Subject: Re: sendmail security?
From: Colin Stefani (colinsPRO2NET.COM)
Date: Thu Aug 31 2000 - 02:24:20 CDT


You are not too far off base. Resolving names is important for anti-spam
measures, but not the end-all-be-all of security solutions for email. You
will have to make the call if it's worth it, since some domains don't
reverse correctly or resolve correctly. This is due to sys admin sloppiness
and human error on down to the intended misconfigurations for doing no-good.

A couple of things that immediately pop in my mind are:

1) They messed up their DNS records (type, SOA, IP address error, calling an
A record a CNAME, etc.) and the primary is not considered a valid,
authoritative server anymore and is notifying out to secondaries a bad
record for somewhere.com, which are rejecting it altogether, causing
resolution problems and the non-authoritative answers.

2) What do the Sendmail errors say, if anything? /var/log/maillog?
/var/log/messages? Sendmail is good about yelling when it has a problem.

3) Is it only that one domain, or several? Maybe your machine is having
problems looking up names; is your /etc/resolv.conf set up correctly with a valid
and active name server (don't scoff, it's a common error, but I imagine
you've gone this route already)?

4) Maybe your primary DNS that the machine points to is having problems?
(unlikely if other mail is OK).

My guess is it's more likely to be one of the first two.

my $0.02

colin.s

-----Original Message-----
From: Nate Faerber
To: FOCUS-LINUXSECURITYFOCUS.COM
Sent: 8/30/00 5:13 PM
Subject: sendmail security?

My mail queue has been filling up with mails being sent to domains where
their primary nameservers are not giving authoritative answers for them.
Example:

EG.-------------------------------------------------->8
C:\>nslookup -type=soa somewhere.com
Server: ns1.myplace.com
Address: X.X.X.X

Non-authoritative answer:
somewhere.com
        primary name server = primary.somewhere.com
        responsible mail addr = sysop.somewhere.com
        serial = 2820744025
        refresh = 10800 (3 hours)
        retry = 3600 (1 hour)
        expire = 432000 (5 days)
        default TTL = 38400 (10 hours 40 mins)

somewhere.com nameserver = gateway.somewhere.com
somewhere.com nameserver = primary.somewhere.com
somewhere.com nameserver = mail.somewhere.com
gateway.somewhere.com internet address = X.X.X.X
mail.somewhere.com internet address = X.X.X.X

>nslookup -type=NS somewhere.com
Server: ns1.myplace.com
Address: X.X.X.X

Non-authoritative answer:
somewhere.com nameserver = gateway.somewhere.com
somewhere.com nameserver = primary.somewhere.com
somewhere.com nameserver = mail.somewhere.com

gateway.somewhere.com internet address = X.X.X.X
mail.somewhere.com internet address = X.X.X.X

>nslookup somewhere.com primary.somewhere.com
Server: primary.somewhere.com
Address: X.X.X.X

Non-authoritative answer: <----- shouldn't this be authoritative??
Name: somewhere.com
Address: X.X.X.X
----------------------------------------------------->8

My mailq has messages like this:
e7SKCli14484 7582 Mon Aug 28 13:12 <memyplace.com>
                 (host map: lookup (somewhere.com): deferred)
                                       <personsomewhere.com>

I am referencing the primary server for that domain so it should be
authoritative, right? I believe my sendmail is set up to defer these
messages as a security feature. Is this correct? Should I change my
sendmail configuration to deliver to these servers? Where/How...I haven't
been able to find documentation on this. Could there be a different reason
for all the deferred messages?

Any suggestions?

Almost forgot:
Sendmail Switch 2.0.0
Sendmail 8.10.0
Redhat 6.2

thanks
nate
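An added example (not code from either poster), stdlib-only Python: `query()` sends the same SOA question nslookup does to a named server over UDP, and `classify()` reads the reply header the way a resolver does, where the AA bit is what nslookup reports as authoritative vs. non-authoritative and a SERVFAIL rcode is the temporary error that makes sendmail defer with "host map: lookup ... deferred". The domain and server names, the sample header and the transaction id are constructed placeholders; only plain RFC 1035 UDP queries are assumed.

```python
import socket
import struct

# DNS header flag bits and response codes (RFC 1035).
AA = 0x0400          # Authoritative Answer
TC = 0x0200          # Truncated
SERVFAIL, NXDOMAIN = 2, 3

def build_query(name, qtype, txid=0x1234):
    """Build a minimal recursion-desired DNS query for one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Pull the fields that decide the outcome out of the 12-byte header."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "aa": bool(flags & AA), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}

def classify(hdr):
    """Describe what a mail server's resolver would make of this reply."""
    if hdr["rcode"] == SERVFAIL:
        return "SERVFAIL: temporary error, sendmail defers (host map lookup deferred)"
    if hdr["rcode"] == NXDOMAIN:
        return "NXDOMAIN: permanent error, mail bounces"
    if hdr["rcode"] != 0:
        return "rcode %d" % hdr["rcode"]
    if hdr["aa"]:
        return "authoritative answer"
    return "non-authoritative answer (not authoritative for the zone, or served from cache)"

def query(name, server, qtype=6, timeout=5.0):
    """Send one UDP query (default type 6 = SOA) to `server` and parse the header."""
    pkt = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != struct.unpack("!H", pkt[:2])[0]:
        raise ValueError("transaction id mismatch, ignoring reply")
    return hdr

if __name__ == "__main__":
    # Constructed reply header (not captured from anyone's server): QR, RD, RA set, AA clear.
    sample = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    print(classify(parse_header(sample)))  # live check: classify(query("somewhere.com", "primary.somewhere.com"))
```

Run the live check against each server the SOA lists for the domain; an AA-clear answer from the listed primary matches what the nslookup transcript above shows, while a SERVFAIL or timeout is what actually leaves messages deferred in the queue.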