Jerry Geis geisj@pagestation.com wrote (with a few extraneous bits removed):
------------ Original Message ------------
Date: Wednesday, November 12, 2008 03:33:11 PM -0500
From: Jerry Geis geisj@pagestation.com
To: CentOS ML centos@centos.org
Subject: [CentOS] close open relay
hi all, running centos 4.7 i686.
I seem to have an open relay sendmail server. How do I close it?
I have the STRAIGHT centos install sendmail.mc file. Only thing I changed was: dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
so as to allow incoming email and not just localhost. however this seems to relay everyone.
I looked at http://www.sendmail.org/tips/relaying but it just talks about (AFAICT) enabling specific relays to occur - not how to CLOSE the relaying.
How do I close the relay?
Jerry
------------ End Original Message ------------
....
Sure enough I tried your test and that looks good...
However, when I run this test:
HELO example.com
MAIL From: TheBoss@example.com
RCPT To: geisj@pagestation.com
DATA
Subject: Think we're insecure...
I have a feeling our mail server is being abused...
..
QUIT
and paste that into port 25 of my server (telnet I'm talking) I get the email and I should not (I presume) as I am not example.com.
Jerry
The bottom of the file /etc/sendmail.mc should look like the following (change my domain, davenjudy.org, to whatever is appropriate for your domain). This won't get rid of any open relay problems but will at least fix the "example.com" issue:
...
dnl #
dnl # The following example makes mail from this host and any additional
dnl # specified domains appear to be sent from mydomain.com
dnl #
MASQUERADE_AS(`davenjudy.org')dnl
dnl #
dnl # masquerade not just the headers, but the envelope as well
dnl #
dnl FEATURE(masquerade_envelope)dnl
dnl #
dnl # masquerade not just @mydomainalias.com, but @*.mydomainalias.com as well
dnl #
FEATURE(masquerade_entire_domain)dnl
dnl #
dnl MASQUERADE_DOMAIN(localhost)dnl
dnl MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(local.davenjudy.org)dnl
MASQUERADE_DOMAIN(davenjudy.org)dnl
As for possibly having an open relay, you also want to make sure that the following line is commented out (has dnl at the beginning):
dnl #
dnl FEATURE(`relay_based_on_MX')dnl
dnl #
Finally, you'll need a line like:
FEATURE(`relay_entire_domain')dnl
DO NOT uncomment any of the other lines in sendmail.mc regarding relay settings unless you know what you're doing. If you aren't sure what was changed from the default, remove the sendmail-cf rpm and reinstall it to get back to a clean, default sendmail.mc file. It's a good idea to explicitly run make in /etc/mail and then bounce sendmail rather than let the sendmail startup script decide something has changed since it's easier to catch syntax errors that way. Finally, get a free mail account at your provider of choice (Google, Hotmail, whoever) and use it for testing both sending and receiving mail.
Cheers, Dave
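
An added example, not part of the original thread: an open relay accepts mail from an outside client for a recipient outside its own domains, so a session addressed to the server's own domain (like the telnet test above) shows ordinary inbound delivery, not relaying. The sketch below classifies the RCPT replies in a saved SMTP transcript on that basis; the `C:`/`S:` transcript format, the function name and the `.test` domains are assumptions, and the sessions are constructed.

```python
import re

RCPT = re.compile(r"^C:\s*RCPT\s+To:\s*<?([^<>\s]+@([^<>\s]+?))>?\s*$", re.I)
REPLY = re.compile(r"^S:\s*(\d{3})[ -]")

def relay_findings(transcript, local_domains):
    """Classify each RCPT in a 'C:'/'S:' transcript by recipient domain and reply code."""
    local = {d.lower() for d in local_domains}
    findings, pending = [], None
    for line in transcript.splitlines():
        m = RCPT.match(line)
        if m:
            pending = (m.group(1), m.group(2).lower())
            continue
        r = REPLY.match(line)
        if r and pending:
            addr, domain = pending
            accepted = r.group(1).startswith("2")
            if domain in local:
                verdict = "local delivery" if accepted else "local rejected"
            else:
                # Only a 2xx reply for a non-local recipient is evidence of relaying.
                verdict = "RELAY ACCEPTED" if accepted else "relay denied"
            findings.append((addr, verdict))
            pending = None
    return findings

# Constructed sessions, not captured from a real server; local.test stands in
# for the server's own domain (hypothetical).
OWN_DOMAIN_TEST = """\
C: HELO example.com
S: 250 mail.local.test Hello
C: MAIL From:<TheBoss@example.com>
S: 250 2.1.0 Sender ok
C: RCPT To:<user@local.test>
S: 250 2.1.5 Recipient ok
"""
THIRD_PARTY_TEST = """\
C: MAIL From:<TheBoss@example.com>
S: 250 2.1.0 Sender ok
C: RCPT To:<someone@elsewhere.test>
S: 550 5.7.1 Relaying denied
"""

if __name__ == "__main__":
    for name, session in (("own domain", OWN_DOMAIN_TEST), ("third party", THIRD_PARTY_TEST)):
        print(name, relay_findings(session, ["local.test"]))
```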