LinuxQuestions.org
Old 11-26-2002, 07:57 PM   #1
explorer1979
Member
 
Registered: Aug 2001
Location: Hong Kong, China
Distribution: CentOS, Red Hat, Mandrake, Debian
Posts: 88

Rep: Reputation: 15
Help, what does it mean?


Dear all Linux users:

My company's Linux mail server always receives this log information by mail.

My Linux is RH 7.2 with sendmail 8.11.9.

I don't understand what they mean. Does it mean that someone is using my mail server to make illegal e-mail?


NOQUEUE: [157.238.185.69] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

gAQAwGc12201: lost input channel from [61.50.173.191] to MTA after rcpt
 
Old 11-26-2002, 09:23 PM   #2
born4linux
Senior Member
 
Registered: Sep 2002
Location: Philippines
Distribution: Slackware, RHEL&variants, AIX, SuSE
Posts: 1,127

Rep: Reputation: 49
If the IPs are not from your network, most probably it is someone using your MTA server.
 
Old 11-26-2002, 09:52 PM   #3
explorer1979
Member
 
Registered: Aug 2001
Location: Hong Kong, China
Distribution: CentOS, Red Hat, Mandrake, Debian
Posts: 88

Original Poster
Rep: Reputation: 15
Then it means that some user other than our IP is illegally using our MTA mail server to send spam e-mail.

Does the above information mean they successfully and illegally sent the spam e-mail to others through our MTA server?

And can anyone give me suggestions on how to fix this problem, so they cannot illegally use our mail server to send spam e-mail?

Thanks
 
Old 11-26-2002, 10:14 PM   #4
mdh
Member
 
Registered: Nov 2002
Location: Melbourne, Australia
Distribution: (C)LFS (x86_64, ix86, sparcv9, ppc)
Posts: 122

Rep: Reputation: 16
Possible probe of your mailserver.

Could be caused by a number of things but most of the time it is someone checking out the daemon banner for your sendmail version.

Test it yourself
------------------------------------------------------------------------
#telnet mailserver 25
Trying xxx.xxx.xx.x...
Connected to mailserver.
Escape character is '^]'.
220 mailserver.some.domain ESMTP Sendmail 8.11.6/8.11.6; Wed, 27 Nov 2002 14:41:05 +1100 (EST)
------------------------------------------------------------------------
then enter QUIT to shut down the connection.

You should see a fresh entry in your logs.
Looks like someone is checking whether or not you have a compromisable version or testing whether they can use you as a relay.

You might want to consider
a) changing your daemon banner
either set

define(`confSMTP_LOGIN_MSG',`$j')dnl

in your .mc file and rebuild your sendmail.cf, or edit the line

O SmtpGreetingMessage=$j Sendmail $v/$Z; $b

to be

O SmtpGreetingMessage=$j

That way SMTP probes won't help an attacker. I generally spoof my MTA banner to look like something else; this one generally throws them off :-)

O SmtpGreetingMessage=$j Lotus MTA Service Ready

b) ensure that your mail server is not set up to accept mail from unqualified senders or from addresses in unresolvable domains.
Remove the options
FEATURE(`accept_unresolvable_domains')dnl and
FEATURE(`accept_unqualified_senders')dnl
if they exist in your .mc file and rebuild your sendmail.cf

c) ensure no-one can enumerate your mail aliases etc by setting the privacy options to reject EXPN (expand usernames) and VRFY (verify user exists).
Either add this line to your .mc file

define(`confPRIVACY_FLAGS',`goaway')dnl

and rebuild your sendmail.cf or edit your sendmail.cf file,
O PrivacyOptions=goaway

To check if this needs to be done, telnet to your mailserver on port 25 and issue the command
EHLO any.host.name
it should return whatever options it accepts. Check the list for VRFY or EXPN.

I am unsure how RH set up their configs, but if this is your front end mail relay it SHOULD be hardened.
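
Added example (not part of the post above): the manual telnet check from that reply, run over a saved session transcript. It flags a greeting that names a product and version, and an EHLO reply that lists VRFY or EXPN; both transcripts are constructed and the function names are this example's own.

```python
import re

# Constructed transcripts: 220 greeting plus the reply to "EHLO any.host.name".
DEFAULT = """\
220 mailserver.some.domain ESMTP Sendmail 8.11.6/8.11.6; Wed, 27 Nov 2002 14:41:05 +1100 (EST)
250-mailserver.some.domain Hello any.host.name [192.0.2.10], pleased to meet you
250-EXPN
250-VERB
250-8BITMIME
250 HELP
"""
HARDENED = """\
220 mailserver.some.domain ESMTP
250-mailserver.some.domain Hello any.host.name [192.0.2.10], pleased to meet you
250-8BITMIME
250 HELP
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")              # code, continuation flag, text
VERSION = re.compile(r"\b(\w+)\s+v?(\d+\.\d+[\w./]*)")  # "<product> <version>"
ENUM_KEYWORDS = {"VRFY", "EXPN"}                        # the two the post says to look for

def parse_replies(transcript):
    """Group multi-line SMTP replies: '250-' continues a reply, '250 ' ends it."""
    replies, current = [], []
    for line in transcript.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue                                    # telnet chatter such as "Trying ..."
        current.append(m.group(3))
        if m.group(2) == " ":
            replies.append((int(m.group(1)), current))
            current = []
    return replies

def audit(transcript):
    """Return findings for the banner and for the EHLO keyword list."""
    findings = []
    replies = parse_replies(transcript)
    greeting = next((texts[0] for code, texts in replies if code == 220), "")
    m = VERSION.search(greeting)
    if m:
        findings.append(f"banner discloses {m.group(1)} {m.group(2)}")
    for code, texts in replies:
        if code == 250:                                 # texts[0] is the "Hello" line
            keywords = {t.split()[0].upper() for t in texts[1:] if t.strip()}
            findings += [f"EHLO advertises {k}" for k in sorted(keywords & ENUM_KEYWORDS)]
    return findings

if __name__ == "__main__":
    for name, t in (("default", DEFAULT), ("hardened", HARDENED)):
        print(name, audit(t) or "no findings")
```

Some servers accept VRFY without listing it in the EHLO reply, so an empty result is worth confirming by issuing VRFY for a test account on your own server.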
 
Old 11-27-2002, 10:55 AM   #5
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Re: Help, what does it mean?

Quote:
Originally posted by explorer1979
NOQUEUE: [157.238.185.69] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
gAQAwGc12201: lost input channel from [61.50.173.191] to MTA after rcpt
These types of error messages are typically the result of a port scan. The client is making a connection to your service, but not following through with a legitimate email transaction.
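
Added example (not part of the thread): a triage script for the two message types discussed above. It groups them by client IP and separates connect-only probes from sessions that were dropped partway and from relay attempts the server refused. The syslog prefixes and every line beyond the two quoted messages, including the `Relaying denied` line and the 192.0.2.10 address, are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample log (only the two message texts come from the thread).
SAMPLE_LOG = """\
Nov 26 19:40:02 mail sendmail[12188]: NOQUEUE: [157.238.185.69] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 26 19:41:17 mail sendmail[12201]: gAQAwGc12201: ruleset=check_rcpt, arg1=<a@example.net>, relay=[61.50.173.191], reject=550 5.7.1 <a@example.net>... Relaying denied
Nov 26 19:41:19 mail sendmail[12201]: gAQAwGc12201: lost input channel from [61.50.173.191] to MTA after rcpt
Nov 26 19:45:30 mail sendmail[12230]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Nov 26 19:45:31 mail sendmail[12231]: NOQUEUE: [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# "(?:\S+ )?" allows for a resolved host name printed before the bracketed IP.
PATTERNS = {
    "connect_only": re.compile(r"\[(?P<ip>[\d.]+)\] did not issue MAIL/EXPN/VRFY/ETRN"),
    "dropped": re.compile(
        r"lost input channel from (?:\S+ )?\[(?P<ip>[\d.]+)\] to \S+ after (?P<state>\w+)"),
    "relay_denied": re.compile(r"relay=(?:\S+ )?\[(?P<ip>[\d.]+)\].*Relaying denied"),
}

def triage(log_text):
    """Count each event type per client IP; 'dropped' keeps the last SMTP state."""
    stats = defaultdict(lambda: {"connect_only": 0, "dropped": [], "relay_denied": 0})
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            entry = stats[m.group("ip")]
            if kind == "dropped":
                entry["dropped"].append(m.group("state"))
            else:
                entry[kind] += 1
            break
    return dict(stats)

def verdict(entry):
    """One-line summary for an IP, most significant event first."""
    if entry["relay_denied"]:
        return "relay attempt, rejected by the server"
    if entry["dropped"]:
        return "disconnected mid-transaction after " + "/".join(sorted(set(entry["dropped"])))
    return "connected without sending mail (scan or banner check)"

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, "->", verdict(entry))
```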
 
  

