Re: system/3502: Sendmail vs. Verisign
I'm not an OpenBSD team member, but I've been bitten by this issue,
and it's not an OpenBSD bug. I'm gonna top-post to answer this, and
be damned by the rest of the list. I'll also copy it to misc@, since
it may well be relevant to others.
When you send mail _from_ your OpenBSD system (e.g. daily script),
it's actually the message submission program CF file that's used,
submit.cf (generated from submit.mc). The line in this that's
relevant is:
    FEATURE(`msp')dnl
According to /usr/share/sendmail/README:
    msp         Defines config file for Message Submission Program. See
                sendmail/SECURITY for details and cf/cf/submit.mc how to
                use it. An optional argument can be used to override
                the default of `[localhost]' to use as host to send all
                e-mails to. Note that MX records will be used if the
                specified hostname is not in square brackets (e.g.,
                [hostname]). If `MSA' is specified as second argument
                then port 587 is used to contact the server. Example:
                    FEATURE(`msp', `', `MSA')
                Some more hints about possible changes can be found below
                in the section MESSAGE SUBMISSION PROGRAM.
                Note: Due to many problems, submit.mc uses
                    FEATURE(`msp', `[127.0.0.1]')
(So OpenBSD doesn't actually use the recommended msp line.)
Changing the msp line to
    FEATURE(`msp', `[127.0.0.1]')dnl
as suggested, and rebuilding submit.cf, should actually clear up
the problem. (This is what I do, and it works for me.)
Note that using a service switch file (as you suggest) won't help,
because, according to the Sendmail Installation and Operation Guide,
/usr/share/doc/smm/08.sendmailop:
    Notice: since sendmail must access MX records for
    correct operation, it will use DNS if it is configured
    in the ServiceSwitchFile file. Hence an entry like
        hosts files dns
    will not avoid DNS lookups even if a host can be found
    in /etc/hosts.
In other words, Verislime is messing lots of stuff up. Specifically,
they respond to an MX query on localhost.your.domain and point it to
their mail rejector.
Hope this helps
Tom
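As an added example (not code from this thread, nor from OpenBSD or sendmail), a Python check that extracts the host argument of the FEATURE(`msp' ...) line in a submit.mc, classifies how much DNS the message submission program will need for it (none for a bracketed IP, an A lookup for a bracketed hostname, MX lookups for a bare hostname), and probes the resolver's search domain for a wildcard zone that answers for names that do not exist. The two resolver stand-ins at the bottom are constructed so it runs offline; the search domain and example hostnames are assumptions.

```python
import ipaddress
import re
import secrets
import socket

MSP_RE = re.compile(r"FEATURE\(`msp'(?:,\s*`([^']*)')?(?:,\s*`([^']*)')?\)")

def msp_target(mc_text):
    """Return the msp host argument; the README default when omitted is [localhost]."""
    m = MSP_RE.search(mc_text)
    return (m.group(1) or "[localhost]") if m else None

def classify_target(target):
    """'literal' = bracketed IP (no DNS); 'bracketed' = host in brackets (A, no MX); 'mx' = bare host."""
    if target.startswith("[") and target.endswith("]"):
        try:
            ipaddress.ip_address(target[1:-1])
            return "literal"
        except ValueError:
            return "bracketed"
    return "mx"

def wildcard_answers(domain, resolve=socket.gethostbyname):
    """True if a random, never-registered label under `domain` still resolves."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    try:
        resolve(probe)
        return True
    except OSError:  # socket.gaierror is an OSError subclass
        return False

def assess(mc_text, search_domain, resolve=socket.gethostbyname):
    """One-line verdict for the msp line, given the resolver's search domain."""
    target = msp_target(mc_text)
    if target is None:
        return "no msp feature found"
    kind = classify_target(target)
    if kind == "literal":
        return f"ok: {target} needs no DNS"
    if wildcard_answers(search_domain, resolve):
        return f"at risk: {target} needs DNS ({kind}) and {search_domain} has a wildcard"
    return f"ok: {target} needs DNS ({kind}); no wildcard seen under {search_domain}"

# Constructed stand-in resolvers so the check can run offline (not real DNS data).
def constructed_wildcard_resolver(name):
    return "192.0.2.1"  # a wildcard zone answers for any label
def constructed_strict_resolver(name):
    raise socket.gaierror(f"{name}: no such host")
```

Against a live resolver, call assess() with the default resolve argument and the domain from the resolv.conf search list.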
>>> "kbk@shore.net" 2-Oct-03 15:31 >>>
>Number: 3502
>Category: system
>Synopsis: Sendmail: Verisign DNS Causes Local Mail to be Dropped
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Oct 02 14:40:01 GMT 2003
>Closed-Date:
>Last-Modified:
>Originator: Kurt B. Kaiser
>Release: OPENBSD_3_3_BASE
>Organization:
net
>Environment:
System : OpenBSD 3.3
Architecture: OpenBSD.i386
Machine : i386
>Description:
I'm using localhost.cf. When Verisign changed the DNS protocol, I started
losing all the OpenBSD diagnostic email. Investigation reveals that the
system is using DNS to resolve all mail addresses. The Verisign mta stub
is returning no such user. OpenBSD then tries to notify the sender, ends
up at Verisign again, tries to notify the postmaster, ends up at Verisign,
and then panics and drops the mail.
This happens in spite of the fact that the address is resolvable via
/etc/hosts, and /etc/resolv.conf contains "lookup file bind".
I fixed this by adding an /etc/mail/service.switch file. Initially, I
tried:
    hosts files dns
but this doesn't work, sendmail still goes for dns and ignores my hosts
file. The order of the "hows" doesn't matter.
    hosts files
works, and I suggest that you add this file to the base system to avoid
the problem.
However, there is another surprise. With "hosts files" sendmail is supposed
to ignore dns. This isn't the case, if the recipient can't be resolved
using /etc/hosts, sendmail will still use dns even though the docs indicate
that the nodns feature is deprecated and the way to avoid dns is
"hosts files". So a typo will still expose hosts on my lan to Verisign.
>How-To-Repeat:
You will need to add a nameserver line to /etc/resolv.conf.
>Fix:
Add /etc/mail/service.switch:
    hosts files
>Release-Note:
>Audit-Trail:
>Unformatted: