Could be caused by a number of things but most of the time it is someone checking out the daemon banner for your sendmail version.
Test it yourself
------------------------------------------------------------------------
#telnet mailserver 25
Trying xxx.xxx.xx.x...
Connected to mailserver.
Escape character is '^]'.
220 mailserver.some.domain ESMTP Sendmail 8.11.6/8.11.6; Wed, 27 Nov 2002 14:41:05 +1100 (EST)
------------------------------------------------------------------------
Then enter QUIT to shut down the connection.
You should see a fresh entry in your logs.
Looks like someone is checking whether or not you have a compromisable version or testing whether they can use you as a relay.
You might want to consider
a) changing your daemon banner
either set
define(`confSMTP_LOGIN_MSG',`$j')dnl
in your .mc file and rebuild your sendmail.cf, or edit the line
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
to be
O SmtpGreetingMessage=$j
That way SMTP probes won't help an attacker. I generally spoof my MTA banner to look like something else; this one generally throws them off :-)
O SmtpGreetingMessage=$j Lotus MTA Service Ready
b) ensure that your mail server is not set up to accept mail from unqualified senders or from addresses in unresolvable domains.
Remove the options
FEATURE(`accept_unresolvable_domains')dnl and
FEATURE(`accept_unqualified_senders')dnl
if they exist in your .mc file and rebuild your sendmail.cf
c) ensure no-one can enumerate your mail aliases etc by setting the privacy options to reject EXPN (expand usernames) and VRFY (verify user exists).
Either add this line to your .mc file
define(`confPRIVACY_FLAGS',`goaway')dnl
and rebuild your sendmail.cf or edit your sendmail.cf file,
O PrivacyOptions=goaway
To check if this needs to be done, telnet to your mailserver on port 25 and issue the command
EHLO any.host.name
It should return whatever options it accepts. Check the list for VRFY or EXPN.
I am unsure how RH set up their configs, but if this is your front-end mail relay it SHOULD be hardened.
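The banner and EHLO checks from the post above can be run against a saved session instead of being read by eye. This is an added example, not part of the original thread: it parses constructed transcripts (client.example and 192.0.2.10 are placeholders) and reports a version string in the 220 greeting or EXPN/VRFY in the EHLO reply.

```python
import re

# Constructed server output (not from a real host): the greeting plus the
# reply to "EHLO any.host.name", before and after the changes in (a) and (c).
BEFORE = """\
220 mailserver.some.domain ESMTP Sendmail 8.11.6/8.11.6; Wed, 27 Nov 2002 14:41:05 +1100 (EST)
250-mailserver.some.domain Hello client.example [192.0.2.10], pleased to meet you
250-EXPN
250-8BITMIME
250 HELP
"""
AFTER = """\
220 mailserver.some.domain ESMTP
250-mailserver.some.domain Hello client.example [192.0.2.10], pleased to meet you
250-8BITMIME
250 HELP
"""

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")

def parse_replies(transcript):
    """Group server lines into (code, [text, ...]); 'NNN-' continues a reply."""
    replies, current = [], None
    for line in transcript.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            continue  # skip client commands and telnet chatter
        code, sep, text = m.groups()
        if current is None:
            current = (code, [])
        current[1].append(text)
        if sep == " ":  # a space after the code ends the reply
            replies.append(current)
            current = None
    return replies

def audit(transcript):
    """Return findings for the banner (a) and EXPN/VRFY (c) checks."""
    findings = []
    for code, lines in parse_replies(transcript):
        if code == "220":
            _host, _, rest = lines[0].partition(" ")
            if VERSION.search(rest):
                findings.append("banner discloses a version: " + rest)
        elif code == "250":
            # First line is the hello text; the rest are extension keywords.
            keywords = {l.split()[0].upper() for l in lines[1:] if l.strip()}
            for kw in sorted(keywords & {"EXPN", "VRFY"}):
                findings.append("EHLO advertises " + kw)
    return findings
```
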
Originally posted by explorer1979
NOQUEUE: [157.238.185.69] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
gAQAwGc12201: lost input channel from [61.50.173.191] to MTA after rcpt
These types of error messages are typically the result of a port scan. The client is making a connection to your service, but not following through with a legitimate email transaction.