×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Jobs

Forgrd "From" mail in maillog

Forgrd "From" mail in maillog

Forgrd "From" mail in maillog

(OP)
Hi we're running Fedora Core5 with Sendmail 8.13. I notice a ton of email leaving the server with unknown "from" addreses. Shouldn't mail from our local domain only be allowed to send out?

Thanks
Tim

 

RE: Forgrd "From" mail in maillog

You may have an open relay.  For example, if you have sendmail configured to relay mail if the return address is from one of the domains you host.  Any time you relay based on a local return address, you invite mischief such as address spoofing.  The best way is to not use the access or Relay Domains (CR) files and use smtpauth instead.  By default, smtp mail is handled first then pop3 mail is processed.  The pop3 server requires authentication but it's too late for the outgoing mail at this point.  An original work-around was to use a method called "pop before smtp" but this has given way to smtpauth which is what it shounds like.  It requires your smtp server to require authentication.  It is very easy to setup.  I've explained it a few times here on this forum so you may be able to do a seach for "smtpauth".  If you don't get anywhere with that, I or anyone here will be glad to help you.

   

RE: Forgrd "From" mail in maillog

(OP)
Thanks I'll give a look

RE: Forgrd "From" mail in maillog

Are you running the smtp server as inbound, outbound, or both?  There are several web sites that can verify a open relay.
 

RE: Forgrd "From" mail in maillog

(OP)
I'm not sure, how the smtp server is running. How would I check? I've ran some of the online open relay scans and they all come back "not" an open relay, smtpauth sounds like something I will try.

Thanks
Tim

RE: Forgrd "From" mail in maillog

(OP)
Also, I do have entries in the /etc/mail/access file that need to be there. They are other servers that are configured to send mail. Would that be a problem getting smtpauth to work correctly?

Thanks
Tim

RE: Forgrd "From" mail in maillog

Yes, I believe you cannot use smtpauth in this case if the other servers can't authenticate.  You can restrict the ips you allow to connect to your server.

When you tested open relay, did it say it could connect to port 25?  If not, then you aren't a direct inbound mail gateway.

Are both the To and From not in your domain?  You need to analyze some of the headers to see the origins of the email.

I would check some of the letters to see that possibly that your other servers are acting as an relay (which passes through you).  Even web apps can be fooled into sending forged email.

RE: Forgrd "From" mail in maillog

Anything in "access" is ignored by the smtpauth process and therefor can be exploited by someone wanting to spoof (forge)those domains.  The only thing you really need in the are localhost, localhost.localdomain and 127.0.0.1.  If you don't mind posting your sendmail.mc file, we can take a look at it and see if anything jumps out that shouldn't be there.

      

RE: Forgrd "From" mail in maillog

(OP)
Than how would I relay mail from a unix box through the fedora box?

