Full Version: Relaying Denied - I'm Losing It
The Planet Forums > Operating Systems > Red Hat Linux
Dankinit
I have read the sendmail.org page on relaying many times. I have installed so many programs I lost count, qpopper, poprelay, etc. I can't get sendmail to relay based on any of these; the programs seem to install, but I run into problems with all of them, with different sendmail errors from relaying denied to various other problems.

Can anybody tell me how they got relaying working on their box? I would really appreciate it, this is very very frustrating, any help would be greatly appreciated, thanks.
dafonso
When you're dealing with Sendmail, a pop daemon and some log-monitoring glue-ware, there's a whole lot that can go wrong... Can you put up some config files, and which programs you're using? Most notably the .mc file you generated your sendmail.cf file from.

Sadly, there's no really good HowTo on the subject for sendmail.
Dankinit
Thanks for any ideas or help. I've included my sendmail.mc file. Right now I have a few programs installed but none are running or I'm using. I'm really stuck, so any suggestions would be much appreciated. Thanks so much. (I changed my domain name at the last line.)

divert(-1)
dnl This is the sendmail macro config file. If you make changes to this file,
dnl you need the sendmail-cf rpm installed and then have to generate a
dnl new /etc/sendmail.cf by running the following command:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
OSTYPE(`linux')
define(`confDEF_USER_ID',``8:12'')dnl
undefine(`UUCP_RELAY')dnl
undefine(`BITNET_RELAY')dnl
define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`confDONT_PROBE_INTERFACES',true)dnl
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
dnl define(`STATUS_FILE', `/etc/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl
dnl FEATURE(delay_checks)dnl
FEATURE(`no_default_msa',`dnl')dnl
FEATURE(`smrsh',`/usr/sbin/smrsh')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db',`hash -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
dnl This changes sendmail to only listen on the loopback device 127.0.0.1
dnl and not on any other network devices. Comment this out if you want
dnl to accept email over the network.
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
dnl NOTE: binding both IPv4 and IPv6 daemon to the same port requires
dnl a kernel patch
dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')
dnl We strongly recommend to comment this one out if you want to protect
dnl yourself from spam. However, the laptop and users on computers that do
dnl not have 24x7 DNS do need this.
dnl FEATURE(`accept_unresolvable_domains')dnl
dnl FEATURE(`relay_based_on_MX')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Cwmy-domain.com
dafonso
Easy fix... you need to add a rule to the file so that it starts using the /etc/mail/popip file:

CODE
# We probably want the access_db feature enabled.
FEATURE(access_db)dnl

# List of IP addresses we allow relaying from.
Klocalip hash -a<MATCH> /etc/mail/access
Kpopip hash -a<MATCH> /etc/mail/popip

LOCAL_RULESETS

SLocal_check_rcpt
# Put the address into canonical form (even if it doesn't resolve to an MX).
R$*      $: $>Parse0 $>3 $1
R$* < $* > $*  $: $1 < $2 . > $3    Pretend it's canonical.
R$* < $* . . > $*    $1 < $2 . > $3        Remove extra dots.

# Allow relaying if the connected host is a local IP address.
R$*      $: < $&{client_addr} >      Get client IP address.
R<>      $#OK        Local is ok.
R< $* . $- > $*  $(localip $1.$2 $: < $1 > . $2 $)    Check last three octets.
R$* < MATCH >  $#OK
R< $- > $*  $: $(localip $1 $: < > $1 $2 $)  Check first octet.
R$* < MATCH >  $#OK

# Allow relaying if the connected host has recently POP3 authenticated.
R$*      $: < $&{client_addr} >      Get client IP address.
R< $* >      $(popip $1 $)    Check full address.
R$* < MATCH >  $#OK

# IP address didn't match.
Which I pulled straight out of the sendmail.mc.add_for_poprelay file included with the poprelay distro.

What it does is look up the IP address in (the hashed version of) /etc/mail/popip and /etc/mail/access. If it's in there, it tells Sendmail to OK relaying from that host.

I'm a little unsure about the part of using the access file like that. It makes newer techniques (like using Connect:ip.address.number and To:domain.name) fail miserably, but if you're not using that, then go for it.
Dankinit
Thank you so much, it works! I'm so happy, I really appreciate it!
dafonso
Hey, no problem. Sure beats getting to work on that multi-threaded, POSIX real-time signal, filtering proxy program I was planning on starting.

* sigh *

> man signaltimedwait
No manual entry for sigtimedwait

Gonna be a long day.
hamy
QUOTE
Originally posted by dafonso
Easy fix... you need to add a rule to the file so that it starts using the /etc/mail/popip file:



Hi dafonso,
How can I add this rule? Could you make it a bit easy for me please?
dafonso
Edit your /etc/mail/sendmail.mc file, and paste in the lines after "# List of IP addresses we allow relaying from" at the end. Then run "m4 /etc/mail/sendmail.mc > /etc/sendmail.cf" as root, and restart sendmail with "service sendmail restart".

Hope it helps.
bobbyt
This seems to work and grabs my IP, but it errors out when I try and relay:
lay=185-38.SPEEDe.golden.net [216.75.185.38], reject=553 5.3.0 185-38.SPEEDe.golden.net
Jul 21 10:05:08 aqua sendmail[10395]: NOQUEUE: 185-38.SPEEDe.golden.net [216.75.185.38] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
dafonso
That error means that your client app is timing out, and disconnecting. Try upping the connection timeout. It may be taking a long time for Sendmail to look up your address.

QUOTE
Originally posted by bobbyt
This seems to work and grabs my IP, but it errors out when I try and relay:
lay=185-38.SPEEDe.golden.net [216.75.185.38], reject=553 5.3.0 185-38.SPEEDe.golden.net
Jul 21 10:05:08 aqua sendmail[10395]: NOQUEUE: 185-38.SPEEDe.golden.net [216.75.185.38] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
bobbyt
Can I disable lookups, or would that foil the whole setup?
dafonso
That would break things. Disabling lookups is easy enough, but it's used for quite a lot of things like delivering e-mail.

If you can't up the timeouts, or don't want to, then the best thing to do would be to delay checks and enable SMTP authentication. That would prevent sendmail from ever doing the checks. Failing that....

You can play with some of the settings and hope for the best. The first one I would try would be the "delay_checks" feature, which will just let you connect and plug away with data, and then accept/deny you when your system starts specifying recipients. It also can do much quicker lookups if you set it up to do them.

From the sendmail manual:
QUOTE
By using FEATURE(`delay_checks') the rulesets check_mail and check_relay
will not be called when a client connects or issues a MAIL command,
respectively.  Instead, those rulesets will be called by the check_rcpt
ruleset; they will be skipped if a sender has been authenticated using
a "trusted" mechanism, i.e., one that is defined via TRUST_AUTH_MECH().
If check_mail returns an error then the RCPT TO command will be rejected
with that error.  If it returns some other result starting with $# then
check_relay will be skipped.  If the sender address (or a part of it) is
listed in the access map and it has a RHS of OK or RELAY, then check_relay
will be skipped.  This has an interesting side effect: if your domain is
my.domain and you have

my.domain RELAY

in the access map, then all e-mail with a sender address of
<anything>@my.domain gets through, even if check_relay would reject it
(e.g., based on the hostname or IP address).  This allows spammers
to get around DNS based blacklist by faking the sender address.  To
avoid this problem you have to use tagged entries:

To:my.domain  RELAY
Connect:my.domain RELAY

if you need those entries at all (class {R} may take care of them).

FEATURE(`delay_checks') can take an optional argument:

FEATURE(`delay_checks', `friend')
  enables spamfriend test
FEATURE(`delay_checks', `hater')
  enables spamhater test

If such an argument is given, the recipient will be looked up in the
access map (using the tag Spam:).  If the argument is `friend', then
the default behavior is to apply the other rulesets and make a SPAM
friend the exception.  The rulesets check_mail and check_relay will be
skipped only if the recipient address is found and has RHS FRIEND.  If
the argument is `hater', then the default behavior is to skip the rulesets
check_mail and check_relay and make a SPAM hater the exception.  The
other two rulesets will be applied only if the recipient address is
found and has RHS HATER.

This allows for simple exceptions from the tests, e.g., by activating
the friend option and having

Spam:abuse@ FRIEND

in the access map, mail to abuse@localdomain will get through (where
"localdomain" is any domain in class {w}).  It is also possible to
specify a full address or an address with +detail:

Spam:abuse@my.domain FRIEND
Spam:me+abuse@  FRIEND
Spam:spam.domain FRIEND

Note: The required tag has been changed in 8.12 from To: to Spam:.
This change is incompatible to previous versions.  However, you can
(for now) simply add the new entries to the access map, the old
ones will be ignored.  As soon as you removed the old entries from
the access map, specify a third parameter (`n') to this feature and
the backward compatibility rules will not be in the generated .cf
file.


So if you put your address in the access map as a relay entry, or authenticate, or put your sending address in the access map (not recommended; spammers know about this and use it often), it will avoid the DNS checks and just let you deliver:

CODE
Connect:[x.x.x.x]    RELAY # would allow for your IP address to relay
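Added example, not code from the thread, poprelay or sendmail: a small Python model of the access-map relay decision. It shows the progressive shortening that the poprelay localip/popip rules above perform on the client IP (one octet stripped per pass) and why the tagged Connect:/To: entries the manual recommends close the forged-sender hole that a bare "my.domain RELAY" leaves open. The map contents, IP addresses and domains are constructed for the example.

```python
# Constructed model of sendmail's access-map relay lookup (not sendmail code).
# Entries are keyed by access-file key; lookups try progressively shorter keys,
# as the poprelay "localip" rules do when they strip one octet per pass.

def ip_prefix_keys(ip):
    """1.2.3.4 -> ['1.2.3.4', '1.2.3', '1.2', '1'], longest prefix first."""
    parts = ip.split(".")
    return [".".join(parts[:n]) for n in range(len(parts), 0, -1)]

def address_keys(addr):
    """user@sub.my.domain -> full address, then each enclosing domain."""
    _local, _, dom = addr.rpartition("@")
    if not dom:
        return []
    labels = dom.split(".")
    return [addr] + [".".join(labels[i:]) for i in range(len(labels))]

def parse_access(text):
    """Parse access-file lines ('key value'); '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip().upper()
    return table

def lookup(table, tag, keys):
    """Tagged entry first, then the untagged (legacy) entry for the same key."""
    for k in keys:
        for full in (tag + k, k):
            if full.lower() in table:
                return table[full.lower()]
    return None

def relay_allowed(table, client_ip, mail_from, rcpt_to):
    """Model of check_rcpt with FEATURE(delay_checks). A sender that resolves
    to RELAY skips check_relay entirely, so an untagged "my.domain RELAY"
    lets a client forging MAIL FROM <x>@my.domain relay from any IP."""
    if lookup(table, "From:", address_keys(mail_from)) == "RELAY":
        return True
    if lookup(table, "Connect:", ip_prefix_keys(client_ip)) == "RELAY":
        return True
    return lookup(table, "To:", address_keys(rcpt_to)) == "RELAY"

# Constructed maps: the risky untagged form and the tagged form the manual wants.
ACCESS_UNTAGGED = "my.domain\tRELAY\n"
ACCESS_TAGGED = "To:my.domain\tRELAY\nConnect:192.168.1\tRELAY\n"
```

With ACCESS_UNTAGGED a forged sender from an outside IP is relayed; with ACCESS_TAGGED only the 192.168.1.0/24 clients may relay outward, while inbound mail to my.domain is still accepted.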
bobbyt
QUOTE
Originally posted by dafonso
That error means that your client app is timing out, and disconnecting. Try upping the connection timeout. It may be taking a long time for Sendmail to look up your address.


O Timeout.connect=1m

That error message comes back in a matter of seconds; it can't be the timeout unless something else is timing out.
dafonso
QUOTE
Originally posted by bobbyt
O Timeout.connect=1m

That error message comes back in a matter of seconds; it can't be the timeout unless something else is timing out.


I meant to up the timeout in your client.
Peamasii
This sendmail.mc modification didn't work for me, after I gen'd the new sendmail.cf and restarted sendmail, I couldn't authenticate to send mail anymore. Had to go back to the original configuration.

I can't believe that hardly anyone else is complaining that new sites created in Ensim cannot use sendmail until the service is bounced. That just makes no sense whatsoever. Right now I have to bounce sendmail nightly but if it fails to restart I'm screwed too.