Solved

Sendmail (IP maybe forged)

Posted on 2008-06-17
14
774 Views
Last Modified: 2013-12-17
I have an email server running on Fedora Core 7 version 8.13.14. The server is working fine, but i have a problem with one of our networks in other city.

If connect to the server via Telnet from that network and type ehlo, i received a message saying "customer-xxx-xx-xxx-xx.somedomain [xxx.xx.xxx.xx] (maybe forged), pleased to meet you"
Then the problem is that no matter what computer or account im trying to send from does not work. If i put the network on SPAM CONTROL (access), the address can send emails to external accounts like hotmail, yahoo, but not local delivery, i don't receive any bounce back messages from the server. I searched on google and experts-exchange, and it seems to be a problem with dns, i also checked my domain and ip address on dnstuff.com, and it seems to be ok, th ptr points to my mailserver.

Any ideas.
0
Comment
Question by:DoradoITTeam
  • 6
  • 4
  • 2
  • +1
14 Comments
 
LVL 13

Expert Comment

by:kenfcamp
ID: 21827687
Hello DoradoITTeam

Put simply,  After sendmail does a hostname look-up on the IP address of the connecting client, the IP addresses of that hostname are looked up. If the client IP address does not appear in that list, then the may be forged tag is added.

0
 
LVL 26

Expert Comment

by:jar3817
ID: 21830885
Based on the format of your hostname (customer-xxx-xx-xxx-xx.somedomain), it looks very generic if not dynamic. Having your IP address embedded in your hostname is going to cause problems with sending email. It looks dynamic to many spam filters and therefore your mail will get tagged, put in spam folders or rejected. You should ask your isp to change it to something specific like mail.youdomain.com or smtp.yourdomain.com. If they wont, it probably means you're on a residential or non-commercial connection and probably shouldn't be sending mail anyway.

Kenfcamp is right though, you get the "(may be forged)" because your DNS forward and reverse records don't match:

customer-xxx-xx-xxx-xx.somedomain points to xxx.xx.xxx.xx but xxx.xx.xxx.x doesn't point to customer-xxx-xx-xxx-xx.somedomain
0
 

Author Comment

by:DoradoITTeam
ID: 21832108
The reverse DNS on the server side matches, but i have particular problems on the other network not being able to send emails:


Server Network                                                                              Network with problems

IP = xxx.xx.xxx.xx ---------------  (INTERNET) -------------------    Public IP: yyy.yy.yyy.yy
Domain: mydomain.com                                                                NAT: zzz.zzz.zzz.z
 
I can send email from every other network but this network, i tried adding the network to spam control and allow relay to that specific network but does not work.




0
 
LVL 26

Expert Comment

by:jar3817
ID: 21832159
post your sendmail.mc file so we can see how sendmail on the nonworking server is configured.
0
 

Author Comment

by:DoradoITTeam
ID: 21832234
Here is sendmail.mc
divert(-1)dnl

dnl #

dnl # This is the sendmail macro config file for m4. If you make changes to

dnl # /etc/mail/sendmail.mc, you will need to regenerate the

dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is

dnl # installed and then performing a

dnl #

dnl #     make -C /etc/mail

dnl #

include(`/usr/share/sendmail-cf/m4/cf.m4')dnl

VERSIONID(`setup for Red Hat Linux')dnl

OSTYPE(`linux')dnl

dnl #

dnl # default logging level is 9, you might want to set it higher to

dnl # debug the configuration

dnl #

define(`confLOG_LEVEL', `14')dnl

dnl #

dnl # Uncomment and edit the following line if your outgoing mail needs to

dnl # be sent out through an external mail server:

dnl #

dnl define(`SMART_HOST',`mail.dorado-sf.com.mx')

dnl #FEATURE(`authinfo',`hash -o /etc/mail/authinfo')

dnl #

define(`confDEF_USER_ID',``8:12'')dnl

dnl define(`confAUTO_REBUILD')dnl

define(`confTO_CONNECT', `1m')dnl

define(`confTRY_NULL_MX_LIST',true)dnl

define(`confDONT_PROBE_INTERFACES',true)dnl

define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl

define(`ALIAS_FILE', `/etc/aliases')dnl

define(`STATUS_FILE', `/var/log/mail/statistics')dnl

define(`UUCP_MAILER_MAX', `2000000')dnl

define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl

define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl

dnl #

dnl # The following allows relaying if the user authenticates, and disallows

dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links

dnl #

dnl #

dnl # PLAIN is the preferred plaintext authentication method and used by

dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do

dnl # use LOGIN. Other mechanisms should be used if the connection is not

dnl # guaranteed secure.

