Home / server / Questions / 488244
Accepted
Razvan
Asked: 2013-03-16 09:18:12 +0800 CST

Ubuntu sendmail "Relaying denied. Ip name possibly forged" (in reply to rcpt to command)

  • 772

When I try to send an email (from a different server) to a local account on my server I get the following error:

Relaying denied. IP name possibly forged [W.X.Y.Z]

Here's what I do:

[email protected]:~$ telnet subdomain.domain.com 25
Trying A.B.C.D...
Connected to subdomain.domain.com.
Escape character is '^]'.
220 subdomain.domain.com ESMTP Sendmail 8.14.4/8.14.4/Debian-2ubuntu1; ...
HELO a-different-domain.com
250 subdomain.domain.com Hello ...
MAIL FROM: <[email protected]>
250 2.1.0 <[email protected]>... Sender ok
RCPT TO: <[email protected]>
550 5.7.1 <[email protected]>... Relaying denied. IP name possibly forged [W.X.Y.Z]

The problem is that I can send emails just fine if I use RCPT TO: <[email protected]> instead of RCPT TO: <[email protected]>

Please see below the configuration that I currently use.

DNS Configuration:

Host                 Type  Priority  Redirect to
subdomain.domain.com MX    10        mail.subdomain.domain.com
subdomain.domain.com A     10        A.B.C.D

Email server configuration:

OS: Ubuntu
Email Server: sendmail

In /etc/mail/access I have (among others):

mail.subdomain.domain.com
subdomain.domain.com

/etc/mail/local-host-names:

localhost
mail.subdomain.domain.com
subdomain.domain.com

Regarding the masquerading here is what I have in /etc/mail/sendmail.mc:

MASQUERADE_AS(`subdomain.domain.com')dnl
MASQUERADE_DOMAIN(`subdomain.domain.com.')dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl

Just for clarifications: mail.subdomain.domain.com and subdomain.domain.com point to the same IP address.

================= UPDATE1 =================

@Andrzej A. Filip

Yes, i restarted sendmail.

Here is the output of echo '$=w' | sendmail -Am -bt:

root@subdomain:/etc/mail# echo '$=w' | sendmail -Am -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> [A.B.C.D]
mail.subdomain.domain.com
[ip6-loopback]
localhost
subdomain
ip6-localhost
[127.0.0.1]
[127.0.0.2]
subdomain.domain.com
[ip6-localhost]
ip6-loopback

================= UPDATE2 =================

I tested and found out (without changing the DNS configuration) that if i add subdomainXXX.domain.com (where subdomainXXX is any string) to /etc/mail/local-host-names and then I test sending an email from a remote server it simply works:

user@remote-server:/# telnet subdomain.domain.com 25
Trying A.B.C.D...
Connected to subdomain.domain.com.
Escape character is '^]'.
220 subdomain.domain.com ESMTP Sendmail 8.14.4/8.14.4/Debian-2ubuntu1; ...
HELO remote-server
250 subdomain.domain.com Hello ....
MAIL FROM: <...>
250 2.1.0 <...>... Sender ok
RCPT TO: <[email protected]>
250 2.1.5 <[email protected]>... Recipient ok

So it works for any subdomain except for the one that I'm interested into (subdomain.domain.com - which is actually the hostname of the server).

ubuntu

3 Answers

  1. "Relaying denied"suggets that sendmail at mail.subdomain.domain.com does not treat subdomain.domain.com as a local email domain, email domain hosted by it.

    Have you restarted/reloaded sendmail server after modifying /etc/mail/local-host-name file at mail.subdomain.domain.com host?

    YES=> What is reported by the command below exececuted by root at mail.subdomain.domain.com host?

    echo '$=w' | sendmail -Am -bt
    • 1

  2. I had a look at my sendmail.cf. The error message that you give Relaying denied. IP name possibly forged happens in the Relay_ok rule set. Relay_ok is executed by Basic_check_rcpt, which in turn is executed by checkrcpt which in turn is executed by check_rcpt (confusing, I know). The error happens when the value for $&{client_resolve} is FORGED which means that the forward lookup does not match the reverse DNS lookup.

    So the question is: If all you change is either including or removing localhost.localdomain from /etc/mail/local-host-names, why does Relay_ok rejects or accepts email based on this fact? The interesting lines in Relay_ok is:

    SRelay_ok
R$*                     $: $&{client_addr}
:
R$*                     $: < $&{client_resolve} >

    When localhost.localdomain is not included in /etc/mail/local-host-name we get a <FORGED> reply from $&{client_resolve}. When it is included, we do not get this. So the decision about relaying happens before calling Relay_ok. This means that Rcpt_ok (again called in Basic_check_rcpt before Relay_ok) decides that.

    Now from the description that the OP gives, Ubuntu sendmail seems to not automatically include names in /etc/hosts into $=w and that is why localhost.localdomain needs to be included specifically. But why?

    [ Had the original poster posted the complete sendmail.mc it would have helped a lot ]

    • 1
  3. Best Answer

    And .. after several hours I found the issue:

    localhost.localdomain needs to be put alongside with subdomain.domain in /etc/mail/local-host-names.

    So, the correct content for /etc/mail/local-host-names should be:

    localhost
localhost.localdomain
subdomain.domain.com

    It does NOT WORK if you only use:

    localhost
subdomain.domain.com
    • 0