Hoi !
I´ve a mailserver running at home (for 2 clients - nothing serious),
SuSE 7.2. I´ve already restrictet access by using the /etc/mail/access
to 192.168 . That´s enough or should i do something more?
Background is, i got me this message by my system :
----- The following addresses had permanent fatal errors -----
RCPT To:
<<< 550 relaying to
Hello Carsten,
you can prohibit sending mail of roaming user by pop-before-smtp
(http://www.google.de/search?q=pop+before+smtp+%2B+sendmail&ie=UTF-8&oe=UTF-
8&hl=de&meta=)
Smtp has no authentication mechanism, but pop has. after configured
pop-before-smtp with sendmail only users with authenticated by pop first are
allowed to send email through your mailserver.
Jens
-----Ursprüngliche Nachricht-----
Von: Carsten Becher [mailto:cb-maillist@cbecher.de]
Gesendet: Samstag, 26. April 2003 10:57
An: SuSE Security
Betreff: [suse-security] sendmail, avoiding open relay
Hoi !
I´ve a mailserver running at home (for 2 clients - nothing serious),
SuSE 7.2. I´ve already restrictet access by using the /etc/mail/access
to 192.168 . That´s enough or should i do something more?
Background is, i got me this message by my system :
----- The following addresses had permanent fatal errors -----
RCPT To:
<<< 550 relaying to
"Jens Hoja"
Smtp has no authentication mechanism, but pop has. after configured pop-before-smtp with sendmail only users with authenticated by pop first are allowed to send email through your mailserver.
Sorry, but SMTP does have an authentication mechanism. RFC2554 (and possibly others) describe this. SuSE sendmail supports this, you may have to use package sendmail-sasl rather than just 'plain' sendmail in some releases. This does, of course, need to configured as to what authentication is required.
Hoi ! Jens Hoja schrieb:
Hello Carsten, you can prohibit sending mail of roaming user by pop-before-smtp
Smtp has no authentication mechanism, but pop has. after configured pop-before-smtp with sendmail only users with authenticated by pop first are allowed to send email through your mailserver. Jens
I tried to set up sendmail-sasl first, but had problems (better-sendmail had) to dlopen a library which was nevertheless there. So i don´t know if pop-before-smtp would work. thX & cu Carsten
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Saturday 26 April 2003 13:08, Jens Hoja wrote:
smtp.kundenserver.de: Hello,
Is that not 1und1 email server. If I am correct you must use the authority server. see http://sdb.suse.de/de/sdb/html/sendmail_smtp_auth.html or http://www.abgruen.de/linux/auth-smtp.html for SuSE8.0 and above Hopefully this will help you. Ian - -- A child of five would understand this. Send someone to fetch a child of five. Groucho Marx - ---------------------------------------------------- This mail has been scanned for virus by AntiVir for UNIX Copyright (C) 1994-2003 by H+BEDV Datentechnik GmbH. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+qv68KiWi8VifhEkRAqZ9AJ0QVeZdNv5i4/VvUBis1Nl4c5Se+QCfVi4D bg1mcwn1JeFL5YWHDi3iTKA= =IuL/ -----END PGP SIGNATURE-----
On Sat, Apr 26, 2003 at 10:56:58AM +0200, Carsten Becher wrote:
I?ve a mailserver running at home (for 2 clients - nothing serious), SuSE 7.2.
Is it "visible" from the Internet, or is there a router/firewall between your LAN mailserver and the Internet? In the second case you do not have any problem, if the router does not forward requests from outside. If your mailserver is connected directly to the Internet (which I do not recommend), then you must be very accurate installing all necessary patches to all the services this server offers (and limiting these services as strictly as possible). And you should use the SuSE firewall to block all accesses from outside which are not iniciated from inside.
I?ve already restrictet access by using the /etc/mail/access to 192.168 . That?s enough or should i do something more?
Hm; normally sendmail in the standard installation does not relay to any other destination. So you must have done something to change that behaviour. What have you done? What exactly was your change in /etc/mail/access?
Background is, i got me this message by my system :
----- The following addresses had permanent fatal errors -----
(reason: 550 relaying to prohibited by administrator) ----- Transcript of session follows ----- ... while talking to smtp.kundenserver.de:
RCPT To:
<<< 550 relaying to
prohibited by administrator 550 5.1.1 ... User unknown Look?s tight to me, or did i miss something important?
