  #1  
Old 26th October 2006, 18:46
bogdinator
Security Issue in Mailserver after ISPConfig installation

Hello folks,
I was going along lucky with ISPConfig for half a year, but this morning I received an email from our university network administrator. It states that the server I've set up after "The Perfect Setup of ISPConfig for Suse 9.3" has an open mail relay, and asks whether I could arrange for it to be closed.
I am a bit confused now, as I thought the installation routine was quite worked out. Is it because we can send emails at the moment without requested authentication? Any help would be appreciated.

Thanks!!!
  #2  
Old 26th October 2006, 19:08
till

The howto does not configure your server as an open relay. Please post your main.cf file.
__________________
Till Brehm
  #3  
Old 26th October 2006, 20:19
bogdinator

Here is /etc/postfix/main.cf
Code:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
#virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = alpheratz.$mydomain
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains = 
#mydestination = $myhostname, localhost.$mydomain
defer_transports = 
disable_dns_lookups = no
relayhost = xxx name of our university server here xxx
mailbox_command = 
mailbox_transport = 
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions = 
smtpd_helo_required = no
smtpd_helo_restrictions = 
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtp_use_tls = yes
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
mydomain = xxx domain name of our university department xxx
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
#home_mailbox = Maildir/

#virtual_maps = hash:/etc/postfix/virtusertable

#mydestination = /etc/postfix/local-host-names
Hope it helps you, till.
Thanks in advance for all the efforts!
  #4  
Old 27th October 2006, 16:13
falko

What's the output of
Code:
postconf -d|grep mynetworks
and
Code:
postconf -n|grep mynetworks
?
__________________
Falko
  #5  
Old 30th October 2006, 12:27
bogdinator

Sorry for the late reply, falko, but our offices were closed during the weekend due to some technical problems. Here are the outputs you wanted to see:
postconf -d|grep mynetworks
Code:
mynetworks = 127.0.0.0/8 149.170.0.0/16
mynetworks_style = subnet
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
and
postconf -n|grep mynetworks
Code:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,check_relay_domains
Thanks again for all the hard work!
  #6  
Old 31st October 2006, 10:45
till

Please change mynetworks from:

mynetworks = 127.0.0.0/8 149.170.0.0/16

to:

mynetworks = 127.0.0.0/8

Do you have any relay domains defined?
__________________
Till Brehm
  #7  
Old 31st October 2006, 12:37
bogdinator

Hi till,
cheers for the fast reply! I did change the "mynetworks" settings like you've said.
I didn't do anything different from the description given in the HOWTO "The Perfect Setup of ISPConfig for Suse 9.3". Hope this gives you the answer you wanted.
Is the problem with the open relay issue solved by applying the corrections you've suggested?

Many thanks!
  #8  
Old 31st October 2006, 12:48
edge

The 149.170.0.0/16 told your network/postfix that anyone with an IP from 149.170.0.1 to 149.170.255.254 was a local user and okay to use your mailserver. (about 64770 IPs)

Quote:
NetAddr 149.170.0.0/16
First Host 149.170.0.1
Last Host 149.170.255.254

Last edited by edge; 31st October 2006 at 13:03.
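
As an added illustration of the point above (not part of any forum post, and not ISPConfig or Postfix code), this Python model walks the posted smtpd_recipient_restrictions list for a client under the old and the new mynetworks value. The client addresses, the `dept.example` relay domain and the simplified handling of check_relay_domains are assumptions.

```python
import ipaddress

# Constructed from values quoted in this thread.
RESTRICTIONS = "permit_sasl_authenticated,permit_mynetworks,check_relay_domains"
BEFORE = "127.0.0.0/8 149.170.0.0/16"  # effective default reported by postconf -d
AFTER = "127.0.0.0/8"                  # value suggested in the thread
RELAY_DOMAINS = {"dept.example"}       # hypothetical: domains this server accepts mail for


def parse_mynetworks(value):
    """Parse plain CIDR entries; table lookups and '!' exclusions are not modelled."""
    tokens = value.replace(",", " ").replace("[", "").replace("]", "").split()
    return [ipaddress.ip_network(tok, strict=False) for tok in tokens]


def trusted_exposure(value):
    """Map each non-loopback trusted network to the number of addresses it covers."""
    return {str(n): n.num_addresses
            for n in parse_mynetworks(value) if not n.is_loopback}


def relay_decision(client_ip, authenticated, rcpt_domain, mynetworks):
    """Walk the restriction list in order; the first matching rule decides."""
    ip = ipaddress.ip_address(client_ip)
    nets = parse_mynetworks(mynetworks)
    for rule in RESTRICTIONS.split(","):
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit (sasl)"
        if rule == "permit_mynetworks" and any(
                ip.version == n.version and ip in n for n in nets):
            return "permit (mynetworks)"
        if rule == "check_relay_domains":
            # Simplified: only the recipient domain is checked, not the client hostname.
            return "permit (relay domain)" if rcpt_domain in RELAY_DOMAINS else "reject"
    return "no decision"


if __name__ == "__main__":
    for label, nets in (("before", BEFORE), ("after", AFTER)):
        print(label, trusted_exposure(nets))
        # Constructed clients: loopback, a host inside the /16, an outside host.
        for ip in ("127.0.0.1", "149.170.12.34", "203.0.113.9"):
            print("  ", ip, relay_decision(ip, False, "elsewhere.example", nets))
```

With the old value, an unauthenticated host anywhere in the /16 is permitted before check_relay_domains is ever reached; with the new value only loopback and SASL-authenticated clients skip that check.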
  #9  
Old 31st October 2006, 13:00
edge

Quote:
I didn't do anything different from the description given in the HOWTO "The Perfect Setup of ISPConfig for Suse 9.3". Hope this gives you the answer you wanted.
Is the problem with the open relay issue solved by applying the corrections you've suggested?

Many thanks!
Not sure about the Suse setup, but it should not be there!

Maybe do a rootkit scan, to see if you are okay?
More info @ www.rootkit.nl/