?
Solved

How do I tell if I'm being used as a relay

Posted on 2015-02-19
5
Medium Priority
?
255 Views
Last Modified: 2015-02-22
I just fired up new sendmail mail server, but I'm getting odd looking log message and I'm wondering if it's being used as a relay. Message are like:
Feb 19 08:54:34 mail sm-mta[16262]: t1HHNKgC027661: to=<jkkalisz@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:31:14, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:34 mail sm-mta[16262]: t1HHflwx028217: to=<crhawn@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:12:47, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:39 mail sm-mta[16262]: STARTTLS=client, relay=aln-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:45 mail sm-mta[16262]: STARTTLS=client, relay=scc-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:51 mail sm-mta[16262]: STARTTLS=client, relay=frf-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256

Open in new window

Here's my .mc file:
include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
DOMAIN(generic)dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl
define(`confBAD_RCPT_THROTTLE',`1')dnl
define(`confCONNECTION_RATE_THROTTLE',`3')dnl
define(`confDEAD_LETTER_DROP',`/dev/null')dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`nobody')dnl
define(`confDF_BUFFER_SIZE',`16384')dnl
define(`confXF_BUFFER_SIZE',`16384')dnl
define(`confSUPER_SAFE',`true')dnl
define(`confCHECKPOINT_INTERVAL',`10')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`lookupdotdomain')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`bl.spamcop.net')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
define(`confCACERT_PATH',`/etc/ssl/OHPRS/GoDaddy/')dnl
define(`confCACERT',`/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem')dnl
define(`confSERVER_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confSERVER_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
define(`confCLIENT_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confCLIENT_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
INPUT_MAIL_FILTER(`milter-bcc',`S=local:/var/run/milter-bcc.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
MASQUERADE_AS(`ohprs.org')dnl
MASQUERADE_DOMAIN(`ohprs.org')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`always_add_domain')dnl
EXPOSED_USER(`root')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl

Open in new window

Advice?
0
Comment
Question by:jmarkfoley
  • 2
  • 2
5 Comments
 
LVL 17

Accepted Solution

by:
Ivan earned 1000 total points
ID: 40618892
Hi,

you can always use http://mxtoolbox.com/diagnostic.aspx to check if you are relay.
Just enter public name of server, such as mail.domain.com

Regards.
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 1000 total points
ID: 40618917
If you have an new release of sendmail and sendmail.cf, by default those are turned off.

What does /etc/mail/access have in it?

And have you gone to an external (off net) IP and manually done a manual telnet to test that port 25 blocks mail from unknown IPs or unauthenticated senders?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40620402
spriggan13: I did try mxtoolbox.com and it did not say anything about relaying, though I may not have picked the right test.

Jan Springer:
What does /etc/mail/access have in it?
This is the entire /etc/mail/access:
192.168.0       RELAY

webserver.ohprs.org  RELAY
64.129.23.95    RELAY

oldmail.ohprs.org RELAY
64.129.23.80    RELAY

# Voicemail system
66.202.79.114   RELAY
.choiceone.net  RELAY

To:noreply@ohprs.org    ERROR:"550 This address does not receive mail"

Open in new window

The 1st entry is to permit all hosts on the LAN. The 2nd and 3rd entries are for a host which uses *this* host as a 'Smart Host'. The relaying host (webserver) also has an address on the LAN and relays to the mail server's LAN address so probably never sends from the public address, but it's there just in case.

the next two entries are for a host which is powered off.

The last 2 relay entries are for the voice mail computer.
And have you gone to an external (off net) IP and manually done a manual telnet to test that port 25 blocks mail from unknown IPs or unauthenticated senders?
Yes, I've done a manual telnet and can connect just fine. Why would it block? How else would you, for example, send me an email on that host?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 40623785
I think I'm OK, just a bit paranoid with this new configuration. I'm going to consider this closed and if I get nervous again I'll post a new question. Thanks for you help. The mxtoolbox.com site was useful generally.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 40624311
just a side note:  listing allowed relay hosts or subnets by their respective DNS name means that i can change my inverse DNS and spoof your domain name and then send spam through your system.

i always recommend using IP addresses or subnets.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
I have written articles previously comparing SARDU and YUMI.  I also included a couple of lines about Easy2boot (easy2boot.com).  I have now been using, and enjoying easy2boot as my sole multiboot utility for some years and realize that it deserves …
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses
Course of the Month16 days, 1 hour left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question