Mark
asked on
How do I tell if I'm being used as a relay
I just fired up a new sendmail mail server, but I'm getting odd-looking log messages and I'm wondering if it's being used as a relay. The messages look like:
Feb 19 08:54:34 mail sm-mta[16262]: t1HHNKgC027661: to=<jkkalisz@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:31:14, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:34 mail sm-mta[16262]: t1HHflwx028217: to=<crhawn@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=1+20:12:47, xdelay=00:00:00, mailer=esmtp, pri=10366932, relay=mx.bex.net.cust.b.hostedemail.com., dsn=4.0.0, stat=Deferred
Feb 19 08:54:39 mail sm-mta[16262]: STARTTLS=client, relay=aln-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:45 mail sm-mta[16262]: STARTTLS=client, relay=scc-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Feb 19 08:54:51 mail sm-mta[16262]: STARTTLS=client, relay=frf-mailrelay.att.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Here's my .mc file:
include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
DOMAIN(generic)dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confTO_IDENT', `0')dnl
define(`confBAD_RCPT_THROTTLE',`1')dnl
define(`confCONNECTION_RATE_THROTTLE',`3')dnl
define(`confDEAD_LETTER_DROP',`/dev/null')dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`nobody')dnl
define(`confDF_BUFFER_SIZE',`16384')dnl
define(`confXF_BUFFER_SIZE',`16384')dnl
define(`confSUPER_SAFE',`true')dnl
define(`confCHECKPOINT_INTERVAL',`10')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`lookupdotdomain')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`bl.spamcop.net')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
define(`confCACERT_PATH',`/etc/ssl/OHPRS/GoDaddy/')dnl
define(`confCACERT',`/etc/ssl/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem')dnl
define(`confSERVER_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confSERVER_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
define(`confCLIENT_CERT',`/etc/ssl/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt')dnl
define(`confCLIENT_KEY',`/etc/ssl/OHPRS/GoDaddy/mail.ohprs.org.key')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
define(`confMILTER_MACROS_ENVRCPT',`r, v, Z')dnl
INPUT_MAIL_FILTER(`milter-bcc',`S=local:/var/run/milter-bcc.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
MASQUERADE_AS(`ohprs.org')dnl
MASQUERADE_DOMAIN(`ohprs.org')dnl
FEATURE(`allmasquerade')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`masquerade_entire_domain')dnl
FEATURE(`always_add_domain')dnl
EXPOSED_USER(`root')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Advice?
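One way to answer the question from the logs themselves, added here as an example (this is not code from the question, from any answer, or from sendmail): sendmail logs each message as a from= record, which names the connecting client and its bracketed IP address, plus one or more to= records, which name the recipients; both carry the same queue id. Relaying means a message that arrived from a network client outside the hosts you intentionally trust and was delivered to a recipient outside your own domains. The local domains, trusted networks and sample log lines below are constructed assumptions, not values from the post.

```python
"""Flag third-party relaying in sendmail logs (added example, not from the thread).

Pairs each message's from= record (connecting client) with its to= records
(recipients) by queue id, then reports messages that came from an untrusted
network client and went to at least one non-local recipient.
"""
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the post): our own domains and the networks that are
# deliberately allowed to relay through this server.
LOCAL_DOMAINS = {"ohprs.org", "mail.ohprs.org", "localhost.localdomain"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]   # constructed LAN

# Constructed sample log (not copied from the post): a LAN client sending
# outbound, a locally submitted daemon message, and an external client relaying.
SAMPLE_LOG = """\
Feb 19 08:50:01 mail sm-mta[16101]: t1JDo1aa016101: from=<web@ohprs.org>, size=512, class=0, nrcpts=1, msgid=<a@ohprs.org>, proto=ESMTP, daemon=MTA, relay=web.ohprs.org [192.168.1.20]
Feb 19 08:50:02 mail sm-mta[16102]: t1JDo1aa016101: to=<someone@example.net>, ctladdr=<web@ohprs.org> (2/2), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.example.net. [203.0.113.25], dsn=2.0.0, stat=Sent
Feb 19 08:51:10 mail sm-mta[16110]: t1JDp9bb016110: from=<daemon@ohprs.org>, size=300, class=0, nrcpts=1, msgid=<b@ohprs.org>, relay=daemon@localhost
Feb 19 08:51:11 mail sm-mta[16111]: t1JDp9bb016110: to=<user@bex.net>, ctladdr=<daemon@ohprs.org> (2/2), delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=30300, relay=mx.bex.net., dsn=4.0.0, stat=Deferred
Feb 19 08:52:30 mail sm-mta[16120]: t1JDqUcc016120: from=<promo@spammer.example>, size=9000, class=0, nrcpts=2, msgid=<c@spammer.example>, proto=ESMTP, daemon=MTA, relay=[198.51.100.77]
Feb 19 08:52:31 mail sm-mta[16121]: t1JDqUcc016120: to=<victim1@example.org>,<victim2@example.org>, ctladdr=<promo@spammer.example> (2/2), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=39000, relay=mx.example.org. [203.0.113.40], dsn=2.0.0, stat=Sent
"""

QID_RE = re.compile(r"sm-mta\[\d+\]: (\w+): (.*)$")
CLIENT_IP_RE = re.compile(r"relay=.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RCPTS_RE = re.compile(r"to=((?:<[^>]*>,?)+)")


def parse_log(text):
    """Group from=/to= records by queue id.

    client_ip stays None when the from= record carries no bracketed address,
    which is how sendmail logs locally submitted mail (relay=daemon@localhost).
    """
    msgs = defaultdict(lambda: {"has_from": False, "client_ip": None, "rcpts": []})
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:                       # STARTTLS= and other records without a queue id
            continue
        qid, rest = m.groups()
        if rest.startswith("from="):
            msgs[qid]["has_from"] = True
            ipm = CLIENT_IP_RE.search(rest)
            if ipm:
                msgs[qid]["client_ip"] = ipaddress.ip_address(ipm.group(1))
        elif rest.startswith("to="):
            rm = RCPTS_RE.search(rest)
            if rm:                      # one to= record may list several recipients
                msgs[qid]["rcpts"].extend(
                    a.strip("<>") for a in rm.group(1).split(",") if a)
    return msgs


def find_relay_abuse(text, trusted_nets=TRUSTED_NETS, local_domains=LOCAL_DOMAINS):
    """Return (queue_id, client_ip, external_recipients) for suspected relaying."""
    flagged = []
    for qid, rec in parse_log(text).items():
        # Recipients without an @ are local deliveries; everything else is
        # compared against our own domains.
        external = [r for r in rec["rcpts"]
                    if "@" in r and r.rpartition("@")[2].lower() not in local_domains]
        if not external or not rec["has_from"]:
            continue                    # inbound mail to our users, or incomplete record
        ip = rec["client_ip"]
        if ip is None:
            continue                    # submitted on this box (cron, web app, daemon)
        if any(ip in net for net in trusted_nets):
            continue                    # a host we deliberately allow to relay
        flagged.append((qid, str(ip), external))
    return flagged


if __name__ == "__main__":
    for qid, ip, rcpts in find_relay_abuse(SAMPLE_LOG):
        print(f"possible relay abuse: {qid} from {ip} to {', '.join(rcpts)}")
```

Run against a real maillog by replacing SAMPLE_LOG with the file contents and filling LOCAL_DOMAINS and TRUSTED_NETS from your own access map. Messages with ctladdr=<daemon@ohprs.org> and no client address, like the Deferred ones in the question, come out as local submissions, not relaying; a hit from an address outside the trusted networks to a foreign domain is the pattern to worry about.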
ASKER
I think I'm OK, just a bit paranoid with this new configuration. I'm going to consider this closed and if I get nervous again I'll post a new question. Thanks for your help. The mxtoolbox.com site was useful generally.
Just a side note: listing allowed relay hosts or subnets by their respective DNS name means that I can change my inverse DNS and spoof your domain name and then send spam through your system.
I always recommend using IP addresses or subnets.
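As an added illustration of the point above (example code, not from the thread or from sendmail): a small audit of an access map source file, the text you feed to makemap, that reports RELAY grants keyed on a client hostname or on an envelope sender rather than on an address or dotted network prefix. The sample access file is constructed; the asker's real /etc/mail/access is not reproduced on the page.

```python
"""Audit a sendmail access map for RELAY entries that hinge on names.

Added example, not from the thread. Each line of the access source is
`key value`; keys may carry a Connect:/From:/To: tag. A key like
`192.168.1` is a dotted prefix matching 192.168.1.0/24; anything else
that is not an address is a hostname or domain.
"""
import re

# Constructed sample; the asker's real /etc/mail/access is not on the page.
SAMPLE_ACCESS = """\
# LAN may relay (dotted prefix = 192.168.1.0/24)
Connect:192.168.1               RELAY
# web server, by name and by address
Connect:www.example-web.org     RELAY
Connect:203.0.113.10            RELAY
# voice mail box
Connect:voicemail.example.org   RELAY
Connect:198.51.100.5            RELAY
# blocked sender domain
From:spam.example               REJECT
127.0.0.1                       RELAY
From:partner.example            RELAY
To:secondary-mx.example         RELAY
"""

TAGS = ("Connect:", "From:", "To:", "Spam:")
DOTTED_PREFIX = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,3}$")

NAME_KEYED = ("RELAY keyed on the client's hostname, which is derived from DNS; "
              "prefer the address or network prefix")
SENDER_KEYED = ("RELAY keyed on the envelope sender (From:); "
                "any client can claim that sender")


def split_tag(key):
    """'Connect:192.168.1' -> ('Connect', '192.168.1'); untagged keys give ('', key)."""
    for tag in TAGS:
        if key.startswith(tag):
            return tag[:-1], key[len(tag):]
    return "", key


def is_address_key(body):
    """True for an IPv4 address/dotted prefix or an IPv6: key."""
    return bool(DOTTED_PREFIX.match(body)) or body.startswith("IPv6:")


def audit_access(text):
    """Return (line_no, key, reason) for each RELAY entry worth a second look."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            findings.append((line_no, line, "malformed entry (no value)"))
            continue
        key, value = parts
        if value.strip().upper() != "RELAY":
            continue                    # OK/REJECT/DISCARD/error: are not relay grants
        tag, body = split_tag(key)
        if tag == "From":
            findings.append((line_no, key, SENDER_KEYED))
        elif tag in ("", "Connect") and not is_address_key(body):
            findings.append((line_no, key, NAME_KEYED))
        # To:domain RELAY only says we accept mail *for* that domain; not flagged.
    return findings


if __name__ == "__main__":
    for line_no, key, reason in audit_access(SAMPLE_ACCESS):
        print(f"line {line_no}: {key}: {reason}")
```

Point it at your own access source (not the .db) and every finding is an entry where relaying is decided by something the connecting party influences. Replacing a hostname key with the host's address, or with a dotted prefix for a whole LAN, keeps the grant but ties it to the connection's source address instead.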
ASKER
Jan Springer: This is the entire /etc/mail/access:
The 1st entry is to permit all hosts on the LAN. The 2nd and 3rd entries are for a host which uses *this* host as a 'Smart Host'. The relaying host (webserver) also has an address on the LAN and relays to the mail server's LAN address, so it probably never sends from the public address, but it's there just in case. The next two entries are for a host which is powered off.
The last 2 relay entries are for the voice mail computer.
Yes, I've done a manual telnet and can connect just fine. Why would it block? How else would you, for example, send me an email on that host?