Sendmail (IP maybe forged)

Posted on 2008-06-17
Last Modified: 2013-12-17
I have an email server running on Fedora Core 7 version 8.13.14. The server is working fine, but i have a problem with one of our networks in other city.

If connect to the server via Telnet from that network and type ehlo, i received a message saying "customer-xxx-xx-xxx-xx.somedomain [] (maybe forged), pleased to meet you"
Then the problem is that no matter what computer or account im trying to send from does not work. If i put the network on SPAM CONTROL (access), the address can send emails to external accounts like hotmail, yahoo, but not local delivery, i don't receive any bounce back messages from the server. I searched on google and experts-exchange, and it seems to be a problem with dns, i also checked my domain and ip address on, and it seems to be ok, th ptr points to my mailserver.

Any ideas.
Question by:DoradoITTeam
  • 6
  • 4
  • 2
  • +1
LVL 13

Expert Comment

ID: 21827687
Hello DoradoITTeam

Put simply,  After sendmail does a hostname look-up on the IP address of the connecting client, the IP addresses of that hostname are looked up. If the client IP address does not appear in that list, then the may be forged tag is added.

LVL 26

Expert Comment

ID: 21830885
Based on the format of your hostname (customer-xxx-xx-xxx-xx.somedomain), it looks very generic if not dynamic. Having your IP address embedded in your hostname is going to cause problems with sending email. It looks dynamic to many spam filters and therefore your mail will get tagged, put in spam folders or rejected. You should ask your isp to change it to something specific like or If they wont, it probably means you're on a residential or non-commercial connection and probably shouldn't be sending mail anyway.

Kenfcamp is right though, you get the "(may be forged)" because your DNS forward and reverse records don't match:

customer-xxx-xx-xxx-xx.somedomain points to but doesn't point to customer-xxx-xx-xxx-xx.somedomain

Author Comment

ID: 21832108
The reverse DNS on the server side matches, but i have particular problems on the other network not being able to send emails:

Server Network                                                                              Network with problems

IP = ---------------  (INTERNET) -------------------    Public IP: yyy.yy.yyy.yy
Domain:                                                                NAT: zzz.zzz.zzz.z
I can send email from every other network but this network, i tried adding the network to spam control and allow relay to that specific network but does not work.

LVL 26

Expert Comment

ID: 21832159
post your file so we can see how sendmail on the nonworking server is configured.

Author Comment

ID: 21832234
Here is

dnl #

dnl # This is the sendmail macro config file for m4. If you make changes to

dnl # /etc/mail/, you will need to regenerate the

dnl # /etc/mail/ file by confirming that the sendmail-cf package is

dnl # installed and then performing a

dnl #

dnl #     make -C /etc/mail

dnl #


VERSIONID(`setup for Red Hat Linux')dnl


dnl #

dnl # default logging level is 9, you might want to set it higher to

dnl # debug the configuration

dnl #

define(`confLOG_LEVEL', `14')dnl

dnl #

dnl # Uncomment and edit the following line if your outgoing mail needs to

dnl # be sent out through an external mail server:

dnl #

dnl define(`SMART_HOST',`')

dnl #FEATURE(`authinfo',`hash -o /etc/mail/authinfo')

dnl #


dnl define(`confAUTO_REBUILD')dnl

define(`confTO_CONNECT', `1m')dnl




define(`ALIAS_FILE', `/etc/aliases')dnl

define(`STATUS_FILE', `/var/log/mail/statistics')dnl

define(`UUCP_MAILER_MAX', `2000000')dnl

define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl

dnl #

dnl # The following allows relaying if the user authenticates, and disallows

dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links

dnl #

dnl #

dnl # PLAIN is the preferred plaintext authentication method and used by

dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do

dnl # use LOGIN. Other mechanisms should be used if the connection is not

dnl # guaranteed secure.

dnl # Please remember that saslauthd needs to be running for AUTH.

dnl #




dnl #

dnl # Rudimentary information on creating certificates for sendmail TLS:

dnl #     cd /usr/share/ssl/certs; make sendmail.pem

dnl # Complete usage:

dnl #     make -C /usr/share/ssl/certs usage

dnl #





dnl #

dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's

dnl # slapd, which requires the file to be readble by group ldap

dnl #

dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl

dnl #

dnl define(`confTO_QUEUEWARN', `4h')dnl

dnl define(`confTO_QUEUERETURN', `5d')dnl

dnl define(`confQUEUE_LA', `12')dnl

dnl define(`confREFUSE_LA', `18')dnl

define(`confTO_IDENT', `0')dnl




FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl





dnl #

dnl # The following limits the number of processes sendmail can fork to accept

dnl # incoming messages or process its message queues to 12.) sendmail refuses

dnl # to accept connections once it has reached its quota of child processes.

dnl #

dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl

dnl #

dnl # Limits the number of new connections per second. This caps the overhead

dnl # incurred due to forking new sendmail processes. May be useful against

dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address

dnl # limit would be useful but is not available as an option at this writing.)

dnl #

dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl

dnl #

dnl # The -t option will retry delivery if e.g. the user runs over his quota.

dnl #

FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl

FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl



dnl #

dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment

dnl # the following 2 definitions and activate below in the MAILER section the

dnl # cyrusv2 mailer.

dnl #

dnl define(`confLOCAL_MAILER', `cyrusv2')dnl

dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl

dnl #

dnl # The following causes sendmail to only listen on the IPv4 loopback address

dnl # and not on any other network devices. Remove the loopback

dnl # address restriction to accept email from the internet or intranet.

