URGENT! Need to close open relay

#1 Thu, 04/05/2007 - 16:05
kcackler

OK, in setting up webmin/virtualmin/postfix/server, I managed to set postfix up to run as an open relay. Obviously this is not wanted (machine is being attacked right now to send out thousands of emails..) The following is my postconf. Please help me close postfix to further attacks...

[pre]alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost.$mydomain, $mydomain, $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_canonical_maps = hash:/etc/postfix/canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual[/pre]

Thu, 04/05/2007 - 17:15
Joe

Hey Kevin,

I don't see any rules in that list that would open Postfix, as it is closed by default.

You're going to want to look at smtpd_recipient_restrictions. In the vast majority of cases, the following will do what you want:

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

--

Check out the forum guidelines!

Thu, 04/05/2007 - 17:31
kcackler

That's what several server admins have told me..they see nothing wrong with it, but it is inherently open. I just adjusted the recipient_restrictions and was still able to telnet in and send mail unauthorized.

What would you recommend in this case? Is there a walkthrough somewhere on setting up postfix to work with virtualmin and virtual domains so that I could uninstall and then reinstall following steps? What screwed up my installation was that I had to make weird changes to get it to work like I wanted and I'm afraid of uninstalling and losing those changes...

Fri, 04/06/2007 - 07:34
DanLong

The most expedient solution would be to shut down telnet, then, I suppose.

Fri, 04/06/2007 - 09:19
kcackler

Unfortunately, that did no good. DNSReport still shows the server as an open relay...

Fri, 04/06/2007 - 12:13 (Reply to #5)
DanLong

I don't use postfix, but you should be able to set postfix up for SMTP by authentication only. Check your SMTP options

make sure "Allow untrusted routing" is set to no and set HELO to yes

Fri, 04/06/2007 - 12:45
kcackler

OK, after having another server administrator look at it, and having him be unsuccessful at closing it, I've decided to scrap postfix and restart, getting help along the way.

Let me explain how I need the users set up:

This server hosts multiple (read hundreds) of domains. Naturally, each of these domains needs email access. Therefore, creating a simple 'user' unix user will not work here. Instead we must create a user@domain user and a user-domain user (we must create two users because postfix doesn't like the users to have user@domain type usernames). Mail is stored in a file called user-domain

I had all of this working before (after lots of hacking and whatnot) but had also somehow opened up postfix. I've uninstalled postfix and now reinstalled, and we're working with a clean slate. What is the first step I need to take here to get the following things working:

1. Have postfix accept mail for all of these domains on the server
2. Have postfix allow authenticated sending for all users, using the user@domain login form

This is quite urgent, so any help and/or walkthroughs you have will be helpful.
Kevin

Fri, 04/06/2007 - 12:50
kcackler

Just a quick update here. By adding the following lines (from my old main.cf), I've now got postfix accepting POP3 and SMTP logins for all of the users on the box. (and we're still a closed relay) Now the only thing failing is that any mail sent to a user is bounced. Ex: If I send mail to kevin@domain.com, it bounces saying that postfix couldn't find the user kevin....Obviously it's just looking for the part before the @ for the user...How do I tell it to look for the full address as the user?

Fri, 04/06/2007 - 12:54 (Reply to #8)
DanLong

This is one of the reasons I stay with Sendmail, frankly.

Fri, 04/06/2007 - 18:01 (Reply to #9)
Joe

Hey Kevin,

Sounds like you're missing the virtual map.

Add this line:

virtual_alias_maps = hash:/etc/postfix/virtual

This file needs to know about all of your users. If you already have a file (I assume since things were working before?), you'll just need to restart postfix to have it pick up the change. If you don't already have the file, you'll need to generate it. You can probably use the batch capabilities in Virtualmin to do so.

--

Check out the forum guidelines!

Fri, 04/06/2007 - 12:54
kcackler

Oops...the lines were:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
sender_canonical_maps = hash:/etc/postfix/canonical
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, reject_rbl_client xbl.spamhaus.org
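
As an added example (not code from this thread, from Virtualmin, or from Postfix), the check below encodes the rule Joe gave earlier and that the lines above apply: the recipient policy must contain reject_unauth_destination, and only permit_mynetworks and permit_sasl_authenticated may sit in front of it. It parses a `postconf -n`-style listing offline; the two sample listings are constructed for the example, and the hypothetical open one shows the kind of entry that does turn a server into a relay.

```python
"""Static check of a Postfix main.cf / `postconf -n` listing for open-relay risk.

Added example (not code from the thread or from Virtualmin). It applies the rule
given in the thread: the recipient policy must end in reject_unauth_destination,
with only permit_mynetworks / permit_sasl_authenticated allowed in front of it.
"""
import re

# Constructed sample: the poster's relevant lines plus the recommended restriction list.
CLOSED_CONF = """
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
"""

# Constructed (hypothetical) sample of settings that do open a relay.
OPEN_CONF = """
inet_interfaces = all
smtpd_recipient_restrictions = permit_mynetworks, permit
mynetworks = 0.0.0.0/0
"""

SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination"}


def parse_postconf(text):
    """Parse `key = value` lines (postconf -n style) into a dict; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def split_restrictions(value):
    """Postfix accepts comma- and/or whitespace-separated restriction lists."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def relay_findings(conf):
    """Return human-readable findings; an empty list means the relay policy looks closed."""
    findings = []
    # smtpd_relay_restrictions exists from Postfix 2.10 on; older releases
    # (like the 2.3.3 in the thread) only have smtpd_recipient_restrictions.
    policy_key = ("smtpd_relay_restrictions" if "smtpd_relay_restrictions" in conf
                  else "smtpd_recipient_restrictions")
    if policy_key not in conf:
        # Unset means the compiled-in default, which already contains reject_unauth_destination.
        return findings
    tokens = split_restrictions(conf[policy_key])
    guard_pos = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
    if guard_pos is None:
        findings.append(f"{policy_key} has no reject_unauth_destination: any client may relay")
        guard_pos = len(tokens)
    # Anything that permits before the guard is reached short-circuits the guard.
    for tok in tokens[:guard_pos]:
        if tok == "permit" or (tok.startswith("permit") and tok not in SAFE_PERMITS):
            findings.append(f"{policy_key}: '{tok}' before the relay guard allows relaying")
    # permit_mynetworks is only as tight as mynetworks itself.
    nets = conf.get("mynetworks", "")
    if "0.0.0.0/0" in nets or "::/0" in nets:
        findings.append("mynetworks trusts the whole Internet, so permit_mynetworks permits everyone")
    return findings


if __name__ == "__main__":
    for name, text in (("closed", CLOSED_CONF), ("open", OPEN_CONF)):
        print(name, relay_findings(parse_postconf(text)) or ["no relay findings"])
```

Feed it the output of `postconf -n` to check a live box. One caveat the check can only hint at: when mynetworks is not set explicitly, Postfix derives it from mynetworks_style (the default is subnet), so permit_mynetworks trusts every host on the server's own subnets, which on a shared hosting network may be far more than intended.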

Fri, 04/06/2007 - 18:20
kcackler

I thought about that earlier and re-added that line and restarted, all to no avail. Does virtualmin adjust this file when I add/delete email addresses? If not, I had it working some other way, because I never adjusted that file after the initial setup, but all emails continued to work...

This is something very simple I know. I have a feeling that if I added one line to that file and then rebuilt the postmap that things would work...Anybody know what the syntax for adding a line is?
Kevin

Fri, 04/06/2007 - 18:25
kcackler

OK - We're so close it makes me sick...
I added the following mapping via webmin-->postfix-->virtual domains...

Map kevin@thatscriptguy.com to kevin-thatscriptguy.com

Was able to send a mail to that address and retrieve it without a problem..AWESOME!

Now the problem, of course, is
A)How do I add all of the already created email addresses to this database
B)How do I make virtualmin create this mapping when I create a new email address?

So close....
Kevin

Sun, 04/08/2007 - 13:15 (Reply to #13)
Joe

Hey Kevin,

Glad to hear things are shaping up.

Let's address these in reverse order, because I'm hoping you've got a backup of the "virtual" file somewhere. ;-)

<i>B)How do I make virtualmin create this mapping when I create a new email address?</i>

That's what Virtualmin does. There's no way to configure it not to if you're using postfix. Thus, the reason it was working before was that Virtualmin had created all of the necessary virtual map file entries for you. If you have the virtual file from before you blew away your installation, you can just copy it back into place and regen the postmap. You do have backups, right? (I'm afraid I already know the answer...nobody keeps backups. We've really gotta work on making the backup features easier to use, since no one seems to use them as they are now.)

Otherwise, we'll need to import all of the existing users. Which brings us to:

<i>A)How do I add all of the already created email addresses to this database</i>

I'm not sure, off-hand. ;-)

There's an easy way to import whole domains, including mailboxes based on group membership (this probably only works if your system uses groups the way Virtualmin expects)...but I don't know if there's a super easy way to import just users. There's a batch create mode to the users and groups module, but it doesn't get the Virtualmin stuff. I'll poke around and see what we can do.

--

Check out the forum guidelines!

Fri, 04/06/2007 - 21:02
kcackler

This thread is being continued in a new thread that better described my current problem...

Sun, 04/08/2007 - 13:19
kcackler

To be quite honest Joe, I've already re-added 90% of the email address mappings by hand. So making virtualmin batch add them isn't much of a priority for me, at least, anymore. My main issue is that postfix isn't accepting mail unless I explicitly tell it to accept mail for domains x, y, and z in the virtual_alias_domains parameter. I thought it pulled the domains from the virtual_alias_maps, but I guess I was wrong there.

So basically - I've got it working like I want, but I'm having to remember to add each virtual domain to that parameter. I figured virtualmin updated a file somewhere, but I've been unable to find it if it does..
Kevin

Sun, 04/08/2007 - 13:25 (Reply to #16)
Joe

Hey Kevin,

Virtualmin does set this stuff up, and you don't need a virtual_alias_domains directive if virtual_alias_maps are configured correctly.

Perhaps you're missing the domain definition line? It's just the domain name without any username attached, like:

virtualmin.com virtualmin.com

Every domain has to have an entry like this, or I believe you'll get the behavior you're seeing. (I believe this is equivalent to using virtual_alias_domains directly, but Virtualmin can and does manage it for you.)

--

Check out the forum guidelines!

Sun, 04/08/2007 - 13:25 (Reply to #17)
Joe

BTW-That line appears in /etc/postfix/virtual

--

Check out the forum guidelines!
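
As an added example (not Virtualmin's own code and not from this thread), the script below builds the /etc/postfix/virtual source file in the shape Joe describes across his two posts, a bare `domain domain` line per hosted domain plus a `user@domain user-domain` line per mailbox, and includes a check that reports exactly the poster's symptom: domains with mailbox entries but no domain definition line. The mailbox list and the broken map are constructed sample data.

```python
"""Generate and sanity-check a Postfix virtual_alias_maps source file.

Added example, not Virtualmin's own code. It assumes the layout described in
the thread: a bare `domain domain` line per hosted domain (Postfix ignores the
right-hand side of that line) and one `user@domain user-domain` line per
mailbox, where user-domain is the Unix account that holds the mail.
"""

# Constructed sample mailboxes in the user@domain form the poster logs in with.
MAILBOXES = [
    "kevin@thatscriptguy.com",
    "sales@thatscriptguy.com",
    "bob@example.net",
]

# Constructed map reproducing the poster's symptom: mailbox mapped, domain line missing.
BROKEN_MAP = "kevin@thatscriptguy.com kevin-thatscriptguy.com\n"


def render_virtual(mailboxes):
    """Return the text of /etc/postfix/virtual, ready for `postmap`."""
    by_domain = {}
    for addr in mailboxes:
        user, at, domain = addr.partition("@")
        if not (user and at and domain):
            raise ValueError(f"not a user@domain address: {addr!r}")
        by_domain.setdefault(domain, []).append(user)
    lines = []
    for domain in sorted(by_domain):
        # Domain definition line: without it Postfix does not treat the domain
        # as a virtual alias domain and bounces mail addressed to it.
        lines.append(f"{domain} {domain}")
        for user in sorted(by_domain[domain]):
            lines.append(f"{user}@{domain} {user}-{domain}")
    return "\n".join(lines) + "\n"


def parse_virtual(text):
    """Return (key, target) pairs from a virtual map file, skipping blanks and comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed map line: {raw!r}")
        pairs.append((parts[0], parts[1]))
    return pairs


def missing_domain_lines(text):
    """Domains that have user@domain entries but no `domain domain` definition line.

    This is the state the thread ends in: mailboxes mapped, yet mail bounces
    until the bare domain line is added.
    """
    defined, used = set(), set()
    for key, _target in parse_virtual(text):
        if "@" in key:
            used.add(key.split("@", 1)[1])
        else:
            defined.add(key)
    return sorted(used - defined)


if __name__ == "__main__":
    print(render_virtual(MAILBOXES), end="")
    print("missing domain lines:", missing_domain_lines(BROKEN_MAP))
```

After writing the file, run `postmap /etc/postfix/virtual` to rebuild the hash and `postfix reload` so the running daemons pick it up; the check can be run against an existing file to find domains that were mapped by hand without their definition line.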

Sun, 04/08/2007 - 13:35
kcackler

AHA! Right you are my friend. I need to add a mapping for each domain to domain and voila, it is accepting mail for the domains again.

Edit - You'll never guess what I just found...My old virtual database. Copied it over and regenerated the postmap and we're in business :)

Thanks for your help Joe.

Mon, 04/09/2007 - 03:46
sgrayban

This thread is a perfect example why to use sendmail instead.

Sorry but postfix is the most confusing mail server I have ever had to deal with. There is nothing *logical* when setting it up.

Mon, 04/09/2007 - 19:22 (Reply to #20)
Joe

<i>This thread is a perfect example why to use sendmail instead.

Sorry but postfix is the most confusing mail server I have ever had to deal with. There is nothing *logical* when setting it up. </i>

That's a classic. Scott, you and I have different definitions of "confusing". ;-)

Extracted from a sendmail.mc I found on the web:

<i>
divert(-1)
dnl This is the macro config file used to generate the /etc/sendmail.cf
dnl file. If you modify thei file you will have to regenerate the
dnl /etc/sendmail.cf by running this macro config through the m4
dnl preprocessor:
dnl
dnl m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
dnl
dnl You will need to have the sendmail-cf package installed for this to
dnl work.
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID',``8:12'')dnl
define(`SMART_HOST',`smtp.myisp.net.')dnl
undefine(`UUCP_RELAY')
undefine(`BITNET_RELAY')
define(`confAUTO_REBUILD')
define(`confTO_CONNECT', `1m')
define(`confTRY_NULL_MX_LIST',true)
define(`confDONT_PROBE_INTERFACES',true)
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
define(`LOCAL_RELAY', localhost)dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
LOCAL_USER(`root')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(stickyhost)dnl
FEATURE(redirect)dnl
FEATURE(use_cw_file)dnl
FEATURE(local_procmail)dnl
FEATURE(nouucp, nospecial)dnl
FEATURE(`allmasquerade')dnl
...
</i>

And that's the <i>simplified</i> M4 version of the sendmail configuration. sendmail.cf is a creature from the blackest depths of hell.

Of course, we're happy to support folks using sendmail--it's a fine MTA. Really quite nice in a lot of ways...but man is it ever confusing (I've been administering mail servers for years and I always have to consult the documentation when configuring sendmail...almost never with Postfix).

--

Check out the forum guidelines!

Tue, 04/10/2007 - 16:32
DanLong

Boys, Boys, behave!!!! ;-)

As I pointed out, without the Webmin M4 config module sendmail would really be the pits to setup. When I used Slackware it didn't even come configured with M4, just the Slack rendition of Sendmail which wasn't enterprise friendly at all.

I stick with Sendmail because I use it and feel comfortable with it with less modifications. Postfix made a decision on the @domain username and has stuck with it, kudos for not changing canoes. I prefer the @domain without the kluges to expand the username possibilities bill@domain.com, bill@domain.net, bill@domain.info (noted in a different thread).

just my 2cents