@# Quotes DB     useful, funny, interesting





<0> hello
<0> stupid question - do I have to add 127.0.0.1 to relay-domains ?
<0> msg is not being forwarded to postmaster but panics instead
<0> Feb 5 18:47:32 skipper sendmail[4601]: k15Nl9tv004601: to=postmaster, delay=00:00:08, xdelay=00:00:08, mailer=relay, pri=32145, relay=[127.0.0.1] [127.0.0.1], dsn=5.0.0, stat=Service unavailable
<0> Feb 5 18:47:32 skipper sendmail[4601]: k15Nl9tu004601: Losing ./qfk15Nl9tu004601: savemail panic
<0> Feb 5 18:47:32 skipper sendmail[4601]: k15Nl9tu004601: SYSERR(root): savemail: cannot save rejected email anywhere
<1> no, localhost does not belong to relay-domains
<1> but to access_db
<0> oh
<0> makes sense
<0> hmm
<0> it's already in there
<0> I wonder if this is the spam assassin milter acting up
<1> spamassassin itself is no milter
<0> spamassassin-milter
<1> do not know that, spamass-milter i know



<0> it's sifting the mail nicely - I sent it a test msg with spam and it is rejecting it
<1> or milter-spamc
<0> yeah - spamass-milter
<0> my mistake
<0> it looks like spamass detects it, rejects it, and then tries to relay to postmaster
<0> I know the postmaster alias works - goes to root
<0> this troubles me though
<0> stat=Service unavailable
<1> increase the log_level to see more information
<1> i am off now for some hardware changes with my PC
<0> good luck
<2> Hello. ;)
<2> What should I configure for having relay from localdomain to localdomain also requiring authentication?
<2> Because spammers are faking local addresses to send mail to my users.
<3> what do you mean by 'localdomain'?
<2> thrig: My local server's domain.
<2> For example chloe.art.pl
<2> If someone fakes user1@chloe.art.pl and sends a message to user2@chloe.art.pl he can send it anonymously.
<2> And I don't want it.
<2> I want all of them to be forced to use auth.
<3> spammers can easily forge the 'from' addresses
<2> I know.
<2> That's why I want to force AUTH even if sender appears to be from my host.
<2> And sends email to my host. Do you understand?
<4> you can probably make a rule that checks those things.
<3> "claims from my domain but not in a list of things or authorized to do so"
<2> How can I create that rule?
<3> custom ruleset, milter
<2> There is no easier way to do so?
<4> easier?
<4> like you hope there is a feature you can include?
<2> I have no idea about how to mess up with milter to do that.
<4> sorry, no.
<2> And what rules...making lookups of received from can be painful.
<4> normally you would do the same class match that sendmail does to decide if the mail is destined locally.
<2> It is about spamming local users by faking local users.
<4> e.g., R$* < @ $=w > $* ...
<4> right, so you test the from to see if it claims to be a local domain.
<2> Problem is that even if I have auth, if someone fakes a user from my host and sends to my host then it is accepted.
<2> MAIL FROM: blah@platinum.linux.pl
<2> RCPT TO: blah2@platinum.linux.pl
<2> Will be successful from any host.
<4> sigh.
<2> Exactly.
<2> ;]
<4> i meant that you failed to get my point.
<4> probably because you haven't read sendmail's documentation.
<2> I am doing nothing else than that since like 5 hours.
<1> Platyna: of course local email addresses have to be accepted, else those users would never get mail
<4> you could: write a rule that tests the from address against the local domain list, then check that there is auth, and if not return a reject.
<1> http://www.sendmail.org/~ca/email/protected.html
<2> "Attention: this protection is only based on the address information given in the envelope of the e-mail which can be easily forged."
<2> If something can be easily forged then it will surely be. ;)
<2> What do you mean by "testing the from address against local domain"?
<2> If from is actually faked.
<1> RCPT TO: blah2@platinum.linux.pl isn't accepted just because the sender claims to be too @platinum.linux.pl
<1> "A slightly better solution is to check the relaying host instead of the sender address ..."
<2> Then real users will never be able to send email to each other if I reject all stuff like that.
<2> Oh well, I will think about it tomorrow then.



