Sendmail (IP maybe forged)

Posted on 2008-06-17
Medium Priority
Last Modified: 2013-12-17
I have an email server running on Fedora Core 7 version 8.13.14. The server is working fine, but i have a problem with one of our networks in other city.

If connect to the server via Telnet from that network and type ehlo, i received a message saying "customer-xxx-xx-xxx-xx.somedomain [xxx.xx.xxx.xx] (maybe forged), pleased to meet you"
Then the problem is that no matter what computer or account im trying to send from does not work. If i put the network on SPAM CONTROL (access), the address can send emails to external accounts like hotmail, yahoo, but not local delivery, i don't receive any bounce back messages from the server. I searched on google and experts-exchange, and it seems to be a problem with dns, i also checked my domain and ip address on dnstuff.com, and it seems to be ok, th ptr points to my mailserver.

Any ideas.
Question by:DoradoITTeam
  • 6
  • 4
  • 2
  • +1
LVL 14

Expert Comment

ID: 21827687
Hello DoradoITTeam

Put simply,  After sendmail does a hostname look-up on the IP address of the connecting client, the IP addresses of that hostname are looked up. If the client IP address does not appear in that list, then the may be forged tag is added.

LVL 26

Expert Comment

ID: 21830885
Based on the format of your hostname (customer-xxx-xx-xxx-xx.somedomain), it looks very generic if not dynamic. Having your IP address embedded in your hostname is going to cause problems with sending email. It looks dynamic to many spam filters and therefore your mail will get tagged, put in spam folders or rejected. You should ask your isp to change it to something specific like mail.youdomain.com or smtp.yourdomain.com. If they wont, it probably means you're on a residential or non-commercial connection and probably shouldn't be sending mail anyway.

Kenfcamp is right though, you get the "(may be forged)" because your DNS forward and reverse records don't match:

customer-xxx-xx-xxx-xx.somedomain points to xxx.xx.xxx.xx but xxx.xx.xxx.x doesn't point to customer-xxx-xx-xxx-xx.somedomain

Author Comment

ID: 21832108
The reverse DNS on the server side matches, but i have particular problems on the other network not being able to send emails:

Server Network                                                                              Network with problems

IP = xxx.xx.xxx.xx ---------------  (INTERNET) -------------------    Public IP: yyy.yy.yyy.yy
Domain: mydomain.com                                                                NAT: zzz.zzz.zzz.z
I can send email from every other network but this network, i tried adding the network to spam control and allow relay to that specific network but does not work.

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 26

Expert Comment

ID: 21832159
post your sendmail.mc file so we can see how sendmail on the nonworking server is configured.

Author Comment

ID: 21832234
Here is sendmail.mc
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
VERSIONID(`setup for Red Hat Linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
define(`confLOG_LEVEL', `14')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`mail.dorado-sf.com.mx')
dnl #FEATURE(`authinfo',`hash -o /etc/mail/authinfo')
dnl #
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl DAEMON_OPTIONS(`Port=smtp,Addr=, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
dnl # FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`mydomain.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
dnl MAILER(cyrusv2)dnl

Open in new window


Author Comment

ID: 21832392
I also have MailScanner with ClamAV installed on the server, but i have had it for a long time, but i thought it was important to post it. thanks
LVL 29

Expert Comment

by:Jan Springer
ID: 21841728
As mentioned above, that error is indicative of the forward and inverse DNS not matching.

If MailScanner picks up the message and marks it for quarantine, you should be able find that information in the logs and in the MailScanner quarantine directory.

Can you post the full log information for a sample connection.

Author Comment

ID: 21847761
Do i need to setup reverse DNS on the remote network even if its dynamic ip address? Where is the log file of MailScanner, can u help me?
LVL 29

Expert Comment

by:Jan Springer
ID: 21848249
You setup the forward and inverse DNS at the master authoritative servers.  They should match.  For example:

host domain name pointer example.domain.com

host example.domain.com
  example.domain.com has address

The MailScanner information is in /var/log/maillog

If you have a dynamic address, you may be blocked specifically because of that.

Author Comment

ID: 21857273
I'm kind of lost now, this is my DNS

> server
Default Server:  dns4.telnor.net

> mail.doradoranch.com.mx
Server:  dns4.telnor.net

Non-authoritative answer:
Name:    mail.doradoranch.com.mx

> set type=ptr
Server:  dns4.telnor.net

Non-authoritative answer:      name = mail.century21baja.com.mx      name = mail.doradoranch.com.mx

This is on server side,

this is a log of transfer on log file

 "Jun 5 09:41:48 ns1 sendmail[24565]: m55GfkVs024565: from=<dorado@doradoranch.com.mx>, size=1148, class=0, nrcpts=1, msgid=<000e01c8c72a$fb4b0250$c603000a@edm.local>, proto=ESMTP, daemon=MTA, relay=customer-201-134-92-195.uninet-ide.com.mx [] (may be forged)"
 "Jun 5 09:41:59 ns1 sendmail[24608]: m55GfkVs024565: to=<josue.haros@doradoranch.com.mx>, ctladdr=<dorado@doradoranch.com.mx> (526/551), delay=00:00:12, xdelay=00:00:04, mailer=local, pri=121148, dsn=2.0.0, stat=Sent

It says SENT, but the mail never get to recipient. is the remote network where the client is.
LVL 29

Expert Comment

by:Jan Springer
ID: 21857590
This nameserver is timing out:


All of the nameservers specified for your [ISP] domain should answer and answer authoritatively.  It doesn't appear that they are.

Did this message run through mailscanner?
Do you have this email in the quarantine -> /var/spool/MailScanner/quarantine/...
Check your aliases and virthusertable to make sure that the mail is not being incorrectly forwarded.

Author Comment

ID: 21857845
Sorry to ask these questions but i want to get all information right with no assumptions

  1. Checked aliases and virtuser tables, all seems to be ok, since i can receive emails from other network beside this one.
  2. I have a bunch of stuff in /var/spool/MailScanner/quarantine, but all of them are files that are being blocked by the server.

  3. Yes, the message transfer i posted, i retrieved it from /var/log/maillog file although i just see sendmail logs there, could not find MAILSCANNER tagged logs

  4. Dns stuff i don't completely understand, what do i need to do? how did u get this dnsadm-interno.uninet.net.mx? client network?
LVL 29

Accepted Solution

Jan Springer earned 2000 total points
ID: 21883796
If I look up your IP address at the RIR, I can find the authoritative nameservers.  There are further delegations that identify servers that are expected to provde authoritative answers, as well.  The one machine listed above is timing out and I can verify that I had randomly hit it.

If a host wants to know that you are who you say you are, it will look up your inverse DNS information and compare it against the forward DNS.  If those two do not match, the host may choose to reject the mail.  And, those two not matching is the reason that you are seeing the "may be forged" in your log.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses
Course of the Month17 days, 13 hours left to enroll

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question