Tech or Treat! Write an article about your scariest tech disaster to win gadgets!Learn more

x
?
Solved

Sendmail (IP maybe forged)

Posted on 2008-06-17
14
Medium Priority
?
839 Views
Last Modified: 2013-12-17
I have an email server running on Fedora Core 7 version 8.13.14. The server is working fine, but i have a problem with one of our networks in other city.

If connect to the server via Telnet from that network and type ehlo, i received a message saying "customer-xxx-xx-xxx-xx.somedomain [xxx.xx.xxx.xx] (maybe forged), pleased to meet you"
Then the problem is that no matter what computer or account im trying to send from does not work. If i put the network on SPAM CONTROL (access), the address can send emails to external accounts like hotmail, yahoo, but not local delivery, i don't receive any bounce back messages from the server. I searched on google and experts-exchange, and it seems to be a problem with dns, i also checked my domain and ip address on dnstuff.com, and it seems to be ok, th ptr points to my mailserver.

Any ideas.
0
Comment
Question by:DoradoITTeam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 2
  • +1
14 Comments
 
LVL 14

Expert Comment

by:kenfcamp
ID: 21827687
Hello DoradoITTeam

Put simply,  After sendmail does a hostname look-up on the IP address of the connecting client, the IP addresses of that hostname are looked up. If the client IP address does not appear in that list, then the may be forged tag is added.

0
 
LVL 26

Expert Comment

by:jar3817
ID: 21830885
Based on the format of your hostname (customer-xxx-xx-xxx-xx.somedomain), it looks very generic if not dynamic. Having your IP address embedded in your hostname is going to cause problems with sending email. It looks dynamic to many spam filters and therefore your mail will get tagged, put in spam folders or rejected. You should ask your isp to change it to something specific like mail.youdomain.com or smtp.yourdomain.com. If they wont, it probably means you're on a residential or non-commercial connection and probably shouldn't be sending mail anyway.

Kenfcamp is right though, you get the "(may be forged)" because your DNS forward and reverse records don't match:

customer-xxx-xx-xxx-xx.somedomain points to xxx.xx.xxx.xx but xxx.xx.xxx.x doesn't point to customer-xxx-xx-xxx-xx.somedomain
0
 

Author Comment

by:DoradoITTeam
ID: 21832108
The reverse DNS on the server side matches, but i have particular problems on the other network not being able to send emails:


Server Network                                                                              Network with problems

IP = xxx.xx.xxx.xx ---------------  (INTERNET) -------------------    Public IP: yyy.yy.yyy.yy
Domain: mydomain.com                                                                NAT: zzz.zzz.zzz.z
 
I can send email from every other network but this network, i tried adding the network to spam control and allow relay to that specific network but does not work.




0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 26

Expert Comment

by:jar3817
ID: 21832159
post your sendmail.mc file so we can see how sendmail on the nonworking server is configured.
0
 

Author Comment

by:DoradoITTeam
ID: 21832234
Here is sendmail.mc
divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
define(`confLOG_LEVEL', `14')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`mail.dorado-sf.com.mx')
dnl #FEATURE(`authinfo',`hash -o /etc/mail/authinfo')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
define(`confAUTH_OPTIONS',`A')
TRUST_AUTH_MECH(`LOGIN PLAIN')
define(`confAUTH_MECHANISMS',`LOGIN PLAIN')
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH',`/etc/pki/tls/certs')
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')
define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl # FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(`local')
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl

Open in new window

0
 

Author Comment

by:DoradoITTeam
ID: 21832392
I also have MailScanner with ClamAV installed on the server, but i have had it for a long time, but i thought it was important to post it. thanks
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21841728
As mentioned above, that error is indicative of the forward and inverse DNS not matching.

If MailScanner picks up the message and marks it for quarantine, you should be able find that information in the logs and in the MailScanner quarantine directory.

Can you post the full log information for a sample connection.
0
 

Author Comment

by:DoradoITTeam
ID: 21847761
Do i need to setup reverse DNS on the remote network even if its dynamic ip address? Where is the log file of MailScanner, can u help me?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21848249
You setup the forward and inverse DNS at the master authoritative servers.  They should match.  For example:

host 192.168.0.21
   21.0.168.192.in-addr.arpa domain name pointer example.domain.com

host example.domain.com
  example.domain.com has address 192.168.0.21

The MailScanner information is in /var/log/maillog

If you have a dynamic address, you may be blocked specifically because of that.
0
 

Author Comment

by:DoradoITTeam
ID: 21857273
I'm kind of lost now, this is my DNS

> server 200.23.249.51
Default Server:  dns4.telnor.net
Address:  200.23.249.51

> mail.doradoranch.com.mx
Server:  dns4.telnor.net
Address:  200.23.249.51

Non-authoritative answer:
Name:    mail.doradoranch.com.mx
Address:  201.170.126.3

> set type=ptr
> 201.170.126.3
Server:  dns4.telnor.net
Address:  200.23.249.51

Non-authoritative answer:
3.126.170.201.in-addr.arpa      name = mail.century21baja.com.mx
3.126.170.201.in-addr.arpa      name = mail.doradoranch.com.mx

This is on server side,

this is a log of transfer on log file

 "Jun 5 09:41:48 ns1 sendmail[24565]: m55GfkVs024565: from=<dorado@doradoranch.com.mx>, size=1148, class=0, nrcpts=1, msgid=<000e01c8c72a$fb4b0250$c603000a@edm.local>, proto=ESMTP, daemon=MTA, relay=customer-201-134-92-195.uninet-ide.com.mx [201.134.92.195] (may be forged)"
 
 "Jun 5 09:41:59 ns1 sendmail[24608]: m55GfkVs024565: to=<josue.haros@doradoranch.com.mx>, ctladdr=<dorado@doradoranch.com.mx> (526/551), delay=00:00:12, xdelay=00:00:04, mailer=local, pri=121148, dsn=2.0.0, stat=Sent

It says SENT, but the mail never get to recipient. 201.134.92.195 is the remote network where the client is.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21857590
This nameserver is timing out:

dnsadm-interno.uninet.net.mx

All of the nameservers specified for your [ISP] domain should answer and answer authoritatively.  It doesn't appear that they are.

Did this message run through mailscanner?
Do you have this email in the quarantine -> /var/spool/MailScanner/quarantine/...
Check your aliases and virthusertable to make sure that the mail is not being incorrectly forwarded.
0
 

Author Comment

by:DoradoITTeam
ID: 21857845
Sorry to ask these questions but i want to get all information right with no assumptions

  1. Checked aliases and virtuser tables, all seems to be ok, since i can receive emails from other network beside this one.
 
  2. I have a bunch of stuff in /var/spool/MailScanner/quarantine, but all of them are files that are being blocked by the server.

  3. Yes, the message transfer i posted, i retrieved it from /var/log/maillog file although i just see sendmail logs there, could not find MAILSCANNER tagged logs

  4. Dns stuff i don't completely understand, what do i need to do? how did u get this dnsadm-interno.uninet.net.mx? client network?
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 2000 total points
ID: 21883796
If I look up your IP address at the RIR, I can find the authoritative nameservers.  There are further delegations that identify servers that are expected to provde authoritative answers, as well.  The one machine listed above is timing out and I can verify that I had randomly hit it.

If a host wants to know that you are who you say you are, it will look up your inverse DNS information and compare it against the forward DNS.  If those two do not match, the host may choose to reject the mail.  And, those two not matching is the reason that you are seeing the "may be forged" in your log.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Check out the latest tech news, community articles, and expert highlights in August's newsletter.
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

647 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question