* [gentoo-user] Open Relay - What Happened?
From: Randy Barlow @ 2007-06-28 4:33 UTC
To: Gentoo Users
So I'm running postfix on Gentoo, and have been doing so happily since
about November. Until today I got a rejection for relayed mail notice
from Road Runner. I read on their site that this happens when your IP
address sends more than 1000 e-mails in 24 hours. My first thought was
my Windows-using roommates, but then I checked my e-mail server from the
outside and indeed it was open. This is weird though, because I believe
I have it configured for authenticated users only. I even tried setting
it to only allow connections from this host, and still it happily
accepts connections from outside and tries to relay those e-mails to
other domains (of course, I would expect it to accept mail for
electronsweatshop.com.) Here are some settings in /etc/postfix/main.cf
that I think are relevant, anybody have any comments/criticisms/suggestions?
myorigin = $myhostname
mydestination = $myhostname, localhost.$mydomain, $mydomain
# I tried setting to host to see if that would solve the problem (nope)
mynetworks_style = subnet
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
# I've tried the following also adding
# reject_unauth_destination,reject_unknown_client, but that didn't solve
# the problem either
smtpd_client_restrictions = permit_sasl_authenticated
smtp_use_tls = yes
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
relayhost = smtp-server.carolina.rr.com
# I actually have several domains listed here. Does anyone know how to
# get it to allow me to relay to all domains once I have properly
# authenticated?
relay_domains = bunchofdomains.com
smtpd_tls_security_level = may
I fully appreciate any help anyone can offer. I made this setup just by
following some guides I found here and there online, and don't really
have a good grasp on the 6 volume manual that is postfix docs :)
--
Randy Barlow
http://electronsweatshop.com
But you are a chosen race, a royal priesthood, a holy nation, a people
for his own possession, that you may proclaim the excellencies of him
who called you out of darkness into his marvelous light. Once you were
not a people, but now you are God's people; once you had not received
mercy, but now you have received mercy. ~1 Peter 2:9-10
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Open Relay - What Happened?
From: Vladimir Rusinov @ 2007-06-28 5:49 UTC
To: gentoo-user
On 6/28/07, Randy Barlow <randy@electronsweatshop.com> wrote:
>
> So I'm running postfix on Gentoo, and have been doing so happily since
> about November. Until today I got a rejection for relayed mail notice
> from Road Runner. I read on their site that this happens when your IP
> address sends more than 1000 e-mails in 24 hours.
You have problems with client restrictions.
It is very weird that spammers haven't attacked your server since November.
Try the following:
smtpd_helo_required = yes
disable_vrfy_command = yes
unknown_hostname_reject_code = 550
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mx_backup,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_relay_domains,
    reject
Or just
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_relay_domains,
    reject
--
Vladimir Rusinov
GreenMice Solutions: Linux-based IT solutions
http://greenmice.info/
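
Added example, not part of the original thread and not Postfix code: a simplified Python model of how smtpd evaluates restriction lists, showing that a client list holding only permit_sasl_authenticated never rejects anyone, while the shorter smtpd_recipient_restrictions list from the reply above does. The subnet, addresses, dictionary keys and function names are assumptions, and check_relay_domains is reduced to a recipient-domain match.

```python
import ipaddress

# Constructed values; only the restriction names and the two lists come from the thread.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed subnet of the server
HOSTED = {"electronsweatshop.com"}                   # mydestination / relay_domains

def step(name, c):
    """One restriction: PERMIT, REJECT or DUNNO (no opinion, keep going)."""
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(c["client_ip"])
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "PERMIT" if c["authenticated"] else "DUNNO"
    if name == "check_relay_domains":  # simplified: recipient domain match only
        hosted = c["rcpt"].rsplit("@", 1)[1].lower() in HOSTED
        return "PERMIT" if hosted else "REJECT"
    if name == "reject":
        return "REJECT"
    raise ValueError("restriction not modelled: " + name)

def evaluate(restrictions, c):
    """The first PERMIT or REJECT ends the list; an exhausted list decides nothing."""
    for name in restrictions:
        verdict = step(name, c)
        if verdict != "DUNNO":
            return verdict
    return "DUNNO"

def decision(stages, c):
    """Lists run in order; only REJECT is final, PERMIT just ends its own list."""
    for restrictions in stages:
        if evaluate(restrictions, c) == "REJECT":
            return "REJECT"
    return "ACCEPT"

CLIENT = ["permit_sasl_authenticated"]          # smtpd_client_restrictions, question
RECIPIENT = ["permit_mynetworks", "permit_sasl_authenticated",
             "check_relay_domains", "reject"]   # shorter list from the reply

def conn(ip, authenticated, rcpt):
    """Describe one SMTP session at RCPT TO time."""
    return {"client_ip": ip, "authenticated": authenticated, "rcpt": rcpt}
```

With these lists an unauthenticated host inside MYNETWORKS is still accepted for any recipient, which is what permit_mynetworks is for; how wide that network is depends on mynetworks_style.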
* Re: [gentoo-user] Open Relay - What Happened?
From: Randy Barlow @ 2007-06-28 18:37 UTC
To: gentoo-user
Vladimir Rusinov wrote:
> You have problems with client restrictions.
> It is very weird that spammers haven't attacked your server since November.
Thanks for your help Vladimir, I believe my e-mail server is secure now!
--
Randy Barlow
http://electronsweatshop.com
* Re: [gentoo-user] Open Relay - What Happened?
From: Kent Fredric @ 2007-06-29 7:00 UTC
To: gentoo-user
On 6/29/07, Randy Barlow <randy@electronsweatshop.com> wrote:
> Vladimir Rusinov wrote:
> > You have problems with client restrictions.
> > It is very weird that spammers haven't attacked your server since November.
>
> Thanks for your help Vladimir, I believe my e-mail server is secure now!
Just be aware bounce-mails are not necessarily an indication of a
compromised box. Lately some spammers have learned they can double
their audience and halve their own send rate by putting victim1 as the
"to" address, and victim2 as the "from" field, so that way when
servers send a 'sorry, can't deliver this message' it basically acts
as an open-relay-on-bounce (if there's any doubt, check the headers of
the bounced message, sometimes you'll find your server never touched
it)
--
Kent
ruby -e '[1, 2, 4, 7, 0, 9, 5, 8, 3, 10, 11, 6, 12, 13].each{|x|
print "enNOSPicAMreil kdrtf@gma.com"[(2*x)..(2*x+1)]}'
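
Added example, not part of the original thread: one way to do the header check suggested above, by pulling the Received lines out of the message embedded in a bounce and looking for your own server in them. The bounce is constructed, and every host name, address and function name is an assumption.

```python
import email
from email import policy

# Constructed bounce for illustration; every host and address is made up.
BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: victim2@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Sorry, can't deliver this message.
--b1
Content-Type: message/rfc822

Received: from pc.example.com (unknown [198.51.100.7])
 by mx.example.net with SMTP; Fri, 29 Jun 2007 06:00:00 +0000
From: victim2@example.org
To: victim1@example.net
Subject: hello

body
--b1--
"""

def original_message(bounce_text):
    """Return the returned message (or its headers) embedded in a bounce."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":    # headers-only variant
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def received_hops(bounce_text):
    inner = original_message(bounce_text)
    return [] if inner is None else [str(h) for h in inner.get_all("Received", [])]

def passed_through(bounce_text, my_names):
    """True if any Received line of the original names one of our hosts or IPs."""
    hops = " ".join(received_hops(bounce_text)).lower()
    return any(name.lower() in hops for name in my_names)
```

A False result for your own host names and addresses means the original never crossed your server and only your address was used as the sender.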
* Re: [gentoo-user] Open Relay - What Happened?
From: Randy Barlow @ 2007-06-29 12:13 UTC
To: gentoo-user
Kent Fredric wrote:
> Just be aware bounce-mails are not necessarily an indication of a
> compromised box. Lately some spammers have learned they can double
> their audience and halve their own send rate by putting victim1 as the
> "to" address, and victim2 as the "from" field, so that way when
> servers send a 'sorry, can't deliver this message' it basically acts
> as an open-relay-on-bounce (if there's any doubt, check the headers of
> the bounced message, sometimes you'll find your server never touched
> it)
Right, but the headers in my instance definitely confirmed that I had
been blocked by my ISP. Also, e-mails that I had personally sent to
people I know were getting bounced. But thanks for the tip!
--
Randy Barlow
http://electronsweatshop.com