HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

lspdev 11th February 2012 21:37

After following ISPconfig ubuntu guide - server is an open relay
 
Hi

I do not know what you need, but after following this guide:
http://www.howtoforge.com/perfect-se...10-ispconfig-3

Which was done months ago, and has been working fine.
Today I decided to experiment with the idea of certificates from another guide on howtoforge...
I ran some tests and have found that since day one my server is open for abuse.

Basically I can log into the server using any mail client, any email address and no authentication and am able to send email on port 25 to any domain....!!!

This is not good...

Please could someone help guide me to resolve this... from what I can see - It looks like it should not allow this, but it is...

thanks

lspdev 12th February 2012 09:49

My postfix config
 
Anyone?

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server.christiancoalition.co.za
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = server.myserver.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
smtpd_client_message_rate_limit = 100
owner_request_special = no
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtp_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
smtpd_delay_reject = no
disable_vrfy_command = yes

Even with all these settings / changes... I still can easily connect to my server with any mail client, as any email address, without any authentication or security and it sends fine.... why???

falko 12th February 2012 13:15

http://www.howtoforge.com/forums/sho...30&postcount=4

lspdev 12th February 2012 14:33

that is just the thing, my setup is not that.

mynetworks = 127.0.0.0/8
and
I am sending from my laptop on a separate ADSL line and emailing via kmail using the server address port 25 no authentication and am able to send an email to hotmail and gmail no problems without any authentication???

Thanks

lspdev 12th February 2012 15:40

Sorry, due to the nature and urgency of this matter, I have had to resort to making a new installation and trying again.
This time around I will be following the guide of yours:
http://www.howtoforge.com/virtual-us...tos-6.2-x86_64

Then once this is complete and tested, will install the web element of the server.
Luckily I am using a Virtual server and am able to switch off the current one, build another pretty quickly...

The client needs this server up quickly so I am going to try your guide above...

I would like to know, however, why after following the Ubuntu guide, having set it up directly as you said, that I am able to relay via my server from a random client, on a random ip address to ANY external email provider without any form of authentication on port 25 without glitch?

And anything you can think of could make the Centos guide work better?

Thanks

lspdev 12th February 2012 16:26

Make that this guide: http://www.howtoforge.com/virtual-us...l-ubuntu-11.10

The Centos one is not headless and I have noticed that there are some utils missing from the shell and I know ubuntu better....

till 13th February 2012 10:14

Quote:

I would like to know, however, why after following the Ubuntu guide, having set it up directly as you said, that I am able to relay via my server from a random client, on a random ip address to ANY external email provider without any form of authentication on port 25 without glitch?

The Ubuntu guide does not result in an open relay normally. So there was either a misunderstanding while you tested the server (e.g. you tested to send an email to a domain which was configured as local on the system instead of using a test like this one:

http://www.abuse.net/relay.html

Or the server was an open relay before.

To give you a more detailed answer, post the content of the /etc/postfix/main.cf file and the result of the relay test that I posted above.

Regarding Centos, I won't use that on a production system. Better use Ubuntu or Debian.

lspdev 13th February 2012 12:53

Quote:

Originally Posted by till (Post 273458)
The Ubuntu guide does not result in an open relay normally. So there was either a misunderstanding while you tested the server (e.g. you tested to send an email to a domain which was configured as local on the system instead of using a test like this one:

http://www.abuse.net/relay.html

Or the server was an open relay before.

To give you a more detailed answer, post the content of the /etc/postfix/main.cf file and the result of the relay test that I posted above.

Regarding Centos, I won't use that on a production system. Better use Ubuntu or Debian.

I have restored from backup to try and fix this problem - Here is the postfix main.cf file as requested. I feel it will be better to try and fix this server, as it will allow me to understand why it is doing this... and how I can resolve it... I have substituted my real server name with "servername" to protect it for now... PLEASE help...

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server.myserver.co.za
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server.myserver.co.za localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0

I can assure you - This was all set up generic and have not added my laptop or ADSL line or even email addresses to a safe list / allow list....

But I can send via this server without ANY authentication to ANY email address.....

What is my next move?
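
The rule order in the main.cf above, walked through as an added example (not code from the thread or from Postfix): a simplified model of how smtpd_recipient_restrictions is evaluated for a single RCPT TO, showing why unauthenticated mail to a hosted domain is accepted while mail to an outside domain is refused. The hosted domain example.org, the client address 203.0.113.7, and the assumption that the MySQL lookups (check_recipient_access, relay_domains) return no match are constructed for illustration.

```python
import ipaddress

# Three parameters copied from the main.cf posted above.
MAIN_CF = """\
mydestination = server.myserver.co.za localhost, localhost.localdomain
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
"""
# Assumption: stand-in for the MySQL virtual_mailbox_domains lookup (constructed).
HOSTED_DOMAINS = {"example.org"}

def parse(text):
    """Return {parameter: value} for 'name = value' lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf

def words(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()

def decide(conf, client_ip, authenticated, rcpt_domain):
    """Walk smtpd_recipient_restrictions in order; the first decisive rule wins."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n.replace("[", "").replace("]", ""))
            for n in words(conf["mynetworks"])]
    local = set(words(conf["mydestination"])) | HOSTED_DOMAINS
    rules = iter(words(conf["smtpd_recipient_restrictions"]))
    for rule in rules:
        if rule == "permit_mynetworks" and any(ip in n for n in nets):
            return "permit:" + rule
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit:" + rule
        if rule == "check_recipient_access":
            next(rules)  # skip the map name; the lookup is assumed to find nothing
        if rule == "reject_unauth_destination" and rcpt_domain not in local:
            return "reject:" + rule  # Postfix answers "554 Relay access denied"
    return "permit:end-of-list"  # recipient is local, so this is delivery, not relay

if __name__ == "__main__":
    conf = parse(MAIN_CF)
    for case in [("203.0.113.7", False, "gmail.com"),    # stranger, external rcpt
                 ("203.0.113.7", False, "example.org"),  # stranger, hosted rcpt
                 ("203.0.113.7", True, "gmail.com"),     # authenticated user
                 ("127.0.0.1", False, "gmail.com")]:     # local process
        print(case, "->", decide(conf, *case))
```

A relay test is only meaningful for the first case: an unauthenticated client outside mynetworks sending to a domain the server does not host.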

falko 13th February 2012 13:12

Did you test if your server is an open relay? http://www.spamhelp.org/shopenrelay/

lspdev 13th February 2012 14:20

Something strange is happening:

Firstly no - the relay test fails to connect....

The second thing - Since the reboot - I can no longer connect insecurely to the mail server.

Now - I can pop3 ok - but I keep getting a time out on the SMTP side...

It refuses to send email if my authentication is disabled (unable to relay / relay denied)
But now I set security to STARTTLS / Normal Password and it just sits and sits and eventually times out??

I am trying to find out why I am going from one extreme to the next..

