Blog dedicated to Oracle Applications (E-Business Suite) Technology; covers Apps Architecture, Administration and third party bolt-ons to Apps

Tuesday, February 10, 2009

Relaying denied 550 5.7.1

Relaying denied error was received during this test:

Login to appserver.justanexample.com
telnet pluto.justanexample.com 25
MAIL FROM:pink.panther@justanexample.com
250 2.1.0 pink.panther@justanexample.com... Sender ok
RCPT TO:anthony.gonsalves@justanexample.com
550 5.7.1 anthony.gonsalves@justanexample.com... Relaying denied

In sendmail log in /var/log/sylog, the corresponding log entry was:

Feb 10 09:11:12 pluto sendmail[13783]: [ID 801593 mail.info] n1AEB3Ea013783: Authentication-Warning: pluto.justanexample.com: physicalpluto.justanexample.com [192.168.9.22] didn't use HELO protocol
Feb 10 09:11:21 pluto sendmail[13783]: [ID 801593 mail.notice] n1AEB3Ea013783: ruleset=check_rcpt, arg1=anthony.gonsalves@justanexample.com, relay=appserver.justanexample.com[192.168.4.1], reject=550 5.7.1 anthony.gonsalves@justanexample.com Relaying denied

I googled on ruleset=check_rcpt, and found this from sendmail.org:
check_rcpt
The address supplied through the RCPT command can be checked against the check_rcpt ruleset. On first look, this ruleset doesn't make much sense. Why check the recipient? sendmail does this anyway when trying to deliver, esp. for local recipients. However, this ruleset can be used to check whether your system is (mis)used as a relay. The check_compat ruleset, which seems to be better suited for this purpose, since it gets both addresses (sender and recipient) as parameters, is called too late. To reject a misuse at the earliest moment (and save your bandwidth etc), you can refer to the address of the sending system, which is available in the macro ${client_addr}. However, to use it in a rule, you have to refer to it as: $(dequote "" $&{client_addr} $) so sendmail defers evaluation and tokenizes it. The old solution is based on a proposal from Chin Huang: But since there is a problem with these rules, here is a new solution. First, we check whether it is a local client: it can do whatever it want. Next, we remove the local part, maybe repeatedly. If it still has routing information in it, it seems to be a relay attempt. (There are also a more detailed explanation of this ruleset and some additional thoughts.)
So list in the class

F{LocalIP} /etc/mail/LocalIP

the IP addresses of the local clients you will allow to relay through your mail server, for example

134.245 127.0.0.1

A client which connects from one of these IP numbers can send mail through your relay anywhere.

Scheck_rcpt # first: get client addr R$+ $: $(dequote "" $&{client_addr} $) $| $1 R0 $| $* $@ ok no client addr: directly invoked R$={LocalIP}$* $| $* $@ ok from here # not local, check rcpt R$* $| $* $: $>3 $2 # remove local part, maybe repeatedly R$+ $:$>removelocal $1 # still something left? R$*<@$*>$* $#error $@ 5.7.1 $: 550 we do not relay Sremovelocal # remove RelayTo part (maybe repeatedly) # R$*<@$*$={RelayTo}.>$* $>3 $1 $4 R$*<@$=w.>$* $: $>removelocal $>3 $1 $3 R$*<@$*>$* $@ $1<@$2>$3 # dequote local part R$+ $: $>3 $(dequote $1 $) R$*<@$*>$* $: $>removelocal $1<@$2>$3

The trailing $* after $={LocalIP} matches incompletely specified IP addresses on octet boundaries, as can be seen by 134.245 which matches a whole class B subnet.

If you relay mail for other systems (e.g., the secondary MX of a system points to your mailhost or your server is the primary MX, but you forward the mail to another system), use also:

F{RelayTo} /etc/mail/RelayTo

to list all hosts you relay mail to or accept mail for. For example, we put

uni-kiel.de

in RelayTo. Then enable the rule

R$*<@$*$={RelayTo}.>$* $>3 $1 $4

The leading $* will match subdomains of those domains in RelayTo too. You can also use a map instead of a class, if you slightly change the rules.

If you encounter a problem with this ruleset, try to find out which options you're missing or debug it directly.

However adding /etc/mail/LocalIP didn't help as our sendmail version was 8.13.8 and most probably this feature is available in Sendmail 9. I searched inside sendmail configuration file sendmail.cf for filenames which are checked:

# grep /etc/mail /etc/mail/sendmail.cf
Fw/etc/mail/local-host-names
FR-o /etc/mail/relay-domains
O AliasFile=/etc/mail/aliases
#O ErrorHeader=/etc/mail/error-header
O HelpFile=/etc/mail/helpfile
O StatusFile=/etc/mail/statistics
#O UserDatabaseSpec=/etc/mail/userdb
#O ServiceSwitchFile=/etc/mail/service.switch
#O DefaultAuthInfo=/etc/mail/default-auth-info
Ft/etc/mail/trusted-users

/etc/mail/local-host-names stood out. So I seached on that. and found this comment on http://www.ozzu.com/unix-linux-forum/how-setup-relay-host-sendmail-t29690.html

/etc/mail/relay-domains contains a list of hosts which are allowed to relay mail through your mail server. This list may consist of either specific hosts or whole domains.

/etc/mail/sendmail.cw (after sendmail version 8.10, this file is local-host-names) contains a list of domains for which your mail server will accept mail. This list is usually the domains hosted by your machine.

NOTE: put a CR/LF at the end of the last domain. Otherwise it won't work.

So I added appserver.justanexample.com in /etc/mail/local-host-names and bounced sendmail:

svcadm restart sendmail

The relay denied error stopped coming after this change.

No comments: