#1
11th February 2012, 20:37
lspdev
After following ISPconfig ubuntu guide - server is an open relay

Hi

I do not know what you need, but after following this guide:
http://www.howtoforge.com/perfect-se...10-ispconfig-3

Which was done months ago, and has been working fine.
Today I decided to experiment with the idea of certificates from another guide on howtoforge...
I ran some tests and have found that since day one my server is open for abuse.

Basically I can log into the server using any mail client, any email address and no authentication and am able to send email on port 25 to any domain....!!!

This is not good...

Please could someone help guide me to resolve this... from what I can see - It looks like it should not allow this, but it is...

thanks

#2
12th February 2012, 08:49
lspdev
My postfix config

Anyone?

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server.christiancoalition.co.za
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = server.myserver.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0
smtpd_client_message_rate_limit = 100
owner_request_special = no
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtp_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
smtpd_delay_reject = no
disable_vrfy_command = yes

Even with all these settings / changes... I still can easily connect to my server with any mail client, as any email address, without any authentication or security and it sends fine.... why???

#3
12th February 2012, 12:15
falko

http://www.howtoforge.com/forums/sho...30&postcount=4

#4
12th February 2012, 13:33
lspdev

That is just the thing, my setup is not that.

mynetworks = 127.0.0.0/8
and
I am sending from my laptop on a separate ADSL line and emailing via kmail using the server address port 25 no authentication and am able to send an email to hotmail and gmail no problems without any authentication???

Thanks

#5
12th February 2012, 14:40
lspdev

Sorry, due to the nature and urgency of this matter, I have had to resort to making a new installation and trying again.
This time around I will be following the guide of yours:
http://www.howtoforge.com/virtual-us...tos-6.2-x86_64

Then once this is complete and tested, will install the web element of the server.
Luckily I am using a Virtual server and am able to switch off the current one, build another pretty quickly...

The client needs this server up quickly so I am going to try your guide above...

I would like to know, however, why after following the Ubuntu guide, having set it up directly as you said, that I am able to relay via my server from a random client, on a random ip address to ANY external email provider without any form of authentication on port 25 without glitch?

And anything you can think of could make the CentOS guide work better?

Thanks

#6
12th February 2012, 15:26
lspdev

Make that this guide: http://www.howtoforge.com/virtual-us...l-ubuntu-11.10

The CentOS one is not headless and I have noticed that there are some utils missing from the shell and I know Ubuntu better....

#7
13th February 2012, 09:14
till

Quote:
I would like to know, however, why after following the Ubuntu guide, having set it up directly as you said, that I am able to relay via my server from a random client, on a random ip address to ANY external email provider without any form of authentication on port 25 without glitch?

The Ubuntu guide does not result in an open relay normally. So there was either a misunderstanding while you tested the server (e.g. you tested sending an email to a domain which was configured as local on the system instead of using a test like this one: http://www.abuse.net/relay.html ), or the server was an open relay before.

To give you a more detailed answer, post the content of the /etc/postfix/main.cf file and the result of the relay test that I posted above.

Regarding CentOS, I won't use that on a production system. Better use Ubuntu or Debian.

#8
13th February 2012, 11:53
lspdev

Quote:
Originally Posted by till
The Ubuntu guide does not result in an open relay normally. So there was either a misunderstanding while you tested the server (e.g. you tested sending an email to a domain which was configured as local on the system instead of using a test like this one: http://www.abuse.net/relay.html ), or the server was an open relay before.

To give you a more detailed answer, post the content of the /etc/postfix/main.cf file and the result of the relay test that I posted above.

Regarding CentOS, I won't use that on a production system. Better use Ubuntu or Debian.

I have restored from backup to try and fix this problem - Here is the postfix main.cf file as requested. I feel it will be better to try and fix this server, as it will allow me to understand why it is doing this... and how I can resolve it... I have substituted my real server name with "servername" to protect it for now... PLEASE help...

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server.myserver.co.za
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server.myserver.co.za localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_tls_security_level = may
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
message_size_limit = 0

I can assure you - This was all set up generic and have not added my laptop or ADSL line or even email addresses to a safe list / allow list....

But I can send via this server without ANY authentication to ANY email address.....

What is my next move?
Reply With Quote
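
An added example, not part of any post in this thread: a static check of a main.cf like the one posted above, listing every rule in smtpd_recipient_restrictions that can accept mail before reject_unauth_destination is evaluated. It reads only smtpd_recipient_restrictions and mynetworks, as in the posted file (Postfix 2.10 and later also consult smtpd_relay_restrictions); the function names and the sample string are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the relay-relevant lines of the main.cf posted above.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
"""

def tokens(value):
    return [t for t in re.split(r"[,\s]+", value) if t]

def parse_main_cf(text):
    """Return {parameter: value}; an indented line continues the previous parameter."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def non_loopback(net):
    """True unless the mynetworks entry is a literal loopback range."""
    try:
        net = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        return not net.is_loopback
    except ValueError:  # table or file reference: cannot be judged offline
        return True

def relay_findings(text):
    """List rules that can accept mail before the relay check is reached."""
    params = parse_main_cf(text)
    rules = tokens(params.get("smtpd_recipient_restrictions", ""))
    findings = []
    for i, rule in enumerate(rules):
        if rule in ("reject_unauth_destination", "reject"):
            return findings  # relay attempts stop here
        if rule == "permit":
            findings.append("unconditional permit before reject_unauth_destination")
        elif rule == "permit_mynetworks":
            nets = tokens(params.get("mynetworks", ""))
            findings += [f"permit_mynetworks trusts {n}" for n in nets if non_loopback(n)]
        elif rule.startswith("check_") and rule.endswith("_access"):
            findings.append(" ".join(rules[i:i + 2]) + ": an OK result skips the relay check")
    findings.append("no reject_unauth_destination in smtpd_recipient_restrictions")
    return findings
```

On a live server the same function can be fed the output of `postconf -n`, which prints the non-default settings in the same `name = value` form.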

#9
13th February 2012, 12:12
falko

Did you test if your server is an open relay? http://www.spamhelp.org/shopenrelay/

#10
13th February 2012, 13:20
lspdev

Something strange is happening:

Firstly no - the relay test fails to connect....

The second thing - Since the reboot - I can no longer connect insecurely to the mail server.

Now - I can pop3 ok - but I keep getting a time out on the SMTP side...

It refuses to send email if my authentication is disabled (unable to relay / relay denied)
But now I set security to STARTTLS / Normal Password and it just sits and sits and eventually times out??

I am trying to find out why I am going from one extreme to the next..