[SOLVED] sendmail 8.13.8: how to force local addresses to actually be from localhost
i have recently configured sendmail 8.13.8 on a new VPS. so far i'm lucky and am not being bombarded by spam as it's a new server.
relaying is only allowed from localhost. there are also only two email "accounts" and they are simply aliases in /etc/aliases.
i have one consistent spam problem: someone connects with a LOCAL address such as "postmaster@myhost.com" from a REMOTE location. the mail server ACCEPTS the from address ( as it always would anyway as the server IS available to the internet ) and, if a valid user account is listed as the recipient, in this case the same address "postmaster@myhost.com", then the mail is accepted for delivery.
the question description is: SURELY, there must be a way to say "if someone connects and requests to send email from postmaster@myhost.com then they must _actually_be_ connecting from localhost". However, try as i might, i cannot find a way to enforce this. can anyone help me with how to do this?
below is a real example log of one of the actual spam emails being accepted and delivered to me via the postmaster address ( in the below log snippet the VPS hostname is changed to 'localhost' and my google address is changed to 'localalias' ):
Code:
Oct 19 18:16:10 localhost sendmail[7411]: NOQUEUE: connect from 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged)
Oct 19 18:16:10 localhost sendmail[7411]: AUTH: available mech=ANONYMOUS, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Oct 19 18:16:10 localhost sendmail[7411]: p9J7GAic007411: Milter: no active filter
Oct 19 18:16:10 localhost sendmail[7411]: p9J7GAic007411: --- 220 localhost.org ESMTP Wed, 19 Oct 2011 18:16:10 +1100
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: <-- HELO SERVER
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: --- 250 localhost.org Hello 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged), pleased to meet you
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: <-- MAIL FROM: <postmaster@localhost.org>
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: --- 250 2.1.0 <postmaster@localhost.org>... Sender ok
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: <-- RCPT TO: <postmaster@localhost.org>
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: --- 250 2.1.5 <postmaster@localhost.org>... Recipient ok
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: <-- DATA
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: --- 354 Enter mail, end with "." on a line by itself
Oct 19 18:16:13 localhost sendmail[7411]: p9J7GAic007411: from=<postmaster@localhost.org>, size=3119, class=0, nrcpts=1, msgid=<$MESSAGE_ID>, proto=SMTP, daemon=MTA, relay=175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged)
Oct 19 18:16:13 localhost sendmail[7411]: p9J7GAic007411: --- 250 2.0.0 p9J7GAic007411 Message accepted for delivery
Oct 19 18:16:13 localhost sendmail[7412]: p9J7GAic007411: alias <postmaster@localhost.org> => root
Oct 19 18:16:13 localhost sendmail[7412]: p9J7GAic007411: alias root => localalias@gmail.com
Oct 19 18:16:14 localhost sendmail[7412]: p9J7GAic007411: SMTP outgoing connect on localhost.org
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: ClientCertFile missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: ClientKeyFile missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: CACertPath missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: CACertFile missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: CRLFile missing
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, init=1
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, start=ok
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, info: fds=13/4, err=2
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, info: fds=13/4, err=2
Oct 19 18:16:15 localhost sendmail[7411]: p9J7GAid007411: --- 421 4.4.1 localhost.org Lost input channel from 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged)
Oct 19 18:16:15 localhost sendmail[7411]: p9J7GAid007411: lost input channel from 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged) to MTA after data
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, get_verify: 20 get_peer: 0x2ba029ab54e0
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, cert-subject=/C=US/ST=California/L=Mountain+20View/O=Google+20Inc/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Inc/CN=Google+20Internet+20Authority, verifymsg=unable to get local issuer certificate
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=read, info: fds=13/4, err=2
Oct 19 18:16:16 localhost last message repeated 3 times
Oct 19 18:16:17 localhost sendmail[7412]: p9J7GAic007411: to=localalias@gmail.com, delay=00:00:05, xdelay=00:00:04, mailer=esmtp, pri=33386, relay=gmail-smtp-in.l.google.com. [74.125.65.26], dsn=2.0.0, stat=Sent (OK 1319008577 u37si2130015ybu.55)
Oct 19 18:16:17 localhost sendmail[7412]: p9J7GAic007411: done; delay=00:00:05, ntries=1
Oct 19 18:16:17 localhost sendmail[7412]: STARTTLS=read, info: fds=13/4, err=2
Oct 19 18:16:17 localhost sendmail[7412]: STARTTLS=client, SSL_shutdown not done
note there are two other issues you will notice in the above log snippet but i will ask them separately to keep it simple.
thanks in advance for any help.
Best Regards,
Ben Hare.
Last edited by benhare; 10-19-2011 at 02:53 AM.
Reason: fix code block formatting
edit: to be more specific, they're not relaying, they're connecting from a remote server ( which is allowed ) and sending message to a local, valid address ( allowed ). my point is, if the address they are sending to is a local address like postmaster@myhost.com is then how do i enforce that, in that case, the mail is ONLY allowed if it originates FROM localhost.
nah no good either cos i do want to receive mail addressed to postmaster. i'm really surprised if there is not a way to enforce local senders to only be allowed to connect and send from localhost.
i'm really surprised if there is not a way to enforce local senders to only be allowed to connect and send from localhost.
You can use smtp_auth even for localhost, but you understand that postmaster cannot authenticate as it's not a real user but special account used by the mail server.
Why don't you consider the procmail approach? I guess you have procmail installed as it usually comes with sendmail.
Or you can use a spam filter, like spamassassin, for the same.
that's essentially what happens anyway - the above mail does go straight to my spam folder. i'm just surprised there is no setting that can be applied to enforce what would seem to me to be an obvious way of cutting down on spam. i can't think of a case where the postmaster of your box would ever need to send mail, to the postmaster of your box ( itself ) from a dial up address, external to your network.
anyway, cheers for the options. if it becomes more of an issue, there are some options there so ta.
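An added example, not part of the original thread: a log check for the pattern discussed above, run over sendmail's per-message `from=` summary line (the same line format as in the posted log). It reports messages whose envelope sender is in a local domain while the relay is not loopback. The function name, the domain list and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# The per-message summary line sendmail logs for each accepted message.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>,.*?"
    r"relay=(?P<relay>[^,\n]+)"
)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed sample lines (documentation addresses, hypothetical domains).
SAMPLE_LOG = """\
Oct 19 18:16:13 mx sendmail[7411]: p9J7GAic007411: from=<postmaster@example.org>, size=3119, class=0, nrcpts=1, msgid=<a1@example.org>, proto=SMTP, daemon=MTA, relay=host.example.net [203.0.113.9] (may be forged)
Oct 19 18:20:01 mx sendmail[7420]: p9J7K1ic007420: from=<root@example.org>, size=512, class=0, nrcpts=1, msgid=<a2@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Oct 19 18:21:44 mx sendmail[7431]: p9J7Liic007431: from=<root@example.org>, size=300, class=0, nrcpts=1, msgid=<a3@example.org>, relay=root@localhost
Oct 19 18:25:09 mx sendmail[7440]: p9J7P9ic007440: from=<alice@example.com>, size=900, class=0, nrcpts=1, msgid=<a4@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [198.51.100.7]
"""


def spoofed_local_senders(log_text, local_domains):
    """Return (queue id, sender, relay IP) for each message whose envelope
    sender is in local_domains but whose relay is not a loopback address."""
    local = {d.lower() for d in local_domains}
    hits = []
    for line in log_text.splitlines():
        m = FROM_LINE.search(line)
        if not m:
            continue
        sender = m.group("sender")
        domain = sender.rpartition("@")[2].lower()
        if "@" not in sender or domain not in local:
            continue
        ip_match = BRACKET_IP.search(m.group("relay"))
        if ip_match is None:
            # relay=user@localhost: submitted on the box itself, no TCP peer.
            continue
        try:
            ip = ipaddress.ip_address(ip_match.group(1))
        except ValueError:
            continue  # bracketed text that is not an IP address
        if not ip.is_loopback:
            hits.append((m.group("qid"), sender, str(ip)))
    return hits


if __name__ == "__main__":
    for qid, sender, ip in spoofed_local_senders(SAMPLE_LOG, ["example.org"]):
        print(f"{qid}: local sender {sender} arrived from {ip}")
```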