Sendmail (IP maybe forged)

Hello DoradoITTeam

Put simply,  After sendmail does a hostname look-up on the IP address of the connecting client, the IP addresses of that hostname are looked up. If the client IP address does not appear in that list, then the may be forged tag is added.

Based on the format of your hostname (customer-xxx-xx-xxx-xx.somedomain), it looks very generic if not dynamic. Having your IP address embedded in your hostname is going to cause problems with sending email. It looks dynamic to many spam filters and therefore your mail will get tagged, put in spam folders or rejected. You should ask your isp to change it to something specific like mail.youdomain.com or smtp.yourdomain.com. If they wont, it probably means you're on a residential or non-commercial connection and probably shouldn't be sending mail anyway.

Kenfcamp is right though, you get the "(may be forged)" because your DNS forward and reverse records don't match:

customer-xxx-xx-xxx-xx.somedomain points to xxx.xx.xxx.xx but xxx.xx.xxx.x doesn't point to customer-xxx-xx-xxx-xx.somedomain

The reverse DNS on the server side matches, but i have particular problems on the other network not being able to send emails:


Server Network                                                                              Network with problems

IP = xxx.xx.xxx.xx ---------------  (INTERNET) -------------------    Public IP: yyy.yy.yyy.yy
Domain: mydomain.com                                                                NAT: zzz.zzz.zzz.z
 
I can send email from every other network but this network, i tried adding the network to spam control and allow relay to that specific network but does not work.

post your sendmail.mc file so we can see how sendmail on the nonworking server is configured.

Here is sendmail.mc

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
define(`confLOG_LEVEL', `14')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`mail.dorado-sf.com.mx')
dnl #FEATURE(`authinfo',`hash -o /etc/mail/authinfo')
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
define(`confAUTH_OPTIONS',`A')
TRUST_AUTH_MECH(`LOGIN PLAIN')
define(`confAUTH_MECHANISMS',`LOGIN PLAIN')
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
define(`confCACERT_PATH',`/etc/pki/tls/certs')
define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')
define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl # FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`localhost.localdomain')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(`local')
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl

Select allOpen in new window

I also have MailScanner with ClamAV installed on the server, but i have had it for a long time, but i thought it was important to post it. thanks

As mentioned above, that error is indicative of the forward and inverse DNS not matching.

If MailScanner picks up the message and marks it for quarantine, you should be able find that information in the logs and in the MailScanner quarantine directory.

Can you post the full log information for a sample connection.

Do i need to setup reverse DNS on the remote network even if its dynamic ip address? Where is the log file of MailScanner, can u help me?

You setup the forward and inverse DNS at the master authoritative servers.  They should match.  For example:

host 192.168.0.21
   21.0.168.192.in-addr.arpa domain name pointer example.domain.com

host example.domain.com
  example.domain.com has address 192.168.0.21

The MailScanner information is in /var/log/maillog

If you have a dynamic address, you may be blocked specifically because of that.

I'm kind of lost now, this is my DNS

> server 200.23.249.51
Default Server:  dns4.telnor.net
Address:  200.23.249.51

> mail.doradoranch.com.mx
Server:  dns4.telnor.net
Address:  200.23.249.51

Non-authoritative answer:
Name:    mail.doradoranch.com.mx
Address:  201.170.126.3

> set type=ptr
> 201.170.126.3
Server:  dns4.telnor.net
Address:  200.23.249.51

Non-authoritative answer:
3.126.170.201.in-addr.arpa      name = mail.century21baja.com.mx
3.126.170.201.in-addr.arpa      name = mail.doradoranch.com.mx

This is on server side,

this is a log of transfer on log file

 "Jun 5 09:41:48 ns1 sendmail[24565]: m55GfkVs024565: from=<dorado@doradoranch.com.mx>, size=1148, class=0, nrcpts=1, msgid=<000e01c8c72a$fb4b0250$c603000a@edm.local>, proto=ESMTP, daemon=MTA, relay=customer-201-134-92-195.uninet-ide.com.mx [201.134.92.195] (may be forged)"
 
 "Jun 5 09:41:59 ns1 sendmail[24608]: m55GfkVs024565: to=<josue.haros@doradoranch.com.mx>, ctladdr=<dorado@doradoranch.com.mx> (526/551), delay=00:00:12, xdelay=00:00:04, mailer=local, pri=121148, dsn=2.0.0, stat=Sent

It says SENT, but the mail never get to recipient. 201.134.92.195 is the remote network where the client is.

This nameserver is timing out:

dnsadm-interno.uninet.net.mx

All of the nameservers specified for your [ISP] domain should answer and answer authoritatively.  It doesn't appear that they are.

Did this message run through mailscanner?
Do you have this email in the quarantine -> /var/spool/MailScanner/quarantine/...
Check your aliases and virthusertable to make sure that the mail is not being incorrectly forwarded.

Sorry to ask these questions but i want to get all information right with no assumptions

  1. Checked aliases and virtuser tables, all seems to be ok, since i can receive emails from other network beside this one.
 
  2. I have a bunch of stuff in /var/spool/MailScanner/quarantine, but all of them are files that are being blocked by the server.

  3. Yes, the message transfer i posted, i retrieved it from /var/log/maillog file although i just see sendmail logs there, could not find MAILSCANNER tagged logs

  4. Dns stuff i don't completely understand, what do i need to do? how did u get this dnsadm-interno.uninet.net.mx? client network?