HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials - Security Issue in Mailserver after ISPConfig installation

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)

- Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=16)

- - Security Issue in Mailserver after ISPConfig installation (http://www.howtoforge.com/forums/showthread.php?t=7714)

Security Issue in Mailserver after ISPConfig installation

Hello folks,
i was going along lucky with ISPConfig for half a year but today in the morning I've received an email from our university network administrator. It states that the server I've set up after "The Perfect Setup of ISPConfig for Suse 9.3" has an open mail relay; and whether I could arrange for it to be closed please :eek:
I am a bit confused now as I thought the installation routine was quite worked out. Is it because we can send emails at the moment without requested authentication? Any help would be appreciated.

Thanks!!!

The howto configures your server not as open relay. Please post your main.cf file.

Here is /etc/postfix/main.cf

Code:



queue_directory = /var/spool/postfix

command_directory = /usr/sbin

daemon_directory = /usr/lib/postfix

mail_owner = postfix

unknown_local_recipient_reject_code = 550

debug_peer_level = 2

debugger_command =

         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

         xxgdb $daemon_directory/$process_name $process_id & sleep 5



sendmail_path = /usr/sbin/sendmail

newaliases_path = /usr/bin/newaliases

mailq_path = /usr/bin/mailq

setgid_group = maildrop

html_directory = /usr/share/doc/packages/postfix/html

manpage_directory = /usr/share/man

sample_directory = /usr/share/doc/packages/postfix/samples

readme_directory = /usr/share/doc/packages/postfix/README_FILES

inet_protocols = all

biff = no

mail_spool_directory = /var/mail

canonical_maps = hash:/etc/postfix/canonical

#virtual_maps = hash:/etc/postfix/virtual

relocated_maps = hash:/etc/postfix/relocated

transport_maps = hash:/etc/postfix/transport

sender_canonical_maps = hash:/etc/postfix/sender_canonical

masquerade_exceptions = root

masquerade_classes = envelope_sender, header_sender, header_recipient

myhostname = alpheratz.$mydomain

program_directory = /usr/lib/postfix

inet_interfaces = all

masquerade_domains = 

#mydestination = $myhostname, localhost.$mydomain

defer_transports = 

disable_dns_lookups = no

relayhost = xxx name of our university server here xxx

mailbox_command = 

mailbox_transport = 

smtpd_sender_restrictions = hash:/etc/postfix/access

smtpd_client_restrictions = 

smtpd_helo_required = no

smtpd_helo_restrictions = 

strict_rfc821_envelopes = no

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains

smtp_sasl_auth_enable = no

smtpd_sasl_auth_enable = yes

smtpd_use_tls = yes

smtp_use_tls = yes

alias_maps = hash:/etc/aliases

mailbox_size_limit = 0

message_size_limit = 10240000

mydomain = xxx domain name of our university department xxx

smtpd_sasl_local_domain = 

smtpd_sasl_security_options = noanonymous

broken_sasl_auth_clients = yes

smtpd_tls_auth_only = no

smtp_tls_note_starttls_offer = yes

smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key

smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt

smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom

#home_mailbox = Maildir/



#virtual_maps = hash:/etc/postfix/virtusertable



#mydestination = /etc/postfix/local-host-names

Hope it does help you till.
Thanks in beforehand for all the efforts!

What's the output of

Code:

postconf -d|grep mynetworks

and

Code:

postconf -n|grep mynetworks

Sorry for a late reply falko but our offices were closed during the weekend due to some technical problems. Here are outputs you wanted to see
postconf -d|grep mynetworks

Code:

mynetworks = 127.0.0.0/8 149.170.0.0/16

mynetworks_style = subnet

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks

smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

and
postconf -n|grep mynetworks

Code:

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains

Thanks again for all the hard work!

Please change mynetworks from:

mynetworks = 127.0.0.0/8 149.170.0.0/16

to:

mynetworks = 127.0.0.0/8

Do you have any relay domains defined?

Hi till,
cheers for the fast reply! I did change the "mynetworks" settings like you've said.
I didn't do anything different from the description given in the HOWTO "The Perfect Setup of ISPConfig for Suse 9.3". Hope this gives you the answer you wanted.
Is the problem with the open rely issue solved by applying the corrections you've suggested?

Many thanks!

The 149.170.0.0/16 told your network/postfix that anyone with an IP from149.170.0.1 to 149.170.255.254 was a local user and okay to use your mailserver. (about 64770 IP's)

Quote:

NetAddr 149.170.0.0/16
First Host 149.170.0.1
Last Host 149.170.255.254

Quote:

I didn't do anything different from the description given in the HOWTO "The Perfect Setup of ISPConfig for Suse 9.3". Hope this gives you the answer you wanted.
Is the problem with the open rely issue solved by applying the corrections you've suggested?

Many thanks!

Not sure about the Suse setup, but it should not be there!

Maybe do a rootkit scan, to see if you are okay?
More info @ www.rootkit.nl/