Hello all, I have a problem with mail relaying. Testing my machine (at home) with the test at http://www.abuse.net/relay.html, I found that it was indeed relaying. That was a surprise, because I thought I had a default configuration and that the default would not allow relaying. I selected "host with permanent net connection" in yast. In order to get things going, I had to set FROM_HEADER="elec.canterbury.ac.nz" in rc.config, which leads to a DMelec.canterbury.ac.nz line in sendmail.cf. Without this, email to kuhlmav@elec.canterbury.ac.nz leaves my host (as /var/log/mail shows), but never arrives - presumably because the university's mail gateway cantva.canterbury.ac.nz trashes it. I remember having had problems before if the sending host's (mine) FQN doesn't resolve (although it seemed I can put anything I want, as long as it resolves). How can I configure things to make email work, but block relaying? Thanks for any help, Volker
Hi Volker, On Wed, 1 Nov 2000, Volker Kuhlmann wrote:
Hello all,
I have a problem with mail relaying. Testing my machine (at home) with the test at http://www.abuse.net/relay.html, I found that it was indeed relaying. That was a surprise, because I thought I had a default configuration and that the default would not allow relaying.
I selected "host with permanent net connection" in yast. In order to get things going, I had to set
FROM_HEADER="elec.canterbury.ac.nz"
in rc.config, which leads to a
DMelec.canterbury.ac.nz
I don't use SuSE's default configuration, so in part I'm guessing here. Anyway DM is for masquerading, i.e. every mail (except for exposed users) to leave your machine is masqueraded to look like it came from username@elec.canterbury.ac.nz. If this is your machine name, it shouldn't be necessary though.
line in sendmail.cf. Without this, email to kuhlmav@elec.canterbury.ac.nz leaves my host (as /var/log/mail shows), but never arrives - presumably because the university's mail gateway cantva.canterbury.ac.nz trashes it. I remember having had problems before if the sending host's (mine) FQN doesn't resolve (although it seemed I can put anything I want, as long as it resolves).
I am guessing that elec.canterbury.ac.nz is your machine? The first thing you need to do is make sure that in your sendmail.cw file you put every hostname that should be treated as local, that is delivered to a local user. So your sendmail.cw file should contain
localhost
elec.canterbury.ac.nz
(optionally canterbury.ac.nz if you're mailserver for the entire canterbury domain)
That means every e-mail sent FROM elec.canterbury.ac.nz to user@elec.canterbury.ac.nz will be treated as local. However, to enable people to send mail to you from a remote site, you need to do more. Ask your local DNS administrator to add an MX record for your machine (which he will not do as long as your machine relays ;-)). You can test it with nslookup. Do:
nslookup
set q=MX (to query for mail exchangers)
elec.canterbury.ac.nz
This should give you the mail exchanger record for your machine, which is now probably empty. That means that depending on their configuration, a lot of servers won't be able to send to you (in the absence of an MX record, some try to send directly to the ip-address of the machine instead).
How can I configure things to make email work, but block relaying?
These changes will make sure your mail is sent and delivered correctly. It doesn't help with your relay problem though. Check your /etc/mail/access and /etc/mail/relay-domains to see if they're correctly set up. And check your sendmail.cf to see if both are used. I should think a default SuSE setup uses both. Check out which relay test you failed, usually there are hints to help you along. Also you might want to check out www.orbs.org, there are some good tips on closing relay holes there.
Thanks for any help,
One request though: PLEASE PLEASE shut down your server while it is relaying. I'm sure a lot of people on this list have experienced the joys of open relays.
Volker
good luck Stefan
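A defender-side check for the situation Volker describes and for Stefan's sendmail.cw / relay-domains advice, added here as an example and not code from either post: it joins the from= and to= records sendmail writes to /var/log/mail by queue id and flags messages accepted from a client that is not allowed to relay and handed on to a domain not listed in sendmail.cw. The log lines, the local-domain set and the trusted-client set are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed /var/log/mail excerpt in sendmail 8.x style (sample data, not a real log).
SAMPLE_LOG = """\
Nov  1 18:26:22 home sendmail[1201]: eA1HQMw01201: from=<kuhlmav@elec.canterbury.ac.nz>, size=311, class=0, nrcpts=1, proto=ESMTP, relay=localhost [127.0.0.1]
Nov  1 18:26:23 home sendmail[1202]: eA1HQMw01201: to=<friend@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.10], stat=Sent
Nov  1 18:30:02 home sendmail[1210]: eA1HU2w01210: from=<probe@example.net>, size=420, class=0, nrcpts=1, proto=SMTP, relay=relay-test.example.net [198.51.100.7]
Nov  1 18:30:03 home sendmail[1211]: eA1HU2w01210: to=<victim@example.com>, delay=00:00:01, mailer=esmtp, relay=mx.example.com. [192.0.2.20], stat=Sent
Nov  1 18:31:10 home sendmail[1220]: eA1HVAw01220: from=<someone@example.net>, size=200, class=0, nrcpts=1, proto=SMTP, relay=mx.example.net [198.51.100.9]
Nov  1 18:31:11 home sendmail[1221]: eA1HVAw01220: to=<kuhlmav@elec.canterbury.ac.nz>, delay=00:00:01, mailer=local, stat=Sent
"""

LOCAL_DOMAINS = {"localhost", "elec.canterbury.ac.nz"}  # what sendmail.cw lists as local
TRUSTED_CLIENTS = {"127.0.0.1"}  # clients allowed to relay (access db / relay-domains)

QID_RE = re.compile(r"sendmail\[\d+\]: (\w+): (from|to)=<([^>]*)>(.*)")
RELAY_RE = re.compile(r"relay=(\S+) \[([\d.]+)\]")

def domain(addr):
    """Domain part of an address, lower-cased ('' for the null sender)."""
    return addr.rpartition("@")[2].lower()

def parse_sendmail_log(text):
    """Join the from= and to= records that sendmail logs separately, keyed by queue id."""
    msgs = defaultdict(lambda: {"from": None, "client_ip": None, "to": []})
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, kind, addr, rest = m.groups()
        if kind == "from":
            msgs[qid]["from"] = addr
            r = RELAY_RE.search(rest)  # relay= on the from= line is the submitting client
            msgs[qid]["client_ip"] = r.group(2) if r else None
        else:
            msgs[qid]["to"].append(addr)
    return dict(msgs)

def find_relayed(text):
    """Queue ids accepted from an untrusted client and sent on to a non-local domain."""
    hits = []
    for qid, m in parse_sendmail_log(text).items():
        if m["client_ip"] in TRUSTED_CLIENTS:
            continue  # our own submissions are allowed out
        if any(domain(t) not in LOCAL_DOMAINS for t in m["to"]):
            hits.append(qid)  # neither side is ours: this message was relayed
    return hits
```

A message that arrives from outside for a local user (the third one) is not flagged, because inbound delivery to a sendmail.cw domain is exactly what the host should do.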
Hi Stefan Suurmeijer,
I don't use SuSE's default configuration, so in part I'm guessing here. Anyway DM is for masquerading, i.e. every mail (except for exposed users) to leave your machine is masqueraded to look like it came from username@elec.canterbury.ac.nz. If this is your machine name, it shouldn't be necessary though.
line in sendmail.cf. good luck
in your mail you told how to make it, if you use sendmail. Sendmail is a very old MTA. What do you have to do if you want to fix the relaying problem using qmail? qmail is a replacement for sendmail, has more performance and more security. Regards, Ruprecht
On Wed, Nov 01, 2000 at 06:26:22PM +0100, Ruprecht Helms wrote:
in your mail you told how to make it, if you use sendmail. Sendmail is a very old MTA. What do you have to do if you want to fix the relaying problem using qmail? qmail is a replacement for sendmail, has more performance and more security.
If this isn't a complete line of crap I don't know what is.
ftp.sendmail.org
ls -l pub/sendmail/sendmail.8.11.1.tar.gz
-rw-r--r-- 1 gshapiro sendmail 1315141 Sep 28 18:30 sendmail.8.11.1.tar.gz
That doesn't look too old to me. To be correct actually, sendmail has done a pretty good source code audit of sendmail. They've also added a lot of features to help improve security. The reason most people switch to qmail is because they cannot figure out the sendmail configuration as it's pretty confusing. Sendmail can be made "secure" easily. Sendmail has been around since the beginning of time yes, and it has had its share of major security problems, but I do feel that a properly configured sendmail box will outperform qmail. Not to mention that sendmail has a lot of the features needed by big companies whereas qmail does not. I do not want to start a "sendmail vs. qmail" war here, I just hate seeing people spew crap out of their mouth about issues like this.
-miah
Actually, yes sendmail can be made reasonably secure... but if you want performance, sendmail is really not the choice you want to go with. Postfix and qmail both have much smaller memory footprints on the system and are more efficient in terms of cpu time. To give you an example... I run a mail list that has some 240k subscribers. Running sendmail, this machine would routinely hit load averages of 30 or higher. Switching to Postfix, the box seldom goes higher than a load of 6! I've used sendmail for a long time... in fact starting with version 4. I know how to configure it, and on small systems, it is just fine. But for larger industrial use... you either need a large industrial computer or a lighter MTA.
- Herman
On Wednesday 01 November 2000 12:34, jjohnson@penguincomputing.com wrote:
is because they cannot figure out the sendmail configuration as it's pretty confusing. Sendmail can be made "secure" easily. Sendmail has been around
If you are using a current version it starts out fairly secure.
since the beginning of time yes, and it has had its share of major security problems, but I do feel that a properly configured sendmail box will
Most of the problems are people running older versions. Sendmail has defaulted to relay off for quite a while now. Nick
On Wed, 1 Nov 2000 jjohnson@penguincomputing.com wrote:
If this isn't a complete line of crap I don't know what is.
ftp.sendmail.org
ls -l pub/sendmail/sendmail.8.11.1.tar.gz
-rw-r--r-- 1 gshapiro sendmail 1315141 Sep 28 18:30 sendmail.8.11.1.tar.gz
That doesn't look too old to me. To be correct actually, sendmail has done a pretty good source code audit of sendmail. They've also added a lot of features to help improve security. The reason most people switch to qmail is because they cannot figure out the sendmail configuration as it's pretty confusing. Sendmail can be made "secure" easily. Sendmail has been around since the beginning of time yes, and it has had its share of major security problems, but I do feel that a properly configured sendmail box will outperform qmail. Not to mention that sendmail has a lot of the features needed by big companies whereas qmail does not. I do not want to start a "sendmail vs. qmail" war here, I just hate seeing people spew crap out of their mouth about issues like this.
-miah
I agree that a lot of people switch to qmail or postfix because of supposed improved security. But when I ask them which features specifically, I either get a feature that sendmail has as well or no answer at all. I've been trying out postfix lately, and while I have to admit that the configuration is a little easier, I haven't seen any huge other advantages yet. I don't know qmail well enough to say anything specific about that, but I have used sendmail for a long time now, and it has served me well. Stefan
I agree that a lot of people switch to qmail or postfix because of supposed improved security. But when I ask them which features specifically, I either get a feature that sendmail has as well or no answer at all. I've been trying out postfix lately, and while I have to admit that the configuration is a little easier, I haven't seen any huge other advantages yet. I don't know qmail well enough to say anything specific about that, but I have used sendmail for a long time now, and it has served me well.
I think sendmail supports it now, but postfix supports using databases as the config files, i.e. virtualusertable is in a MySQL DB, meaning changing it on the fly is trivial. Also one HUGE advantage in postfix and qmail is that they only run a small component as root, so if there is a buffer overflow/etc it is less likely to be fatal, whereas sendmail is a huge blob of run as root code.
Stefan
-Kurt
On Wed, Nov 01, 2000 at 02:43:47PM -0700, Kurt Seifried wrote:
I think sendmail supports it now, but postfix supports using databases as the config files, i.e. virtualusertable is in a MySQL DB, meaning changing it on the fly is trivial. Also one HUGE advantage in postfix and qmail is that they only run a small component as root, so if there is a buffer overflow/etc it is less likely to be fatal, whereas sendmail is a huge blob of run as root code.
Sendmail does not have to run as root. You can make it drop all root privileges and change to a different user. It just depends on your mail system setup. -miah
Kurt Seifried wrote:
I agree that a lot of people switch to qmail or postfix because of supposed improved security....
If you are unable to configure your MTA properly, it doesn't matter which MTA you use. OBTW: 'you' as in 'people' ;-)
...But when I ask them which features specifically, I either get a feature that sendmail has as well or no answer at all. I've been trying out postfix lately, and while I have to admit that the configuration is a little easier, I haven't seen any huge other advantages yet...
I've heard that Postfix is about 3 times faster than Sendmail.
...I don't know qmail well enough to say anything specific about that, but I have used sendmail for a long time now, and it has served me well.
IMHO Sendmail is a bit of a 'monster' to configure.
I think sendmail supports it now, but postfix supports using databases as the config files, i.e. virtualusertable is in a MySQL DB, meaning changing it on the fly is trivial...
Postfix has support for maps in LDAP as well.
...Also one HUGE advantage in postfix and qmail is that they only run a small component as root, so if there is a buffer overflow/etc it is less likely to be fatal, whereas sendmail is a huge blob of run as root code.
Postfix does not run as root at all. There is only one component which needs a sgid bit set (postdrop). You can disable that too - but then you need a world writable maildrop directory. (SuSE's default postfix configuration runs chroot'ed and does not use sgid). -- Ørnulf Nielsen
Postfix does not run as root at all.
I thought root rights were needed to access ports < 1024. But that might be wrong.
That's right. But you can (as root) grab the socket with the low port and then trash the privileges, then continue working with that socket. It's like opening a file that is being chmod()ed after the open - if you were allowed to open it, you may still use it as long as you didn't close the file again.
mike
Roman.
-- Roman Drahtmüller
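The bind-then-drop sequence Roman describes, as an added example (not code from any post in this thread): the listening socket is created first, root is given up in the right order (supplementary groups, gid, uid, then a check that setuid(0) now fails), and the socket bound beforehand is shown to still accept connections and exchange data. The user nobody and port 25 are assumptions; run as an ordinary user, demo(0) binds an ephemeral port and has nothing to drop.

```python
import os
import pwd
import socket

def bind_privileged(port):
    """Bind a listening TCP socket on loopback. Ports below 1024 need root;
    port 0 lets the kernel pick a free one (for running the demo unprivileged)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(5)
    return s

def drop_privileges(user="nobody"):
    """Give up root for good: supplementary groups first, then gid, then uid.
    Returns the uid now in effect; a non-root caller has nothing to drop."""
    if os.getuid() != 0:
        return os.getuid()
    try:
        pw = pwd.getpwnam(user)
        uid, gid = pw.pw_uid, pw.pw_gid
    except KeyError:
        uid = gid = 65534  # conventional "nobody" ids if the account is missing
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:  # getting root back must now be impossible
        os.setuid(0)
    except PermissionError:
        return os.getuid()
    raise RuntimeError("privileges were not dropped")

def socket_still_usable(listener):
    """Show the socket bound before the drop still accepts and exchanges data."""
    port = listener.getsockname()[1]
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        conn, _ = listener.accept()
        with conn:
            client.sendall(b"EHLO test\r\n")
            return conn.recv(64) == b"EHLO test\r\n"

def demo(port):
    """Bind first (as root if we are one), drop root, keep serving on the bound socket."""
    listener = bind_privileged(port)
    uid = drop_privileges()
    try:
        return uid, socket_still_usable(listener)
    finally:
        listener.close()
```

As root, demo(25) binds the SMTP port and then continues as nobody, which is the same trick an MTA uses to serve port 25 without keeping root.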
Participants (10): Herman Knief, jjohnson@penguincomputing.com, Kurt Seifried, Nick Zentena, Roman Drahtmueller, Ruprecht Helms, Stefan Suurmeijer, Thomas Michael Wanka, Volker Kuhlmann, Ørnulf Nielsen