pe...@vfemail.net
> Subject: Re: Open Mail Relay
>
> At 05:13 PM 8/14/2010, Robert Bonomi wrote:
>>> Date: Sat, 14 Aug 2010 09:29:54 -0400
>>> To: freebsd-questions@freebsd.org
>>> From: pe...@vfemail.net
>>> Subject: Open Mail Relay
>>>
>>> I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix. I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests. I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent. Is Abuse.net's test adequate to rule out an open mail relay problem?
>>
>> There are -several- possible sources of spam to that list user. The abuse.net open-relay tests check only one of them. The machine may be compromised (i.e. 'owned') and the bad guys have installed their -own- mail-sending software on it. The logs that show activity from _your_ mail-sending software would, obviously, *not* show the activity of this other software. In addition, whatever mailing list said user is subscribed to _may_ be set to take messages from 'anybody', not just confirmed members of the list. Thirdly, some folks sign up for a list _just_ to send their off-topic commercial messages to it. NONE of those three scenarios are an 'open relay', but they all result in spam showing up in the list-subscriber's mailbox, that got there by _from_ your machine.
>
> Thank you everyone for your many comments and suggestions. The level of talent and responsiveness on this list is nothing less than stunning. I've requested copies of the offensive messages, and I'm hopeful the complainer will send me copies.
>
> I believe I have control over the majordomo lists -- postings are restricted to list members, postings are monitored, and many lists are moderated.
>
> Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?

*IF* the machine has been compromised, then you're going to have a -very- difficult time finding it, using any tools _on_ the box. It's not uncommon for the bad guys to install 'modified' (to use a polite word for it) versions of system utilities, and/or run-time-loading system libraries, that selectively 'edit out' information that they don't want you to see. E.g., a modified ps(1) will -not- show the 'bot' process that is spewing mail.

A _second_ machine, on the same LAN, using something like 'tcpdump' to monitor outbound port 25 traffic from the first box, can show you if there are 'things happening' that are not being reported in the log files.

_Finding_ the offending code, after you've established that it *is* happening, is a whole nuther can of worms. _If_ you have something like an up-to-date 'tripwire' database, with fingerprints of every installed executable, you can boot from alternate media (say the 'live CD' image), and look for things where the fingerprint has changed.

If you establish a compromise -has- occurred, about the only way to *ensure* that the machine is 'trustworthy' again is to back up all application *data*, wipe the drive(s) {as in 'dd if=/dev/zero of=/dev/ad??'}, and re-install everything FROM SCRATCH.

NOTE: This _is_ a 'worst case' scenario. Odds are that when you see the 'full headers' on the 'offending' messages, it will turn out to be something else entirely.

Comment: someone who _knows_ what they're talking about would not simply make the bald assertion 'you have an open relay' -- they would *know* that that statement _alone_ is insufficient to get to the root of the problem and fix it. They would, at a minimum, identify the _type_ of traffic that was being relayed (e.g. 'from is spoofed as your domain'), or would provide several copies of the offending traffic, _before_ being asked. Based on this, the 'quality' of the original complainant's is somewhat suspect itself.

Probably the most _common_ situation is a spammer signs up to a mailing list, *NOT* to spam _through_ it, but to collect the email addresses of those who post _to_ the mailing list. And they then send junk email to those people directly. Now, if somebody is using a 'unique' email address for that mailing list, they *can* jump to the conclusion that 'anything' to that address must have come from/through your servers. I haven't seen anybody doing this kind of thing 'smart enough' so as to make it appear (in received headers) that it originated from the mailing-list server; it's
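The 'tripwire database' check described in the reply above, as an added example that is not code from the thread or from tripwire itself: record a SHA-256 fingerprint, mode and size of every regular file under a directory once, keep that baseline off the machine, and later (booted from known-good media with the suspect disk mounted, so a modified ps(1) or a trojaned libc cannot hide anything) compare the current files against it. The demo_tamper() function builds a throwaway directory tree so the check runs offline; the file names inside it are illustrative only.

```python
"""Tripwire-style fingerprint baseline and comparison (added example)."""
import hashlib
import json
import os
import shutil
import tempfile


def fingerprint(path, chunk=1 << 20):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> [sha256, mode, size] for every regular file under root.
    Symlinks are skipped; their targets are fingerprinted under their own paths."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = [fingerprint(full), st.st_mode, st.st_size]
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON. Keep this copy off the monitored machine."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, root):
    """Sorted lists of files whose fingerprint/mode/size changed, appeared, or vanished."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo_tamper():
    """Constructed scenario: baseline a small tree, tamper with it, return the report."""
    root = tempfile.mkdtemp(prefix="fpdemo-")     # the 'monitored disk'
    store = tempfile.mkdtemp(prefix="fpstore-")   # where the baseline lives (off-box)
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "lib"))
        for rel, data in (("bin/ps", b"original ps binary"),
                          ("bin/netstat", b"original netstat binary"),
                          ("lib/libexample.so", b"original shared object")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Tamper, the way a rootkit would: replace a tool, drop in an extra
        # binary, remove a library.
        with open(os.path.join(root, "bin/ps"), "ab") as fh:
            fh.write(b" + patched to hide the bot")
        with open(os.path.join(root, "bin/extra"), "wb") as fh:
            fh.write(b"unexpected mailer")
        os.remove(os.path.join(root, "lib/libexample.so"))

        return compare(load_baseline(baseline_file), root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(store, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo_tamper(), indent=1))
```

The comparison is only as good as the baseline: it has to be taken before any compromise and stored somewhere the box cannot rewrite it, and the comparison run must use a kernel and tools that did not come from the suspect disk.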
Re: Open Mail Relay
> From owner-freebsd-questi...@freebsd.org Sun Aug 15 15:15:43 2010
> Date: Sun, 15 Aug 2010 22:15:57 +0200
> From: Erik Norgaard norga...@locolomo.org
> To: freebsd-questions@freebsd.org
> Subject: Re: Open Mail Relay
>
> On 15/08/10 13.57, pe...@vfemail.net wrote:
>> Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?
>
> If the messages are indeed relayed through your server then you can see it in the logs and in the Received header field which host is sending the mail to your server.

*IF* it is just a case of the 'intended to be used' mail server is mis-configured, and allowing relaying, that is correct.

*IF*, OTOH, the machine has been broken-into/compromised/owned, then the 'bad guys' are fully capable of installing their _own_ mail-sending software -- software that does *NOT* record anything in the normal log files. This kind of software is 'maliciously built' to leave *no* tracks with regard to incoming _or_ outgoing connections from/to other hosts.

> If somebody forges mail to appear to come from your domain, but not relayed through your server there is really not much you can do. Only the recipient server can reject the mails. Some servers support spf and you can help other servers know that mail from your domain must originate from your server by adding a txt entry in your dns.
>
> BR, Erik
Re: Open Mail Relay
At 05:13 PM 8/14/2010, Robert Bonomi wrote:
>> From owner-freebsd-questi...@freebsd.org Sat Aug 14 12:22:50 2010
>> Date: Sat, 14 Aug 2010 09:29:54 -0400
>> To: freebsd-questions@freebsd.org
>> From: pe...@vfemail.net
>> Subject: Open Mail Relay
>>
>> I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix. I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests. I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent. Is Abuse.net's test adequate to rule out an open mail relay problem?
>
> There are -several- possible sources of spam to that list user. The abuse.net open-relay tests check only one of them. The machine may be compromised (i.e. 'owned') and the bad guys have installed their -own- mail-sending software on it. The logs that show activity from _your_ mail-sending software would, obviously, *not* show the activity of this other software. In addition, whatever mailing list said user is subscribed to _may_ be set to take messages from 'anybody', not just confirmed members of the list. Thirdly, some folks sign up for a list _just_ to send their off-topic commercial messages to it. NONE of those three scenarios are an 'open relay', but they all result in spam showing up in the list-subscriber's mailbox, that got there by _from_ your machine.

Thank you everyone for your many comments and suggestions. The level of talent and responsiveness on this list is nothing less than stunning. I've requested copies of the offensive messages, and I'm hopeful the complainer will send me copies.

I believe I have control over the majordomo lists -- postings are restricted to list members, postings are monitored, and many lists are moderated.

Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?
Re: Open Mail Relay
On Aug 15, 2010, at 6:57 AM, pe...@vfemail.net wrote:
> I've requested copies of the offensive messages, and I'm hopeful the complainer will send me copies.
>
> I believe I have control over the majordomo lists -- postings are restricted to list members, postings are monitored, and many lists are moderated.
>
> Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?

In my experience, if they were relaying through your machine you'd still see it in the logs. Look for the time/date of the emails you get from the complainant and see if anything matches up. Then use the IPs to track down who might be doing it. A little detective work can go a long way.

--
Ryan
Re: Open Mail Relay
On 15/08/2010 12:57, pe...@vfemail.net wrote:
> At 05:13 PM 8/14/2010, Robert Bonomi wrote:
>>> From owner-freebsd-questi...@freebsd.org Sat Aug 14 12:22:50 2010
>>> Date: Sat, 14 Aug 2010 09:29:54 -0400
>>> To: freebsd-questions@freebsd.org
>>> From: pe...@vfemail.net
>>> Subject: Open Mail Relay
>>>
>>> I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix. I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests. I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent. Is Abuse.net's test adequate to rule out an open mail relay problem?
>>
>> There are -several- possible sources of spam to that list user. The abuse.net open-relay tests check only one of them. The machine may be compromised (i.e. 'owned') and the bad guys have installed their -own- mail-sending software on it. The logs that show activity from _your_ mail-sending software would, obviously, *not* show the activity of this other software. In addition, whatever mailing list said user is subscribed to _may_ be set to take messages from 'anybody', not just confirmed members of the list. Thirdly, some folks sign up for a list _just_ to send their off-topic commercial messages to it. NONE of those three scenarios are an 'open relay', but they all result in spam showing up in the list-subscriber's mailbox, that got there by _from_ your machine.
>
> Thank you everyone for your many comments and suggestions. The level of talent and responsiveness on this list is nothing less than stunning. I've requested copies of the offensive messages, and I'm hopeful the complainer will send me copies.
>
> I believe I have control over the majordomo lists -- postings are restricted to list members, postings are monitored, and many lists are moderated.
>
> Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?

You need the headers, that's what they're there for!

--
Paul Macdonald
IFDNRG Ltd
Web and video hosting
t: 0131 5548070
m: 07534206249
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
IFDNRG
40 Maritime Street
Edinburgh
EH6 6SA
Re: Open Mail Relay
On 15/08/10 13.57, pe...@vfemail.net wrote:
> Assume, as Mr. Bonomi suggests, that some bad guy has installed some type of additional mailer on the machine or another machine that's allowed to relay mail. How would I go about locating that other mailer?

If the messages are indeed relayed through your server then you can see it in the logs and in the Received header field which host is sending the mail to your server.

If somebody forges mail to appear to come from your domain, but not relayed through your server, there is really not much you can do. Only the recipient server can reject the mails. Some servers support SPF, and you can help other servers know that mail from your domain must originate from your server by adding a TXT entry in your DNS.

BR, Erik
Open Mail Relay
I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix.

I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests.

I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent.

Is Abuse.net's test adequate to rule out an open mail relay problem?
Re: Open Mail Relay
On 14.08.2010 17:29, pe...@vfemail.net wrote:
> I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent.

You can try it yourself, with telnet and proper SMTP commands. For example, telnet from outside of your organization to your mail server and issue:

    ehlo mydomain.com
    mail from: foo...@example.com
    rcpt to: foo...@example.org
    data
    test mail
    .

You actually have to get an error message about relay denied for you. If you don't - you're in trouble. If you do receive such a message - your relay is closed, and probably you have spam worms who send emails from a legit user, or something like that.

Be well.
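The telnet recipe above in scripted form, as an added example that is not code from the thread: it speaks plain SMTP over a socket against your own MTA and stops at RCPT TO. A closed relay answers that command with a 5xx (or, under greylisting, a 4xx) for a recipient outside its own domains, so there is no need to send DATA and actually push a message through. As the reply says, run it from a host outside any network the MTA already trusts; a test from a trusted address proves nothing about the outside world. The host name, HELO name and probe addresses are placeholders.

```python
"""Relay self-test for your own MTA (added example, not from the thread)."""
import io
import socket
import sys


def read_reply(stream):
    """Read one SMTP reply, joining multi-line ('250-...') replies; return (code, text)."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)


def parse_reply_bytes(data):
    """Convenience wrapper so a captured reply can be parsed without a socket."""
    return read_reply(io.BytesIO(data))


def rcpt_verdict(code):
    """Interpret the reply to RCPT TO for a recipient the MTA is not responsible for."""
    if code in (250, 251):
        return "open-relay"            # recipient accepted: the MTA would relay it
    if 500 <= code < 600:
        return "relay-denied"          # permanent refusal, the answer you want
    if 400 <= code < 500:
        return "temporarily-refused"   # greylisting or temp-fail: retest later
    return "unexpected"


def relay_test(host, port=25, helo="probe.example.net",
               sender="probe@example.com", rcpt="probe@example.org", timeout=20):
    """Return (verdict, transcript); the transcript is what you would see in telnet."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")

        def command(cmd):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            code, text = read_reply(stream)
            transcript.append(f"C: {cmd}")
            transcript.append(f"S: {code} {text}")
            return code

        code, text = read_reply(stream)          # greeting banner
        transcript.append(f"S: {code} {text}")
        if code != 220:
            return "unexpected", transcript
        command(f"EHLO {helo}")
        if command(f"MAIL FROM:<{sender}>") != 250:
            verdict = "sender-refused"           # cannot judge relaying from here
        else:
            verdict = rcpt_verdict(command(f"RCPT TO:<{rcpt}>"))
        command("RSET")                          # abandon the transaction, nothing is sent
        command("QUIT")
    return verdict, transcript


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"   # placeholder host
    verdict, transcript = relay_test(target)
    print("\n".join(transcript))
    print("verdict:", verdict)
```

Two points the verdict table encodes: a 4xx on RCPT TO is not proof of a closed relay (greylisting defers everyone once, so repeat the test after the greylist window), and a refusal at MAIL FROM tells you nothing either way, so the script reports that separately instead of calling it denied.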
Re: Open Mail Relay
On Aug 14, 2010, at 9:29 AM, pe...@vfemail.net wrote:
> I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix. I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests. I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent. Is Abuse.net's test adequate to rule out an open mail relay problem?

Peter,

I usually attempt to send from a remote site myself directly before I sign off on closing that hole. In addition I always request that the complaint include a complete copy of all offending messages so that I can properly examine the headers. It is entirely conceivable that the complaint about an open relay is valid, but not from your server but an impostor. In that case you could try setting a SPF record in your DNS to help reduce such impersonations, although that is not a guarantee.

If you have any questions ping me off list.

Regards,
Mikel King
Senior Editor, BSD News Network
Columnist, BSD Magazine
CEO, Olivent Technologies
~because IT matters~
http://olivent.com
6 Alpine Court, Medford, NY 11763
o: 631.627.3055
http://www.linkedin.com/in/mikelking
http://twitter.com/mikelking
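The SPF record that this reply and Erik's suggest, as an added example that is not code from the thread: build_record() produces the TXT value to publish for your domain, and check_spf() evaluates such a record the way a receiving MTA does for a given sending IP. It handles the ip4:, ip6: and all mechanisms with their qualifiers; the a:, mx:, include: and redirect terms need DNS lookups and are deliberately not implemented. The record and addresses are constructed. What the example makes visible is the limitation both replies mention: the record only helps when the receiving server evaluates it, and a softfail (~all) policy still leaves the decision to the recipient.

```python
"""Minimal SPF record builder and evaluator (added example, not from the thread)."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_record(addresses, policy="-"):
    """TXT value listing our sending addresses/networks, then the policy for everyone else.
    policy '-' means fail (reject), '~' means softfail (mark, do not reject)."""
    terms = ["v=spf1"]
    for addr in addresses:
        net = ipaddress.ip_network(addr, strict=False)   # validates the address
        terms.append(f"ip{net.version}:{addr}")
    terms.append(f"{policy}all")
    return " ".join(terms)


def parse_spf(record):
    """Split a v=spf1 record into (result, mechanism, argument) triples in order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                                   # default qualifier is pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((QUALIFIERS[qual], name.lower(), arg))
    return parsed


def check_spf(record, sender_ip):
    """Result a receiving MTA reaches for a connection from sender_ip claiming our domain."""
    ip = ipaddress.ip_address(sender_ip)
    for result, mech, arg in parse_spf(record):
        if mech == "all":
            return result                            # 'all' matches everything left
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        else:
            raise NotImplementedError(f"mechanism '{mech}' needs DNS lookups")
    return "neutral"                                 # nothing matched, no 'all' term


if __name__ == "__main__":
    record = build_record(["192.0.2.10", "2001:db8::/32"])     # constructed addresses
    print(record)
    for probe in ("192.0.2.10", "198.51.100.77", "2001:db8::1"):
        print(f"{probe:>16} -> {check_spf(record, probe)}")
```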
Re: Open Mail Relay
On 14/08/10 15.29, pe...@vfemail.net wrote:
> I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix.

When somebody complains that they receive spam via your relay they must at the very least forward one of the offending mails to you so you can study the header. If they deleted the message simply instruct that the next spam mail is forwarded to you.

In the header you can check the Received headers to see if it actually passed through your server: first check IP and hostname, then see if the message ID appears in your logs. It is far too easy to forge a mail that appears to come from your server or domain. If so, the Received fields will also show where the offending mail was sent from so you can act on it.

If he's a subscriber to a list, could it be that somebody sent spam through the list?

> I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests. I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent. Is Abuse.net's test adequate to rule out an open mail relay problem?

I don't know about this site, but it should be easy to check your logs for their connections and see what action is taken.

BR, Erik
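The header check that this reply, Ryan's, John's and Erik's earlier one describe, as one added example that is not code from the thread: read the Received: headers of the forwarded complaint from the bottom up, decide whether the message ever passed through our server, record which host handed it to us and when (the timestamp to search the mail and web logs for), and look the message up in our sendmail log by queue ID and Message-ID. Our host name and IP, the two sample messages and the log lines are all constructed; the second message is a forgery whose HELO name claims to be our server but whose recorded IP is not ours.

```python
"""Trace a complaint's Received chain and correlate it with the MTA log (added example)."""
import email
import re
from email.utils import parsedate_to_datetime

OUR_HOSTS = {"mail.example.org", "192.0.2.10"}     # assumed: our MTA's name and address

# Constructed: a message that really went through our server.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.complainer.example (Postfix) with ESMTP id 4F2AB
\tfor <victim@complainer.example>; Sat, 14 Aug 2010 09:31:02 -0400
Received: from dsl-198-51-100-77.example.net (unknown [198.51.100.77])
\tby mail.example.org (8.14.3/8.14.3) with ESMTP id o7EDUxAb012345
\tfor <list@example.org>; Sat, 14 Aug 2010 09:30:59 -0400
Message-ID: <20100814133059.GA1234@spammer.example>
From: "List Post" <someone@example.com>
To: list@example.org
Subject: buy now

body
"""

# Constructed: a forgery. The sender said HELO mail.example.org, but the
# receiving MX recorded the real peer address in brackets, and it is not ours.
FORGED_MESSAGE = """\
Received: from mail.example.org (unknown [203.0.113.99])
\tby mx.complainer.example (Postfix) with ESMTP id 7C11D
\tfor <victim@complainer.example>; Sat, 14 Aug 2010 11:02:40 -0400
Message-ID: <zzz@mail.example.org>
From: peter@example.org
To: victim@complainer.example
Subject: forged

body
"""

# Constructed sendmail log lines for the first message.
SAMPLE_MAILLOG = """\
Aug 14 09:30:59 mail sm-mta[12345]: o7EDUxAb012345: from=<someone@example.com>, size=812, class=0, nrcpts=1, msgid=<20100814133059.GA1234@spammer.example>, proto=ESMTP, daemon=MTA, relay=dsl-198-51-100-77.example.net [198.51.100.77]
Aug 14 09:31:00 mail sm-mta[12346]: o7EDUxAb012345: to=<victim@complainer.example>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30812, relay=mx.complainer.example. [203.0.113.5], dsn=2.0.0, stat=Sent (Ok)
""".splitlines()

FROM_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
ID_RE = re.compile(r"\bid\s+(\S+?)(?:;|\s|$)", re.I)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9a-f.:]+)\]", re.I)


def parse_received(raw):
    """Return (message, hops) with hops ordered oldest first, i.e. bottom Received: first."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(hdr.split())                  # unfold continuation lines
        frm, by, qid = FROM_RE.search(hdr), BY_RE.search(hdr), ID_RE.search(hdr)
        ip = IP_RE.search(frm.group(2)) if frm else None
        date = hdr.rsplit(";", 1)[1].strip() if ";" in hdr else None
        hops.append({
            "from": frm.group(1) if frm else None,   # HELO name: unverified, sender-chosen
            "from_ip": ip.group(1) if ip else None,  # address seen by the receiving host
            "by": by.group(1) if by else None,
            "id": qid.group(1) if qid else None,
            "date": parsedate_to_datetime(date) if date else None,
        })
    return msg, hops


def trace(raw, our_hosts=OUR_HOSTS, maillog=SAMPLE_MAILLOG):
    """Did this message pass through us, who gave it to us, and what does our log say?"""
    msg, hops = parse_received(raw)
    msgid = msg.get("Message-ID", "").strip()
    our_hop = next((h for h in hops if h["by"] in our_hosts), None)
    result = {"passed_through_us": our_hop is not None, "message_id": msgid,
              "handed_to_us_by": None, "received_at": None, "queue_id": None,
              "log_lines": [], "hops": hops}
    if our_hop:
        result["handed_to_us_by"] = our_hop["from_ip"] or our_hop["from"]
        result["received_at"] = our_hop["date"].isoformat() if our_hop["date"] else None
        result["queue_id"] = our_hop["id"]
        result["log_lines"] = [line for line in maillog
                               if msgid in line or (our_hop["id"] and our_hop["id"] in line)]
    return result


if __name__ == "__main__":
    for name, raw in (("genuine", SAMPLE_MESSAGE), ("forged", FORGED_MESSAGE)):
        r = trace(raw)
        print(name, "passed through us:", r["passed_through_us"],
              "| handed to us by:", r["handed_to_us_by"], "| at:", r["received_at"])
        for line in r["log_lines"]:
            print("   ", line)
```

Only the 'by' clauses written by hosts you trust are evidence; the 'from' name is whatever the connecting client said in HELO, which is why the genuine message is attributed to 198.51.100.77 (the bracketed address our server recorded) rather than to the DSL host name it presented.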
Re: Open Mail Relay
On Sat, Aug 14, 2010 at 8:29 AM, pe...@vfemail.net wrote:
> I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix.

Insufficient data. The person reporting the spam needs to provide you with a copy of the mail, including all headers, so you can see if it came from your server, or who sent it through your server. Most likely suspects are another list member's infected machine sending out spam to the list, or an outright forgery that never went through your server.

> I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests.

Then it's unlikely your server is an open relay. But you may need to add some spam filtering to your lists, or at least restrict posting to members only.

--
Noel Jones
Re: Open Mail Relay
On Sat, Aug 14, 2010 at 9:29 AM, pe...@vfemail.net wrote:
> I have a machine running FreeBSD, sendmail and majordomo. I have someone who is on one of those majordomo lists complaining that they are receiving spam from me. The complainer says I have an open mail relay that I need to fix. I went to http://www.abuse.net/relay.html to test the machine using its IP address. Abuse.net gives a clean bill of health, saying relaying was denied in 17 separate tests. I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent. Is Abuse.net's test adequate to rule out an open mail relay problem?

In previous weeks, I have received continuous messages about sending spam messages from my IP. They started by sending messages about undelivered mails which claimed to be originated from my computer. Later, they started to send me suggestions about how to remove a proxy server acquired in my computer which is sending bulk spam messages. All of their text suggestions were complete executable codes. All of the messages were using faked names of my ISP officials. They tried very hard to infect my computer. At the end I have sent a complaint message to my ISP authorities. After that, even I have received many such messages. These days they are not sending such messages, or they are prevented by my ISP systems, I do not know.

Based on such an experience, please be careful about such claims, and do not try to decompose their message attachments because the names of the message attachments are also not related to the content they contain. Use programs to dissect such messages without making any harm to your systems, for example convert their extensions to .txt and try to read them with a text editor. If they are really texts, they should be readable. Even the content of some messages was completely executable binary.

I think some criminals started to perform such a ploy to infect computers by persuading users to try to clean their computers by applying their advices based on generated fear on attacked persons.

Thank you very much.
Mehmet Erol Sanliturk
Re: Open Mail Relay
On 8/14/10 11:05 AM, Mikhail wrote:
> On 14.08.2010 17:29, pe...@vfemail.net wrote:
>> I've reviewed my mail logs for the past couple of days and I can't find any entries for any mail addressed to the complainer's domain name except mail that should have been sent.
>
> You can try it yourself, with telnet and proper SMTP commands. For example, telnet from outside of your organization to your mail server and issue:
>
>     ehlo mydomain.com
>     mail from: foo...@example.com
>     rcpt to: foo...@example.org
>     data
>     test mail
>     .
>
> You actually have to get an error message about relay denied for you. If you don't - you're in trouble. If you do receive such a message - your relay is closed, and probably you have spam worms who send emails from a legit user, or something like that.

The basic test, but hardly sufficient to determine if all the known ways of fooling an SMTP server are accounted for. Recall from the OP's description:

> saying relaying was denied in 17 separate tests.

The above also can be an issue if you do the test from an IP address that the SMTP server has been configured to treat as trusted.

--Jon Radel
j...@radel.com
Re: Open Mail Relay
> Is Abuse.net's test adequate to rule out an open mail relay problem?

It's pretty thorough, and most MTAs have default configurations that don't permit relay, so it's much less of a problem than it was when I wrote the tester many years ago. I don't try to check for weak SMTP AUTH passwords, a hole that some spamware exploits, so if you do AUTH, it's conceivable that could be it.

In your case, though, I would wait for the complainer to forward you a message or two with headers so you can figure out where the spam is coming from.

Regards,
John Levine, postmas...@abuse.net, http://www.abuse.net, Trumansburg NY
abuse.net postmaster
open mail relay with ipv6??
Is this an open relay using IPv6? If so, how do I block the IPv6 relay? I thought after sendmail v8.9, all relay action was blocked by default.

maillog entry:

    Nov 10 15:01:11 hostname sm-mta[8989]: mAAL021C008989: from=[EMAIL PROTECTED], size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
    Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=[EMAIL PROTECTED], relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address [EMAIL PROTECTED] does not resolve
    Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: from=[EMAIL PROTECTED], size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]

sockstat -6:

    USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
    root     sendmail   8284  5  tcp6   *:25                  *:*
    root     sshd       1520  3  tcp6   *:5960                *:*
    root     ntpd       1010  5  udp6   *:123                 *:*
    root     ntpd       1010  9  udp6   fe80:6::1:123         *:*
    root     ntpd       1010  10 udp6   ::1:123               *:*
    root     syslogd    927   6  udp6   *:514                 *:*
Re: open mail relay with ipv6??
Mark Busby wrote:
> Is this an open relay using IPv6? If so, how do I block the IPv6 relay? I thought after sendmail v8.9, all relay action was blocked by default.

You haven't given sufficient information to say whether the machine is an open relay or not. We'd need to see the configuration files (well, the .mc file that is processed to produce the eventual sendmail.cf) plus potentially the contents of the access DB.

However, you are correct: nowadays the default sendmail configuration is to block relaying, and you have to deliberately add configuration settings to enable any permitted relays. If you're using the default configuration shipped with FreeBSD, then it is not an open relay.

> maillog entry:
>
>     Nov 10 15:01:11 hostname sm-mta[8989]: mAAL021C008989: from=[EMAIL PROTECTED], size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
>     Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=[EMAIL PROTECTED], relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address [EMAIL PROTECTED] does not resolve
>     Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: from=[EMAIL PROTECTED], size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]

This certainly doesn't indicate a message being inappropriately relayed. The attempt to send the message is rejected with a permanent error code (ie. tell the sender to bounce the message as undeliverable and not to re-queue it for another attempt at delivery later). I think it's also doing the correct thing and rejecting the e-mail during the SMTP dialog rather than accepting the message for delivery and then later sending a bounce-o-gram to the listed sender address. Google for 'backscatter spam' in order to understand why the latter course of action is a bad idea.

> sockstat -6:
>
>     USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>     root     sendmail   8284  5  tcp6   *:25                  *:*
>     root     sshd       1520  3  tcp6   *:5960                *:*
>     root     ntpd       1010  5  udp6   *:123                 *:*
>     root     ntpd       1010  9  udp6   fe80:6::1:123         *:*
>     root     ntpd       1010  10 udp6   ::1:123               *:*
>     root     syslogd    927   6  udp6   *:514                 *:*

You've got sendmail listening on all interfaces for IPv6 connections. This is appropriate if you expect the machine to receive incoming e-mails. If that's not the case, then set sendmail_enable='NO' in /etc/rc.conf. This will give you a send-only configuration with a sendmail listener bound to the loopback address (typically both ::1 and 127.0.0.1).

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey
Ramsgate, Kent, CT11 9PW
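The reading of the maillog that the reply above performs by eye, as an added example that is not code from the thread: it parses the key=value fields sm-mta writes (the same layout as the lines quoted above), groups records by queue ID, and says for each message whether it was refused during the SMTP dialogue (a reject= record, nrcpts=0), never got an accepted recipient, was delivered for a local submission, or was accepted from an outside client and handed on to another host, which is the trace an open relay leaves. The verdict also separates 4xx (temporary) from 5xx (permanent) reject codes. The log lines are constructed after the format in the thread; addresses in them are placeholders.

```python
"""Classify sendmail maillog entries per queue ID (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: two rejected/unfinished attempts like the ones in the
# thread, one message relayed from an outside client to an outside MX, and one
# locally submitted outbound message.
SAMPLE_LOG = """\
Nov 10 15:01:11 hostname sm-mta[8989]: mAAL021C008989: from=<user@example.com>, size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=<user@nonexistent.invalid>, relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address user@nonexistent.invalid does not resolve
Nov 10 15:01:17 hostname sm-mta[8989]: mAAL021D008989: from=<user@nonexistent.invalid>, size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 15:02:03 hostname sm-mta[9001]: mAAL023F009001: from=<someone@example.net>, size=1200, class=0, nrcpts=1, msgid=<abc@example.net>, proto=ESMTP, daemon=MTA, relay=[198.51.100.77]
Nov 10 15:02:04 hostname sm-mta[9002]: mAAL023F009001: to=<victim@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31200, relay=mx.example.org. [203.0.113.5], dsn=2.0.0, stat=Sent (Ok)
Nov 10 15:03:10 hostname sm-mta[9010]: mAAL0241G009010: from=<root@hostname.example.org>, size=300, class=0, nrcpts=1, msgid=<cron@hostname>, relay=root@localhost
Nov 10 15:03:11 hostname sm-mta[9011]: mAAL0241G009010: to=<admin@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30300, relay=mx.example.org. [203.0.113.5], dsn=2.0.0, stat=Sent (Ok)
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>\S+?)\[(?P<pid>\d+)\]:\s+(?P<qid>\w+):\s+(?P<rest>.*)$")

LOCAL_MARKERS = ("localhost", "127.0.0.1", "IPv6:::1")   # peers that are this machine


def parse_line(line):
    """Return {'ts', 'host', 'qid', 'fields'} or None for a line not in sm-mta format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("rest").split(", "):      # sendmail separates fields with ', '
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return {"ts": m.group("ts"), "host": m.group("host"),
            "qid": m.group("qid"), "fields": fields}


def is_local(relay):
    """True when the relay= peer is this machine itself (or absent, as for mailer=local)."""
    return relay is None or any(marker in relay for marker in LOCAL_MARKERS)


def summarize(lines):
    """Per queue ID: submitting client, destinations, reject text and a verdict."""
    by_qid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_qid[rec["qid"]].append(rec)
    report = {}
    for qid, recs in by_qid.items():
        fields = [r["fields"] for r in recs]
        from_f = next((f for f in fields if "from" in f), {})
        reject = next((f for f in fields if "reject" in f), None)
        sent_to = [f for f in fields if "to" in f and f.get("stat", "").startswith("Sent")]
        client = from_f.get("relay") or (reject or {}).get("relay")
        if reject:
            code = reject["reject"][:3]
            verdict = "rejected-temporary" if code.startswith("4") else "rejected-permanent"
        elif sent_to:
            offsite = any(not is_local(f.get("relay")) for f in sent_to)
            # Accepted from a non-local client and sent on to a non-local host:
            # that is what relaying looks like in the log.
            verdict = "relayed" if offsite and not is_local(client) else "delivered"
        elif from_f.get("nrcpts") == "0":
            verdict = "no-recipients-accepted"
        else:
            verdict = "pending"
        report[qid] = {"client": client,
                       "destinations": [f.get("relay") for f in sent_to],
                       "reject": reject["reject"] if reject else None,
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for qid, info in summarize(SAMPLE_LOG).items():
        print(f"{qid}: {info['verdict']:<24} client={info['client']} "
              f"to={info['destinations']} reject={info['reject']}")
```

On a real log, a 'relayed' verdict is only a problem when the client is outside the networks and authenticated users the MTA is meant to serve; the script flags the pattern, and the access DB and RELAY_DOMAIN settings decide whether it was legitimate.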
RE: Load balancing outgoing mail relay
Hello:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED] On Behalf Of freebsd
> Sent: Wednesday, January 17, 2007 2:34 AM
> To: FreeBSD Questions
> Subject: Load balancing outgoing mail relay
>
> Hi
>
> I have a simple question but googling does not lead to a valid/usable answer. I need to load balance OUTGOING emails. I have several smart hosts. I need my internal SMTP server to send mail using ALL of the smart hosts together, making some kind of load balancing (no need for a weighted one). Someone pointed out to use a name for the smart host, and have DNS resolve that name to the IP of all the relays (multiple A records) but this turned out in doing failover, not load balancing.
>
> Anyone has a *working* idea for solving this apparently simple problem?
>
> Thanks

PF will definitely do what you want via its round-robin and redirect features. You would redirect all inbound traffic on port 25 to your smart host group/table which would then load balance across all of your servers.

In pf.conf, something like the following, with the understanding that there are other things you may need to do first before a pf config will work:

    int_if = "em1"              # replace with the interface name from your machine
    ext_if = "em0"              # replace with the interface name from your machine
    smart_host_01 = "192.168.1.1"
    smart_host_02 = "192.168.1.2"
    smart_host_03 = "192.168.1.3"
    mail_server_01 = "10.1.1.1"

    # the pool of smart hosts; pf picks one of them per new connection
    table <smtp_roundrobin> persist { \
        $smart_host_01, \
        $smart_host_02, \
        $smart_host_03 \
    }

    # redirect the internal mail server's outbound SMTP to the pool, rotating through it
    rdr on $int_if proto tcp from $mail_server_01 to any port 25 -> <smtp_roundrobin> round-robin

The configuration can become more granular (complex) by including NAT and ALTQ if you want to do rate-shaping.

Regards,
Mike
Load balancing outgoing mail relay
Hi

I have a simple question but googling does not lead to a valid/usable answer. I need to load balance OUTGOING emails. I have several smart hosts. I need my internal SMTP server to send mail using ALL of the smart hosts together, making some kind of load balancing (no need for a weighted one). Someone pointed out to use a name for the smart host, and have DNS resolve that name to the IP of all the relays (multiple A records) but this turned out in doing failover, not load balancing.

Anyone has a *working* idea for solving this apparently simple problem?

Thanks
Re: Load balancing outgoing mail relay
freebsd wrote:
> Hi,
> I have a simple question, but googling does not lead to a valid/usable answer.
> I need to load balance OUTGOING emails. I have several smart hosts. I need my
> internal SMTP server to send mail using ALL of the smart hosts together,
> making some kind of load balancing (no need for a weighted one).
> Someone pointed out to use a name for the smart host and have DNS resolve
> that name to the IPs of all the relays (multiple A records), but this turned
> out to do failover, not load balancing.
> Does anyone have a *working* idea for solving this apparently simple problem?
> Thanks

This (multiple A records) works for me, at least approximately. Both Bind and MS DNS will round robin when multiple A records exist for the same hostname.

What is your setup?

Charlie
Re: Load balancing outgoing mail relay
> This (multiple A records) works for me, at least approximately. Both Bind and
> MS DNS will round robin when multiple A records exist for the same hostname.
> What is your setup?

FreeBSD 6.2 with Sendmail (initially) and now Postfix. MS DNS with round robin (and TTL set to 0 on the records). Resolving with nslookup gives something like:

    smarthost.domain.tld    192.168.0.1, 192.168.0.2, 192.168.0.3

If I kill 192.168.0.1 then it goes on to the second one. But this is failover, and I need (approximately) load balancing.

I understand this is related to the MTA and not to the OS, but hopefully someone has solved this problem using Sendmail or Postfix, which are both used on FreeBSD.

Thanks
Re: Load balancing outgoing mail relay
> FreeBSD 6.2 with Sendmail (initially) and now postfix. MS DNS with round
> robin (and TTL set to 0 on the records). Resolving with nslookup gives
> something like:
>
>     smarthost.domain.tld    192.168.0.1, 192.168.0.2, 192.168.0.3
>
> If I kill 192.168.0.1 then it goes on the second one. But this is failover,
> and I need (approximately) load balancing.

Postfix will always internally shuffle equal-weight MX records (or multiple A records if there is no MX). I think sendmail does this also. This will not give strict round-robin use of the smarthosts, but over thousands of messages will give an equal share to each host.

It sounds as if the host has primary/secondary MX records and you haven't disabled MX lookups for the relayhost. Use in main.cf:

    relayhost = [smarthost.domain.tld]

As documented, the brackets are required to disable MX lookups.

You may want to adjust initial_destination_concurrency_limit and default_destination_concurrency_limit if your smarthosts will allow more than the default 20 connections.

If sending small amounts of mail, postfix connection caching may interfere with observed load sharing. You may want to turn off smtp_connection_cache_on_demand if sending small amounts of mail, but leave it on if sending thousands of messages at a time.

-- 
Noel Jones
Re: Load balancing outgoing mail relay
freebsd wrote:
>> This (multiple A records) works for me, at least approximately. Both Bind
>> and MS DNS will round robin when multiple A records exist for the same
>> hostname. What is your setup?
>
> FreeBSD 6.2 with Sendmail (initially) and now Postfix. MS DNS with round
> robin (and TTL set to 0 on the records). Resolving with nslookup gives
> something like:
>
>     smarthost.domain.tld    192.168.0.1, 192.168.0.2, 192.168.0.3
>
> If I kill 192.168.0.1 then it goes on to the second one. But this is
> failover, and I need (approximately) load balancing.
>
> I understand this is related to the MTA and not to the OS, but hopefully
> someone has solved this problem using Sendmail or Postfix, which are both
> used on FreeBSD.
> Thanks

What happens if you do multiple dig/nslookups for smarthost.domain.tld? Are the records returned in a different order each time? If not, the problem may be at the NS.

Charlie
Re: Load balancing outgoing mail relay
On 1/17/07, Charles Trevor [EMAIL PROTECTED] wrote:
> What happens if you do multiple dig/nslookups for smarthost.domain.tld?
> Are the records returned in a different order each time? If not, the
> problem may be at the NS.

Nope. Postfix shuffles equal-weight MX records internally, so it doesn't matter what order the NS presents them. Multiple A records without an MX record (or when MX lookups are suppressed) are treated as equal-weight MX records per RFC.

This is likely a postfix configuration problem. The original poster should seek further help on the postfix-users list.
http://www.postfix.org/DEBUG_README.html#mail

-- 
Noel Jones
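Noel's two replies claim that Postfix shuffles equal-weight relays itself, so the per-smarthost share should even out over many messages regardless of what the NS returns. The share that was actually used can be read off the mail log. This is an added example, not code from the thread; it assumes the standard Postfix smtp(8) log line format ("relay=host[ip]:port ... status=sent") and runs on constructed log lines.

```shell
#!/bin/sh
# Tally which smarthost Postfix handed each message to, from maillog lines.
# Only successful hand-offs (status=sent) are counted, so deferred or
# bounced attempts do not skew the share.

# Constructed sample log lines (not real traffic): three smarthosts behind
# one relayhost name, four deliveries, one deferral.
SAMPLE_LOG='Jan 17 10:00:01 mx postfix/smtp[2001]: 1A2B3C: to=<a@example.org>, relay=smarthost.domain.tld[192.168.0.2]:25, delay=0.5, status=sent (250 Ok)
Jan 17 10:00:02 mx postfix/smtp[2001]: 4D5E6F: to=<b@example.org>, relay=smarthost.domain.tld[192.168.0.1]:25, delay=0.4, status=sent (250 Ok)
Jan 17 10:00:03 mx postfix/smtp[2002]: 7G8H9I: to=<c@example.org>, relay=smarthost.domain.tld[192.168.0.3]:25, delay=0.6, status=sent (250 Ok)
Jan 17 10:00:04 mx postfix/smtp[2002]: 0J1K2L: to=<d@example.org>, relay=smarthost.domain.tld[192.168.0.1]:25, delay=0.3, status=sent (250 Ok)
Jan 17 10:00:05 mx postfix/qmgr[1500]: 0J1K2L: removed
Jan 17 10:00:06 mx postfix/smtp[2003]: 3M4N5O: to=<e@example.org>, relay=none, delay=30, status=deferred (connection timed out)'

# relay_share: read log lines on stdin, print "ip count percent" per
# smarthost, most used first.
relay_share() {
    awk '
        /postfix\/smtp\[/ && /status=sent/ {
            if (match($0, /relay=[^,]*\[[0-9.]+\]/)) {
                r = substr($0, RSTART, RLENGTH)
                sub(/.*\[/, "", r); sub(/\]$/, "", r)   # keep only the IP
                n[r]++; total++
            }
        }
        END {
            for (ip in n) printf "%s %d %.0f%%\n", ip, n[ip], 100 * n[ip] / total
        }' | sort -k2,2nr -k1,1
}

# relay_count: number of distinct smarthosts seen. Fewer than configured
# usually means MX lookups are still on (relayhost without the brackets)
# or a host is down; only one means no load sharing is happening at all.
relay_count() {
    relay_share | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | relay_share
```

Run it against the real log with `grep postfix/smtp /var/log/maillog | relay_share` once enough messages have gone out for the shares to be meaningful.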
RE: Not quite mail relay
I think I figured it out. The qmail-smtpd.c patch for SMTP AUTH had an exploit. It did require authentication, but it didn't care what credentials you threw at it, so long as you sent something.

On that note, does anyone know of a way to get SMTP AUTH working with qmail without being an accidental relay?
Re: Not quite mail relay
Hello Derrick,

Monday, September 15, 2003, 10:57:57 AM, you wrote:

D> I think I figured it out. The qmail-smtpd.c patch for SMTP AUTH had an
D> exploit. It did require authentication, but it didn't care what
D> credentials you threw at it, so long as you sent something.

Yes, there are/were a few SMTP auth patches put up by people who did not fully give the correct instructions on how to install with regards to the smtpd run file. qmail by itself has never had a security breach. Chances are you have a misconfigured qmail-smtpd run file, which some of these sites for patches have put up erroneously, causing this error.

An explanation and fix is in the thread at
http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

Or, you can do the following:

If you have the current source code and the patch you applied, you should be able to use patch -R to apply the patch in reverse, which will essentially remove it from qmail.

If you don't know what qmail patches you have, it's probably best to re-install from scratch, so in the future you know how your system is configured. It just takes a few minutes to install from source.

D> On that note, does anyone know of a way to get SMTP AUTH working with
D> qmail without being an accidental relay?

See above link for probable fix, or: yes, install qmail from source, run make setup check, and pick a good auth patch from lifewithqmail.org. A good one is
http://members.elysium.pl/brush/qmail-smtpd-auth/index.html

-- 
Best regards,
Gary
Not quite mail relay
I am looking for a way to further secure a mail server. It isn't an open relay, but when others try to use it as such with bad return addresses, a small flood of rejection mail ends up on the bad addressed server.

Ex.
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]

hotmail ends up with a ton of bounce msgs and thinks the server is a relay.

How would I go about just dropping those msgs completely? Qmail is the mail server, but I was hoping someone would have an idea.

-Derrick
Re: Not quite mail relay
Hello Derrick,

Saturday, September 13, 2003, 12:02:01 PM, you wrote:

D> I am looking for a way to further secure a mail server.

A mail server is either secure or not, not half way... it's like being half pregnant. If you installed qmail properly and from lifewithqmail.org it is secure by default.

D> It isn't an open relay, but when others try to use it as such with bad
D> return addresses, a small flood of rejection mail ends up on the bad
D> addressed server.

Is it at your server? If not so... Spammers forge return addresses all the time. This has nothing to do with qmail. If they are using a forged return address, they are not using your server.

D> Ex.
D> To: [EMAIL PROTECTED]
D> From: [EMAIL PROTECTED]
D> hotmail ends up with a ton of bounce msgs

Bounces are a normal part of email life.

D> and thinks the server is a relay.

No they don't. Email admins look at the last sender IP address in the headers, which is the only valid address; all others are usually forged.

D> How would I go about just dropping those msgs completely?

Are you saying you are getting bounced messages from your domain, or are you getting messages from hotmail? Just what are you saying? Are they coming from one source, one From sender, what?

D> Qmail is the mail server, but I was hoping someone would have an idea.

Yes, but you have to provide more info rather than speculate on what you are having a problem with. Are you an open relay? Check your logs. If so, something is not configured properly. If you are just getting bounces from your own domain, and someone is forging your domain as the sender or return address in their spam, that is called a Joe-Job.

-- 
Best regards,
Gary
RE: Not quite mail relay
> D> Ex.
> D> To: [EMAIL PROTECTED]
> D> From: [EMAIL PROTECTED]
> D> hotmail ends up with a ton of bounce msgs
>
> Bounces are a normal part of email life.
>
> D> and thinks the server is a relay.
>
> No they don't. Email admins look at the last sender IP address in the
> headers, which is the only valid address; all others are usually forged.

What I am referring to is the unable-to-deliver email that qmail sends to hotmail for an unknown user. Hotmail then bounces the mail back to my brother's server as undeliverable, and since it is then a double bounce, it lands in my brother's inbox (mailer-daemon goes to him). Today, he has received over 6000 bounced msgs.

> D> Qmail is the mail server, but I was hoping someone would have an
> D> idea.
>
> Yes, but you have to provide more info rather than speculate on what you
> are having a problem with. Are you an open relay? Check your logs. If so,
> something is not configured properly. If you are just getting bounces from
> your own domain, and someone is forging your domain as the sender or
> return address in their spam, that is called a Joe-Job.

In /var/qmail/control, only his domains are listed. In tcp.rules, only localhost can relay email. Normal clients can only send mail with SMTP-AUTH.
RE: Not quite mail relay
Hi Derrick,

--On Saturday, September 13, 2003 05:10:17 PM -0700 Derrick Ryalls [EMAIL PROTECTED] wrote:

>> No they don't. Email admins look at the last sender IP address in the
>> headers, which is the only valid address; all others are usually forged.
>
> What I am referring to is the unable-to-deliver email that qmail sends to
> hotmail for an unknown user.

If it is his qmail server, then someone is probably relaying through him. He can determine this through his logs. If someone is just using one of his email addresses, and he is not a relay, then he is getting Joe-Jobbed. You have not determined this yet.

> Hotmail then bounces the mail back to my brother's server as undeliverable,
> and since it is then a double bounce, it lands in my brother's inbox
> (mailer-daemon goes to him). Today, he has received over 6000 bounced msgs.

Okay, if your question is only "how do I stop double bounces from getting into my system", then here is the answer.

1. Change the /var/qmail/control/doublebounceto file to read only one line saying "obvilion" (without the quotes).
2. Set up an alias in the /var/qmail/alias dir, and make a file called .qmail-obvilion
3. Edit the file and put in a "#" (no quotes) on one line by itself.

Now, all double bounces will be directed to nowhere, and disappear.

>> Yes, but you have to provide more info rather than speculate on what you
>> are having a problem with. Are you an open relay? Check your logs. If so,
>> something is not configured properly. If you are just getting bounces
>> from your own domain, and someone is forging your domain as the sender or
>> return address in their spam, that is called a Joe-Job.
>
> In /var/qmail/control, only his domains are listed.

That would be the /var/qmail/control/rcpthosts file. If he does not have that file, he is an open relay and a sitting duck.

> In tcp.rules, only localhost can relay email. Normal clients can only send
> mail with SMTP-AUTH.

There is no tcp.rules file in qmail.

The local file is called /var/qmail/control/locals, and localhost and his domain(s) should be listed there, but not virtual domains.

As above, if he does not check his logs and read his headers, he has no way of knowing if he is relaying, or suffering from a Joe-Job.

There are other ways spammers try to get in, and if he is running a web server, have him also check to make sure he is not running formmail.cgi or .pl.

-- 
Gary
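The control files Gary names above (rcpthosts must exist, doublebounceto should name a sink alias whose .qmail file is just "#") lend themselves to a quick audit. This is an added example, not code from the thread or from qmail itself; it assumes the standard /var/qmail layout, takes the directory as an argument so it can be run against a copy, and the alias name "oblivion" in the demo is an arbitrary choice.

```shell
#!/bin/sh
# qmail_relay_audit DIR: report relay-relevant misconfigurations under DIR
# (default /var/qmail). Returns the number of findings; 0 means clean.
qmail_relay_audit() {
    dir="${1:-/var/qmail}"
    findings=0

    # 1. Without a non-empty rcpthosts, qmail-smtpd accepts mail for any
    #    domain: that is the open relay Gary warns about.
    if [ ! -s "$dir/control/rcpthosts" ]; then
        echo "FAIL: $dir/control/rcpthosts missing or empty: qmail-smtpd will relay for anyone"
        findings=$((findings + 1))
    fi

    # 2. doublebounceto should hold exactly one alias name.
    target="$(head -n1 "$dir/control/doublebounceto" 2>/dev/null || true)"
    if [ -z "$target" ]; then
        echo "WARN: doublebounceto unset: double bounces land in postmaster's mailbox"
        findings=$((findings + 1))
    else
        # 3. The .qmail file for that alias must exist (otherwise the double
        #    bounce itself bounces) and should contain only "#" to discard.
        alias_file="$dir/alias/.qmail-$target"
        if [ ! -f "$alias_file" ]; then
            echo "FAIL: doublebounceto=$target but $alias_file does not exist"
            findings=$((findings + 1))
        elif [ "$(grep -v '^#' "$alias_file" | grep -c .)" -ne 0 ]; then
            echo "INFO: $alias_file delivers somewhere instead of discarding"
        fi
    fi
    return "$findings"
}

# Demo on a constructed layout (a temporary directory, not a real install).
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/control" "$demo_dir/alias"
echo 'example.com' > "$demo_dir/control/rcpthosts"
echo 'oblivion'    > "$demo_dir/control/doublebounceto"
echo '#'           > "$demo_dir/alias/.qmail-oblivion"
qmail_relay_audit "$demo_dir" && echo "OK: no findings"
rm -rf "$demo_dir"
```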
Mail relay
How do I stop mail relaying with Apache? My mail server has been black listed.

Dan
Re: Mail relay
Someone is probably using formmail.pl - pull it! Or hard code the address the form info is sent to within the formmail script.

On Fri, 30 May 2003, DanB wrote:
> How do I stop mail relaying with Apache? My mail server has been black
> listed.
>
> Dan
Somewhat OT - authenticating sendmail to the verizon mail relay
Hey all.

I'm having a strange time getting mail out to the FreeBSD list. It was fine before, until I moved to a DSL connection. So far as I can tell, the only real difference is that my new IP doesn't resolve to anything. Thanks to zoneedit.com, however, my domain does resolve to my IP.

Here's what I have in sendmail.cf:

    OSTYPE(freebsd4)
    DOMAIN(generic)
    dnl undefine(`UUCP_RELAY')
    dnl undefine(`BITNET_RELAY')
    define(`confBIND_OPTS',`-DNSRCH -DEFNAMES')
    dnl define(`confTO_IDENT',`0')
    define(`confTRUSTED_USER', `cyrus')
    define(`confLOCAL_MAILER', `cyrus')
    DAEMON_OPTIONS(`M=u')
    FEATURE(`accept_unresolvable_domains')
    FEATURE(`accept_unqualified_senders')
    FEATURE(access_db, `hash -TTMPF /etc/mail/access')
    dnl FEATURE(blacklist_recipients)
    FEATURE(local_lmtp)
    FEATURE(relay_based_on_MX)
    FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')
    FEATURE(`nocanonify')
    dnl FEATURE(`always_add_domain')
    define(`SMART_HOST', `smtp:outgoing.verizon.net')
    MASQUERADE_AS(outgoing.verizon.net)
    FEATURE(masquerade_envelope)
    FEATURE(`authinfo', `hash -o /etc/mail/authinfo')
    . . .

I'm sure it has to do with the fact that Verizon's outgoing mail server requires a username and password to do relaying. I know Sendmail can do this, but I can't understand the sendmail README info on it. I've gotten as far as the `authinfo' FEATURE, but I don't think I'm creating the authinfo correctly. I put the following entry in /etc/mail/authinfo:

    AuthInfo:outgoing.verizon.net U:MyUserID P:MyPW

and I don't think I'm creating the hash correctly:

    makemap hash /etc/mail/authinfo

but that just hung. Something's bogus somewhere and I can't quite find it.

Until I can get this fixed, I'll probably have trouble from time to time with some of the more tightly configured MTAs, because I've commented out the last four lines there (dnl). Unfortunately, I think the FreeBSD list is one of them - so I'm stuck with Netscape for now.

Any help is greatly appreciated.

TIA
Lou
-- 
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

What the scientists have in their briefcases is terrifying.
    -- Nikita Khrushchev
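Two things about the authinfo step above are worth checking mechanically before rebuilding the map: the source file holds a cleartext relay password and should be readable by its owner only, and sendmail's documented authinfo syntax is AuthInfo:host followed by double-quoted fields such as "U:user" "P:secret". This is an added example, not code from the thread; it assumes that documented syntax and that makemap(8) reads its input from standard input, which is why a bare makemap with no redirect sits waiting on the terminal.

```shell
#!/bin/sh
# authinfo_lint FILE: print one line per problem; return 0 when clean.
authinfo_lint() {
    f="$1"; rc=0

    # The file contains the relay password in cleartext: owner-only access.
    mode="$(ls -l "$f" | cut -c2-10)"
    case "$mode" in
        rw-------|r--------) ;;
        *) echo "$f: permissions $mode, expected rw------- (chmod 600)"; rc=1 ;;
    esac

    # Each entry: AuthInfo:host, then one or more double-quoted tag:value
    # fields, and at least a user (U:) and a password (P:) among them.
    awk -v file="$f" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }                 # blank or comment
        !/^AuthInfo:[^ \t]+([ \t]+"[A-Z]:[^"]*")+[ \t]*$/ {
            printf "%s:%d: malformed entry (fields must be double-quoted)\n", file, NR
            bad = 1; next
        }
        !/"U:/ || !/"P:/ {
            printf "%s:%d: missing \"U:\" or \"P:\" field\n", file, NR
            bad = 1
        }
        END { exit bad }' "$f" || rc=1

    return $rc
}

# authinfo_build FILE: lint, then build the hash map. makemap reads the
# source on stdin, so the redirect is what keeps it from hanging.
authinfo_build() {
    authinfo_lint "$1" || return 1
    makemap hash "$1" < "$1"
}

# Demo on a constructed file with placeholder credentials (not real ones).
demo="$(mktemp)"
printf 'AuthInfo:outgoing.verizon.net "U:MyUserID" "P:MyPW"\n' > "$demo"
chmod 600 "$demo"
authinfo_lint "$demo" && echo "lint ok"
rm -f "$demo"
```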