[Mailman-Users] sendmail>>postfix - obtw...
Dan Wilder
dan at ssc.com
Tue Dec 18 17:38:06 CET 2001
On Tue, Dec 18, 2001 at 09:53:21AM -0600, Chris Halverson wrote:
> Jay S Curtis <camel at lrllamas.com> writes:
>
> > Run one of the "relaycheck" utilities from a point outside your network
> > and you may find you **do** have an open relay. I was shocked to find this
> > to be true using 8.11.12 of sendmail - and nothing I changed in the config
> > would close it.... so I got rid of it.
>
> Of course, Postfix will also generally trigger these as being "open",
> when in fact they are not. I routinely check my machines from off
> network, and have been probed by Orbs, Orbz, RBL, etc. and never had
> any problems with my sendmail installs. My Postfix ones, due to the
> nature of how postfix works (ie. it accepts the mail before rejecting
> it due to the fact that the programs are split up as opposed to a
> monolithic program like sendmail pre-8.12, 8.12+ uses two separate
> (one non-suid) programs much like postfix), are sometimes reported as
> open. This may be "fixed" in newer Postfixes, but I have never had an
> open sendmail relay for at least the past 5 years.

You must be talking about older Postfixes. We've been running
Postfix on four internet-exposed servers for a couple of years
now, with no relay complaints, correct or defective.

I don't know what those relaycheck utilities do. Here's a snapshot
of mine. From a third-party host:

telnet www.ssc.com 25
Trying 209.61.186.36...
Connected to www.ssc.com.
Escape character is '^]'.
220 www.ssc.com ESMTP Postfix
helo sunsite.unc.edu
250 www.ssc.com
mail from: <nobody.you.know at spamhost.org>
250 Ok
rcpt to: <wilder at eskimo.com>
554 <wilder at eskimo.com>: Recipient address rejected: Relay access denied

www.ssc.com runs Postfix of some but not great antiquity,
totally stock so far as its anti-relay settings go.

From cascadia.a42.com I telnet to it and give a forged helo.
It accepts that. That's a reasonable thing to do, amazingly
enough. I then announce a forged envelope-from, which it
again accepts, and specify envelope-to an innocent third-party
victim. Who is actually me. I guess that disposes of any
claim of innocence! At that point, after a short delay, Postfix
lowers the boom with a 554. If I go on and say:

data

I get

503 Error: need RCPT command

Not sure what more a relaycheck utility could expect.

--
-----------------------------------------------------------------
Dan Wilder <dan at ssc.com> Technical Manager & Editor
SSC, Inc. P.O. Box 55549 Phone: 206-782-8808
Seattle, WA 98155-0549 URL http://embedded.linuxjournal.com/
-----------------------------------------------------------------
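
The manual test in the message above, as an added Python example (not part of the original post and not any existing relaycheck utility): it sends HELO, MAIL FROM and RCPT TO for a recipient the server does not host, then classifies the server by its RCPT reply. The names check_relay, StubSMTP and run_stub, the stub.test and example.org addresses, and the loopback stub server are assumptions constructed so the block runs offline.

```python
import smtplib
import socketserver
import threading

def check_relay(host, port, rcpt, sender="probe@example.org",
                helo="probe.example.org", timeout=10):
    """Repeat the manual session: HELO, MAIL FROM, then RCPT TO an address the
    server does not host. No DATA is sent, so nothing is ever queued."""
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as smtp:
        smtp.helo(helo)               # a forged HELO is normally accepted
        smtp.mail(sender)             # so is an arbitrary envelope sender
        code, text = smtp.rcpt(rcpt)  # the relay decision shows up here
        smtp.rset()                   # drop the transaction before QUIT
    if 500 <= code < 600:
        verdict = "relay-denied"
    elif 200 <= code < 300:
        verdict = "rcpt-accepted"     # not proof of relaying: may reject later
    else:
        verdict = "inconclusive"      # 4xx, e.g. a temporary failure
    return verdict, code, text.decode(errors="replace")

class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed local stand-in for a mail server: accepts RCPT only for
    server.local_domain unless server.open_relay is True."""
    def handle(self):
        self.wfile.write(b"220 stub.test ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode().strip().lower()
            if line.startswith("rcpt to:"):
                local = line.rstrip(">").endswith("@" + self.server.local_domain)
                ok = local or self.server.open_relay
                reply = "250 Ok" if ok else "554 Relay access denied"
            elif line == "quit":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                reply = "250 Ok"      # HELO, MAIL FROM, RSET
            self.wfile.write(reply.encode() + b"\r\n")

def run_stub(open_relay):
    """Start the stub on a free loopback port and return its (host, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubSMTP)
    srv.open_relay, srv.local_domain, srv.daemon_threads = open_relay, "stub.test", True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address

if __name__ == "__main__":
    for mode in (False, True):
        host, port = run_stub(open_relay=mode)
        print(mode, check_relay(host, port, "someone@elsewhere.test"))
```

A "rcpt-accepted" result for an off-host recipient only shows that the server did not refuse at RCPT time; the check stops there and never submits a message.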