Mailinglist Archive: opensuse-security (547 mails)

Re: [suse-security] mail relaying, SuSE 7.0
  • From: Stefan Suurmeijer <stefan@xxxxxxxxxxxx>
  • Date: Wed, 1 Nov 2000 13:21:57 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0011011243540.21795-100000@xxxxxxxxxxxxxxxxxxxx>
Hi Volker,

On Wed, 1 Nov 2000, Volker Kuhlmann wrote:

> Hello all,
>
> I have a problem with mail relaying. Testing my machine (at home)
> with the test at http://www.abuse.net/relay.html, I found that it was
> indeed relaying. That was a surprise, because I thought I had a default
> configuration and that the default would not allow relaying.
>
> I selected "host with permanent net connection" in yast. In order to
> get things going, I had to set
>
> FROM_HEADER="elec.canterbury.ac.nz"
>
> in rc.config, which leads to a
>
> DMelec.canterbury.ac.nz
>

I don't use SuSE's default configuration, so in part I'm guessing
here. Anyway, DM is for masquerading, i.e. every mail (except for exposed
users) to leave your machine is masqued to look like it came from
username@xxxxxxxxxxxxxxxxxxxxxx. If this is your machine name, it shouldn't
be necessary though.

> line in sendmail.cf. Without this, email to kuhlmav@xxxxxxxxxxxxxxxxxxxxx
> leaves my host (as /var/log/mail shows), but never arrives - presumably
> because the university's mail gateway cantva.canterbury.ac.nz trashes it.
> I remember having had problems before if the sending host's (mine)
> FQN doesn't resolve (although it seemed I can put anything I want,
> as long as it resolves).
>

I am guessing that elec.canterbury.ac.nz is your machine? The first thing
you need to do is make sure that in your sendmail.cw file you put every
hostname that should be treated as local, that is, delivered to a local
user. So your sendmail.cw file should contain

localhost
elec.canterbury.ac.nz

(optionally canterbury.ac.nz if you're mailserver for the entire
canterbury domain)

That means every e-mail sent FROM elec.canterbury.ac.nz to
user@xxxxxxxxxxxxxxxxxxxxx will be treated as local. However, to enable
people to send mail to you from a remote site, you need to do more. Ask
your local DNS administrator to add an MX record for your machine (which he
will not do as long as your machine relays ;-)). You can test it with
nslookup. Do:

    nslookup
    > set q=MX
      (to query for mail exchangers)
    > elec.canterbury.ac.nz

This should give you the mail exchanger record for your machine, which is
now probably empty. That means that depending on their configuration, a
lot of servers won't be able to send to you (in the absence of an MX
record, some try to send directly to the IP address of the machine
instead).


> How can I configure things to make email work, but block relaying?
>

These changes will make sure your mail is sent and delivered correctly. It
doesn't help with your relay problem though. Check your /etc/mail/access
and /etc/mail/relay-domains to see if they're correctly set up. And check
your sendmail.cf to see if both are used. I should think a default SuSE
setup uses both. Check out which relay test you failed; usually there are
hints to help you along. Also you might want to check out www.orbs.org,
there are some good tips on closing relay holes there.

> Thanks for any help,
>

One request though: PLEASE PLEASE shut down your server while it is
relaying. I'm sure a lot of people on this list have experienced the joys
of open relays.

> Volker
>

Good luck

Stefan
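
The check suggested in the reply above (are /etc/mail/access and /etc/mail/relay-domains set up correctly, and does sendmail.cf use both), written out as an added example that is not part of the original mail or of SuSE's configuration. It assumes the access map appears in sendmail.cf as a `Kaccess` line and relay-domains as an `FR` line; the sample file contents are constructed and the "too broad" rule is a heuristic.

```python
import re

# Constructed sample inputs for illustration; not taken from the original mail.
SAMPLE_CF = "Fw/etc/sendmail.cw\nFR-o /etc/mail/relay-domains\nKaccess hash /etc/mail/access\n"
SAMPLE_ACCESS = """\
localhost          RELAY
127.0.0.1          RELAY
com                RELAY
spammer.example    REJECT
"""
SAMPLE_RELAY_DOMAINS = "# constructed\nmail.example.org\nnz\n"

HARMLESS = {"localhost", "127"}  # assumption: loopback entries are fine to relay for


def cf_uses(cf_text):
    """Does sendmail.cf load the access map (K line) and relay-domains (class R F line)?"""
    return {
        "/etc/mail/access": bool(re.search(r"^Kaccess\s", cf_text, re.M)),
        "/etc/mail/relay-domains": bool(re.search(r"^FR.*relay-domains", cf_text, re.M)),
    }


def entries(text):
    """Yield the whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def too_broad(key):
    """Heuristic: a single label (a TLD or a one-octet IP prefix) matches far too much."""
    key = key.split(":", 1)[-1].rstrip(".").lower()  # drop a tag such as "Connect:"
    return "." not in key and key not in HARMLESS


def audit(cf_text, access_text, relay_domains_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"sendmail.cf does not reference {path}"
                for path, used in cf_uses(cf_text).items() if not used]
    for fields in entries(access_text):
        if len(fields) >= 2 and fields[1].upper() == "RELAY" and too_broad(fields[0]):
            findings.append(f"access: '{fields[0]}' is allowed to RELAY")
    for fields in entries(relay_domains_text):
        if too_broad(fields[0]):
            findings.append(f"relay-domains: '{fields[0]}' matches too broadly")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CF, SAMPLE_ACCESS, SAMPLE_RELAY_DOMAINS):
        print(finding)
```

An empty result only means these two files look sane; an external relay test is still the final check.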