Here's the sendmail.mc

divert(-1)dnl
dnl #
dnl # This is the sendmail macro config file for m4. If you make changes to
dnl # /etc/mail/sendmail.mc, you will need to regenerate the
dnl # /etc/mail/sendmail.cf file by confirming that the sendmail-cf package is
dnl # installed and then performing a
dnl #
dnl #     make -C /etc/mail
dnl #
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
dnl #
dnl # default logging level is 9, you might want to set it higher to
dnl # debug the configuration
dnl #
dnl define(`confLOG_LEVEL', `9')dnl
dnl #
dnl # Uncomment and edit the following line if your outgoing mail needs to
dnl # be sent out through an external mail server:
dnl #
dnl define(`SMART_HOST',`smtp.your.provider')dnl
dnl #
define(`confDEF_USER_ID',``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl #
dnl # The following allows relaying if the user authenticates, and disallows
dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
dnl #
dnl define(`confAUTH_OPTIONS', `A p')dnl
dnl #
dnl # PLAIN is the preferred plaintext authentication method and used by
dnl # Mozilla Mail and Evolution, though Outlook Express and other MUAs do
dnl # use LOGIN. Other mechanisms should be used if the connection is not
dnl # guaranteed secure.
dnl # Please remember that saslauthd needs to be running for AUTH.
dnl #
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl #
dnl # Rudimentary information on creating certificates for sendmail TLS:
dnl #     cd /usr/share/ssl/certs; make sendmail.pem
dnl # Complete usage:
dnl #     make -C /usr/share/ssl/certs usage
dnl #
dnl define(`confCACERT_PATH',`/etc/pki/tls/certs')dnl
dnl define(`confCACERT',`/etc/pki/tls/certs/ca-bundle.crt')dnl
dnl define(`confSERVER_CERT',`/etc/pki/tls/certs/sendmail.pem')dnl
dnl define(`confSERVER_KEY',`/etc/pki/tls/certs/sendmail.pem')dnl
dnl #
dnl # This allows sendmail to use a keyfile that is shared with OpenLDAP's
dnl # slapd, which requires the file to be readble by group ldap
dnl #
dnl define(`confDONT_BLAME_SENDMAIL',`groupreadablekeyfile')dnl
dnl #
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
define(`confTO_IDENT', `0')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
dnl #
dnl # The following limits the number of processes sendmail can fork to accept
dnl # incoming messages or process its message queues to 12.) sendmail refuses
dnl # to accept connections once it has reached its quota of child processes.
dnl #
dnl define(`confMAX_DAEMON_CHILDREN', 12)dnl
dnl #
dnl # Limits the number of new connections per second. This caps the overhead
dnl # incurred due to forking new sendmail processes. May be useful against
dnl # DoS attacks or barrages of spam. (As mentioned below, a per-IP address
dnl # limit would be useful but is not available as an option at this writing.)
dnl #
dnl define(`confCONNECTION_RATE_THROTTLE', 3)dnl
dnl #
dnl # The -t option will retry delivery if e.g. the user runs over his quota.
dnl #
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl #
dnl # For using Cyrus-IMAPd as POP3/IMAP server through LMTP delivery uncomment
dnl # the following 2 definitions and activate below in the MAILER section the
dnl # cyrusv2 mailer.
dnl #
dnl define(`confLOCAL_MAILER', `cyrusv2')dnl
dnl define(`CYRUSV2_MAILER_ARGS', `FILE /var/lib/imap/socket/lmtp')dnl
dnl #
dnl # The following causes sendmail to only listen on the IPv4 loopback address
dnl # 127.0.0.1 and not on any other network devices. Remove the loopback
dnl # address restriction to accept email from the internet or intranet.
dnl #
dnl #DAEMON_OPTIONS(`Port=smtp,Addr=172.17.1.5, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 587 for
dnl # mail from MUAs that authenticate. Roaming users who can't reach their
dnl # preferred sendmail daemon due to port 25 being blocked or redirected find
dnl # this useful.
dnl #
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl #
dnl # The following causes sendmail to additionally listen to port 465, but
dnl # starting immediately in TLS mode upon connecting. Port 25 or 587 followed
dnl # by STARTTLS is preferred, but roaming clients using Outlook Express can't
dnl # do STARTTLS on ports other than 25. Mozilla Mail can ONLY use STARTTLS
dnl # and doesn't support the deprecated smtps; Evolution <1.1.1 uses smtps
dnl # when SSL is enabled-- STARTTLS support is available in version 1.1.1.
dnl #
dnl # For this to work your OpenSSL certificates must be configured.
dnl #
dnl DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
dnl #
dnl # The following causes sendmail to additionally listen on the IPv6 loopback
dnl # device. Remove the loopback address restriction listen to the network.
dnl #
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl
dnl #
dnl # enable both ipv6 and ipv4 in sendmail:
dnl #
dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet, Name=MTA-v6, Family=inet6')
dnl #
dnl # We strongly recommend not accepting unresolvable domains if you want to
dnl # protect yourself from spam. However, the laptop and users on computers
dnl # that do not have 24x7 DNS do need this.
dnl #
FEATURE(`accept_unresolvable_domains')dnl
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
dnl # Also accept email sent to "localhost.localdomain" as local email.
dnl #
LOCAL_DOMAIN(`netmax.jonesmotor.com')dnl
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
dnl MASQUERADE_AS(`jonesmotor.com')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
dnl FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
dnl MASQUERADE_DOMAIN(mydomainalias.com)dnl
dnl MASQUERADE_DOMAIN(mydomain.lan)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
 

RE: Forgrd "From" mail in maillog

Did you build/rebuild access database?  Can you post (in generic terms) what is in /etc/mail/access?

