sendmail 17: strange log entries...

yesterday I was forced to switch to sendmail 17 from the ports collection because my new ISP demands authentication for using the smarthost.
It was not too complicated to switch from base sendmail to ports sendmail, and most things kept on working without any problem (mostly the smarthost worked again instantly :) )

But today I've scrolled through the protocols and saw quite weird entries like these:

Apr 5 19:31:56 l3router sm-mta[88098]: ruleset=trust_auth, arg1=www@l3router.meiszl.de, relay=localhost [127.0.0.1], reject=550 5.7.1 <www@l3router.meiszl.de>... not authenticated

Aha, a reject. Mail from localhost got rejected? But reading on I saw:

Apr 5 19:31:57 l3router sm-mta[88098]: 235HVufB088098: from=<www@l3router.meiszl.de>, size=907, class=0, nrcpts=1, msgid=<9B2YpT4ZfRJNqp6EHvkdya25I474p7vOCcS09u8UqYI@homepage.meiszl.de>, proto=ESMTPS, daemon=IPv4, relay=localhost [127.0.0.1]
Apr 5 19:31:57 l3router sendmail[88097]: 235HVuhM088097: to=WPSecurity@meiszl.de, ctladdr=www (80/80), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30751, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (235HVufB088098 Message accepted for delivery)
Apr 5 19:31:57 l3router sm-mta[88100]: 235HVufB088098: to=XXX, ctladdr=<www@l3router.meiszl.de> (80/80), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=61525, dsn=2.0.0, stat=Sent
Apr 5 19:31:57 l3router sm-mta[88100]: 235HVufB088098: to="| /usr/local/etc/BanWPFromMail", ctladdr=failmail (26/0), delay=00:00:00, xdelay=00:00:00, mailer=prog, pri=61525, dsn=2.0.0, stat=Sent
Apr 5 19:31:57 l3router sm-mta[88100]: 235HVufB088098: done; delay=00:00:00, ntries=1

Instead of the reject, the mail was finally accepted and delivered!!!
(OK, this example is a bit bad: the "recipient" is an alias and the message is forwarded to "XXX" and a fail2ban script. But both destinations got the mail!)

Searching the logs for "not authenticated" showed quite a lot of these "rejects". (There is no need for authentication within the local net; this is the mail dump for everything and everybody within the LAN.)

So I am about to think that this message is just fake news spread by sendmail to make the admin wonder and panic...

Or, can anybody explain what is going on and why the message shows up at all?

(btw: dear spammers: no need to try those email addresses from the listing, they are not accessible from the outside)
 
Your www/mailer uses mail from:address auth=address in its SMTP session, which fails from unauthenticated users.
You can use SASL with base sendmail too (probably won't change anything); just have this in make.conf:

SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2
and rebuild libsm, libsmutil and sendmail.
But you have to rebuild after freebsd-update (not always, normally only when upgrading).
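
An added example, not part of the thread and not sendmail's own code: the reply above ties the trust_auth line to the AUTH= parameter of MAIL FROM, and this script groups sm-mta log lines by process ID and queue ID to show which "not authenticated" entries were still followed by an accepted, delivered message. The sample log is constructed (placeholder host and addresses), and treating one sm-mta PID as one SMTP session is an assumption.

```python
import re
from collections import defaultdict

# Sample lines constructed for this example, modeled on the log format quoted
# in the thread (host, addresses and queue ids are placeholders).
SAMPLE_LOG = """\
Apr 5 19:31:56 mx sm-mta[1001]: ruleset=trust_auth, arg1=www@mx.example.org, relay=localhost [127.0.0.1], reject=550 5.7.1 <www@mx.example.org>... not authenticated
Apr 5 19:31:57 mx sm-mta[1001]: 235AAAAA001001: from=<www@mx.example.org>, size=907, class=0, nrcpts=1, proto=ESMTPS, daemon=IPv4, relay=localhost [127.0.0.1]
Apr 5 19:31:57 mx sm-mta[1003]: 235AAAAA001001: to=admin, mailer=local, dsn=2.0.0, stat=Sent
Apr 5 19:40:02 mx sm-mta[1010]: ruleset=trust_auth, arg1=bob@mx.example.org, relay=host.example.net [192.0.2.7], reject=550 5.7.1 <bob@mx.example.org>... not authenticated
"""

LINE = re.compile(r"sm-mta\[(?P<pid>\d+)\]: (?P<body>.*)$")
TRUST = re.compile(r"ruleset=trust_auth, arg1=(?P<arg>[^,]+),.*reject=")
FROM = re.compile(r"^(?P<qid>\w+): from=<(?P<sender>[^>]*)>")
SENT = re.compile(r"^(?P<qid>\w+): to=.*stat=Sent")

def correlate(log_text):
    """Return one record per trust_auth reject: the AUTH= value, plus the
    queue id and delivery status of a message later accepted by the same
    sm-mta process (assumed here to be the same SMTP session)."""
    rejects = defaultdict(list)   # pid -> records for trust_auth rejects
    by_qid = {}                   # queue id -> records waiting on delivery
    results = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, body = m["pid"], m["body"]
        if (t := TRUST.search(body)):
            rec = {"pid": pid, "auth_arg": t["arg"], "qid": None, "delivered": False}
            rejects[pid].append(rec)
            results.append(rec)
        elif (f := FROM.match(body)):
            # Message accepted in a process that logged a reject earlier.
            for rec in rejects.pop(pid, []):
                rec["qid"] = f["qid"]
                by_qid.setdefault(f["qid"], []).append(rec)
        elif (s := SENT.match(body)):
            # Delivery may be logged by a different child; join on queue id.
            for rec in by_qid.get(s["qid"], []):
                rec["delivered"] = True
    return results

if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        kind = "message accepted anyway" if rec["qid"] else "no message followed"
        print(rec["pid"], rec["auth_arg"], rec["qid"], rec["delivered"], kind)
```

Records with a queue id and `delivered` set are the case discussed in this thread; records with no queue id are trust_auth entries where no accepted message was logged by that process.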
 
Yeah, I know that I can rebuild my own, and for some years I also did it.
But, as you say, you need to keep an eye on it if you upgrade and so I decided to keep the stock BSD and use the port instead.

And, as I said, it works!

Just this rather stupid error message (or better "warning" because the mails are still delivered despite the "reject") puzzles me.
 