[GLLUG] sendmail puzzle
Philip Hands
phil at hands.com
Tue Oct 11 16:09:56 UTC 2022
Ken Smith via GLLUG <gllug at mailman.lug.org.uk> writes:
> Marco van Beek via GLLUG wrote:
>>
>>
>> On 10/10/2022 22:54, Ken Smith via GLLUG wrote:
>>>
>>> I'm trying to sort out a Rocky 8.5 server that has sendmail
>>> installed. (Please don't go on a diversion about how I should tell
>>> the owner to dump sendmail and switch to exim or postfix - save that
>>> for another thread please. )
>>>
>>> I'm pretty good with sendmail but this problem has me a bit foxed.
>>> I'd value some suggestions of where to look as I think I'm not seeing
>>> the wood for the trees.
>>>
>>> It will send from addresses in the local network, without auth,
>>> because I have "connect:192.168.123 relay" in the access file -
>>> that being the local LAN.
>>>
>>> I've tested sasl auth and that is authenticating.
>>>
>>> Using telnet from an IP off their LAN (over a VPN) I can connect
>>> using TLS (openssl s_client etc etc) and authenticate (perl
>>> -MMIME::Base64 etc etc) it accepts my credentials and then if I try
>>> to send a message I get "Relaying denied. IP name lookup failed [my
>>> local ip]" The same happens with a test using Thunderbird.
>>>
>>> If I do the same test from the host that sendmail is on, it works fine.
>>>
>>> Also if I do the same test from another host on the same LAN it works
>>> fine.
>>>
>>> Somehow it's complaining about the source IP in authenticated sessions
>>> outside the LAN range.
>>>
>>> In the test from my local LAN (172.16.0.x), over a VPN, the remote
>>> dns can't resolve the reverse dns of my LAN. I've done a similar test
>>> with another sendmail site and remote auth is working fine.
>>>
>>> Maybe sendmail is doing reverse DNS when it shouldn't be.
>>>
>>> Suggestions most welcome....
>>>
>>> Thanks
>>>
>>> Ken
>>>
>>>
>>>
>>>
>> Hi,
>>
>> It might be the difference between a missing entry in a zone file, and
>> a missing zone file. Maybe it is the lookup mechanism that fails,
>> rather than it checking the IP address itself. It might be another
>> rule set that is trying to do a reverse lookup (eg hostname), and it
>> barfs out at that point.
>>
>> Maybe increase the logging verbosity and check the logs again?
>>
>> Cheers,
>>
>> Marco
>
> Thank you - Not sure where my error was but, probably a typo on my
> part. I reconfigured it from the ground up using the template config
> files I've kept from other setups and it's working fine now. Didn't touch
> anything to do with DNS or /etc/hosts.
>
> All fixed. Yay :-) Ken

Hi,

I'd recommend installing etckeeper, which stores your /etc in git, and
will then allow you to do stuff like:

    cd /etc
    git diff '@{last week}'

and immediately see what's different from when the thing in question was
working/broken.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
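
Added example, not part of Phil's message or of etckeeper: `@{last week}` is resolved through the branch's reflog, so it only helps if this repository's reflog reaches back that far. The sketch below makes the same comparison from commit dates instead; the throwaway repository, the path mail/access, its contents and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. A throwaway repo with constructed content stands in for an
# etckeeper-managed /etc; the path mail/access and its contents are made up.

# etc_diff_since REPO WHEN [PATH...]
# Diff HEAD against the newest commit whose commit date is at or before WHEN.
# Unlike '@{last week}', this reads commit dates and needs no reflog history.
etc_diff_since() {
    repo=$1; when=$2; shift 2
    base=$(git -C "$repo" rev-list -1 --before="$when" HEAD) || return 2
    if [ -z "$base" ]; then
        echo "no commit at or before '$when' in $repo" >&2
        return 1
    fi
    git -C "$repo" diff "$base" HEAD -- "$@"
}

# Commit everything in REPO with the commit date set AGE_DAYS in the past.
commit_aged() {
    repo=$1; age_days=$2; msg=$3
    stamp="@$(( $(date +%s) - age_days * 86400 )) +0000"
    git -C "$repo" add -A &&
    GIT_AUTHOR_DATE=$stamp GIT_COMMITTER_DATE=$stamp \
        git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
            commit -q -m "$msg"
}

# Build the constructed repo: a config committed two weeks ago, edited yesterday.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    git -C "$d" init -q || return 1
    mkdir -p "$d/mail"
    printf 'Connect:192.168.123\tRELAY\n' > "$d/mail/access"
    commit_aged "$d" 14 'known-good access map' || return 1
    printf 'Connect:192.168.132\tRELAY\n' > "$d/mail/access"
    commit_aged "$d" 1 'edit access map' || return 1
    echo "$d"
}
```

On a host where etckeeper keeps its repository in /etc/.git, the call would be `etc_diff_since /etc '1 week ago' mail/`, run as a user able to read that repository.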