<2> I have more silly problem.
<2> I made SSL but DIGEST-MD5 and CRAM-MD5 do not appear on EHLO help.
<2> Even if these are defined.
<4> did you enable a sasl library for those methods?
<2> For example Kmail shows these as unavailable.
<2> Of course I did.
<1> SSL hasn't anything to do with -MD5 mechs
<2> I have passed proper configure options.
<2> s/but/and/
<2> ;-)
<2> cplatinum:/home/platyna$ cat /usr/lib/sasl/Sendmail.conf
<2> pwcheck_method: shadow
<2> mech_list: LOGIN PLAIN DIGEST-MD5 CRAM-MD5
<4> shadow doesn't work with the md5 mechanisms.
<2> And I have checked if configure script detects all stuff correctly.
<2> Oh.
<2> Noo...don't tell me I will need that saslauth daemon...
<4> login and plain won't be presented until ssl is started if you have the p option.
<1> /usr/lib/sasl is old SASL version 1, most probably you want to use SASLv2
<2> No, I don't. :P
<2> I am using SASL1 on purpose.
<1> just configuring Sendmail.conf does not make Sendmail offer and trust any MECH
<1> sendmail.mc/.cf requires settings too
<2> I configured sendmail to use these mechanisms too.
<2> I am not THAT blondie.
<2> dnl ### do SMTPAUTH
<2> define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
<2> TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
<2> ;]
<4> login and plain are offered after ssl, just fine.
<1> but the more severe issue is like twkm said: shadow auth can't handle -MD5 mechs
<2> LOGIN and PLAIN are ok.
<4> also offered without ssl.
<2> sendmail just does not offer md5 ones.
<4> and never will.
<4> there is no shared secret available.
<2> Unless I upgrade to that god dang v2?
<2> ;]
<4> nope.
<4> even v2 won't provide md5's for shadow based credentials.
<2> Yes, but that provides that saslauthd that uses sasldb or something.
<2> I have negative experience with sasl2.
<2> Fix me if I am wrong.
<1> i never had any problem with SASLv2
<1> neither using saslauthd nor direct auxprop plugins
<2> But I don't need an extra daemon on my host.
<5> I had problems with sasl2. it didn't support SSHA passwords with mysql. Now my saslauthd supports it..
<5> problems are solvable
<2> Can I have MD5 auth without saslauthd?
<2> Some way?
<2> ;)
<5> UTSL
<4> Platyna: if you only have shadow now then the best you can do is migrate them to md5, but initially they would have to use login or plain. most smtp clients don't understand that.
<1> with the proper backend: yes
<4> Platyna: anyone that has a sasldb secret can have md5 now.
<4> fyi, migration is risky as it copies the plain text password to the sasldb file.
<2> So, I should give up on MD5?
<5> Platyna: why don't you just use plain/login over ssl?
<4> i didn't say that. only you know what you want as an end result.
<2> I want my sendmail to be more secure. ;)
<2> I am also not interested in Viagra, since I am not dating old guys. ;]
<2> So generally security and spam protection is my goal here.
<2> Ok. I will get some sleep now. See you tomorrow and thanks for help. ;)
<6> On a 450 smtp response what should sendmail do? Retry the same host or move to the next priority mx?
<7> Feb 5 22:07:28 d-day sm-mta[10003]: STARTTLS=client, relay=mail.bc.edu., version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
<7> Feb 5 22:07:30 d-day sm-mta[10003]: k1637OCB010001: to=<james.toy@bc.edu>, ctladdr=<jt@d-day.westonvideo.org> (1001/0), delay=00:00:05, xdelay=00:00:05, mailer=esmtp, pri=30475, relay=mail.bc.edu. [136.167.2.24], dsn=5.0.0, stat=Service unavailable
<7> Feb 5 22:07:30 d-day sm-mta[10003]: k1637OCB010001: k1637UCB010003: DSN: Service unavailable
<7> Feb 5 22:07:30 d-day sm-mta[10003]: k1637UCB010003: to=<jt@d-day.westonvideo.org>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31499, relay=local, dsn=2.0.0, stat=Sent


Return to #sendmail