dnl # Please remember that saslauthd needs to be running for AUTH.

dnl #

define(`confAUTH_OPTIONS',`A')

TRUST_AUTH_MECH(`LOGIN PLAIN')

define(`confAUTH_MECHANISMS',`LOGIN PLAIN')

dnl #

dnl # Rudimentary information on creating certificates for sendmail TLS:

dnl #     cd /usr/share/ssl/certs; make sendmail.pem

dnl # Complete usage:

dnl #     make -C /usr/share/ssl/certs usage

dnl #

define(`confCACERT_PATH',`/etc/pki/tls/certs')

define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')

define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')

define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')

dnl #

dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's

dnl # slapd, which requires the file to be readble by group ldap

dnl #

dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl

dnl #

dnl define(`confTO_QUEUEWARN', `4h')dnl

dnl define(`confTO_QUEUERETURN', `5d')dnl

dnl define(`confQUEUE_LA', `12')dnl

dnl define(`confREFUSE_LA', `18')dnl

define(`confTO_IDENT', `0')dnl

FEATURE(delay_checks)dnl

FEATURE(`no_default_msa',`dnl')dnl

FEATURE(`smrsh',`/usr/sbin/smrsh')dnl

FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl

FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl

FEATURE(redirect)dnl

FEATURE(always_add_domain)dnl

FEATURE(use_cw_file)dnl

FEATURE(use_ct_file)dnl

dnl #

dnl # The following limits the number of processes sendmail can fork to accept

dnl # incoming messages or process its message queues to 12.) sendmail refuses

dnl # to accept connections once it has reached its quota of child processes.

dnl #

dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl

dnl #

dnl # Limits the number of new connections per second. This caps the overhead

dnl # incurred due to forking new sendmail processes. May be useful against

dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address

dnl # limit would be useful but is not available as an option at this writing.)

dnl #

dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl

dnl #

dnl # The -t option will retry delivery if e.g. the user runs over his quota.

dnl #

FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl

FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl

FEATURE(`blacklist_recipients')dnl

EXPOSED_USER(`root')dnl

dnl #

dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment

dnl # the following 2 definitions and activate below in the MAILER section the

dnl # cyrusv2 mailer.

dnl #

dnl define(`confLOCAL_MAILER', `cyrusv2')dnl

dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl

dnl #

dnl # The following causes sendmail to only listen on the IPv4 loopback address

dnl # 127.0.0.1 and not on any other network devices. Remove the loopback

dnl # address restriction to accept email from the internet or intranet.

dnl #

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

dnl #

dnl # The following causes sendmail to additionally listen to port 587 for

dnl # mail from MUAs that authenticate. Roaming users who can't reach their

dnl # preferred sendmail daemon due to port 25 being blocked or redirected find

dnl # this useful.

dnl #

dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

dnl #

dnl # The following causes sendmail to additionally listen to port 465, but

dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed

dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't

dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS

dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps

dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.

dnl #

dnl # For this to work your OpenSSL certificates must be configured.

dnl #

dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

dnl #

dnl # The following causes sendmail to additionally listen on the IPv6 loopback

dnl # device. Remove the loopback address restriction listen to the network.

dnl #

dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

dnl #

dnl # enable both ipv6 and ipv4 in sendmail:

dnl #

dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')

dnl #

dnl # We strongly recommend not accepting unresolvable domains if you want to

dnl # protect yourself from spam. However, the laptop and users on computers

dnl # that do not have 24x7 DNS do need this.

dnl #

dnl # FEATURE(`accept_unresolvable_domains')dnl

dnl #

dnl FEATURE(`relay_based_on_MX')dnl

dnl #

dnl # Also accept email sent to "localhost.localdomain" as local email.

dnl #

LOCAL_DOMAIN(`localhost.localdomain')dnl

dnl #

dnl # The following example makes mail from this host and any additional

dnl # specified domains appear to be sent from mydomain.com

dnl #

dnl MASQUERADE_AS(`mydomain.com')dnl

dnl #

dnl # masquerade not just the headers, but the envelope as well

dnl #

dnl FEATURE(masquerade_envelope)dnl

dnl #

dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well

dnl #

dnl FEATURE(masquerade_entire_domain)dnl

dnl #

dnl MASQUERADE_DOMAIN(localhost)dnl

dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl

dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl

dnl MASQUERADE_DOMAIN(mydomain.lan)dnl

MAILER(`local')

MAILER(smtp)dnl

MAILER(procmail)dnl

dnl MAILER(cyrusv2)dnl

Open in new window

0
 

Author Comment

by:DoradoITTeam
ID: 21832392
I also have MailScanner with ClamAV installed on the server, but i have had it for a long time, but i thought it was important to post it. thanks
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 28

Expert Comment

by:Jan Springer
ID: 21841728
As mentioned above, that error is indicative of the forward and inverse DNS not matching.

