<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2655.35">
<TITLE>RE: Port 25</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>RedHat's sendmail config by default only listens on 127.0.0.1</FONT>
</P>
<P><FONT SIZE=2>Try doing...</FONT>
</P>
<P><FONT SIZE=2>netstat -an | grep :25</FONT>
</P>
<P><FONT SIZE=2>and see what addresses sendmail is listening on.</FONT>
</P>
<P><FONT SIZE=2>To modify this, look at /etc/mail/sendmail.mc</FONT>
</P>
<P><FONT SIZE=2>-----Original Message-----</FONT>
<BR><FONT SIZE=2>From: mikea [<A HREF="mailto:mikea@mikea.ath.cx">mailto:mikea@mikea.ath.cx</A>]</FONT>
<BR><FONT SIZE=2>Sent: Wednesday, June 25, 2003 9:41 AM</FONT>
<BR><FONT SIZE=2>To: MAILSCANNER@jiscmail.ac.uk</FONT>
<BR><FONT SIZE=2>Subject: Re: Port 25</FONT>
</P>
<BR>
<P><FONT SIZE=2>On Wed, Jun 25, 2003 at 08:30:06AM -0500, Steve Douglas wrote:</FONT>
<BR><FONT SIZE=2>> I am running RedHat version 9 with f-prot, dcc, and razor. I am using</FONT>
<BR><FONT SIZE=2>> MailScanner version 4.21-9.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> When I started I use the command check_MailScanner and receive the following</FONT>
<BR><FONT SIZE=2>> results in my mail log:</FONT>
<BR><FONT SIZE=2>> - MailScanner child caught a SIGH</FONT>
<BR><FONT SIZE=2>> - MailScanner child caught a SIGH</FONT>
<BR><FONT SIZE=2>> - MailScanner E-Mail Virus Scanner version 4.21-9 starting...</FONT>
<BR><FONT SIZE=2>> - Enabling SpamAssassin auto-whitelist functionality...</FONT>
<BR><FONT SIZE=2>> - Using locktype = flock</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> I get the above for each instance of child process that is running (five</FONT>
<BR><FONT SIZE=2>> MailScanner instances when I do a "ps -A"</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>> My firewall is completely off for the moment to remove any potential</FONT>
<BR><FONT SIZE=2>> barriers and scanning does not show port 25. In addition, when I send a</FONT>
<BR><FONT SIZE=2>> test email nothing is forwarded.</FONT>
</P>
<P><FONT SIZE=2>Try doing `telnet <name-of-machine> 25`. If something answers and</FONT>
<BR><FONT SIZE=2>puts up a banner, then there's a listener on 25, which probably is</FONT>
<BR><FONT SIZE=2>your MTA. The banner will tell you what's there.</FONT>
</P>
<P><FONT SIZE=2>Mine gives this:</FONT>
</P>
<P><FONT SIZE=2> $ telnet 127.0.0.1 25</FONT>
<BR><FONT SIZE=2> 220- ESMTP</FONT>
<BR><FONT SIZE=2> 220-</FONT>
<BR><FONT SIZE=2> 220-</FONT>
<BR><FONT SIZE=2> 220-It is a violation of applicable law to send spam</FONT>
<BR><FONT SIZE=2> 220-to this server, and such violations may be prosecuted.</FONT>
<BR><FONT SIZE=2> 220-</FONT>
<BR><FONT SIZE=2> 220 Be aware: Oklahoma has Long Arm clauses in its computer crime statute.</FONT>
</P>
<P><FONT SIZE=2>but I'm paranoid and nasty, and longer banners tend to do ugly things to</FONT>
<BR><FONT SIZE=2>badly-written ratware. I'm willing to do what I can to break ratware.</FONT>
</P>
<P><FONT SIZE=2>If you don't get a connection, then probably sendmail (or exim or</FONT>
<BR><FONT SIZE=2>postfix or other_MTA) is not running, and you need to investigate that.</FONT>
<BR><FONT SIZE=2>Try the "ps" command; on FreeBSD it would be something like</FONT>
<BR><FONT SIZE=2> `ps awwwwux | grep -i mail`</FONT>
<BR><FONT SIZE=2>(without the "`") to catch all processes that have the character</FONT>
<BR><FONT SIZE=2>string "mail" in any combination of upper/lower case.</FONT>
</P>
<P><FONT SIZE=2>If you get a connection but no banner, then *something* is listening</FONT>
<BR><FONT SIZE=2>on port 25, but it may not be an MTA. That *definitely* merits serious</FONT>
<BR><FONT SIZE=2>investigation, and the "netstat" command can be a great help.</FONT>
</P>
<P><FONT SIZE=2>--</FONT>
<BR><FONT SIZE=2>Mike Andrews</FONT>
<BR><FONT SIZE=2>mikea@mikea.ath.cx</FONT>
<BR><FONT SIZE=2>Tired old sysadmin since 1964</FONT>
</P>
</BODY>
</HTML>