open mail relay with ipv6??
Matthew Seaman
m.seaman at infracaninophile.co.uk
Mon Nov 10 14:13:26 PST 2008
Mark Busby wrote:
> Is this an open relay using ipv6? If so how to block the ipv6 relay.
> I thought after sendmail v8.9, all relay action was blocked by default.
You haven't given sufficient information to say whether the machine is
an open relay or not. We'd need to see the configuration files (well,
the .mc file that is processed to produce the eventual sendmail.cf)
plus potentially the contents of the access DB. However, you are
correct: nowadays the default sendmail configuration is to block
relaying, and you have to deliberately add configuration settings to
enable any permitted relays. If you're using the default configuration
shipped with FreeBSD, then it is not an open relay.
> maillog entry
> Nov 10 15:01:11 "hostname" sm-mta[8989]: mAAL021C008989: from=<jjack at panama-overseas.com>, size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
> Nov 10 15:01:17 "hostname" sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=<security at bank0famerica.com>, relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address security at bank0famerica.com does not resolve
> Nov 10 15:01:17 "hostname" sm-mta[8989]: mAAL021D008989: from=<security at bank0famerica.com>, size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
This certainly doesn't indicate a message being inappropriately
relayed. The attempt to send the message is rejected with a permanent
error code (i.e. tell the sender to bounce the message as undeliverable
and not to re-queue it for another attempt at delivery later). I think
it's also doing the correct thing and rejecting the e-mail during the
SMTP dialog rather than accepting the message for delivery and then
later sending a bounce-o-gram to the listed sender address. Google for
'backscatter spam' in order to understand why the latter course of
action is a bad idea.
>> sockstat -6
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> root sendmail 8284 5 tcp6 *:25 *:*
> root sshd 1520 3 tcp6 *:5960 *:*
> root ntpd 1010 5 udp6 *:123 *:*
> root ntpd 1010 9 udp6 fe80:6::1:123 *:*
> root ntpd 1010 10 udp6 ::1:123 *:*
> root syslogd 927 6 udp6 *:514 *:*
You've got sendmail listening on all interfaces for IPv6 connections.
This is appropriate if you expect the machine to receive incoming
e-mails. If that's not the case, then set "sendmail_enable='NO'" in
/etc/rc.conf. This will give you a send-only configuration with a
sendmail listener bound to the loopback address (typically both ::1
and 127.0.0.1).
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
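
The reading of the maillog given in the reply above can be applied to a whole log file. The following is an added example, not part of the original post: it groups sendmail log lines by queue ID and reports whether each message was rejected, accepted with no recipients, delivered locally, or passed on to another host. The sample lines, the verdict names and the function `classify` are constructed for illustration, and the `to=` lines (mailer=, stat=Sent) follow standard sendmail logging that the thread itself does not quote.

```python
import re
from collections import defaultdict
# Constructed sample input. The first three lines copy the shape of the entries
# quoted in the thread; the last four are made up to show accepted mail.
SAMPLE_LOG = """\
Nov 10 15:01:11 host sm-mta[8989]: mAAL021C008989: from=<a@example.com>, size=4825, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 15:01:17 host sm-mta[8989]: mAAL021D008989: ruleset=check_mail, arg1=<b@example.invalid>, relay=localhost [IPv6:::1], reject=451 4.1.8 Domain of sender address b@example.invalid does not resolve
Nov 10 15:01:17 host sm-mta[8989]: mAAL021D008989: from=<b@example.invalid>, size=3880, class=0, nrcpts=0, bodytype=7BIT, proto=ESMTP, daemon=IPv6, relay=localhost [IPv6:::1]
Nov 10 16:00:01 host sm-mta[9100]: mAAM0001009100: from=<c@example.net>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=client.example.net [192.0.2.77]
Nov 10 16:00:02 host sm-mta[9101]: mAAM0001009100: to=<d@example.org>, delay=00:00:01, mailer=esmtp, pri=30900, relay=mx.example.org. [198.51.100.9], dsn=2.0.0, stat=Sent (OK)
Nov 10 16:05:01 host sm-mta[9200]: mAAM0501009200: from=<e@example.net>, size=700, class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=client.example.net [192.0.2.77]
Nov 10 16:05:02 host sm-mta[9201]: mAAM0501009200: to=<root@host.example>, delay=00:00:01, mailer=local, pri=30700, dsn=2.0.0, stat=Sent
"""

LINE = re.compile(r"(?:sm-mta|sendmail)\[\d+\]: (\w+): (.*)$")  # queue ID, then fields
FIELD = re.compile(r"(\w+)=([^,]*)")                            # key=value up to next comma
LOOPBACK = ("[127.0.0.1]", "[IPv6:::1]")                        # client connected via loopback
REMOTE_MAILERS = {"smtp", "esmtp", "smtp8", "dsmtp", "relay"}   # mailers that hand off to another host

def classify(log_text):
    """Return {queue_id: verdict} for sendmail log text."""
    msgs = defaultdict(lambda: {"nrcpts": 0, "client": "", "reject": False, "sent": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, fields = m.group(1), dict(FIELD.findall(m.group(2)))
        msg = msgs[qid]
        if "reject" in fields:                  # ruleset refused it during the SMTP dialog
            msg["reject"] = True
        elif "from" in fields:                  # envelope summary: relay= is the connecting client
            msg["nrcpts"] = int(fields.get("nrcpts", 0))
            msg["client"] = fields.get("relay", "")
        elif "to" in fields and fields.get("stat", "").startswith("Sent"):
            msg["sent"].append(fields.get("mailer", ""))
    verdicts = {}
    for qid, msg in msgs.items():
        outbound = any(mailer in REMOTE_MAILERS for mailer in msg["sent"])
        if outbound and not msg["client"].endswith(LOOPBACK):
            verdicts[qid] = "relayed-for-remote-client"
        elif outbound:
            verdicts[qid] = "outbound-from-loopback"
        elif msg["sent"]:
            verdicts[qid] = "local-delivery"
        elif msg["reject"]:
            verdicts[qid] = "rejected"
        else:
            verdicts[qid] = "no-recipients-accepted" if msg["nrcpts"] == 0 else "queued-or-failed"
    return verdicts
```

A `relayed-for-remote-client` verdict is only a candidate for review: compare the client address against the hosts that have deliberately been permitted to relay.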