[CentOS] sendmail security-with example

Thu Sep 21 05:02:40 UTC 2006
Craig White <craigwhite at azapple.com>

On Thu, 2006-09-21 at 05:38 +0100, abhishek singh wrote:
> I have never opened telnet, OK; my xinetd service is
> off, so there is no telnet service. I'm doing telnet
> to port 25 on my mail server from outside, and there is
> proper SMTP authentication enabled on the server. The
> problem is that any user (non-existing) with my domain can
> send mail to my real domain users.
> Below is an example........
> 
> ##EXAMPLE 1>
> 
> telnet 192.168.1.4 25 
> 220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED 
> 
> 220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED
> mail.domain.com
> ehlo domain.com
> 250-mail.domain.com Hello [192.168.1.5], pleased to
> meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> MAIL FROM:<axy at domain.com>
> 250 2.1.0 <axy at domain.com>... Sender ok
> RCPT TO:<abhi at domain.com>
> 250 2.1.5 <abhi at domain.com>... Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> this is bad
> .
> 250 2.0.0 k8L4I0FL004621 Message accepted for delivery
> quit
> 221 2.0.0 mail.domain.com closing connection
> ####################################################
> EXAMPLE-2
> 
> telnet 192.168.1.4 25
> 
> 220 UNAUTHORIZED ESMTP ACCESS IS PROHIBITED 
> mail.domain.com
> ehlo domain.com
> 250-mail.domain.com Hello [192.168.1.5], pleased to
> meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> MAIL FROM:<alex at mai.com>
> 250 2.1.0 <alex at mai.com>... Sender ok
> RCPT TO:<abhi at domain.com>
> 250 2.1.5 <abhi at domain.com>... Recipient ok
> DATA
> 354 Enter mail, end with "." on a line by itself
> hjsdhkjhdfkjhsdkf
> sfdkdkfjdkg
> .
> 250 2.0.0 k8L4LUMY004822 Message accepted for delivery
> quit
> 221 2.0.0 mail.domain.com closing connection
> 
> 
> Connection to host lost.
> 
> 
> In the above example you can see that in the 1st example the
> sender (xyz) is not a real user of my domain; still he
> is able to send mail to my real users (abhi).
----
These are probably not good questions for the list; better for you to read up on
what you want to do. The above is normal behavior for an SMTP server
that is accepting mail for local users - how else would anyone else send
e-mail to users on your domain if it didn't work this way?
----
> 
> In the second scenario the sender is able to send mail by
> forging the domain name, from any domain, to my domain users.
----
Yeah, by RFC, you shouldn't need to be sending from a valid host, and you
can offer a return e-mail address that is totally faked.
----
> 
> I have replaced my real domain name with domain.com,
> and I can do the same thing from the outside network; in
> my /etc/mail/access file only 127.0.0.1 is allowed.
----
If that is the case, it isn't working - perhaps you want to show us your
real sendmail.mc file, or read up on using sendmail.
----
> 
> When I am trying to send mail to another domain,
> relaying is denied, which means my mail server is not an open
> relay.
----
Nothing I saw above would indicate that, but you can have other systems
test your system for being an open relay... try www.ordb.org
----
> 
> Please help me.
----
You need to read up on sendmail, MTA usage in general. This list can
help with configuration details but you need to get a better
understanding which would only come from in depth reading of things like
the Sendmail 'Bat' book.

Craig
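The distinction Craig draws above (accepting mail for local users from any sender is normal; relaying to other domains is what must be restricted) can be shown as a small decision model. This is an added, hypothetical simplification written for this thread, not sendmail's real rulesets; the access-db lines, the local domain list and the `check_sender`/`check_recipient` functions are constructed for illustration.

```python
"""Simplified model of an MTA's MAIL FROM / RCPT TO decisions.

Hypothetical model for illustration, not sendmail's actual rulesets.
It shows why both sessions in the thread were accepted (the recipient
is local) and why a RCPT TO for a foreign domain is refused unless the
client is trusted, plus how an access-db REJECT can block a sender domain.
"""

# Constructed sample /etc/mail/access contents (sendmail access-db syntax).
ACCESS_DB = """
Connect:127.0.0.1    RELAY
From:mai.com         REJECT
"""

# Domains this server accepts final delivery for (constructed).
LOCAL_DOMAINS = {"domain.com", "mail.domain.com"}


def parse_access(text):
    """Turn access-db lines into a {key: ACTION} mapping."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split()
        rules[key] = action.upper()
    return rules


def check_sender(mail_from, rules):
    """MAIL FROM is accepted unless the access db rejects the sender's domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if rules.get(f"From:{domain}") == "REJECT":
        return f"550 5.7.1 <{mail_from}>... Access denied"
    return f"250 2.1.0 <{mail_from}>... Sender ok"


def check_recipient(rcpt_to, client_ip, authenticated, rules):
    """RCPT TO: local recipients are always accepted (that is what an MX is
    for); delivery elsewhere is relaying and needs an authenticated session
    or a RELAY entry for the connecting address."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return f"250 2.1.5 <{rcpt_to}>... Recipient ok"
    if authenticated or rules.get(f"Connect:{client_ip}") == "RELAY":
        return f"250 2.1.5 <{rcpt_to}>... Recipient ok"
    return f"550 5.7.1 <{rcpt_to}>... Relaying denied"
```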