If MailScanner picks up the message and marks it for quarantine, you should be able find that information in the logs and in the MailScanner quarantine directory.

Can you post the full log information for a sample connection.
0
 

Author Comment

by:DoradoITTeam
ID: 21847761
Do i need to setup reverse DNS on the remote network even if its dynamic ip address? Where is the log file of MailScanner, can u help me?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21848249
You setup the forward and inverse DNS at the master authoritative servers.  They should match.  For example:

host 192.168.0.21
   21.0.168.192.in-addr.arpa domain name pointer example.domain.com

host example.domain.com
  example.domain.com has address 192.168.0.21

The MailScanner information is in /var/log/maillog

If you have a dynamic address, you may be blocked specifically because of that.
0
 

Author Comment

by:DoradoITTeam
ID: 21857273
I'm kind of lost now, this is my DNS

> server 200.23.249.51
Default Server:  dns4.telnor.net
Address:  200.23.249.51

> mail.doradoranch.com.mx
Server:  dns4.telnor.net
Address:  200.23.249.51

Non-authoritative answer:
Name:    mail.doradoranch.com.mx
Address:  201.170.126.3

> set type=ptr
> 201.170.126.3
Server:  dns4.telnor.net
Address:  200.23.249.51

Non-authoritative answer:
3.126.170.201.in-addr.arpa      name = mail.century21baja.com.mx
3.126.170.201.in-addr.arpa      name = mail.doradoranch.com.mx

This is on server side,

this is a log of transfer on log file

 "Jun 5 09:41:48 ns1 sendmail[24565]: m55GfkVs024565: from=<dorado@doradoranch.com.mx>, size=1148, class=0, nrcpts=1, msgid=<000e01c8c72a$fb4b0250$c603000a@edm.local>, proto=ESMTP, daemon=MTA, relay=customer-201-134-92-195.uninet-ide.com.mx [201.134.92.195] (may be forged)"
 
 "Jun 5 09:41:59 ns1 sendmail[24608]: m55GfkVs024565: to=<josue.haros@doradoranch.com.mx>, ctladdr=<dorado@doradoranch.com.mx> (526/551), delay=00:00:12, xdelay=00:00:04, mailer=local, pri=121148, dsn=2.0.0, stat=Sent

It says SENT, but the mail never get to recipient. 201.134.92.195 is the remote network where the client is.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21857590
This nameserver is timing out:

dnsadm-interno.uninet.net.mx

All of the nameservers specified for your [ISP] domain should answer and answer authoritatively.  It doesn't appear that they are.

Did this message run through mailscanner?
Do you have this email in the quarantine -> /var/spool/MailScanner/quarantine/...
Check your aliases and virthusertable to make sure that the mail is not being incorrectly forwarded.
0
 

Author Comment

by:DoradoITTeam
ID: 21857845
Sorry to ask these questions but i want to get all information right with no assumptions

  1. Checked aliases and virtuser tables, all seems to be ok, since i can receive emails from other network beside this one.
 
  2. I have a bunch of stuff in /var/spool/MailScanner/quarantine, but all of them are files that are being blocked by the server.

  3. Yes, the message transfer i posted, i retrieved it from /var/log/maillog file although i just see sendmail logs there, could not find MAILSCANNER tagged logs

  4. Dns stuff i don't completely understand, what do i need to do? how did u get this dnsadm-interno.uninet.net.mx? client network?
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 21883796
If I look up your IP address at the RIR, I can find the authoritative nameservers.  There are further delegations that identify servers that are expected to provde authoritative answers, as well.  The one machine listed above is timing out and I can verify that I had randomly hit it.

If a host wants to know that you are who you say you are, it will look up your inverse DNS information and compare it against the forward DNS.  If those two do not match, the host may choose to reject the mail.  And, those two not matching is the reason that you are seeing the "may be forged" in your log.
0

Featured Post

Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

Join & Write a Comment

MS outlook is a premier email client that enable you to send and receive the e-mails with various file formats of attachments such as document files, media file, and many others formats. There is some scenario occurs when a receiver of an e-mail mes…
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now