Relay MX accepting mail for ANY domain
on 21.10.2007 18:38:40 by tuctboh
Hi,
I'm having a problem under 8.13.1 .
My FR is set to "-o /etc/mail/relaydomains"
In it is :
EXAMPLE.COM
WWW.EXAMPLE.COM
MACHINE.EXAMPLE.COM
I have the following problem :
220 valhalla.EXAMPLE.NET ESMTP Sendmail 8.13.1/8.13.1; Sun, 21 Oct
2007 12:33:40 -0400 (EDT)
EHLO fred
250-valhalla.EXAMPLE.NET Hello SOMEMACHINE.EXAMPLE.COM [A.A.A.A],
pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-ETRN
250-DELIVERBY
250 HELP
MAIL FROM:
250 2.1.0 ... Sender ok
RCPT TO:
250 2.1.5 ... Recipient ok
The SOMEMACHINE.EXAMPLE.COM machine is NOT trusted in any way, not an allowed
relay, etc. But for some reason it WILL accept the mail.
I'm not sure where I made a configuration error.....
Thanks, Tuc
Re: Relay MX accepting mail for ANY domain
on 21.10.2007 19:52:46 by per
In article <1192984720.942930.289900@i13g2000prf.googlegroups.com> Tuc
writes:
>
>I'm having a problem under 8.13.1 .
>
>My FR is set to "-o /etc/mail/relaydomains"
Drop the -o (not relevant for your problem, just good practice).
>In it is :
>
>EXAMPLE.COM
>WWW.EXAMPLE.COM
>MACHINE.EXAMPLE.COM
>
>I have the following problem :
>
>220 valhalla.EXAMPLE.NET ESMTP Sendmail 8.13.1/8.13.1; Sun, 21 Oct
>2007 12:33:40 -0400 (EDT)
>EHLO fred
>250-valhalla.EXAMPLE.NET Hello SOMEMACHINE.EXAMPLE.COM [A.A.A.A],
>pleased to meet you
>250-ENHANCEDSTATUSCODES
>250-PIPELINING
>250-8BITMIME
>250-SIZE
>250-ETRN
>250-DELIVERBY
>250 HELP
>MAIL FROM:
>250 2.1.0 ... Sender ok
>RCPT TO:
>250 2.1.5 ... Recipient ok
>
>The SOMEMACHINE.EXAMPLE.COM machine is NOT trusted in any way, not an
>allowed
>relay, etc. But for some reason it WILL accept the mail.
cf/README:
relay_hosts_only
By default, names that are listed as RELAY in the access
db and class {R} are treated as domain names, not host names.
For example, if you specify ``foo.com'', then mail to or
from foo.com, abc.foo.com, or a.very.deep.domain.foo.com
will all be accepted for relaying. This feature changes
the behaviour to lookup individual host names only.
--Per Hedeland
per@hedeland.org
Re: Relay MX accepting mail for ANY domain
on 21.10.2007 20:39:30 by tuctboh
On Oct 21, 1:52 pm, p...@hedeland.org (Per Hedeland) wrote:
> In article <1192984720.942930.289...@i13g2000prf.googlegroups.com> Tuc
>
> writes:
>
> >I'm having a problem under 8.13.1 .
>
> >My FR is set to "-o /etc/mail/relaydomains"
>
> Drop the -o (not relevant for your problem, just good practice).
>
What IS the "-o" for? Is that to prevent it from running if the file
doesn't exist?
>
>
> >In it is :
>
> >EXAMPLE.COM
> >WWW.EXAMPLE.COM
> >MACHINE.EXAMPLE.COM
>
> >I have the following problem :
>
> >220 valhalla.EXAMPLE.NET ESMTP Sendmail 8.13.1/8.13.1; Sun, 21 Oct
> >2007 12:33:40 -0400 (EDT)
> >EHLO fred
> >250-valhalla.EXAMPLE.NET Hello SOMEMACHINE.EXAMPLE.COM [A.A.A.A],
> >pleased to meet you
> >250-ENHANCEDSTATUSCODES
> >250-PIPELINING
> >250-8BITMIME
> >250-SIZE
> >250-ETRN
> >250-DELIVERBY
> >250 HELP
> >MAIL FROM:
> >250 2.1.0 ... Sender ok
> >RCPT TO:
> >250 2.1.5 ... Recipient ok
>
> >The SOMEMACHINE.EXAMPLE.COM machine is NOT trusted in any way, not an
> >allowed
> >relay, etc. But for some reason it WILL accept the mail.
>
> cf/README:
>
> relay_hosts_only
> By default, names that are listed as RELAY in the access
> db and class {R} are treated as domain names, not host names.
> For example, if you specify ``foo.com'', then mail to or
> from foo.com, abc.foo.com, or a.very.deep.domain.foo.com
> will all be accepted for relaying. This feature changes
> the behaviour to lookup individual host names only.
>
> --Per Hedeland
> p...@hedeland.org
I thought that was in there.... Ooops... But now I realize why on that
host it wasn't. I run "hylafax" on it. The original way I installed was to put
MAILER(fax)dnl
into my .mc, and "fax" into relaydomains. Then you email
USER@FAXNUM.fax .
That meant it had to interpret the relays as domains, not hosts. Putting
that back in breaks it.
I'm sure since it never broke during upgrades I never checked to see if
they suggested another way. The latest package says :
# This file should be installed as /usr/local/lib/fax/mailfax
# (or whatever is specified in the sendmail.cf file).
#
# Edit your sendmail configuration. Include the following
# mailer definition (or similar):
#
# Mfax, P=/usr/local/lib/fax/mailfax, F=DFMShu, M=100000,
# A=mailfax $u $h $f
#
# add the following address rewriting rule to rule set 0:
#
# # forward FAX messages to HylaFAX software
# R$+<@$+.FAX> $#fax $@ $2 $: $1 user@host.FAX
#
# and arrange things so that rule set 3 will not attempt a host map lookup
# on FAX addresses. If you are using the .cf file generated by the
# m4 macros as your starting point (as implemented in sendmail 8.8.8),
# this can be done by adding these lines:
#
# # Make FAX a pseudo domain, to avoid failed DNS lookups
# CPFAX
I'll have to see if going about it that way resolves the problem so I
have the best of both worlds. :)
Thanks, Tuc
Re: Relay MX accepting mail for ANY domain
on 21.10.2007 23:42:12 by Kees Theunissen
Tuc wrote:
> On Oct 21, 1:52 pm, p...@hedeland.org (Per Hedeland) wrote:
>>> relay, etc. But for some reason it WILL accept the mail.
>> cf/README:
>>
>> relay_hosts_only
>> By default, names that are listed as RELAY in the access
>> db and class {R} are treated as domain names, not host names.
>> For example, if you specify ``foo.com'', then mail to or
>> from foo.com, abc.foo.com, or a.very.deep.domain.foo.com
>> will all be accepted for relaying. This feature changes
>> the behaviour to lookup individual host names only.
>>
>> --Per Hedeland
>> p...@hedeland.org
>
> I thought that was in there.... Ooops... But now I realize why on that
> host it
> wasn't. I run "hylafax" on it. The original way I installed was to put
> MAILER(fax)dnl
> into my .mc, and "fax" into relaydomains. Then you email
> USER@FAXNUM.fax .
> That meant it had to interpret the relays as domains, not hosts.
> Putting
> that back in breaks it.
Did you put the .fax pseudo domain in /etc/mail/relaydomains?
That means you'll accept mail from everywhere that has *.fax as
destination. Or in other words: you built an *open* mail-to-fax gateway.
Assuming that your users are allowed to relay through your server
already, there is no need at all to put the .fax pseudo domain in the
relaydomains file.
Regards,
Kees.
--
Kees Theunissen.
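Added example, not part of the thread and not sendmail's own code: a simplified Python model of the class {R} matching described in the quoted cf/README passage, applied to the relay-domains entries from this thread to show both the subdomain match and the open ".fax" gateway. The client and recipient names in the sample cases are constructed, and the model ignores local delivery, the access db and SMTP AUTH.

```python
# Simplified model of class {R} matching (added example, not sendmail code).

# Entries from the thread's /etc/mail/relaydomains, plus the "fax" pseudo domain.
CLASS_R = ["EXAMPLE.COM", "WWW.EXAMPLE.COM", "MACHINE.EXAMPLE.COM", "fax"]


def in_class_r(name, class_r, hosts_only=False):
    """Return the class {R} entry that covers `name`, or None."""
    name = name.lower().rstrip(".")
    entries = {e.strip().lower() for e in class_r if e.strip()}
    if name in entries:                 # exact host match always counts
        return name
    if hosts_only:                      # relay_hosts_only: no suffix match
        return None
    labels = name.split(".")
    for i in range(1, len(labels)):     # default: any parent domain matches
        parent = ".".join(labels[i:])
        if parent in entries:
            return parent
    return None


def relay_decision(client_name, rcpt_domain, class_r, hosts_only=False):
    """Model the relay check for a non-local recipient: (allowed, reason)."""
    hit = in_class_r(rcpt_domain, class_r, hosts_only)
    if hit:
        return True, f"recipient domain covered by class R entry '{hit}'"
    hit = in_class_r(client_name, class_r, hosts_only)
    if hit:
        return True, f"client host covered by class R entry '{hit}'"
    return False, "relaying denied"


if __name__ == "__main__":
    # Constructed cases: (resolved client name, recipient domain)
    cases = [
        ("somemachine.example.com", "elsewhere.example.org"),
        ("unknown.example.org", "5551234.fax"),
        ("machine.example.com", "elsewhere.example.org"),
    ]
    for hosts_only in (False, True):
        print(f"relay_hosts_only={hosts_only}")
        for client, rcpt in cases:
            allowed, reason = relay_decision(client, rcpt, CLASS_R, hosts_only)
            print(f"  {client} -> {rcpt}: {'RELAY' if allowed else 'DENY'} ({reason})")
```

With relay_hosts_only the bare "fax" entry no longer covers FAXNUM.fax recipients, which is the breakage described in the thread.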
Re: Relay MX accepting mail for ANY domain
on 22.10.2007 00:21:34 by tuctboh
On Oct 21, 5:42 pm, Kees Theunissen wrote:
> Tuc wrote:
> > On Oct 21, 1:52 pm, p...@hedeland.org (Per Hedeland) wrote:
>
> relay, etc. But for some reason it WILL accept the mail.
>
>
>
> >> cf/README:
>
> >> relay_hosts_only
> >> By default, names that are listed as RELAY in the access
> >> db and class {R} are treated as domain names, not host names.
> >> For example, if you specify ``foo.com'', then mail to or
> >> from foo.com, abc.foo.com, or a.very.deep.domain.foo.com
> >> will all be accepted for relaying. This feature changes
> >> the behaviour to lookup individual host names only.
>
> >> --Per Hedeland
> >> p...@hedeland.org
>
> > I thought that was in there.... Ooops... But now I realize why on that
> > host it
> > wasn't. I run "hylafax" on it. The original way I installed was to put
> > MAILER(fax)dnl
> > into my .mc, and "fax" into relaydomains. Then you email
> > U...@FAXNUM.fax .
> > That meant it had to interpret the relays as domains, not hosts.
> > Putting
> > that back in breaks it.
>
> Did you put the .fax pseudo domain in /etc/mail/relaydomains?
> That means you'll accept mail from everywhere that has *.fax as
> destination. Or in other words: you built an *open* mail-to-fax gateway.
> Assuming that your users are allowed to relay through your server
> already, there is no need at all to put the .fax pseudo domain in the
> relaydomains file.
>
> Regards,
>
> Kees.
>
> --
> Kees Theunissen.
Hi,
Yes, the single line/word "fax" was in my relayhosts. And yes, it
does mean it's an open "mail-to-fax" gateway. In this case, however,
normal users are not allowed to relay through the machine. For
those users who are allowed to use the gateway, we add to their
sendmail.cf's on their machines /etc/mail/mailertable :
.fax smtp:faxserver.example.com
So I would think then I would need to add it since they don't
authenticate to faxserver.example.com in any way. I'm not sure
all of them could use the SMTP AUTH command during sessions.
BUT, what you're saying is, if I DID find a way to do that for all
users, and removed it from my relaydomains, it would be closed
as well as not violate the relay_hosts_only... Correct?
Thanks, Tuc