RE: Forgrd "From" mail in maillog

(OP)
The current access file

# Check the /usr/share/doc/sendmail/README.cf file for a description
# of the format of this file. (search for access_db in that file)
# The /usr/share/doc/sendmail/README.cf is part of the sendmail-doc
# package.
#
# by default we allow relaying from localhost...
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:172.17.1.5                      RELAY
Connect:127.0.0.1                       RELAY
Connect:192.99.99.163                   RELAY
Connect:172.17.2                        RELAY
Connect:172.17.3                        RELAY

#Phone system
Connect:172.18.1.3                      RELAY
Connect:172.18.1.13                     RELAY


#Don Sheehy
Connect:68.54.66.135                    RELAY
Connect:144.232.229.142                 RELAY
#Avalon NJ
Connect:12.35.247.34                    RELAY

#Scan Stations
Connect:172.17.1.102                    RELAY
Connect:172.17.1.103                    RELAY
Connect:172.17.1.104                    RELAY

sbowen@veneziainc.com                   REJECT
sharicecloe@yahoo.com                   REJECT
 

RE: Forgrd "From" mail in maillog

And the obvious question, you do know how to rebuild it? (I have to ask)...

RE: Forgrd "From" mail in maillog

(OP)
Yes I do. It's starts with a makemap command

RE: Forgrd "From" mail in maillog

(OP)
So does it look like I can setup smtpauth?

Also if every test I run says I'm not an open relay, why are there hundreds of unknown emails leaving my mail server.

Can anyone explain how the originator of these email gained access?

Thanks

Tim  

RE: Forgrd "From" mail in maillog

I think that is the point.  You first need to trace back some of those messages through the log to figure out how they are getting to your system.  If they were relayed from one of your other hosts, or originated from your box.  By "relay" you are "trusting" those hosts.  SMTPauth is mostly used by email clients (eudora, outlook, etc.) not intended for server to server operations.

The times I was compromised:

A web application that was allowing crafting of mail.
A PC that was compromised.
A unix box that was hosting an illegal mailing list.
A unix box that someone was using as a mass mailer.

None of these were on my relay itself but were in my trusted network...
 

RE: Forgrd "From" mail in maillog

(OP)
Here is an example of one of the foreign emails leaving my server:

Jun 12 08:22:00 netmax sendmail[13852]: m5CCLrKl013852: from=<eicndmule@bluewavestrategies.com>, size=2376, class=0, nrcpts=1, msgid=<01c8cc9f$cd857100$ef1a645c@eicndmule>, proto=SMTP, daemon=MTA, relay=ppp92-100-26-239.pppoe.avangarddsl.ru [92.100.26.239]

How I could trace this back to anything in my trusted network?

Tim  

RE: Forgrd "From" mail in maillog

There should be a matching to: line, in this case it should be marked as m5CCLrKl013852.  I assume 92.100.26.239 isn't your network...if this is outbound gateway only, you don't need port 25 open inbound.

RE: Forgrd "From" mail in maillog

(OP)
How can I trace the origin of outgoing email from my lan? The /var/log/maillog does not show the computer that sent the email. Are there any other logs I can view? Are there any utilities that can be installed?

Thanks
Tim

RE: Forgrd "From" mail in maillog

Going by the example, the answer is right there.

The origin IP is 92.100.26.239, and if that isn't your IP range AND the TO is not to you AND you don't deny it or reject it, then you have a relay problem.

If the TO is to you, then you this is most likely spam and you need to install some antispam package.

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close