Spam through our servers.

9 posts / 0 new
Last post
#1 Thu, 06/22/2006 - 21:18
AdamHolt

Spam through our servers.

Im not sure what I need to do to prevent this.

I created a bogus account in my outlook express email program and inputed a username of LudOm with no password and used the incoming and outgoing server as our domain name.

I sent the message and sure enough it was sent out from our server.

So I need to know how to stop this because apparently anyone can send an email through our servers which opens us up to all kinds of problems.

Thanks,

Thu, 06/22/2006 - 22:37
Joe
Joe's picture

Hey Adam,

That's not the default behavior, though I'm not sure exactly what has been changed to make it happen.

If you installed before the installer knew how to setup SMTP authentication for outgoing mail automatically (added about 2-3 months ago), you might have made a mistake when following the FAQ about configuring it--I know at least one person did something along these lines when following the FAQ.

What's your "Restrictions on recipient addresses" option in Postfix:SMTP Options set to? It ought to be "permit_mynetworks permit_sasl_authenticated reject_unauth_destination", at minimum. If you've modified the mynetworks variable, that's a potential source of trouble (though probably not a major issue unless set to something ridiculous like 0.0.0.0/0.0.0.0).

--

Check out the forum guidelines!

Fri, 06/23/2006 - 00:11
AdamHolt

The Restrictions on recipients addresses was
permit_mynetworks,reject_unauth_destination

I've never messed with the smtp settings of postfix, now it reads
permit_mynetworks,reject_unauth_destination,reject_unauth_destination

I've tried resending the message via the account I setup in outlook express with no login credentials and the mail still gets sent out, so adding the reject_unauth_destination didn't seem to help the situation.

Where is this FAQ that you speak of, I obviously need to read or re-read it in hopes that it will close up this hole so that strangers can't send mail through our server.

By the way, the only thing that got me thinking about this was when I was looking through our routers logs and saw a bunch of strange requests coming into or out of port 25, once I did a reverse ip lookup I saw that the ip address reported was not a known clients ip address nor any isp of known clients. So to others, might I suggest that you look into your routers log at the bare minimum if not your servers complete logs to see whats going on when your back is turned on your server.

Okay, wheres this faq, and what do you suggest next to stop this problem Joe.

Thanks,
Adam

Fri, 06/23/2006 - 00:26 (Reply to #3)
Joe
Joe's picture

<i>Where is this FAQ that you speak of, I obviously need to read or re-read it in hopes that it will close up this hole so that strangers can't send mail through our server.</i>

http://www.virtualmin.com/faq/one-faq?faq_id=1511#33021

But this FAQ is about <i>opening</i> up access for logged in users--not for securing an open relay. The default configuration of Postfix is pretty much locked up tight, with no mail able to come in or out. It has to be explicitly configured to allow any mail to pass through.

<i>I've tried resending the message via the account I setup in outlook express with no login credentials and the mail still gets sent out, so adding the reject_unauth_destination didn't seem to help the situation.</i>

As I said in the previous post, the only other possibility that immediately comes to mind is the mynetworks directive (named &quot;Local networks&quot; in the Postfix General Options page). This probably ought to be empty, since using SMTP authentication is the better way to go.

<i>By the way, the only thing that got me thinking about this was when I was looking through our routers logs and saw a bunch of strange requests coming into or out of port 25, once I did a reverse ip lookup I saw that the ip address reported was not a known clients ip address nor any isp of known clients. So to others, might I suggest that you look into your routers log at the bare minimum if not your servers complete logs to see whats going on when your back is turned on your server.</i>

The /var/log/maillog is worth keeping an eye on. This is where all mail transactions are logged. You'll see a lot of crap on any system with a lot of active mailboxes, but it's also pretty easy to spot local user accounts being abused once you learn how to read the log. This is far more accurate and informative than router logs will be for this specific task. But router data can certainly give you a heads up if traffic suddenly spikes without apparent legitimate cause.

--

Check out the forum guidelines!

Fri, 06/23/2006 - 00:15
AdamHolt

I've now changed the setting to permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

Which also still lets unknown users send mail through our servers.

Fri, 06/23/2006 - 00:44
AdamHolt

The Local Networks setting in the general settings of Postfix configuration are set to &quot;Default (all attached networks)&quot;

Should it be defined to something specific?

Fri, 06/23/2006 - 00:50
AdamHolt

Okay, so I should change the radio box on the local networks setting from default to just blank settings so that it no longer is checked as the default setting, correct?

It seems that by check marking the option for local networks to not be the default setting seems to stop me from sending out with a relay denied message in outlook express.

I can only hope this has stopped the problem and dread to think just how many emails may have been relayed through our server over the last 5,6,7 or however long we have had Virtualmin and our server running here. Oh well, better late than never I suppose.

Fri, 06/23/2006 - 01:14 (Reply to #7)
Joe
Joe's picture

No, the default value is almost certainly fine (and changing it will break local mail service, I'm pretty sure). I'm out of ideas for obvious culprits (it's really pretty hard to make postfix an open relay, and those are the only two directives that I can think of off the top of my head that can do it).

Send along your postfix configuration and I'll have a closer look. It's stored in /etc/postfix/main.cf.

Here's a command to see it without comments and empty lines:

sed -e 's/#.*//;/^s*$/d' /etc/postfix/main.cf

(It's nearly always recommended to strip comments and empty lines when posting around these parts, so it's easier for folks to spot changes.)

--

Check out the forum guidelines!

Fri, 06/23/2006 - 01:20 (Reply to #8)
Joe
Joe's picture

<i>I can only hope this has stopped the problem and dread to think just how many emails may have been relayed through our server over the last 5,6,7 or however long we have had Virtualmin and our server running here. Oh well, better late than never I suppose.</i>

On this concern, I'm still not seeing how you could have ended up with an open relay. The two directives that can easily be configured wrong don't appear to be misconfigured on your box.

Are you sure you're box is actually relaying? There are several circumstances where sending mail without authentication would work:

[ol]

[*]Mail being sent to a user on your system. No auth needed for this.[/*]

[*]Mail sent to a domain that you've setup to relay for. Again, no auth needed, and it's probably not a problem.[/*]

[*]Your sending system is in the local networks definition (though I think we've ruled this one out by you're disabling local networks access entirely, which should be undone before your work is called finished).[/*]

[/ol]

Finally, when in doubt about what's happening, look in the logs! /var/log/maillog is the log to watch. Look at it when you are performing all of your send tests. This will almost certainly tell you a lot more than my guesses can.

--

Check out the forum guidelines!