Web Hosting Talk

maillog - Is my RaQ being used for spam


skymedia
07-29-2002, 07:54 AM
Hello,

Hope someone can help me. I've been having problems with qpopper and sendmail lately. Both go down very often.

When I take a look at the maillog, I see records like these:

Jul 29 08:37:19 www sendmail[31887]: g6TCbI131887: from=<david@servepath.dgnet.ltd.uk>, size=24361, class=0, nrcpts=1, msgid=<200207291137.g6TBbKS14059@servepath.dgnet.ltd.uk>, proto=ESMTP, daemon=MTA, relay=64.125.131.163.servepath.com [64.125.131.163] (may be forged)

Jul 29 08:37:15 www sendmail[31881]: g6TCbE131881: from=<vinehsmith@earthlink.net>, size=2615, class=0, nrcpts=1, msgid=<001501c236ba$14317e00$1a0cf4d8@cel>, proto=ESMTP, daemon=MTA, relay=swan.mail.pas.earthlink.net [207.217.120.123]

Does this mean that david@servepath.dgnet.ltd.uk and vinehsmith@earthlink.net are relaying mail through my server? Those domains are not being hosted by me.

Thanks in advance for your help.
Regards,

Adrián

cbtrussell
07-29-2002, 10:29 AM
Not necessarily. See the message ID... there will be two entries for each ID, corresponding to the inbound and outbound transaction.

For example, on the first entry, the ID is g6TCbI131887. Next time you find a message like this, look immediately after this entry for a matching outbound entry with the same message ID.

Or, pick a suspect log entry and do this as root:

cat maillog | grep {message ID}

as in

cat maillog | grep g6TCbI131887

You should get two entries... If the last entry shows an outbound SMTP transaction to a user NOT on your RaQ, you're being used as an open relay.

Given the problems with sendmail, you very well could be in trouble. Is POP-before-SMTP installed and enabled in your control panel? Do you have a RaQ3 (must install patch) or 4 (comes standard)? Do you have any insecure form processing scripts on your server, such as Formmail from Matt's Script Archive? Do any of your users?

Good luck,

Brandon
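A small script that automates Brandon's pairing check over a whole maillog, added here as an example and not part of the thread. It assumes a list of locally hosted domains (example.com stands in for the poster's real domains); the inbound log lines are the two from the question, the outbound lines are constructed.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt: the two inbound records from the question plus
# invented outbound records for each queue ID (mailer=local vs mailer=esmtp).
SAMPLE_LOG = """\
Jul 29 08:37:15 www sendmail[31881]: g6TCbE131881: from=<vinehsmith@earthlink.net>, size=2615, class=0, nrcpts=1, msgid=<001501c236ba$14317e00$1a0cf4d8@cel>, proto=ESMTP, daemon=MTA, relay=swan.mail.pas.earthlink.net [207.217.120.123]
Jul 29 08:37:16 www sendmail[31883]: g6TCbE131881: to=<adrian@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=32615, dsn=2.0.0, stat=Sent
Jul 29 08:37:19 www sendmail[31887]: g6TCbI131887: from=<david@servepath.dgnet.ltd.uk>, size=24361, class=0, nrcpts=1, msgid=<200207291137.g6TBbKS14059@servepath.dgnet.ltd.uk>, proto=ESMTP, daemon=MTA, relay=64.125.131.163.servepath.com [64.125.131.163] (may be forged)
Jul 29 08:37:21 www sendmail[31890]: g6TCbI131887: to=<victim@example.net>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=54361, relay=mx.example.net. [192.0.2.25], dsn=2.0.0, stat=Sent (ok)
"""

LOCAL_DOMAINS = {"example.com"}  # assumed: the domains this RaQ actually hosts
REMOTE_MAILERS = {"esmtp", "smtp", "relay"}  # sendmail mailers that hand mail to another MTA
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<fields>.*)$")

def parse_fields(text):
    # "k=v, k=v, ..." -> dict; tokens without '=' (e.g. "(may be forged)") are skipped
    fields = {}
    for part in text.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields

def group_by_queue_id(log_text):
    # Every record that shares a queue ID belongs to one transaction (inbound + outbound)
    records = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records[m.group("qid")].append(parse_fields(m.group("fields")))
    return records

def is_local(address):
    return address.strip("<>").rpartition("@")[2].lower() in LOCAL_DOMAINS

def find_relayed(log_text):
    # Flag transactions with a non-local sender that were delivered to a remote MTA for a non-local recipient
    suspects = []
    for qid, recs in group_by_queue_id(log_text).items():
        inbound = [r for r in recs if "from" in r]
        outbound = [r for r in recs if "to" in r]
        if not inbound or not outbound:
            continue  # only half the transaction is logged (still queued, or split across log files)
        relayed_out = any(r.get("mailer") in REMOTE_MAILERS and not is_local(r["to"])
                          for r in outbound)
        if not is_local(inbound[0]["from"]) and relayed_out:
            suspects.append(qid)
    return suspects
```

Hosts authorised by POP-before-SMTP produce the same pattern legitimately, so compare the inbound relay= address of each flagged queue ID against the list of recently authenticated clients before concluding the relay is open.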