Solved

How do I tell if I'm being used as a relay

Posted on 2015-02-19
5
229 Views
Last Modified: 2015-02-22
I just fired up a new sendmail mail server, but I'm getting odd-looking log messages and I'm wondering if it's being used as a relay. The messages are like:
Feb 19 08:54:34 mail sm-mta[16262]: t1HHNKgC027661: to=<jkkalisz@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:31:14, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:34 mail sm-mta[16262]: t1HHflwx028217: to=<crhawn@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:12:47, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:39 mail sm-mta[16262]: STARTTLS=client, relay=aln-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:45 mail sm-mta[16262]: STARTTLS=client, relay=scc-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:51 mail sm-mta[16262]: STARTTLS=client, relay=frf-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256

Here's my .mc file:
include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
DOMAIN(generic)dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl
define(`confBAD_RCPT_THROTTLE',`1')dnl
define(`confCONNECTION_RATE_THROTTLE',`3')dnl
define(`confDEAD_LETTER_DROP',`/dev/null')dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`nobody')dnl
define(`confDF_BUFFER_SIZE',`16384')dnl
define(`confXF_BUFFER_SIZE',`16384')dnl
define(`confSUPER_SAFE',`true')dnl
define(`confCHECKPOINT_INTERVAL',`10')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`lookupdotdomain')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`bl.spamcop.net')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
define(`confCACERT_PATH',`/etc/ssl/OHPRS/GoDaddy/')dnl
define(`confCACERT',`/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem')dnl
define(`confSERVER_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confSERVER_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
define(`confCLIENT_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confCLIENT_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
INPUT_MAIL_FILTER(`milter-bcc',`S=local:/var/run/milter-bcc.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
MASQUERADE_AS(`ohprs.org')dnl
MASQUERADE_DOMAIN(`ohprs.org')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`always_add_domain')dnl
EXPOSED_USER(`root')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

Advice?
0
Question by:jmarkfoley
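The log lines in the question are delivery (to=) records. To tell a message relayed for a third party from one your own server generated, you need the matching from= record for the same queue ID, which names the host that handed the message in, and the ctladdr field: a (uid/gid) suffix like the (2/2) above means a local process submitted the message through the sendmail binary. The Python script below is an added example, not code from the question or the answers. It joins from= and to= lines by queue ID, treats a from= relay of user@localhost or an address inside an assumed trusted network (192.168.0.0/24, matching the LAN entry in the access file in this thread) as a legitimate submitter, and flags messages that arrived from any other host and were handed to the esmtp mailer for a domain outside the assumed local domains. The sample maillog lines are constructed for the example and use documentation IP ranges.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample maillog lines (not taken from the question's server);
# addresses use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb 19 08:54:30 mail sm-mta[16262]: t1HHNKgC027661: from=<daemon@ohprs.org>, size=2048, class=0, nrcpts=1, msgid=<201502190854.t1HHNKgC027661@mail.ohprs.org>, relay=daemon@localhost
Feb 19 08:54:34 mail sm-mta[16262]: t1HHNKgC027661: to=<user1@example.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=00:00:04, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.example.net. [203.0.113.25], dsn=4.0.0, stat=Deferred
Feb 19 08:54:39 mail sm-mta[16262]: STARTTLS=client, relay=mx.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 09:01:02 mail sm-mta[16300]: t1HI12AB016300: from=<someone@example.org>, size=512, class=0, nrcpts=1, msgid=<abc@example.org>, proto=ESMTP, daemon=MTA, relay=[192.168.0.44]
Feb 19 09:01:03 mail sm-mta[16300]: t1HI12AB016300: to=<bob@ohprs.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30512, dsn=2.0.0, stat=Sent
Feb 19 09:05:10 mail sm-mta[16355]: t1HI5AZZ016355: from=<sender@example.com>, size=4096, class=0, nrcpts=1, msgid=<xyz@example.com>, proto=SMTP, daemon=MTA, relay=host.example [198.51.100.7]
Feb 19 09:05:12 mail sm-mta[16355]: t1HI5AZZ016355: to=<other@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=34096, relay=mx.example.net. [203.0.113.25], dsn=2.0.0, stat=Sent (ok 1424336712 qp 4242)
"""

# Assumed site values: domains this server delivers locally, and networks from
# which relaying is intentionally permitted (the LAN entry from the access file).
LOCAL_DOMAINS = {"ohprs.org", "mail.ohprs.org"}
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("127.0.0.0/8")]
REMOTE_MAILERS = {"esmtp", "smtp", "smtp8", "relay"}   # mailers that hand mail to another MTA

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ [\w-]+\[\d+\]: (?P<qid>[0-9A-Za-z]{14}): (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")   # key=value pairs; values may contain spaces
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")           # the bracketed address in a relay= value

def parse_line(line):
    """Return (queue_id, {field: value}) for a per-message log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None          # STARTTLS=, milter and other lines carry no queue id
    fields = {k: v for k, v in FIELD_RE.findall(m.group("rest"))}
    return m.group("qid"), fields

def source_is_trusted(relay):
    """True when the from= relay is a local submission or an explicitly trusted network."""
    if "localhost" in relay and "[" not in relay:
        return True          # 'user@localhost': handed in by the local sendmail binary
    ip = IP_RE.search(relay)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip.group(1))
    return any(addr in net for net in TRUSTED_NETS)

def summarize(log_text):
    """Join from= and to= lines by queue id into one record per message."""
    msgs = defaultdict(lambda: {"source": None, "trusted": False,
                                "local_submission": False, "remote_rcpts": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        qid, f = parsed
        rec = msgs[qid]
        if "from" in f:
            rec["source"] = f.get("relay", "")
            rec["trusted"] = source_is_trusted(rec["source"])
        elif "to" in f:
            # ctladdr with a (uid/gid) suffix means a local process handed the message in
            if re.search(r"\(\d+/\d+\)", f.get("ctladdr", "")):
                rec["local_submission"] = True
            rcpt = f["to"].strip("<>")
            if f.get("mailer") in REMOTE_MAILERS and rcpt.split("@")[-1].lower() not in LOCAL_DOMAINS:
                rec["remote_rcpts"].append(rcpt)
    return dict(msgs)

def find_third_party_relays(log_text):
    """Messages that arrived from an untrusted host and left again for a non-local domain."""
    hits = []
    for qid, rec in summarize(log_text).items():
        if (rec["source"] is not None and not rec["trusted"]
                and not rec["local_submission"] and rec["remote_rcpts"]):
            ip = IP_RE.search(rec["source"])
            hits.append((qid, ip.group(1) if ip else rec["source"], rec["remote_rcpts"]))
    return hits

if __name__ == "__main__":
    for qid, src, rcpts in find_third_party_relays(SAMPLE_LOG):
        print(f"{qid}: accepted from {src}, relayed to {', '.join(rcpts)}")
```

Run it against a real maillog by replacing SAMPLE_LOG with the file contents and adjusting LOCAL_DOMAINS and TRUSTED_NETS to the site. Any hit means the server accepted a message from outside the trusted networks and delivered it to a domain it does not host, which is exactly what an open relay does; an empty result over a day of logs, with deliveries like the question's showing ctladdr=(2/2), points to locally generated mail instead.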
5 Comments
 
LVL 17

Accepted Solution

by:
Ivan earned 250 total points
ID: 40618892
Hi,

You can always use http://mxtoolbox.com/diagnostic.aspx to check if you are a relay.
Just enter the public name of the server, such as mail.domain.com

Regards.
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 40618917
If you have a new release of sendmail and sendmail.cf, by default those are turned off.

What does /etc/mail/access have in it?

And have you gone to an external (off net) IP and manually done a telnet to test that port 25 blocks mail from unknown IPs or unauthenticated senders?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40620402
spriggan13: I did try mxtoolbox.com and it did not say anything about relaying, though I may not have picked the right test.

Jan Springer:
What does /etc/mail/access have in it?
This is the entire /etc/mail/access:
192.168.0       RELAY

webserver.ohprs.org  RELAY
64.129.23.95    RELAY

oldmail.ohprs.org RELAY
64.129.23.80    RELAY

# Voicemail system
66.202.79.114   RELAY
.choiceone.net  RELAY

To:noreply@ohprs.org    ERROR:"550 This address does not receive mail"

The 1st entry is to permit all hosts on the LAN. The 2nd and 3rd entries are for a host which uses *this* host as a 'Smart Host'. The relaying host (webserver) also has an address on the LAN and relays to the mail server's LAN address so probably never sends from the public address, but it's there just in case.

The next two entries are for a host which is powered off.

The last 2 relay entries are for the voice mail computer.
And have you gone to an external (off net) IP and manually done a telnet to test that port 25 blocks mail from unknown IPs or unauthenticated senders?
Yes, I've done a manual telnet and can connect just fine. Why would it block? How else would you, for example, send me an email on that host?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40623785
I think I'm OK, just a bit paranoid with this new configuration. I'm going to consider this closed and if I get nervous again I'll post a new question. Thanks for your help. The mxtoolbox.com site was useful generally.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40624311
Just a side note: listing allowed relay hosts or subnets by their respective DNS name means that I can change my inverse DNS and spoof your domain name and then send spam through your system.

I always recommend using IP addresses or subnets.
0
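Jan's point about name-keyed RELAY entries can be checked mechanically. The Python script below is an added example, not something posted in the thread: it parses access-file source text in the form sendmail's makemap reads (left-hand key, whitespace, right-hand value, '#' comments), strips a Connect:/From:/To:/Spam: tag if present, classifies each key as an IPv4 address or dotted prefix, an IPv6: key, an e-mail address or a host/domain name, and reports every RELAY right that is keyed on a name. The input is the access file posted earlier in this thread, used here as the audit input; the entries it reports are the ones that depend on what the connecting host's address resolves to, which is what Jan is warning about.

```python
import re

# The access file as posted earlier in the thread, used here as the audit input.
SAMPLE_ACCESS = """\
192.168.0       RELAY

webserver.ohprs.org  RELAY
64.129.23.95    RELAY

oldmail.ohprs.org RELAY
64.129.23.80    RELAY

# Voicemail system
66.202.79.114   RELAY
.choiceone.net  RELAY

To:noreply@ohprs.org    ERROR:"550 This address does not receive mail"
"""

TAGS = ("Connect:", "From:", "To:", "Spam:")           # access-db lookup tags that may prefix a key
IPV4_PREFIX_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")  # full address or dotted prefix like 192.168.0

def strip_tag(key):
    """Remove a leading lookup tag so the bare key can be classified."""
    for tag in TAGS:
        if key.startswith(tag):
            return key[len(tag):]
    return key

def classify_key(key):
    """'ipv4' (address or dotted prefix), 'ipv6', 'address' (user@domain) or 'hostname'."""
    key = strip_tag(key)
    if IPV4_PREFIX_RE.match(key):
        return "ipv4"
    if key.startswith("IPv6:"):
        return "ipv6"
    if "@" in key:
        return "address"
    return "hostname"          # bare host names and leading-dot domain suffixes

def parse_access(text):
    """Return (key, value) pairs, skipping blank lines, comments and keys with no value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue           # a key with no right-hand side is not a usable entry
        entries.append((parts[0], parts[1]))
    return entries

def audit_relay_entries(text):
    """Keys granted RELAY by host or domain name rather than by address."""
    return [key for key, value in parse_access(text)
            if value.upper() == "RELAY" and classify_key(key) == "hostname"]

def relay_summary(text):
    """Count RELAY grants by key type, to see how much relaying rests on names."""
    counts = {}
    for key, value in parse_access(text):
        if value.upper() == "RELAY":
            kind = classify_key(key)
            counts[kind] = counts.get(kind, 0) + 1
    return counts

if __name__ == "__main__":
    print("RELAY grants by key type:", relay_summary(SAMPLE_ACCESS))
    for key in audit_relay_entries(SAMPLE_ACCESS):
        print(f"name-keyed relay entry: {key}")
```

Point it at the real file with open("/etc/mail/access").read(); each reported key is a candidate to replace with the host's address, or with a dotted prefix for a whole subnet, as the thread's first entry already does for the LAN.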
