On Tue, Dec 18, 2001 at 09:53:21AM -0600, Chris Halverson wrote:
> Jay S Curtis <[EMAIL PROTECTED]> writes:
>
> > Run one of the "relaycheck" utilities from a point outside your network
> > and you may find you **do** have an open relay. I was shocked to find this
> > to be true using 8.11.12 of sendmail - and nothing I changed in the config
> > would close it.... so I got rid of it.
>
> Of course, Postfix will also generally trigger these as being "open",
> when in fact they are not. I routinely check my machines from off
> network, and have been probed by Orbs, Orbz, RBL, etc. and never had
> any problems with my sendmail installs. My Postfix ones, due to the
> nature of how postfix works (ie. it accepts the mail before rejecting
> it due to the fact that the programs are split up as opposed to a
> monolithic program like sendmail pre-8.12, 8.12+ uses two separate
> (one non-suid) programs much like postfix), are sometimes reported as
> open. This may be "fixed" in newer Postfixes, but I have never had an
> open sendmail relay for at least the past 5 years.

You must be talking about older Postfixes. We've been running Postfix
on four internet-exposed servers for a couple of years now, with no
relay complaints, correct or defective.

I don't know what those relaycheck utilities do. Here's a snapshot of mine.
From a third-party host:

telnet www.ssc.com 25
Trying 209.61.186.36...
Connected to www.ssc.com.
Escape character is '^]'.
220 www.ssc.com ESMTP Postfix
helo sunsite.unc.edu
250 www.ssc.com
mail from: <[EMAIL PROTECTED]>
250 Ok
rcpt to: <[EMAIL PROTECTED]>
554 <[EMAIL PROTECTED]>: Recipient address rejected: Relay access denied

www.ssc.com runs Postfix of some but not great antiquity, totally stock
so far as its anti-relay settings go.

From cascadia.a42.com I telnet to it and give a forged helo. It accepts
that. That's a reasonable thing to do, amazingly enough. I then announce
a forged envelope-from, which it again accepts, and specify envelope-to
an innocent third-party victim. Who is actually me. I guess that disposes
of any claim of innocence!

At that point, after a short delay, Postfix lowers the boom with a 554.

If I go on and say:

data

I get

503 Error: need RCPT command

Not sure what more a relaycheck utility could expect.

--
-----------------------------------------------------------------
 Dan Wilder <[EMAIL PROTECTED]>   Technical Manager & Editor
 SSC, Inc. P.O. Box 55549   Phone:  206-782-8808
 Seattle, WA  98155-0549    URL http://embedded.linuxjournal.com/
-----------------------------------------------------------------

------------------------------------------------------
Mailman-Users maillist  -  [EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users
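
The SMTP exchange in the reply above, turned into a small transcript classifier (an added example, not part of the original post and not the code of any relaycheck utility). It judges a relay probe by the stage at which the server refused, and treats a fully accepted probe as only suspect until delivery is confirmed; the function names are hypothetical and the example.org/example.net addresses are constructed stand-ins for the redacted ones.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
VERBS = ("HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT")

def parse_session(text):
    """Pair each client command with the last line of the server's reply."""
    steps, command, in_body = [], "(greeting)", False
    for line in (l.strip() for l in text.strip().splitlines()):
        if in_body:                       # message content: skip to the lone "."
            if line == ".":
                command, in_body = "(end of data)", False
            continue
        m = REPLY.match(line)
        if m:
            code, sep, msg = m.groups()
            if sep == " ":                # "250-" continues a reply, "250 " ends it
                steps.append((command, int(code), msg))
                in_body = code == "354"   # server is now waiting for the message
        elif line.upper().startswith(VERBS):
            command = line.split()[0].upper()
    return steps

def relay_verdict(steps):  # judge by where the server refused, not that it talked
    rcpt = [c for cmd, c, _ in steps if cmd == "RCPT"]
    final = [c for cmd, c, _ in steps if cmd == "(end of data)"]
    if not rcpt or 400 <= rcpt[-1] < 500:
        return "inconclusive: no usable RCPT reply"
    if rcpt[-1] >= 500:
        return "closed: refused at RCPT"
    if not final:
        return "inconclusive: RCPT accepted, nothing submitted"
    if final[-1] >= 400:
        return "closed: not accepted after DATA"
    return "suspect: queued, confirm whether the probe is delivered"

# Session from the post; the redacted addresses are replaced by constructed ones.
PAGE_SESSION = """220 www.ssc.com ESMTP Postfix
helo sunsite.unc.edu
250 www.ssc.com
mail from: <sender@example.org>
250 Ok
rcpt to: <victim@example.net>
554 <victim@example.net>: Recipient address rejected: Relay access denied
data
503 Error: need RCPT command
"""

if __name__ == "__main__":
    print(relay_verdict(parse_session(PAGE_SESSION)))
```
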