Solved

How do I tell if I'm being used as a relay

Posted on 2015-02-19
Last Modified: 2015-02-22
I just fired up a new sendmail mail server, but I'm getting odd-looking log messages and I'm wondering if it's being used as a relay. Messages are like:
Feb 19 08:54:34 mail sm-mta[16262]: t1HHNKgC027661: to=<jkkalisz@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:31:14, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:34 mail sm-mta[16262]: t1HHflwx028217: to=<crhawn@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:12:47, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:39 mail sm-mta[16262]: STARTTLS=client, relay=aln-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:45 mail sm-mta[16262]: STARTTLS=client, relay=scc-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:51 mail sm-mta[16262]: STARTTLS=client, relay=frf-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256


Here's my .mc file:
include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
DOMAIN(generic)dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl
define(`confBAD_RCPT_THROTTLE',`1')dnl
define(`confCONNECTION_RATE_THROTTLE',`3')dnl
define(`confDEAD_LETTER_DROP',`/dev/null')dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`nobody')dnl
define(`confDF_BUFFER_SIZE',`16384')dnl
define(`confXF_BUFFER_SIZE',`16384')dnl
define(`confSUPER_SAFE',`true')dnl
define(`confCHECKPOINT_INTERVAL',`10')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`lookupdotdomain')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`bl.spamcop.net')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
define(`confCACERT_PATH',`/etc/ssl/OHPRS/GoDaddy/')dnl
define(`confCACERT',`/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem')dnl
define(`confSERVER_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confSERVER_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
define(`confCLIENT_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confCLIENT_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
INPUT_MAIL_FILTER(`milter-bcc',`S=local:/var/run/milter-bcc.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
MASQUERADE_AS(`ohprs.org')dnl
MASQUERADE_DOMAIN(`ohprs.org')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`always_add_domain')dnl
EXPOSED_USER(`root')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl


Advice?
Question by:jmarkfoley
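On the `to=` lines pasted above, `relay=` is the next hop (where sendmail is sending the message), not where it came from; `ctladdr=<daemon@ohprs.org> (2/2)` means the message was handed to sendmail by a local process (the uid/gid pair is only logged for local submissions). The client that submitted a message is recorded on the `from=` line that shares the same queue ID. The script below is an added example, not code from this thread: it pairs `from=` and `to=` lines by queue ID and flags messages whose submitting client is neither local nor one of the hosts permitted to relay while at least one recipient is outside the local domains. The log lines are constructed for the example (the poster's `to=` line is reused with an invented matching `from=` line), and the local domain list, the 192.168.0.0/24 mask and the web server's LAN address 192.168.0.5 are assumptions.

```python
"""Find messages this sendmail host relayed on behalf of untrusted clients.

A 'to=' line's relay= is the NEXT hop.  The client that gave us the message is
on the 'from=' line with the same queue ID.  Relaying for a stranger means:
that client is neither local submission nor a permitted relay client, AND at
least one recipient is not in our own domains.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for the example.  Addresses come from the poster's access file;
# the /24 mask and the web server's LAN address are guesses.
LOCAL_DOMAINS = {"ohprs.org", "mail.ohprs.org", "localhost", "localhost.localdomain"}
TRUSTED_CLIENTS = [ip_network(n) for n in (
    "127.0.0.0/8", "192.168.0.0/24",
    "64.129.23.95/32", "64.129.23.80/32", "66.202.79.114/32")]

LINE_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample log.  Only the t1HHNKgC027661 'to=' line is from the post.
SAMPLE_LOG = [
    "Feb 19 08:54:30 mail sm-mta[27661]: t1HHNKgC027661: from=<daemon@ohprs.org>, size=812, class=0, nrcpts=1, msgid=<201502171723.t1HHNKgC027661@mail.ohprs.org>, relay=daemon@localhost",
    "Feb 19 08:54:34 mail sm-mta[16262]: t1HHNKgC027661: to=<jkkalisz@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:31:14, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred",
    # inbound mail for a local user from an outside MTA: delivery, not relaying
    "Feb 19 08:55:10 mail sm-mta[16301]: t1JDtAxy016301: from=<someone@example.net>, size=2048, class=0, nrcpts=1, msgid=<abc@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [198.51.100.7]",
    "Feb 19 08:55:11 mail sm-mta[16303]: t1JDtAxy016301: to=<jmarkfoley@ohprs.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent",
    # the web server using us as a smart host: permitted by the access file
    "Feb 19 08:56:02 mail sm-mta[16340]: t1JDu2aa016340: from=<www@webserver.ohprs.org>, size=1500, class=0, nrcpts=1, msgid=<def@webserver.ohprs.org>, proto=ESMTP, daemon=MTA, relay=webserver.ohprs.org [192.168.0.5]",
    "Feb 19 08:56:03 mail sm-mta[16342]: t1JDu2aa016340: to=<member@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31500, relay=mx.example.com. [192.0.2.25], dsn=2.0.0, stat=Sent",
    # unknown outside client, outside recipient: this is relaying for a stranger
    "Feb 19 08:57:40 mail sm-mta[16390]: t1JDvezz016390: from=<bounce@spammer.example>, size=9000, class=0, nrcpts=1, msgid=<ghi@spammer.example>, proto=SMTP, daemon=MTA, relay=[203.0.113.44]",
    "Feb 19 08:57:41 mail sm-mta[16392]: t1JDvezz016390: to=<victim@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=39000, relay=mx.example.org. [192.0.2.80], dsn=2.0.0, stat=Sent",
    "Feb 19 08:57:45 mail sm-mta[16392]: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256",
]


def parse_line(line):
    """Return (qid, {field: value}), or None for lines without a queue ID (STARTTLS=..., etc.)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    # sendmail separates fields with ", "; only a msgid containing ", " would mis-split.
    for part in m.group("rest").split(", "):
        key, sep, val = part.partition("=")
        if sep:
            fields[key] = val
    return m.group("qid"), fields


def client_is_trusted(relay_field):
    """Classify a from= line's relay=: local submission or a permitted relay client."""
    if relay_field.endswith("@localhost"):     # sendmail -t / local process submission
        return True
    m = IP_RE.search(relay_field)
    if not m:
        return False                           # nothing to check against: untrusted
    addr = ip_address(m.group(1))
    return any(addr in net for net in TRUSTED_CLIENTS)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def find_relayed(lines):
    """Return {qid: {"client", "sender", "external_rcpts"}} for messages relayed for strangers."""
    sources, rcpts = {}, defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        qid, f = parsed
        if "from" in f:
            sources[qid] = (f["from"].strip("<>"), f.get("relay", ""))
        elif "to" in f:
            rcpts[qid].extend(ADDR_RE.findall(f["to"]))
    suspects = {}
    for qid, (sender, relay) in sources.items():
        if client_is_trusted(relay):
            continue
        external = [r for r in rcpts.get(qid, []) if domain_of(r) not in LOCAL_DOMAINS]
        if external:
            suspects[qid] = {"client": relay, "sender": sender, "external_rcpts": external}
    return suspects


if __name__ == "__main__":
    for qid, info in find_relayed(SAMPLE_LOG).items():
        print(qid, "relayed for", info["client"], "from", info["sender"], "to", info["external_rcpts"])
```

Run it over `/var/log/maillog` instead of `SAMPLE_LOG` to check the real box; a `from=` line whose `relay=` is an unknown outside address, paired with a `to=` line for a domain that is not yours, is the signature of relaying. Inbound mail from strangers addressed to your own users is normal and is not flagged.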
5 Comments

Accepted Solution by Ivan (LVL 17, earned 1000 total points), ID: 40618892
Hi,

you can always use http://mxtoolbox.com/diagnostic.aspx to check if you are a relay.
Just enter public name of server, such as mail.domain.com

Regards.

Assisted Solution by Jan Springer (LVL 29, earned 1000 total points), ID: 40618917
If you have a new release of sendmail and sendmail.cf, by default those are turned off.

What does /etc/mail/access have in it?

And have you gone to an external (off net) IP and done a manual telnet to test that port 25 blocks mail from unknown IPs or unauthenticated senders?
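The off-net telnet test Jan describes, scripted, as an added example that is not code from this thread. The probe runs the SMTP exchange the test consists of (banner, EHLO, MAIL FROM at one outside domain, RCPT TO at a second outside domain, then RSET and QUIT so nothing is queued) and reports whether the relay recipient was accepted. The FakeMta class is a constructed in-memory stand-in so the code runs offline; the host names, addresses and reply strings are assumptions. Use probe_host() against the real server, and do it from an address that is not in /etc/mail/access: from the LAN a 250 is expected and proves nothing.

```python
"""Scripted version of the off-net relay test.

Offer the MTA a sender at one outside domain and a recipient at another.
sendmail's stock check_rcpt answers "550 5.7.1 ... Relaying denied" when the
client may not relay; an open relay answers 250.  The transaction is dropped
with RSET before DATA, so no message is queued even on an open relay.
"""
import socket


def read_reply(rfile):
    """Read one SMTP reply (joining '250-' continuation lines); return (code, text)."""
    text = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        text.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250 x" ends the reply, "250-x" continues it
            return int(line[:3]), "\n".join(text)


def probe_relay(rfile, wfile, helo_name, mail_from, rcpt_to):
    """Banner, EHLO, MAIL FROM, RCPT TO, RSET, QUIT over a file-like pair.

    Returns {"accepted": True/False/None, "code": last reply code, "transcript": [...]}.
    accepted is None when EHLO or MAIL FROM was refused, so there is no relay verdict.
    """
    transcript = []

    def send(cmd):
        wfile.write((cmd + "\r\n").encode("ascii"))
        wfile.flush()
        code, text = read_reply(rfile)
        transcript.append((cmd, code, text))
        return code

    code, banner = read_reply(rfile)
    transcript.append(("", code, banner))
    result = {"accepted": None, "code": code, "transcript": transcript}
    if code != 220:
        return result
    result["code"] = send("EHLO " + helo_name)
    if result["code"] != 250:
        send("QUIT")
        return result
    # mail_from's domain must resolve: sendmail rejects an unresolvable sender
    # domain before the relay decision, which would masquerade as a closed relay.
    result["code"] = send("MAIL FROM:<%s>" % mail_from)
    if result["code"] != 250:
        send("QUIT")
        return result
    result["code"] = send("RCPT TO:<%s>" % rcpt_to)
    result["accepted"] = result["code"] == 250
    send("RSET")            # abandon the transaction: no DATA, nothing queued
    send("QUIT")
    return result


def probe_host(host, port=25, timeout=20, **probe_args):
    """Probe a live MTA.  Run from an address that is NOT in the target's access file."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe_relay(rfile, wfile, **probe_args)


class FakeMta:
    """Constructed stand-in for an MTA (not a real server): canned sendmail-style replies.

    Accepts recipients in its own domains; relays for everybody only if open_relay=True.
    """
    def __init__(self, local_domains, open_relay=False):
        self.local = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.pending = []
        self._reply("220 mta.example.test ESMTP")

    def _reply(self, text):
        for line in text.split("\n"):
            self.pending.append((line + "\r\n").encode("ascii"))

    def write(self, data):
        verb, _, arg = data.decode("ascii").strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self._reply("250-mta.example.test Hello %s\n250 STARTTLS" % arg)
        elif verb == "MAIL":
            self._reply("250 2.1.0 Sender ok")
        elif verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rsplit("@", 1)[-1].lower()
            if self.open_relay or domain in self.local:
                self._reply("250 2.1.5 Recipient ok")
            else:
                self._reply("550 5.7.1 <%s>... Relaying denied" % addr)
        elif verb in ("RSET", "QUIT"):
            self._reply("250 2.0.0 Reset state" if verb == "RSET" else "221 2.0.0 closing connection")
        else:
            self._reply("500 5.5.1 Command unrecognized")

    def flush(self):
        pass

    def readline(self):
        return self.pending.pop(0) if self.pending else b""


if __name__ == "__main__":
    mta = FakeMta(["ohprs.org"])
    verdict = probe_relay(mta, mta, "probe.example.test", "probe@example.test", "victim@example.org")
    for cmd, code, text in verdict["transcript"]:
        print(("C: %s\n" % cmd if cmd else "") + "S: %d %s" % (code, text))
    print("OPEN RELAY" if verdict["accepted"] else "relay denied (%d)" % verdict["code"])
```

Two caveats when reading the result: a recipient in the server's own domains is accepted by every correctly configured MTA (that is delivery, not relaying), so both addresses must be outside; and some MTAs accept every RCPT and reject or discard at DATA, so a 250 here is strong evidence on sendmail but the conclusive test elsewhere is whether the message actually arrives.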

Author Comment by jmarkfoley (LVL 1), ID: 40620402
spriggan13: I did try mxtoolbox.com and it did not say anything about relaying, though I may not have picked the right test.

Jan Springer:
What does /etc/mail/access have in it?
This is the entire /etc/mail/access:
192.168.0       RELAY

webserver.ohprs.org  RELAY
64.129.23.95    RELAY

oldmail.ohprs.org RELAY
64.129.23.80    RELAY

# Voicemail system
66.202.79.114   RELAY
.choiceone.net  RELAY

To:noreply@ohprs.org    ERROR:"550 This address does not receive mail"


The 1st entry is to permit all hosts on the LAN. The 2nd and 3rd entries are for a host which uses *this* host as a 'Smart Host'. The relaying host (webserver) also has an address on the LAN and relays to the mail server's LAN address so probably never sends from the public address, but it's there just in case.

The next two entries are for a host which is powered off.

The last 2 relay entries are for the voice mail computer.
And have you gone to an external (off net) IP and manually done a manual telnet to test that port 25 blocks mail from unknown IPs or unauthenticated senders?
Yes, I've done a manual telnet and can connect just fine. Why would it block? How else would you, for example, send me an email on that host?

Author Comment by jmarkfoley (LVL 1), ID: 40623785
I think I'm OK, just a bit paranoid with this new configuration. I'm going to consider this closed and if I get nervous again I'll post a new question. Thanks for your help. The mxtoolbox.com site was useful generally.

Expert Comment by Jan Springer (LVL 29), ID: 40624311
Just a side note: listing allowed relay hosts or subnets by their respective DNS name means that I can change my inverse DNS and spoof your domain name and then send spam through your system.

I always recommend using IP addresses or subnets.
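A small checker for the point Jan makes, added here as an example and not code from this thread or from sendmail. It reads an access file and flags RELAY entries keyed on a host or domain name (matched against the client's reverse DNS, which the client's network owner controls). It also flags, as an extra caveat beyond Jan's note, entries with no `Connect:` tag: an untagged entry is looked up for recipient domains too (and, if FEATURE(`relay_mail_from') were enabled, for sender domains), so `.choiceone.net RELAY` additionally lets anyone relay mail addressed to *.choiceone.net through this host; `Connect:` confines the entry to the connecting client. The posted access file is embedded as sample input; the finding categories and suggested rewrites are the example's own.

```python
"""Lint /etc/mail/access for RELAY entries an outsider could satisfy.

Constructed checker, not sendmail code.  Findings:
  hostname  - RELAY keyed on a host/domain name; matched against the client's
              reverse DNS, which the client's network owner controls.
  untagged  - no Connect:/From:/To: tag, so the key is also looked up for
              recipient domains (and for sender domains with relay_mail_from).
  from_tag  - From:... RELAY trusts the envelope sender, which anyone can forge.
"""
import re

IP_PREFIX_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")   # 192.168.0 or 64.129.23.95
TAGS = ("Connect:", "From:", "To:", "Spam:")

# The access file from the post above, used as sample input.
POSTED_ACCESS = """\
192.168.0       RELAY

webserver.ohprs.org  RELAY
64.129.23.95    RELAY

oldmail.ohprs.org RELAY
64.129.23.80    RELAY

# Voicemail system
66.202.79.114   RELAY
.choiceone.net  RELAY

To:noreply@ohprs.org    ERROR:"550 This address does not receive mail"
"""


def parse_access(text):
    """Yield (lineno, lhs, rhs) per entry; blank lines and '#' comment lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield n, parts[0], (parts[1] if len(parts) > 1 else "")


def split_tag(lhs):
    """'Connect:192.168.0' -> ('Connect', '192.168.0'); an untagged key -> ('', key)."""
    for t in TAGS:
        if lhs.lower().startswith(t.lower()):
            return t[:-1], lhs[len(t):]
    return "", lhs


def lint_access(text):
    """Return findings as {"line", "lhs", "issue", "suggest"} dicts for RELAY entries."""
    findings = []
    for n, lhs, rhs in parse_access(text):
        if rhs.upper() != "RELAY":
            continue                   # OK/REJECT/ERROR/DISCARD entries grant no relaying
        tag, key = split_tag(lhs)
        is_ip = bool(IP_PREFIX_RE.match(key)) or key.upper().startswith("IPV6:")
        if not is_ip and tag in ("", "Connect"):
            findings.append({"line": n, "lhs": lhs, "issue": "hostname",
                             "suggest": "key on the client's IP address or octet prefix"})
        if tag == "":
            findings.append({"line": n, "lhs": lhs, "issue": "untagged",
                             "suggest": "Connect:" + key if is_ip else "Connect:<ip-address>"})
        elif tag == "From":
            findings.append({"line": n, "lhs": lhs, "issue": "from_tag",
                             "suggest": "relay by client address (Connect:) or SMTP AUTH"})
    return findings


if __name__ == "__main__":
    for f in lint_access(POSTED_ACCESS):
        print("line %d: %-22s %-9s -> %s" % (f["line"], f["lhs"], f["issue"], f["suggest"]))
```

Against the posted file this reports the three name-keyed entries (webserver.ohprs.org, oldmail.ohprs.org, .choiceone.net) and suggests `Connect:` forms for the address-keyed ones. Replacing `.choiceone.net` needs the voicemail provider's actual address range, which is not on this page. Remember to rebuild the map (`makemap hash /etc/mail/access < /etc/mail/access`) after editing.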