dnl #

dnl DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl

dnl #

dnl # The following causes sendmail to additionally listen to port 587 for

dnl # mail from MUAs that authenticate. Roaming users who can't reach their

dnl # preferred sendmail daemon due to port 25 being blocked or redirected find

dnl # this useful.

dnl #

dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl #

dnl # The following causes sendmail to additionally listen to port 465, but

dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed

dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't

dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS

dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps

dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.

dnl #

dnl # For this to work your OpenSSL certificates must be configured.

dnl #

dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

dnl #

dnl # The following causes sendmail to additionally listen on the IPv6 loopback

dnl # device. Remove the loopback address restriction listen to the network.

dnl #

dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

dnl #

dnl # enable both ipv6 and ipv4 in sendmail:

dnl #

dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')

dnl #

dnl # We strongly recommend not accepting unresolvable domains if you want to

dnl # protect yourself from spam. However, the laptop and users on computers

dnl # that do not have 24x7 DNS do need this.

dnl #

dnl # FEATURE(`accept_unresolvable_domains')dnl

dnl #

dnl FEATURE(`relay_based_on_MX')dnl

dnl #

dnl # Also accept email sent to "localhost.localdomain" as local email.

dnl #


dnl #

dnl # The following example makes mail from this host and any additional

dnl # specified domains appear to be sent from

dnl #

dnl MASQUERADE_AS(`')dnl

dnl #

dnl # masquerade not just the headers, but the envelope as well

dnl #

dnl FEATURE(masquerade_envelope)dnl

dnl #

dnl # masquerade not just, but @* as well

dnl #

dnl FEATURE(masquerade_entire_domain)dnl

dnl #

dnl MASQUERADE_DOMAIN(localhost)dnl

dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl


dnl MASQUERADE_DOMAIN(mydomain.lan)dnl




dnl MAILER(cyrusv2)dnl

Open in new window


Author Comment

ID: 21832392
I also have MailScanner with ClamAV installed on the server, but i have had it for a long time, but i thought it was important to post it. thanks
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

LVL 28

Expert Comment

by:Jan Springer
ID: 21841728
As mentioned above, that error is indicative of the forward and inverse DNS not matching.

If MailScanner picks up the message and marks it for quarantine, you should be able find that information in the logs and in the MailScanner quarantine directory.

Can you post the full log information for a sample connection.

Author Comment

ID: 21847761
Do i need to setup reverse DNS on the remote network even if its dynamic ip address? Where is the log file of MailScanner, can u help me?
LVL 28

Expert Comment

by:Jan Springer
ID: 21848249
You setup the forward and inverse DNS at the master authoritative servers.  They should match.  For example:

host domain name pointer

host has address

The MailScanner information is in /var/log/maillog

If you have a dynamic address, you may be blocked specifically because of that.

Author Comment

ID: 21857273
I'm kind of lost now, this is my DNS

> server
Default Server:


Non-authoritative answer:

> set type=ptr

Non-authoritative answer:      name =      name =

This is on server side,

this is a log of transfer on log file

 "Jun 5 09:41:48 ns1 sendmail[24565]: m55GfkVs024565: from=<>, size=1148, class=0, nrcpts=1, msgid=<000e01c8c72a$fb4b0250$c603000a@edm.local>, proto=ESMTP, daemon=MTA, [] (may be forged)"
 "Jun 5 09:41:59 ns1 sendmail[24608]: m55GfkVs024565: to=<>, ctladdr=<> (526/551), delay=00:00:12, xdelay=00:00:04, mailer=local, pri=121148, dsn=2.0.0, stat=Sent

It says SENT, but the mail never get to recipient. is the remote network where the client is.
LVL 28

Expert Comment

by:Jan Springer
ID: 21857590
This nameserver is timing out:

All of the nameservers specified for your [ISP] domain should answer and answer authoritatively.  It doesn't appear that they are.

Did this message run through mailscanner?
Do you have this email in the quarantine -> /var/spool/MailScanner/quarantine/...
Check your aliases and virthusertable to make sure that the mail is not being incorrectly forwarded.

Author Comment

ID: 21857845
Sorry to ask these questions but i want to get all information right with no assumptions

  1. Checked aliases and virtuser tables, all seems to be ok, since i can receive emails from other network beside this one.
  2. I have a bunch of stuff in /var/spool/MailScanner/quarantine, but all of them are files that are being blocked by the server.

  3. Yes, the message transfer i posted, i retrieved it from /var/log/maillog file although i just see sendmail logs there, could not find MAILSCANNER tagged logs

  4. Dns stuff i don't completely understand, what do i need to do? how did u get this client network?
LVL 28

Accepted Solution

Jan Springer earned 500 total points
ID: 21883796
If I look up your IP address at the RIR, I can find the authoritative nameservers.  There are further delegations that identify servers that are expected to provde authoritative answers, as well.  The one machine listed above is timing out and I can verify that I had randomly hit it.

If a host wants to know that you are who you say you are, it will look up your inverse DNS information and compare it against the forward DNS.  If those two do not match, the host may choose to reject the mail.  And, those two not matching is the reason that you are seeing the "may be forged" in your log.

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Changing MX record and DNS cache 12 117
SMTP using .net w/o mail server 2 58
IIS6 Virtual SMTP server resends old email after reboot 13 50
Distribution groups exchange 2013 6 44
Email signatures have numerous marketing benefits. Here are 8 top reasons to turn your email signature into a marketing channel.
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now