Hi all, I am using the sendmail mail server. I have configured SASL + TLS + MailScanner + SpamAssassin + Procmail and it is working fine, but there is one problem: when I telnet to my server on port 25 and use the "mail from" command to send mail as any user, like abc@gmail.com or any user @mydomain, sendmail is not able to verify the sending user. So please help me: how can I verify the real sender? I mean, I want only real users of my domain to be able to send mail. When I am using mail clients it works fine. The problem occurs when I telnet directly to the SMTP port on my server.
__________________________________________________________ Yahoo! India Answers: Share what you know. Learn something new http://in.answers.yahoo.com/
Morning,
abhishek singh wrote:
hi all prolem is occuring when , when i am doing telnet directly to smtp port to my server
So many words ...
... and not one line out of a log file which really would help with helping you ...
Ralph
Ralph Angenendt wrote:
Morning,
abhishek singh wrote:
hi all prolem is occuring when , when i am doing telnet directly to smtp port to my server
So many words ...
... and not one line out of a log file which really would help with helping you ...
only because you do not know what he is asking for.
Feizhou wrote:
Ralph Angenendt wrote:
... and not one line out of a log file which really would help with helping you ...
only because you do not know what he is asking for.
Looks like it, yes :)
Cheers,
Ralph
abhishek singh wrote:
Hi all, I am using the sendmail mail server. I have configured SASL + TLS + MailScanner + SpamAssassin + Procmail and it is working fine, but there is one problem: when I telnet to my server on port 25 and use the "mail from" command to send mail as any user, like abc@gmail.com or any user @mydomain, sendmail is not able to verify the sending user. So please help me: how can I verify the real sender? I mean, I want only real users of my domain to be able to send mail. When I am using mail clients it works fine. The problem occurs when I telnet directly to the SMTP port on my server.
Did you use AUTH to authenticate yourself?
Also, from what you say, do you also want to make sure that any user who authenticates must use an email address in your domain as their return-path?
Yes, I am using SMTP authentication, but when I telnet to my server on port 25 I am able to send mail as an unknown user that is not on my mail server, like
mail from: abs@domain.com
This command shows "Sender ok" while it is not a user on my mail server. After that
rcpt to: xyz@domain.com
DATA
jhsjhdf
.
quit
After this the mail is queued for delivery to user xyz, and in this scenario xyz is a valid user account on my mail server. So I want that an unknown account for my domain can't send mail. How do I do that?
When I am sending mail to an outside domain without authentication then everything is OK. I mean anyone can send mail to my domain while he is not a user. This is the problem.
I have one solution, but I want to know a very easy way to do that.
--- Feizhou feizhou@graffiti.net wrote:
abhishek singh wrote:
Hi all, I am using the sendmail mail server. I have configured SASL + TLS + MailScanner + SpamAssassin + Procmail and it is working fine, but there is one problem: when I telnet to my server on port 25 and use the "mail from" command to send mail as any user, like abc@gmail.com or any user @mydomain, sendmail is not able to verify the sending user. So please help me: how can I verify the real sender? I mean, I want only real users of my domain to be able to send mail. When I am using mail clients it works fine. The problem occurs when I telnet directly to the SMTP port on my server.
Did you use AUTH to authenticate yourself?
Also, from what you say, do you also want to make sure that any user who authenticates must use an email address in your domain as their return-path? _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
abhishek singh schrieb:
Do not top-post please.
yes i am using SMTP Authentication , but when i m doing telnet to my server on 25 port so i am able to send mail by unknow user that in in not my mail server like
mail from: abs@domain.com
The syntax isn't correct: there has to be no space in between
MAIL FROM:abs@domain.com
this command is showing Sender is ok while its not user in my mail server.after that
rcpt to: xyz@domain.com DATA jhsjhdf . quit
after this mail is queued for delivery to xyz user and in this scenario xyz is valid user accound on my mail server so i want that unkown account for my domain cant sendmail , so how i will do that ,
when i am sending mail to out side domain without authentication then everything is ok means any one can send mail to my domain while he is not user.
That makes no sense.
this is the problem.
I do not see "the problem" from above statement. Just understand your question about avoiding to receive mail from faked senders (see below).
i have one solution , but i want to know very easy way to do that
http://www.sendmail.org/~ca/email/fake.html
Alexander
abhishek singh wrote:
yes i am using SMTP Authentication , but when i m doing telnet to my server on 25 port so i am able to send mail by unknow user that in in not my mail server like
where are you telnetting from? localhost?
telnet localhost 25?
mail from: abs@domain.com
this command is showing Sender is ok while its not user in my mail server.after that
if you are using delayed checks, this is normal. BTW, does this sendmail box solely do smtp-auth relay? It is not used for receiving mail, right?
rcpt to: xyz@domain.com DATA jhsjhdf . quit
after this mail is queued for delivery to xyz user and in this scenario xyz is valid user accound on my mail server so i want that unkown account for my domain cant sendmail , so how i will do that ,
when i am sending mail to out side domain without authentication then everything is ok means any one can send mail to my domain while he is not user. this is the problem.
Okay, I thought you wanted something like that. You want to allow only mails where the sender exists on your system, right?
i have one solution , but i want to know very easy way to do that .
well...you could try looking for ready made rulesets for what you want. Otherwise, it will have to be written.
--- Feizhou feizhou@graffiti.net wrote:
abhishek singh wrote:
Hi all, I am using the sendmail mail server. I have configured SASL + TLS + MailScanner + SpamAssassin + Procmail and it is working fine, but there is one problem: when I telnet to my server on port 25 and use the "mail from" command to send mail as any user, like abc@gmail.com or any user @mydomain, sendmail is not able to verify the sending user. So please help me: how can I verify the real sender? I mean, I want only real users of my domain to be able to send mail. When I am using mail clients it works fine. The problem occurs when I telnet directly to the SMTP port on my server.
Did you use AUTH to authenticate yourself?
Also, from what you say, do you also want to make sure that any user who authenticates must use an email address in your domain as their return-path?
On Wed, 2006-09-20 at 05:12, abhishek singh wrote:
yes i am using SMTP Authentication , but when i m doing telnet to my server on 25 port so i am able to send mail by unknow user that in in not my mail server like
mail from: abs@domain.com
this command is showing Sender is ok while its not user in my mail server.after that
The stock Centos configuration should reject everything that doesn't come from the localhost unless you make changes to /etc/mail/access to permit it. Are you doing this test from the local host?
Les Mikesell wrote:
On Wed, 2006-09-20 at 05:12, abhishek singh wrote:
yes i am using SMTP Authentication , but when i m doing telnet to my server on 25 port so i am able to send mail by unknow user that in in not my mail server like
mail from: abs@domain.com
this command is showing Sender is ok while its not user in my mail server.after that
The stock Centos configuration should reject everything that doesn't come from the localhost unless you make changes to /etc/mail/access to permit it. Are you doing this test from the local host?
Do you have telnet open to the outside world? If so kill it and only allow ssh with the proper extra security setup. You may need to open telnet for a little while for testing purposes, but don't leave it that way.
John Hinton
John Hinton schrieb:
On Wed, 2006-09-20 at 05:12, abhishek singh wrote:
yes i am using SMTP Authentication , but when i m doing telnet to my server on 25 port so i am able to send mail by unknow user that in in not my mail server like
[ snip ]
Do you have telnet open to the outside world? If so kill it and only allow ssh with the proper extra security setup. You may need to open telnet for a little while for testing purposes, but don't leave it that way.
What has using the telnet client for testing a daemon on a tcp port to do with running a telnet daemon? Answer: nothing.
John Hinton
Alexander
Alexander Dalloz wrote:
John Hinton schrieb:
On Wed, 2006-09-20 at 05:12, abhishek singh wrote:
yes i am using SMTP Authentication , but when i m doing telnet to my server on 25 port so i am able to send mail by unknow user that in in not my mail server like
[ snip ]
Do you have telnet open to the outside world? If so kill it and only allow ssh with the proper extra security setup. You may need to open telnet for a little while for testing purposes, but don't leave it that way.
What has using the telnet client for testing a daemon on a tcp port to do with running a telnet daemon? Answer: nothing.
John Hinton
Alexander
My bad. I didn't know you could do that! I had always started the telnet service before even trying!
John Hinton
I have never opened telnet, OK. My xinetd service is off, so there is no telnet service. I am doing telnet to outside to port 25 on my mail server, and proper SMTP authentication is enabled on the server. The problem is that any user (non-existing) with my domain can send mail to my real domain users. Below is an example........
##EXAMPLE 1>
telnet 192.168.1.4 25
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED mail.domain.com
ehlo domain.com
250-mail.domain.com Hello [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:axy@domain.com
250 2.1.0 axy@domain.com... Sender ok
RCPT TO:abhi@domain.com
250 2.1.5 abhi@domain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
this is bad
.
250 2.0.0 k8L4I0FL004621 Message accepted for delivery
quit
221 2.0.0 mail.domain.com closing connection
####################################################
EXAMPLE-2
telnet 192.168.1.4 25
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED mail.domain.com
ehlo domain.com
250-mail.domain.com Hello [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:alex@mai.com
250 2.1.0 alex@mai.com... Sender ok
RCPT TO:abhi@domain.com
250 2.1.5 abhi@domain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
hjsdhkjhdfkjhsdkf sfdkdkfjdkg
.
250 2.0.0 k8L4LUMY004822 Message accepted for delivery
quit
221 2.0.0 mail.domain.com closing connection
Connection to host lost.
In the above examples you can see that in the 1st example the sender (xyz) is not a real user of my domain, yet he is still able to send mail to my real users (abhi).
In the second scenario the sender is able to send mail to my domain users by forging the domain name with any domain.
I have replaced my real domain name with domain.com, and I have to do the same thing from an outside network. In my /etc/mail/access file only 127.0.0.1 is allowed.
When I try to send mail to another domain, relaying is denied, which means my mail server is not an open relay.
Please help me.
Abhishek Kr. Singh System Administrator DSC. LTD. Mob.No. +91-9871563248
On Thu, 2006-09-21 at 05:38 +0100, abhishek singh wrote:
i have never opened telnet ok , my xinetd service is off so there is no telnet service , i m doing telnet to outside to 25 port on my mail server and there is proper smtp authentication enabled on server , the problem is anyuser (non-existing) with my domain can send mail to my real domain users. below is example........
##EXAMPLE 1>
telnet 192.168.1.4 25
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED mail.domain.com
ehlo domain.com
250-mail.domain.com Hello [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:axy@domain.com
250 2.1.0 axy@domain.com... Sender ok
RCPT TO:abhi@domain.com
250 2.1.5 abhi@domain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
this is bad
.
250 2.0.0 k8L4I0FL004621 Message accepted for delivery
quit
221 2.0.0 mail.domain.com closing connection
####################################################
EXAMPLE-2
telnet 192.168.1.4 25
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED mail.domain.com
ehlo domain.com
250-mail.domain.com Hello [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:alex@mai.com
250 2.1.0 alex@mai.com... Sender ok
RCPT TO:abhi@domain.com
250 2.1.5 abhi@domain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
hjsdhkjhdfkjhsdkf sfdkdkfjdkg
.
250 2.0.0 k8L4LUMY004822 Message accepted for delivery
quit
221 2.0.0 mail.domain.com closing connection
Connection to host lost.
In above example u can see in the 1st example the sender(xyz) is not real user of my domain , still he is able to sendmail to my real users (abhi).
---- probably not good questions for the list but better you to read up on what you want to do. The above is normal behavior for an smtp server that is accepting mail for local users - how else would anyone else send e-mail to users on your domain if it didn't work this way? ----
In second scenario sender is able to send mail by forging domain name by any domain to my domain users.
---- yeah by RFC, you shouldn't need to be sending from a valid host and you can offer a return e-mail address that is totally faked ----
i have replaced my real domain name with domain.com and i have to do same thing from out side network , in my /etc/mail/access file only 127.0.0.1 is allowed .
---- if that is the case, it isn't working - perhaps you want to show us your real sendmail.mc file or read up on using sendmail. ----
when i am trying to send mail to another domain then relaying is denied means my mail server is not open relay.
---- nothing I saw above would indicate that but you can have other systems test your system for being an open relay...try www.ordb.org ----
plz help me.
---- You need to read up on sendmail, MTA usage in general. This list can help with configuration details but you need to get a better understanding which would only come from in depth reading of things like the Sendmail 'Bat' book.
Craig
In above example u can see in the 1st example the sender(xyz) is not real user of my domain , still he is able to sendmail to my real users (abhi).
probably not good questions for the list but better you to read up on what you want to do. The above is normal behavior for an smtp server that is accepting mail for local users - how else would anyone else send e-mail to users on your domain if it didn't work this way?
the latest postfix has this feature to tell the client to get lost if the address in the mail from: is a local domain and if the address does not exist.
i have replaced my real domain name with domain.com and i have to do same thing from out side network , in my /etc/mail/access file only 127.0.0.1 is allowed .
if that is the case, it isn't working - perhaps you want to show us your real sendmail.mc file or read up on using sendmail.
his is working perfectly fine.
plz help me.
You need to read up on sendmail, MTA usage in general. This list can help with configuration details but you need to get a better understanding which would only come from in depth reading of things like the Sendmail 'Bat' book.
I don't see that he has a problem at all besides expressing himself.
abhishek singh wrote:
i have never opened telnet ok , my xinetd service is off so there is no telnet service , i m doing telnet to outside to 25 port on my mail server and there is proper smtp authentication enabled on server , the problem is anyuser (non-existing) with my domain can send mail to my real domain users. below is example........
Check this and do accordingly ...
http://www.sendmail.org/faq/section3.html#3.27 http://www.sendmail.org/tips/relaying.html
hope this help!
Mahayudin Mohd Hashim wrote:
abhishek singh wrote:
i have never opened telnet ok , my xinetd service is off so there is no telnet service , i m doing telnet to outside to 25 port on my mail server and there is proper smtp authentication enabled on server , the problem is anyuser (non-existing) with my domain can send mail to my real domain users. below is example........
Check this and do accordingly ...
http://www.sendmail.org/faq/section3.html#3.27 http://www.sendmail.org/tips/relaying.html
hope this help!
It does not. He does not have a relay problem. He wants to reject mails that have sender addresses claiming to be from his domain and not only that, they are also forged (non-existent).
On Thu, 2006-09-21 at 02:18, Feizhou wrote:
i have never opened telnet ok , my xinetd service is off so there is no telnet service , i m doing telnet to outside to 25 port on my mail server and there is proper smtp authentication enabled on server , the problem is anyuser (non-existing) with my domain can send mail to my real domain users. below is example........
Check this and do accordingly ...
http://www.sendmail.org/faq/section3.html#3.27 http://www.sendmail.org/tips/relaying.html
hope this help!
It does not. He does not have a relay problem. He wants to reject mails that have sender addresses claiming to be from his domain and not only that, they are also forged (non-existent).
Custom tests are fairly easy if you add MimeDefang to your sendmail setup. An example was just posted to their mail list that would reject hosts claiming to be in your domain but not in your IP ranges. This would be used along with SMTP AUTH if you do want to allow your own users to roam and send from remote locations.
Although this is not specifically on topic, it will help in the big picture of your overall mail system(s) design and implementation...
Please do not forget to carefully craft proper SPF records for your domain or domains... then you would need to deal with SPF issues in the servers as to what you will and will not accept from others.
- rh
-- Robert - Abba Communications Computer & Internet Services (509) 624-7159 - www.abbacomm.net
Email Lists wrote:
Although this is not specifically on topic, it will help in the big picture of your overall mail system(s) design and implementation...
Please do not forget to carefully craft proper SPF records for your domain or domains... then you would need to deal with SPF issues in the servers as to what you will and will not accept from others.
I won't get into the SPF debate but significant numbers of well experienced mail administrators do not believe in its usefulness at all and that includes admins all across various mtas.
eg: SPF breaks forwarding.
The real problem is SMTP is outdated. SMTP is broken for today's Internet.
In above example u can see in the 1st example the sender(xyz) is not real user of my domain , still he is able to sendmail to my real users (abhi).
plz help me.
abhishek singh,
The simplest way that I can think of is to create a database of your addresses and then check the mail from against that database and reject if not found.
The problem is how to maintain that database.
You could add a table lookup for this database and then add rules in Local_check_mail to check mail from: addresses against the database.
Feizhou wrote:
In above example u can see in the 1st example the sender(xyz) is not real user of my domain , still he is able to sendmail to my real users (abhi).
plz help me.
abhishek singh,
The simplest way that I can think of is to create a database of your addresses and then check the mail from against that database and reject if not found.
The problem is how to maintain that database.
You could add a table lookup for this database and then add rules in Local_check_mail to check mail from: addresses against the database.
in /etc/mail, create a file realuser, eg:

cat realuser
root OK
chris OK

makemap hash realuser.db < realuser

Make a copy of sendmail.cf (eg: test-sendmail.cf) and add a lookup for realuser.db:

Krealuser hash -o /etc/mail/realuser.db

Add some rulesets to check the mail from against this database:

SLocal_check_mail
R< $- @ domain.com > tabspace $: < $(realuser $1 $: ? $) >
R< $- @ $* > tabspace OK
R< OK > tabspace OK
R<?> tabspace $#error $@ 5.7.1 $: "550 Access denied"

NB: REPLACE domain.com with your real domain. sendmail rulesets have left and right hand sides separated by tabs. Please make sure you have them when you copy for testing. If you have more than one domain, then add more

R< $- @ domain.com > tabspace $: < $(realuser $1 $: ? $) >

rules BEFORE the

R< $- @ $* > tabspace OK

line. Sorry for this as this is just a quick hack.
You can test offline by:
'sendmail -bt -C test-sendmail.cf'
Some likely output below:
==run check on external address==
check_mail dunno@yahoo.com
check_mail input: < dunno @ yahoo . com >
Local_check_mail input: < dunno @ yahoo . com >
Local_check_mail returns: OK
Basic_check_mail input: < dunno @ yahoo . com >
tls_client input: $| MAIL
D input: < > < ? > < ! "TLS_Clt" > < >
D returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A input: < > < ? > < ! "TLS_Clt" > < >
A returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection returns: OK
tls_client returns: OK
CanonAddr input: < dunno @ yahoo . com >
canonify input: < dunno @ yahoo . com >
Canonify2 input: dunno < @ yahoo . com >
Canonify2 returns: dunno < @ yahoo . com . >
canonify returns: dunno < @ yahoo . com . >
Parse0 input: dunno < @ yahoo . com . >
Parse0 returns: dunno < @ yahoo . com . >
CanonAddr returns: dunno < @ yahoo . com . >
SearchList input: < + From > $| < F : dunno @ yahoo . com > < U : dunno @ > < D : yahoo . com > < >
F input: < dunno @ yahoo . com > < ? > < + From > < >
F returns: < ? > < >
SearchList input: < + From > $| < U : dunno @ > < D : yahoo . com > < >
U input: < dunno @ > < ? > < + From > < >
U returns: < ? > < >
SearchList input: < + From > $| < D : yahoo . com > < >
D input: < yahoo . com > < ? > < + From > < >
D input: < com > < ? > < + From > < >
D returns: < ? > < >
D returns: < ? > < >
SearchList returns: < ? >
SearchList returns: < ? >
SearchList returns: < ? >
Basic_check_mail returns: < OKR >
check_mail returns: < OKR >
==run check on existing address==
check_mail chris@domain.com
check_mail input: < chris @ domain . com >
Local_check_mail input: < chris @ domain . com >
Local_check_mail returns: OK
Basic_check_mail input: < chris @ domain . com >
tls_client input: $| MAIL
D input: < > < ? > < ! "TLS_Clt" > < >
D returns: < ? > < > < ? > < ! "TLS_Clt" > < >
A input: < > < ? > < ! "TLS_Clt" > < >
A returns: < > < ? > < ! "TLS_Clt" > < >
TLS_connection input: $| < > < ? > < ! "TLS_Clt" > < >
TLS_connection returns: OK
tls_client returns: OK
CanonAddr input: < chris @ domain . com >
canonify input: < chris @ domain . com >
Canonify2 input: chris < @ domain . com >
Canonify2 returns: chris < @ domain . com . >
canonify returns: chris < @ domain . com . >
Parse0 input: chris < @ domain . com . >
Parse0 returns: chris < @ domain . com . >
CanonAddr returns: chris < @ domain . com . >
SearchList input: < + From > $| < F : chris @ domain . com > < U : chris @ > < D : domain . com > < >
F input: < chris @ domain . com > < ? > < + From > < >
F returns: < ? > < >
SearchList input: < + From > $| < U : chris @ > < D : domain . com > < >
U input: < chris @ > < ? > < + From > < >
U returns: < ? > < >
SearchList input: < + From > $| < D : domain . com > < >
D input: < domain . com > < ? > < + From > < >
D input: < com > < ? > < + From > < >
D returns: < ? > < >
D returns: < ? > < >
SearchList returns: < ? >
SearchList returns: < ? >
SearchList returns: < ? >
Basic_check_mail returns: < OKR >
check_mail returns: < OKR >
==run check on fake local address==
check_mail dunno@domain.com
check_mail input: < dunno @ domain . com >
Local_check_mail input: < dunno @ domain . com >
Local_check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"
check_mail returns: $# error $@ 5 . 7 . 1 $: "550 Access denied"
==hit CTRL-D to leave sendmail ruleset debugging mode==
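Added example, not part of the post above or of the thread: one way to handle the "how to maintain that database" problem is to regenerate the realuser source file from the passwd and aliases files. The UID range, the always-allowed names, the function names and the sample data are assumptions. Local parts that sendmail splits into several tokens (the trace above shows "yahoo . com" as three tokens) are reported instead of written, because the $- pattern in the rules matches exactly one token.

```shell
#!/bin/sh
# Added example: rebuild the "realuser" map source that the Local_check_mail
# rules in this thread look up. Assumptions (not from the thread): regular
# accounts have a UID between MIN_UID and MAX_UID, alias names are also valid
# senders, and the names in EXTRA_USERS are always allowed.
MIN_UID=${MIN_UID:-500}
MAX_UID=${MAX_UID:-60000}
EXTRA_USERS=${EXTRA_USERS:-"root postmaster"}

# build_realuser PASSWD_FILE ALIASES_FILE
# Prints "localpart OK" lines (lower-cased, sorted, unique) on stdout.
# Names that sendmail would split into several tokens (for example
# "first.last") go to stderr instead: the rule "R< $- @ domain.com >" uses
# $-, which matches exactly one token, so such senders never reach the lookup.
build_realuser() {
    passwd_file=$1
    aliases_file=$2
    {
        # Accounts in the regular UID range.
        awk -F: -v min="$MIN_UID" -v max="$MAX_UID" \
            '$3 >= min && $3 <= max { print $1 }' "$passwd_file"
        # Alias names: the text before the first colon. Comments, blank
        # lines and continuation lines (leading whitespace) are skipped.
        awk '/^[ \t]*#/ || /^[ \t]*$/ || /^[ \t]/ || !/:/ { next }
             { sub(/[ \t]*:.*/, ""); print }' "$aliases_file"
        for u in $EXTRA_USERS; do
            printf '%s\n' "$u"
        done
    } | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u | awk '
        /^[a-z0-9_-]+$/ { print $0 " OK"; next }
        { print "not written (multi-token local part): " $0 > "/dev/stderr" }'
}

# write_sample DIR: constructed passwd and aliases files for a dry run.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
chris:x:500:500::/home/chris:/bin/bash
Abhi:x:501:501::/home/abhi:/sbin/nologin
first.last:x:502:502::/home/fl:/bin/bash
nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin
EOF
    cat > "$1/aliases" <<'EOF'
# constructed sample aliases
postmaster: root
support: chris,
    abhi
MAILER-DAEMON: postmaster
EOF
}

# Usage:
#   script --demo                      dry run on the constructed sample
#   script /etc/passwd /etc/aliases > /etc/mail/realuser
# then, as in the post above: makemap hash realuser.db < realuser
case "${1:-}" in
    "") ;;  # no arguments: only define the functions
    --demo)
        tmp=$(mktemp -d) && write_sample "$tmp" &&
            build_realuser "$tmp/passwd" "$tmp/aliases"
        rm -rf "$tmp"
        ;;
    *) build_realuser "$1" "$2" ;;
esac
```

Any name reported on stderr is a sender the posted rules neither look up nor reject, so a site with such local parts needs a wider pattern before relying on the check.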
I have solved one problem, which was the 1st example in my previous mail. I mean that now no unknown user from my domain can send mail to the real users of my domain. But there is still the 2nd problem: anyone can telnet to my server and forge a real domain address to send mail to my domain users, like

telnet mail.domain.com 25
............ ..... .... .............
mail from: abhi@gmail.com
sender ok abhi@gmail.com sender ok
rcpt to: abhisingh@domain.com
abhisingh@domain.com recpient ok
data
kjkdjdkfjkdjf ldfjkljf
.
quit

In this we can see that anyone can use the real mail ID of anyone to send mail to a real user of domain.com.
Please check your mail servers for this too and tell me how we can block this.
Abhishek Kr. Singh System Administrator DSC. LTD. Mob.No. +91-9871563248
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of abhishek singh
Sent: Thursday, September 21, 2006 7:25 AM
To: CentOS mailing list
Subject: Re: [CentOS] sendmail security-with example

i have solved one problem that was 1st example in my previous mail. means now no unknow user from my domain can send mail to my real users of mydomain but still there is 2nd problem means anyone can telnet to my server and can forge real domain address to sendmail to my domain users like telnet mail.domain.com 25 ............ ..... .... .............
Perhaps you should consider milter-sender if you want to verify that the sender is a valid email address.
Mike
abhishek singh wrote:
I have solved one problem, which was the 1st example in my previous mail. That means now no unknown user from my domain can send mail to the real users of my domain, but there is still the 2nd problem: anyone can telnet to my server and forge a real domain address to send mail to my domain users, like
Tell you what. Just ditch the whole sendmail thing and use postfix. If you are not using virtuser table, there should be very little, if not zero, changes.
http://www.postfix.org/ADDRESS_VERIFICATION_README.html
Postfix can do both with a few config lines natively. Just take note that some people do not appreciate callback verification.
In the above example you can see that in the 1st example the sender (xyz) is not a real user of my domain, yet he is still able to send mail to my real users (abhi).
You know that I can still connect to your server and send an email with address abhi@domain.com to abhi@domain.com right? Do you really want to prevent xyz@domain.com?
abhishek singh wrote:
I have never opened telnet, OK? My xinetd service is off, so there is no telnet service. I am doing telnet to outside to port 25 on my mail server, and there is proper SMTP authentication enabled on the server. The problem is that any user (non-existing) with my domain can send mail to my real domain users.
I answered you regarding this question. Didn't you understand it?
below is example........
##EXAMPLE 1>
telnet 192.168.1.4 25
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED
Hell, why do you violate the RFCs? Please do not change things like this if you don't know what harmful things you do. Please read RFC821 http://www.DNSstuff.com/pages/rfc821.htm 4.3 (and RFC2821 http://www.dnsreport.com/tools/rfc.ch?detail=2821 4.3.1).
In the above example you can see that in the 1st example the sender (xyz) is not a real user of my domain, yet he is still able to send mail to my real users (abhi).
http://www.sendmail.org/~ca/email/fake.html
In the second scenario the sender is able to send mail to my domain users by forging the domain name with any domain.
Faking sender information is so easy that 4 year old kids can do it. Why do you wonder about that? This is how (E)SMTP works. You can dislike it, but that's the technical state. To reject true fantasy sender domains just comment in sendmail.mc the line
FEATURE(`accept_unresolvable_domains')dnl
Abhishek Kr. Singh
Alexander
abhishek singh spake the following on 9/20/2006 9:38 PM:
I have never opened telnet, OK? My xinetd service is off, so there is no telnet service. I am doing telnet to outside to port 25 on my mail server, and there is proper SMTP authentication enabled on the server. The problem is that any user (non-existing) with my domain can send mail to my real domain users. Below is an example........
##EXAMPLE 1>
telnet 192.168.1.4 25
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED mail.domain.com
ehlo domain.com
250-mail.domain.com Hello [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:axy@domain.com
250 2.1.0 axy@domain.com... Sender ok
RCPT TO:abhi@domain.com
250 2.1.5 abhi@domain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
this is bad
.
250 2.0.0 k8L4I0FL004621 Message accepted for delivery
quit
221 2.0.0 mail.domain.com closing connection
####################################################
EXAMPLE-2
telnet 192.168.1.4 25
220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED mail.domain.com
ehlo domain.com
250-mail.domain.com Hello [192.168.1.5], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
MAIL FROM:alex@mai.com
250 2.1.0 alex@mai.com... Sender ok
RCPT TO:abhi@domain.com
250 2.1.5 abhi@domain.com... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
hjsdhkjhdfkjhsdkf sfdkdkfjdkg
.
250 2.0.0 k8L4LUMY004822 Message accepted for delivery
quit
221 2.0.0 mail.domain.com closing connection
Connection to host lost.
In the above example you can see that in the 1st example the sender (xyz) is not a real user of my domain, yet he is still able to send mail to my real users (abhi).
In the second scenario the sender is able to send mail to my domain users by forging the domain name with any domain.
I have replaced my real domain name with domain.com, and I have to do the same thing from an outside network. In my /etc/mail/access file only 127.0.0.1 is allowed.
When I am trying to send mail to another domain then relaying is denied, which means my mail server is not an open relay.
Please help me.
As long as you are telnetting in from a system on the same subnet as your server, it will happily work. Try and do it from somewhere else. Do you have access from home? A dialup account? Maybe someone on the list can try the same for you. Or use one of the relay tests like http://www.ordb.org/submit/
abhishek singh spake the following on 9/20/2006 3:12 AM:
Yes, I am using SMTP Authentication, but when I am doing telnet to my server on port 25 I am able to send mail as an unknown user that is not in my mail server, like
mail from: abs@domain.com
This command shows Sender is ok while it is not a user on my mail server. After that
rcpt to: xyz@domain.com
DATA
jhsjhdf
.
quit
After this the mail is queued for delivery to the xyz user, and in this scenario xyz is a valid user account on my mail server. So I want that an unknown account for my domain can't send mail, so how will I do that?
When I am sending mail to an outside domain without authentication then everything is OK. That means anyone can send mail to my domain while he is not a user. This is the problem.
Are you telnetting from inside your local ip address range? If so, you might be skipping some of the auth checks because sendmail thinks you are local.
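The condition this thread keeps returning to, a message accepted for a sender in the local domain on a session that never authenticated, can be checked in captured SMTP dialogues. The following is an added example, not code from any poster: `LOCAL_DOMAINS`, `session()` and `audit()` are hypothetical names, and the transcripts are constructed in the shape of the two examples above.

```python
import re

LOCAL_DOMAINS = {"domain.com"}          # assumption: the thread's placeholder domain
REPLY = re.compile(r"^(\d{3})([ -])")   # server reply: code, then ' ' or '-' (continuation)
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<?([^>\s]+)>?", re.I)

def session(sender, auth=False):
    """Constructed transcript in the shape of the thread's two examples."""
    lines = ["ehlo domain.com",
             "250-mail.domain.com Hello [192.168.1.5], pleased to meet you",
             "250 HELP"]
    if auth:                            # constructed AUTH exchange, credentials elided
        lines += ["AUTH PLAIN <credentials>", "235 2.0.0 OK Authenticated"]
    lines += ["MAIL FROM:" + sender, "250 2.1.0 %s... Sender ok" % sender,
              "RCPT TO:abhi@domain.com", "250 2.1.5 abhi@domain.com... Recipient ok",
              "DATA", '354 Enter mail, end with "." on a line by itself',
              "MAIL FROM:body-text@domain.com",   # body line that looks like a command
              ".", "250 2.0.0 k8L4I0FL004621 Message accepted for delivery",
              "quit", "221 2.0.0 mail.domain.com closing connection"]
    return "\n".join(lines)

def audit(transcript):
    """Return local-domain envelope senders whose mail was accepted without AUTH."""
    findings, authed, sender, last_cmd, in_body = [], False, None, "", False
    for line in transcript.splitlines():
        if in_body:                     # message content is never parsed as SMTP
            if line == ".":
                in_body, last_cmd = False, "EOD"
            continue
        reply = REPLY.match(line)
        if reply is None:               # client command
            last_cmd = line.split(" ", 1)[0].upper()
            envelope = MAIL_FROM.match(line)
            if envelope:
                sender = envelope.group(1).lower()
            continue
        code, sep = reply.groups()
        if sep == "-":
            continue                    # multi-line reply, wait for the final line
        if code == "235":
            authed = True               # 235 is the AUTH success reply
        elif last_cmd == "DATA" and code == "354":
            in_body = True
        elif last_cmd == "EOD" and code.startswith("2") and sender:
            if sender.rpartition("@")[2] in LOCAL_DOMAINS and not authed:
                findings.append(sender)
            sender = None               # transaction finished
    return findings
```

A sender outside `LOCAL_DOMAINS` is ordinary inbound mail and is not reported; only the unauthenticated local-domain case is.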