From owner-freebsd-security Tue Mar 4 11:53:26 2003
Delivered-To: freebsd-security@freebsd.org
Message-ID: <007801c2e287$b3075620$0200010a@orion>
From: "Jasvinder S. Bahra"
Subject: Tripwire (Cron /usr/local/sbin/tripwire --check --cfgfile /etc/tripwire/tw.cfg)
Date: Tue, 4 Mar 2003 19:53:16 -0000

Evening folks.

I'm having some problems receiving my tripwire reports. I have a gateway-firewall system, running this version of FreeBSD...

FreeBSD foo.bar.org 4.6.2-RELEASE-p7 FreeBSD 4.6.2-RELEASE-p7 #0

(Please note that throughout this e-mail, domain details have been replaced with FOO.BAR.ORG - this is not the real domain info, for obvious reasons. I should point out that the domain is just something I've set locally. No services are open on the internet side of the machine.) : )

Now, tripwire runs at regular intervals using cron, and the reports are then e-mailed to me (/etc/rc.config has a 'sendmail_enable="NO"' entry so that the reports can be sent). Entry in crontab...

0 23 * * * root /usr/local/sbin/tripwire --check --cfgfile /etc/tripwire/tw.cfg

I have set root's e-mail address in /etc/mail/aliases...

root: jazz,my_external_email_address@domain.com

...and run the command 'newaliases', after I updated the aliases file. Now, as far as I understand, this setup should run a tripwire security check at 11 in the evening, and then e-mail the report to the root e-mail address set in the aliases file.

After a fashion, this does work. The e-mail has a subject of 'Returned mail: see transcript for details', a body displayed below, and two attachments...

--------------------------------8<--------------------------------
The original message was received at Fri, 28 Feb 2003 23:00:28 GMT
from root@localhost

   ----- The following addresses had permanent fatal errors -----
root
    (reason: 553 5.1.8 ... Domain of sender address root@foo.bar.org does not exist)
    (expanded from: root)

   ----- Transcript of session follows -----
... while talking to localhost.my.domain.:
>>> MAIL From: SIZE=4771
<<< 553 5.1.8 ... Domain of sender address root@foo.bar.org does not exist
501 5.6.0 Data format error
--------------------------------8<--------------------------------

The first attachment shows the following...

--------------------------------8<--------------------------------
Reporting-MTA: dns; sirius.differentreality.org
Arrival-Date: Sat, 1 Mar 2003 23:00:28 GMT

Final-Recipient: RFC822; root@foo.bar.org
Action: failed
Status: 5.1.8
Diagnostic-Code: SMTP; 553 5.1.8 ... Domain of sender address root@foo.bar.org does not exist
Last-Attempt-Date: Sat, 1 Mar 2003 23:06:55 GMT
--------------------------------8<--------------------------------

The second attachment is the tripwire report itself - it has a subject of...

Cron /usr/local/sbin/tripwire --check --cfgfile /etc/tripwire/tw.cfg

Now, the first attachment shows that the mail server is doing a DNS lookup when it receives the e-mail, and it's because the lookup fails that the e-mail is received in this fashion. Does anyone know a way to get around this? The same thing is also happening for the 'foo.bar.org daily run output'. Admittedly this is somewhat minor - the reports *are* being received after all, but for neatness's sake, I'd like to clear it up. *shrugs*

Regards,
Jazz
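
The delivery-status attachment quoted in the message can be read mechanically, which is useful when integrity reports start arriving as bounces. The following is an added example, not part of the original post: it parses the RFC 3464 field groups and picks out failures with status 5.1.8 (bad sender's system address). The sample text is transcribed from the message, with the elided "..." dropped, and the function names are hypothetical.

```python
import re
from email.parser import HeaderParser

# Sample transcribed from the attachment quoted in the message above
# (foo.bar.org is the poster's placeholder domain).
SAMPLE_DSN = """\
Reporting-MTA: dns; sirius.differentreality.org
Arrival-Date: Sat, 1 Mar 2003 23:00:28 GMT

Final-Recipient: RFC822; root@foo.bar.org
Action: failed
Status: 5.1.8
Diagnostic-Code: SMTP; 553 5.1.8 Domain of
 sender address root@foo.bar.org does not exist
Last-Attempt-Date: Sat, 1 Mar 2003 23:06:55 GMT
"""


def parse_dsn(text):
    """Split a message/delivery-status body into its field groups.

    Groups are separated by blank lines; the first holds per-message
    fields, each later one describes a single recipient.
    """
    groups = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        msg = HeaderParser().parsestr(block)
        # Lower-case the field names and unfold continuation lines.
        groups.append({k.lower(): " ".join(v.split()) for k, v in msg.items()})
    return groups


def sender_domain_failures(text):
    """Return recipients that failed with status 5.1.8."""
    findings = []
    for fields in parse_dsn(text)[1:]:  # skip the per-message group
        if fields.get("action") != "failed" or fields.get("status") != "5.1.8":
            continue
        diag = fields.get("diagnostic-code", "")
        # Wording assumed to match the sendmail diagnostic shown in the post.
        m = re.search(r"sender address (\S+)@(\S+) does not exist", diag)
        findings.append({
            "recipient": fields.get("final-recipient", "").split(";")[-1].strip(),
            "sender_domain": m.group(2) if m else None,
            "diagnostic": diag,
        })
    return findings


if __name__ == "__main__":
    for finding in sender_domain_failures(SAMPLE_DSN):
        print(finding)
```
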