[Mailman-Users] sendmail>>postfix - obtw...

Dan Wilder dan at ssc.com
Tue Dec 18 17:38:06 CET 2001

On Tue, Dec 18, 2001 at 09:53:21AM -0600, Chris Halverson wrote:
> Jay S Curtis <camel at lrllamas.com> writes:
> > Run one of the "relaycheck" utilities from a point outside your network
> > and you may find you **do** have an open relay. I was shocked to find this
> > to be true using 8.11.12 of sendmail - and nothing I changed in the config 
> > would close it.... so I got rid of it.
> Of course, Postfix will also generally trigger these as being "open",
> when in fact they are not. I routinely check my machines from off
> network, and have been probed by Orbs, Orbz, RBL, etc. and never had
> any problems with my sendmail installs. My Postfix ones, due to the
> nature of how postfix works (ie. it accepts the mail before rejecting
> it due to the fact that the programs are split up as opposed to a
> monolithic program like sendmail pre-8.12, 8.12+ uses two separate
> (one non-suid) programs much like postfix), are sometimes reported as
> open. This may be "fixed" in newer Postfixes, but I have never had an
> open sendmail relay for at least the past 5 years.

You must be talking about older Postfixes.  We've been running
Postfix on four internet-exposed servers for a couple of years
now, with no relay complaints, correct or defective.

I don't know what those relaycheck utilities do.  Here's a snapshot
of mine.  From a third-party host:

telnet www.ssc.com 25
Connected to www.ssc.com.
Escape character is '^]'.
220 www.ssc.com ESMTP Postfix
helo sunsite.unc.edu
250 www.ssc.com
mail from: <nobody.you.know at spamhost.org>
250 Ok
rcpt to: <wilder at eskimo.com>
554 <wilder at eskimo.com>: Recipient address rejected: Relay access denied

www.ssc.com runs Postfix of some but not great antiquity,
totally stock so far as its anti-relay settings go.

>From cascadia.a42.com I telnet to it and give a forged helo.
It accepts that.  That's a reasonable thing to do, amazingly
enough.  I then announce a forged envelope-from, which it
again accepts, and specify envelope-to an innocent third-party
victim.  Who is actually me.  I guess that disposes of any
claim of innocence!  At that point, after a short delay, Postfix
lowers the boom with a 554.  If I go on and say:


I get

503 Error: need RCPT command

Not sure what more a relaycheck utility could expect.  

 Dan Wilder <dan at ssc.com>   Technical Manager & Editor
 SSC, Inc. P.O. Box 55549   Phone:  206-782-8808
 Seattle, WA  98155-0549    URL http://embedded.linuxjournal.com/

More information about the Mailman-Users mailing list