This looks to me like a bounce from the mailserver smtp.kundenserver.de, i.e. that server did not accept a mail coming from you. Did you send that mail? To whom was it sent? What is the domain of your server? Do you use an "smart relay" and which? What are the headers of the bounced mail? Your question simply does not contain all the necessary informations. *If* you are using smtp.kundenserver.de as smart relay *and* you have the problem that that server does not accept your mails to third parties than http://sdb.suse.de/de/sdb/html/sendmail_smtp_auth.html contains the solution. If you leave the mail configuration in its standard form (which does not allow relaying) than your clients still can send their mails using SMTP AUTH via your mail server. This is obviously the safest configuration (if you do not leave an unpatched sendmail-tls or openssl on your mailserver). Gruß, Hatto
Hoi ! Hatto von Hatzfeld schrieb:
On Sat, Apr 26, 2003 at 10:56:58AM +0200, Carsten Becher wrote:
I?ve a mailserver running at home (for 2 clients - nothing serious), SuSE 7.2.
Is it "visible" from the Internet, or is there a router/firewall between your LAN mailserver and the Internet? In the second case you do not have any problem, if the router does not forward requests from outside.
It is. It is the same box through wich i connect to the internet.
If your mailserver is connected directly to the Internet (which I do not recommend), then you must be very accurate installing all necessary patches to all the services this server offers (and limiting these services as strictly as possible). And you should use the SuSE firewall to block all accesses from outside which are not iniciated from inside.
I have already tried to strip-down the system to the necessary (no X, no compiler, only the required software, selfmade kernel with only the necessary drivers and without suport for loadable modules)
I?ve already restrictet access by using the /etc/mail/access to 192.168 . That?s enough or should i do something more?
Hm; normally sendmail in the standard installation does not relay to any other destination. So you must have done something to change that behaviour. What have you done? What exactly was your change in /etc/mail/access?
adding the line : 192.168 RELAY I know from squid that you as last rule set "deny all" for to close off everything you did not explicit allow. Is this possible with sendmail too?
Background is, i got me this message by my system :
----- The following addresses had permanent fatal errors -----
(reason: 550 relaying to prohibited by administrator) ----- Transcript of session follows ----- ... while talking to smtp.kundenserver.de:
RCPT To:
<<< 550 relaying to
prohibited by administrator 550 5.1.1 ... User unknown Look?s tight to me, or did i miss something important?
This looks to me like a bounce from the mailserver smtp.kundenserver.de, i.e. that server did not accept a mail coming from you. Did you send that mail? To whom was it sent? What is the domain of your server? Do you use an "smart relay" and which? What are the headers of the bounced mail?
Did not send it, dont know this user. Thats my prob- i am afraid that
someone has tried to send mail via my system.
This is the complete mail i got from my system :
*********************************************************************
The original message was received at Fri, 25 Apr 2003 22:37:09 +0200
from pc-200-74-27-127.apoquindo2.pc.metropolis-inter.com [200.74.27.127]
(may be forged)
with id h3PKb8102370
----- The following addresses had permanent fatal errors -----
RCPT To:
<<< 550 relaying to
Your question simply does not contain all the necessary informations.
Well, i am pretty much a newbie when it comes to sendmail .....
*If* you are using smtp.kundenserver.de as smart relay *and* you have the problem that that server does not accept your mails to third parties than http://sdb.suse.de/de/sdb/html/sendmail_smtp_auth.html contains the solution.
I use smtp.kundenserver.de as mailrelay and it accepts my own mails pretty well. smtp-auth i couldn´t get to work because sendmail couldn´t dlopen a lib.
If you leave the mail configuration in its standard form (which does not allow relaying) than your clients still can send their mails using SMTP AUTH via your mail server. This is obviously the safest configuration (if you do not leave an unpatched sendmail-tls or openssl on your mailserver).
Gruß, Hatto
thX & cu Carsten
Had a look at my old logs - the file sendmail complained about : sendmail[349]: unable to dlopen /usr/lib/sasl/libgssapiv2.so: libgssapi.so.1: cannot load shared object file: No such file or directory This file existed. Re-installed everything relatet 5 times without solving the problem. cu Carsten
participants (5)
-
Carsten Becher
-
Graham Murray
-
Hatto von Hatzfeld
-
Ian David Laws
-
Jens Hoja