LinuxQuestions.org


DragonM15 10-09-2007 02:21 PM

maillog relay question
 
Hello All,
Ok, this is just a quick question in regards to a small section of my maillog file. The lines:
Code:

Oct  9 08:14:16 looneytunes sm-mta[23312]: l99FEFXM023312: ruleset=check_mail, arg1=<michael78694@MyMainServer.com>, relay=218-167-77-53.dynamic.hinet.net [218.167.77.53], reject=553 5.1.8 <michael78694@MyMainServer.com>... Domain of sender address michael78694@MyMainServer.com does not exist
Oct  9 08:14:16 looneytunes sm-mta[23312]: l99FEFXM023312: from=<michael78694@MyMainServer.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=218-167-77-53.dynamic.hinet.net [218.167.77.53]
Oct  9 11:29:45 looneytunes sm-mta[25770]: l99ITjaa025770: dimensionallife.com [69.13.38.197] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

are what are in question. I notice that it originally says relaying was rejected, but then later down the line it just says relay=218.#.#.#. Is this anything to be worried about?

Also, for the last line with dimensionallife.com (may be forged), I was just curious exactly what that means.

Thanks,
DragonM15

jayjwa 10-13-2007 07:33 PM

The 'relay' bit first confused me too. Sendmail has a somewhat confusing terminology here. You're probably thinking of 'relay' as in 'I relayed the mail to someplace else', but here it means 'the place that gave something to you', or 'the previous or next position'. Think of people running a relay race, and maybe that will help (one hands off to the next).

The 'may be forged' bit comes up when hostname and IP addresses don't match up perfectly. I see this with one of my systems, it happens with hostname pointers in use and multihomed systems.

Here:

Code:

host 69.13.38.197
197.38.13.69.in-addr.arpa domain name pointer dimensionallife.com.

host dimensionallife.com
dimensionallife.com has address 76.233.223.98
dimensionallife.com mail is handled by 10 dallas-texas.net.
dimensionallife.com mail is handled by 20 mail.dallastexas.net.
dimensionallife.com mail is handled by 30 mail.dimensionallife.com

host 76.233.223.98
98.223.233.76.in-addr.arpa domain name pointer adsl-76-233-223-98.dsl.pltn13.sbcglobal.net

Non-authoritative answer:
197.38.13.69.in-addr.arpa      name = dimensionallife.com.

Authoritative answers can be found from:
38.13.69.in-addr.arpa  nameserver = ns.propagation.net.
38.13.69.in-addr.arpa  nameserver = ns2.propagation.net.
38.13.69.in-addr.arpa  nameserver = ns3.propagation.net.
38.13.69.in-addr.arpa  nameserver = ns4.propagation.net.
ns.propagation.net      internet address = 216.221.160.10
ns2.propagation.net    internet address = 216.221.162.106
ns3.propagation.net    internet address = 63.249.128.204
ns4.propagation.net    internet address = 63.249.128.203

What (I think) is going on here is that someone with an sbcglobal.net DSL line pointed the name 'dimensionallife.com' back to themselves. Looking at the nameservers for the address that it resolves back into, it looks like it might be some hosting or load balancing service (propagation.net). Sendmail throws the warning because dimensionallife.com = 76.233.223.98 but 76.233.223.98 != dimensionallife.com. 76.233.223.98 has more than 1 name pointing at it. My IP right now has three. There are free services that you can get that will point names to your host. That's especially useful if you're stuck on a dynamic connection.
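To make the explanation above concrete, here is an added example (not from the thread and not sendmail's own code) that parses the three sm-mta lines from the question and re-does the forward-confirmed reverse DNS check that produces "(may be forged)", using a small offline DNS table built from the host output above. The hinet.net entries in that table are an assumption chosen to agree with the log, which shows no forged warning for that host.

```python
import re

# Sample input: the three sm-mta lines quoted in the question (constructed
# sample for this example, copied from the post above).
MAILLOG = """\
Oct  9 08:14:16 looneytunes sm-mta[23312]: l99FEFXM023312: ruleset=check_mail, arg1=<michael78694@MyMainServer.com>, relay=218-167-77-53.dynamic.hinet.net [218.167.77.53], reject=553 5.1.8 <michael78694@MyMainServer.com>... Domain of sender address michael78694@MyMainServer.com does not exist
Oct  9 08:14:16 looneytunes sm-mta[23312]: l99FEFXM023312: from=<michael78694@MyMainServer.com>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=218-167-77-53.dynamic.hinet.net [218.167.77.53]
Oct  9 11:29:45 looneytunes sm-mta[25770]: l99ITjaa025770: dimensionallife.com [69.13.38.197] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""
# Offline stand-in for DNS. dimensionallife.com entries come from the 'host' output
# in the answer; the hinet.net entries are an assumption consistent with the log.
PTR = {
    "69.13.38.197": "dimensionallife.com",
    "76.233.223.98": "adsl-76-233-223-98.dsl.pltn13.sbcglobal.net",
    "218.167.77.53": "218-167-77-53.dynamic.hinet.net",
}
A = {
    "dimensionallife.com": ["76.233.223.98"],
    "218-167-77-53.dynamic.hinet.net": ["218.167.77.53"],
}

QID_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): (?P<rest>.*)")
RELAY_RE = re.compile(r"(?:relay=)?(?P<host>\S+) \[(?P<ip>[\d.]+)\](?P<forged> \(may be forged\))?")

def forward_confirmed(ip, ptr=PTR, a=A):
    """Sendmail's check in miniature: the PTR name must have an A record containing the IP."""
    name = ptr.get(ip)
    return name is not None and ip in a.get(name, [])

def parse_line(line):
    """Extract queue id, the peer ('relay' = host that handed us the connection) and outcome flags."""
    m = QID_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    r = RELAY_RE.search(rest)
    rec = {
        "qid": m.group("qid"),
        "relay_host": r.group("host") if r else None,
        "relay_ip": r.group("ip") if r else None,
        "forged_flag": bool(r and r.group("forged")),  # sendmail's own verdict
        "rejected": "reject=" in rest,                 # e.g. the 553 5.1.8 above
        "no_mail_cmd": "did not issue MAIL" in rest,   # connected, then sent no MAIL
    }
    rec["fcrdns_ok"] = forward_confirmed(rec["relay_ip"]) if rec["relay_ip"] else None
    return rec

def summarize(log=MAILLOG):
    return [rec for rec in (parse_line(l) for l in log.splitlines()) if rec]
```

Run summarize() to see that the first line is a rejection from a peer whose reverse DNS does confirm, while the third line's peer fails the forward check, which is exactly why sendmail tagged it "(may be forged)".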
