LinuxQuestions.org
Old 10-19-2011, 02:48 AM   #1
benhare
LQ Newbie
 
Registered: Oct 2011
Posts: 5

Rep: Reputation: Disabled
Question sendmail 8.13.8: how to force local addresses to actually be from localhost


i have recently configured sendmail 8.13.8 on a new VPS. so far i'm lucky and am not being bombarded by spam as it's a new server.

relaying is only allowed from localhost. there are also only two email "accounts" and they are simply aliases in /etc/aliases.

i have one consistent spam problem: someone connects with a LOCAL address such as "postmaster@myhost.com" from a REMOTE location. the mail server ACCEPTS the from address ( as it always would anyway as the server IS available to the internet ) and, if a valid user account is listed as the recipient, in this case the same address "postmaster@myhost.com", then the mail is accepted for delivery.

the question description is: SURELY, there must be a way to say "if someone connects and requests to send email from postmaster@myhost.com then they must _actually_be_ connecting from localhost". However, try as i might, i cannot find a way to enforce this. can anyone help me with how to do this?

below is a real example log of one of the actual spam emails being accepted and delivered to me via the postmaster address ( in the below log snippet the VPS hostname is changed to 'localhost' and my google address is changed to 'localalias' ):

Code:
Oct 19 18:16:10 localhost sendmail[7411]: NOQUEUE: connect from 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged)
Oct 19 18:16:10 localhost sendmail[7411]: AUTH: available mech=ANONYMOUS, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Oct 19 18:16:10 localhost sendmail[7411]: p9J7GAic007411: Milter: no active filter
Oct 19 18:16:10 localhost sendmail[7411]: p9J7GAic007411: --- 220 localhost.org ESMTP Wed, 19 Oct 2011 18:16:10 +1100
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: <-- HELO SERVER
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: --- 250 localhost.org Hello 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged), pleased to meet you
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: <-- MAIL FROM: <postmaster@localhost.org>
Oct 19 18:16:11 localhost sendmail[7411]: p9J7GAic007411: --- 250 2.1.0 <postmaster@localhost.org>... Sender ok
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: <-- RCPT TO: <postmaster@localhost.org>
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: --- 250 2.1.5 <postmaster@localhost.org>... Recipient ok
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: <-- DATA
Oct 19 18:16:12 localhost sendmail[7411]: p9J7GAic007411: --- 354 Enter mail, end with "." on a line by itself
Oct 19 18:16:13 localhost sendmail[7411]: p9J7GAic007411: from=<postmaster@localhost.org>, size=3119, class=0, nrcpts=1, msgid=<$MESSAGE_ID>, proto=SMTP, daemon=MTA, relay=175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged)
Oct 19 18:16:13 localhost sendmail[7411]: p9J7GAic007411: --- 250 2.0.0 p9J7GAic007411 Message accepted for delivery
Oct 19 18:16:13 localhost sendmail[7412]: p9J7GAic007411: alias <postmaster@localhost.org> => root
Oct 19 18:16:13 localhost sendmail[7412]: p9J7GAic007411: alias root => localalias@gmail.com
Oct 19 18:16:14 localhost sendmail[7412]: p9J7GAic007411: SMTP outgoing connect on localhost.org
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: ClientCertFile missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: ClientKeyFile missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: CACertPath missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: CACertFile missing
Oct 19 18:16:14 localhost sendmail[7412]: STARTTLS: CRLFile missing
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, init=1
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, start=ok
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, info: fds=13/4, err=2
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, info: fds=13/4, err=2
Oct 19 18:16:15 localhost sendmail[7411]: p9J7GAid007411: --- 421 4.4.1 localhost.org Lost input channel from 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged)
Oct 19 18:16:15 localhost sendmail[7411]: p9J7GAid007411: lost input channel from 175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged) to MTA after data
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, get_verify: 20 get_peer: 0x2ba029ab54e0
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=client, cert-subject=/C=US/ST=California/L=Mountain+20View/O=Google+20Inc/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Inc/CN=Google+20Internet+20Authority, verifymsg=unable to get local issuer certificate
Oct 19 18:16:15 localhost sendmail[7412]: STARTTLS=read, info: fds=13/4, err=2
Oct 19 18:16:16 localhost last message repeated 3 times
Oct 19 18:16:17 localhost sendmail[7412]: p9J7GAic007411: to=localalias@gmail.com, delay=00:00:05, xdelay=00:00:04, mailer=esmtp, pri=33386, relay=gmail-smtp-in.l.google.com. [74.125.65.26], dsn=2.0.0, stat=Sent (OK 1319008577 u37si2130015ybu.55)
Oct 19 18:16:17 localhost sendmail[7412]: p9J7GAic007411: done; delay=00:00:05, ntries=1
Oct 19 18:16:17 localhost sendmail[7412]: STARTTLS=read, info: fds=13/4, err=2
Oct 19 18:16:17 localhost sendmail[7412]: STARTTLS=client, SSL_shutdown not done
note there are two other issues you will notice in the above log snippet but i will ask them separately to keep it simple.

thanks in advance for any help.

Best Regards,

Ben Hare.

Last edited by benhare; 10-19-2011 at 02:53 AM. Reason: fix code block formatting
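
Added example, not part of the original thread: a Python check that scans sendmail's per-message "from=" log lines, in the format shown in the log above, and reports messages whose envelope sender is in a local domain while the relay address lies outside the trusted networks. The function name, the trusted-network default and every sample line except the first (which is quoted from the post) are assumptions made for illustration.

```python
import ipaddress
import re

# sendmail's per-message summary line: "<qid>: from=<sender>, ..., relay=host [ip]"
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<?(?P<sender>[^>,\s]*)>?,.*?\brelay=(?P<relay>.*)$"
)
RELAY_IP = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f:.]+)\]")

SAMPLE_LOG = [
    # Quoted from the post above: remote relay offering a local envelope sender.
    "Oct 19 18:16:13 localhost sendmail[7411]: p9J7GAic007411: from=<postmaster@localhost.org>, size=3119, class=0, nrcpts=1, msgid=<$MESSAGE_ID>, proto=SMTP, daemon=MTA, relay=175-107-rev-placeholder.reverse.ntc.net.pk [175.107.16.106] (may be forged)",
    # Constructed: genuine local submission over the loopback interface.
    "Oct 19 18:20:01 localhost sendmail[7500]: p9J7K1aa007500: from=<root@localhost.org>, size=512, class=0, nrcpts=1, msgid=<constructed-1@localhost.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]",
    # Constructed: ordinary inbound mail from a foreign domain.
    "Oct 19 18:21:07 localhost sendmail[7510]: p9J7L7bb007510: from=<alice@example.net>, size=2048, class=0, nrcpts=1, msgid=<constructed-2@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.25]",
    # Constructed: command-line submission, relay field carries no IP address.
    "Oct 19 18:22:30 localhost sendmail[7520]: p9J7MUcc007520: from=root, size=300, class=0, nrcpts=1, msgid=<constructed-3@localhost.org>, relay=root@localhost",
]


def forged_local_senders(lines, local_domains, trusted_nets=("127.0.0.0/8", "::1/128")):
    """Return (qid, sender, relay_ip) for local-domain senders seen from untrusted relays."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    domains = {d.lower() for d in local_domains}
    hits = []
    for line in lines:
        m = FROM_LINE.search(line)
        if not m:
            continue  # not a per-message "from=" summary line
        ip_m = RELAY_IP.search(m.group("relay"))
        if ip_m is None:
            continue  # no bracketed address: submitted on this host, not over the network
        try:
            ip = ipaddress.ip_address(ip_m.group("ip"))
        except ValueError:
            continue  # bracketed text that is not an IP address
        domain = m.group("sender").rpartition("@")[2].lower()
        if domain in domains and not any(ip in net for net in nets):
            hits.append((m.group("qid"), m.group("sender"), str(ip)))
    return hits


if __name__ == "__main__":
    for qid, sender, ip in forged_local_senders(SAMPLE_LOG, {"localhost.org"}):
        print(f"{qid}: local sender {sender} offered by untrusted relay {ip}")
```

Run over a real maillog, the count of hits gives a baseline for how often local sender addresses arrive from outside before any access-database rule is added.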
 
Old 10-19-2011, 04:26 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
relaying is only allowed from localhost.
How do you do this?
You may use:
Code:
Connect:127.0.0.1 RELAY
in /etc/mail/access and rebuild the access database
 
Old 10-19-2011, 04:39 AM   #3
benhare
LQ Newbie
 
Registered: Oct 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
Hi,

thanks for the reply but that is not the issue here. i was meaning that i already only allow relaying from localhost. my /etc/mail/access:

Code:
Connect:localhost.localdomain           RELAY
Connect:localhost                       RELAY
Connect:127.0.0.1                       RELAY
edit: to be more specific, they're not relaying, they're connecting from a remote server ( which is allowed ) and sending message to a local, valid address ( allowed ). my point is, if the address they are sending to is a local address like postmaster@myhost.com is then how do i enforce that, in that case, the mail is ONLY allowed if it originates FROM localhost.

Last edited by benhare; 10-19-2011 at 04:42 AM.
 
Old 10-19-2011, 05:51 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
I guess you don't want to use:
Code:
From:postmaster@myhost.com REJECT
In this case you can use procmail to discard the mail from postmaster@myhost.com to postmaster@myhost.com
 
Old 10-19-2011, 05:55 AM   #5
benhare
LQ Newbie
 
Registered: Oct 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
nah no good either cos i do want to receive mail addressed to postmaster. i'm really surprised if there is not a way to enforce local senders to only be allowed to connect and send from localhost.

thanks anyway.
 
Old 10-19-2011, 06:28 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
i'm really surprised if there is not a way to enforce local senders to only be allowed to connect and send from localhost.
You can use smtp_auth even for localhost, but you understand that postmaster cannot authenticate as it's not a real user but special account used by the mail server.
Why don't you consider the procmail approach? I guess you have procmail installed as it usually comes with sendmail
Or you can use a spam filter, like spamassassin for the same

Regards
 
Old 10-19-2011, 06:41 AM   #7
benhare
LQ Newbie
 
Registered: Oct 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
that's essentially what happens anyway - the above mail does go straight to my spam folder. i'm just surprised there is no setting that can be applied to enforce what would seem to me to be an obvious way of cutting down on spam. i can't think of a case where the postmaster of your box would ever need to send mail, to the postmaster of your box ( itself ) from a dial up address, external to your network.

anyway, cheers for the options. if it becomes more of an issue, there are some options there so ta.
 
Old 07-15-2015, 04:22 AM   #8
benhare
LQ Newbie
 
Registered: Oct 2011
Posts: 5

Original Poster
Rep: Reputation: Disabled
came across this old thread by accident and thought i would update in hope it may be beneficial to someone:

i ended up in fact taking the poster's advice and using:

Code:
From:postmaster@myhost.com REJECT
as i did not realise at the time of my original post that this still allows mail to be sent *to* the postmaster address, just not from.

in conjunction with implementing SPF, this had reduced, though not eliminated, this type of spam.
 
  

