Date:      Mon, 10 Nov 2008 22:13:11 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        redtick@sbcglobal.net
Cc:        help help <freebsd-questions@freebsd.org>
Subject:   Re: open mail relay with ipv6??
Message-ID:  <4918B1F7.6060103@infracaninophile.co.uk>
In-Reply-To: <346469.37304.qm@web81205.mail.mud.yahoo.com>
References:  <346469.37304.qm@web81205.mail.mud.yahoo.com>


Mark Busby wrote:
> Is this an open relay using ipv6? If so how to block the ipv6 relay.
> I thought after sendmail v8.9, all relay action was blocked by default.

You haven't given sufficient information to say whether the machine is
an open relay or not.  We'd need to see the configuration files (well,
the .mc file that is processed to produce the eventual sendmail.cf)
plus potentially the contents of the access DB.  However, you are
correct: nowadays the default sendmail configuration is to block
relaying, and you have to deliberately add configuration settings to
enable any permitted relays.  If you're using the default configuration
shipped with FreeBSD, then it is not an open relay.

> maillog entry
> Nov 10 15:01:11 "hostname" sm-mta[8989]: mAAL021C008989: from=<jjack@panama-overseas.com>, size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
> Nov 10 15:01:17 "hostname" sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=<security@bank0famerica.com>, relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address security@bank0famerica.com does not resolve
> Nov 10 15:01:17 "hostname" sm-mta[8989]: mAAL021D008989: from=<security@bank0famerica.com>, size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]

This certainly doesn't indicate a message being inappropriately
relayed. The attempt to send the message is rejected with a permanent
error code (ie. tell the sender to bounce the message as undeliverable
and not to re-queue it for another attempt at delivery later).  I think
it's also doing the correct thing and rejecting the e-mail during the
SMTP dialog rather than accepting the message for delivery and then
later sending a bounce-o-gram to the listed sender address.  Google for
'backscatter spam' in order to understand why the latter course of
action is a bad idea.

>> sockstat -6
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     sendmail   8284  5  tcp6   *:25                  *:*
> root     sshd       1520  3  tcp6   *:5960                *:*
> root     ntpd       1010  5  udp6   *:123                 *:*
> root     ntpd       1010  9  udp6   fe80:6::1:123         *:*
> root     ntpd       1010  10 udp6   ::1:123               *:*
> root     syslogd    927   6  udp6   *:514                 *:*

You've got sendmail listening on all interfaces for IPv6 connections.
This is appropriate if you expect the machine to receive incoming
e-mails.  If that's not the case, then set "sendmail_enable='NO'" in
/etc/rc.conf. This will give you a send-only configuration with a
sendmail listener bound to the loopback address (typically both ::1
and 127.0.0.1)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
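
Added example, not part of the original message: one way to read sendmail maillog entries like those quoted above and decide, per queue ID, whether anything was actually sent onward. The sample lines are constructed (modelled on the quoted log; queue ID mAAL0aaa000001 and the example.* hosts are invented), and the verdict names and `local_domains` parameter are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines follow the maillog quoted in the
# message; the last two (queue ID mAAL0aaa000001) are invented for contrast.
SAMPLE = """\
Nov 10 15:01:11 host sm-mta[8989]: mAAL021C008989: from=<jjack@panama-overseas.com>, size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 15:01:17 host sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=<security@bank0famerica.com>, relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address security@bank0famerica.com does not resolve
Nov 10 15:01:17 host sm-mta[8989]: mAAL021D008989: from=<security@bank0famerica.com>, size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 15:02:00 host sm-mta[9001]: mAAL0aaa000001: from=<a@example.org>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=IPv6, relay=mx.example.org [IPv6:2001:db8::1]
Nov 10 15:02:01 host sm-mta[9002]: mAAL0aaa000001: to=<b@example.net>, delay=00:00:01, mailer=esmtp, relay=mx.example.net. [192.0.2.1], dsn=2.0.0, stat=Sent (ok)
"""

LINE = re.compile(r"sm-mta\[\d+\]: (\w+): (.*)")      # queue ID, then the field list
FIELD = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")        # key=value up to the next key
ADDR = re.compile(r"\[(?:IPv6:)?([^\]]+)\]")          # address inside relay=name [addr]
LOOPBACK = {"::1", "127.0.0.1"}

def classify(log, local_domains):
    """Return {queue_id: verdict} for every sm-mta queue ID in the log text."""
    records = defaultdict(list)
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            records[m.group(1)].append(dict(FIELD.findall(m.group(2))))
    verdicts = {}
    for qid, recs in records.items():
        # The from= record names the connecting client in its relay= field.
        client = next((ADDR.search(r.get("relay", "")) for r in recs if "from" in r), None)
        remote_client = bool(client) and client.group(1) not in LOOPBACK
        # Only to= records with stat=Sent mean a message left this host's queue.
        sent = [r["to"] for r in recs if "to" in r and r.get("stat", "").startswith("Sent")]
        foreign = [t for t in sent
                   if t.strip("<>").rpartition("@")[2].lower() not in local_domains]
        if any("reject" in r for r in recs):
            verdicts[qid] = "rejected"            # refused during the SMTP dialog
        elif not sent:
            verdicts[qid] = "nothing-delivered"   # e.g. nrcpts=0, no to= record
        elif remote_client and foreign:
            verdicts[qid] = "relayed-review"      # outside client to outside domain
        else:
            verdicts[qid] = "normal"
    return verdicts

if __name__ == "__main__":
    for qid, verdict in classify(SAMPLE, {"example.com"}).items():
        print(qid, verdict)
```

A "relayed-review" verdict only says that a non-loopback client had mail sent on to a domain outside `local_domains`; whether that client was a permitted relay still depends on the .mc file and access DB mentioned above.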





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4918B1F7.6060103>