After following ISPconfig ubuntu guide - server is an open relay

Discussion in 'Installation/Configuration' started by lspdev, Feb 11, 2012.

  1. lspdev

    lspdev New Member

    Hi

    I do not know what you need, but after following this guide:
    http://www.howtoforge.com/perfect-server-ubuntu-11.10-ispconfig-3

    Which was done months ago, and has been working fine.
    Today I decided to experiment with the idea of certificates from another guide on howtoforge...
    I ran some tests and have found that since day one my server is open for abuse.

    Basically I can log into the server using any mail client, any email address and no authentication and am able to send email on port 25 to any domain....!!!

    This is not good...

    Please could someone help guide me to resolve this... from what I can see - It looks like it should not allow this, but it is...

    thanks
     
  2. lspdev

    lspdev New Member

    My postfix config

    Anyone?

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = /usr/share/doc/postfix

    # TLS parameters
    smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/private/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = server.christiancoalition.co.za
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    myorigin = /etc/mailname
    mydestination = server.myserver.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf, hash:/var/lib/mailman/data/virtual-mailman
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0
    smtpd_client_message_rate_limit = 100
    owner_request_special = no
    smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
    smtp_tls_security_level = may
    smtpd_tls_auth_only = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname
    smtpd_delay_reject = no
    disable_vrfy_command = yes

    Even with all these settings / changes... I still can easily connect to my server with any mail client, as any email address, without any authentication or security and it sends fine.... why???
     
  3. falko

    falko Super Moderator

  4. lspdev

    lspdev New Member

    that is just the thing, my setup is not that.

    mynetworks = 127.0.0.0/8
    and
    I am sending from my laptop on a separate ADSL line and emailing via kmail using the server address port 25 no authentication and am able to send an email to hotmail and gmail no problems without any authentication???

    Thanks
     
  5. lspdev

    lspdev New Member

    Sorry, due to the nature and urgency of this matter, I have had to resort to making a new installation and trying again.
    This time around I will be following the guide of yours:
    http://www.howtoforge.com/virtual-u...rier-mysql-and-squirrelmail-centos-6.2-x86_64

    Then once this is complete and tested, will install the web element of the server.
    Luckily I am using a Virtual server and am able to switch off the current one, build another pretty quickly...

    The client needs this server up quickly so I am going to try your guide above...

    I would like to know, however, why after following the Ubuntu guide, having set it up directly as you said, that I am able to relay via my server from a random client, on a random ip address to ANY external email provider without any form of authentication on port 25 without glitch?

    And anything you can think of could make the Centos guide work better?

    Thanks
     
  6. lspdev

    lspdev New Member

  7. till

    till Super Moderator

    The Ubuntu guide does not result in an open relay normally. So there was either a misunderstanding while you tested the server (e.g. you tested to send an email to a domain which was configured as local on the system instead of using a test like this one):

    http://www.abuse.net/relay.html

    Or the server was an open relay before.

    To give you a more detailed answer, post the content of the /etc/postfix/main.cf file and the result of the relay test that I posted above.

    Regarding Centos, I won't use that on a production system. Better use Ubuntu or Debian.
     
  8. lspdev

    lspdev New Member

    I have restored from backup to try and fix this problem - Here is the postfix main.cf file as requested. I feel it will be better to try and fix this server, as it will allow me to understand why it is doing this... and how I can resolve it... I have substituted my real server name with "servername" to protect it for now... PLEASE help...

    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = /usr/share/doc/postfix

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = server.myserver.co.za
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = server.myserver.co.za localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8 [::1]/128
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
    smtpd_tls_security_level = may
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = maildrop
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    message_size_limit = 0

    I can assure you - This was all set up generic and have not added my laptop or ADSL line or even email addresses to a safe list / allow list....

    But I can send via this server without ANY authentication to ANY email address.....

    What is my next move?
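
Added example, not part of the original thread and not Postfix or ISPConfig code: a simplified Python model of how Postfix walks the `smtpd_recipient_restrictions` line from the main.cf posted above, showing why unauthenticated mail to a domain the server hosts is accepted while mail to an outside domain is refused. Assumptions: `hosted_domains` is a constructed stand-in for the MySQL-backed `virtual_mailbox_domains` and `relay_domains` tables, `check_recipient_access` is treated as returning no match, and the client address and domains used with it are constructed.

```python
import ipaddress
import re

# Constructed excerpt: only the relay-relevant lines of the main.cf posted above.
MAIN_CF = """\
mydestination = server.myserver.co.za localhost, localhost.localdomain
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {parameter: value}, skipping comments and joining continuation lines."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:  # continuation of the previous parameter
            params[last] += " " + line.strip()
        elif "=" in line:
            last, value = (part.strip() for part in line.split("=", 1))
            params[last] = value
    return params

def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def in_mynetworks(client_ip, mynetworks):
    addr = ipaddress.ip_address(client_ip)
    nets = (ipaddress.ip_network(n.replace("[", "").replace("]", ""), strict=False)
            for n in split_list(mynetworks))
    return any(addr.version == net.version and addr in net for net in nets)

def rcpt_decision(params, client_ip, authenticated, rcpt_domain, hosted_domains):
    """Evaluate the restrictions in order; the first PERMIT or REJECT wins."""
    local = set(split_list(params.get("mydestination", ""))) | set(hosted_domains)
    for name in split_list(params["smtpd_recipient_restrictions"]):
        if name == "permit_mynetworks" and in_mynetworks(client_ip, params["mynetworks"]):
            return "PERMIT (permit_mynetworks)"
        if name == "permit_sasl_authenticated" and authenticated:
            return "PERMIT (permit_sasl_authenticated)"
        if name == "reject_unauth_destination" and rcpt_domain.lower() not in local:
            return "REJECT (relay access denied)"
        # check_recipient_access and its table argument fall through as "no match".
    return "PERMIT (end of list)"
```

Only the REJECT case is what an open-relay test probes: an outside client, no authentication, and a recipient domain the server does not host.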
     
  9. falko

    falko Super Moderator

  10. lspdev

    lspdev New Member

    Something strange is happening:

    Firstly no - the relay test fails to connect....

    The second thing - Since the reboot - I can no longer connect insecurely to the mail server.

    Now - I can pop3 ok - but I keep getting a time out on the SMTP side...

    It refuses to send email if my authentication is disabled (unable to relay / relay denied)
    But now I set security to STARTTLS / Normal Password and it just sits and sits and eventually times out??

    I am trying to find out why I am going from one extreme to the next..
     
  11. till

    till Super Moderator

    See mail.log for error messages. You might want to check if smtps and submission is activated in postfix master.cf file.
     
  12. lspdev

    lspdev New Member

    I have run tail /var/log/mail.err

    Here is what it is saying:
    Feb 11 14:11:10 server postfix/error[19874]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
    Feb 11 14:11:10 server postfix/error[19875]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
    Feb 11 14:11:11 server postfix/qmgr[19866]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
    Feb 11 14:16:08 server amavis[19872]: (19872-01) (!!)TROUBLE in process_request: connect_to_sql: unable to connect to any dataset at (eval 105) line 241, <GEN33> line 4.
    Feb 11 14:16:08 server amavis[19876]: (19876-01) (!!)TROUBLE in process_request: connect_to_sql: unable to connect to any dataset at (eval 105) line 241, <GEN33> line 4.
    Feb 11 14:16:10 server postfix/smtp[19942]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
    Feb 11 14:16:10 server postfix/smtp[19943]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
    Feb 11 14:16:13 server postfix/error[19948]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
    Feb 11 14:16:13 server postfix/error[19949]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem
    Feb 11 14:16:14 server postfix/qmgr[19941]: fatal: mysql:/etc/postfix/mysql-virtual_relaydomains.cf(0,lock|fold_fix): table lookup problem


    What is now going on?
     
  13. lspdev

    lspdev New Member

    and mail.log

    Feb 13 14:21:21 server postfix/qmgr[1591]: 71E29E2C71: removed
    Feb 13 14:22:04 server postfix/smtpd[13181]: connect from 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]
    Feb 13 14:22:10 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL PLAIN authentication failed: no mechanism available
    Feb 13 14:22:11 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL LOGIN authentication failed: no mechanism available
    Feb 13 14:22:16 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL PLAIN authentication failed: no mechanism available
    Feb 13 14:22:17 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL LOGIN authentication failed: no mechanism available
    Feb 13 14:22:18 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL PLAIN authentication failed: no mechanism available
    Feb 13 14:22:19 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL LOGIN authentication failed: no mechanism available
    Feb 13 14:22:19 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL PLAIN authentication failed: no mechanism available
    Feb 13 14:22:20 server postfix/smtpd[13181]: warning: 196-210-252-237.dynamic.isadsl.co.za[196.210.252.237]: SASL LOGIN authentication failed: no mechanism available
     
  14. lspdev

    lspdev New Member

  15. lspdev

    lspdev New Member

    Cool - the above link fixed the security issue, I can now send email using authentication without hassle....

    What about those error logs? Is that related to the same problem?

    Thank you
     
  16. till

    till Super Moderator

    Seems as if mysql was stopped for a short period of time. So if you can send and receive now, then it should be ok.
     
  17. lspdev

    lspdev New Member

    Thank you everyone, Till, falko, everyone for your help!
    It is working fine now....
    I have taken a full snapshot of the server in its working state, to fall back on if need be.

    I am now going to attempt falko's guide below:
    http://www.howtoforge.com/securing-...h-a-free-class1-ssl-certificate-from-startssl

    To set up a SSL class 1 ssl certificate to the system.

    Thanks again...Lets hope I have no problems with that.
    :D
     
  18. lspdev

    lspdev New Member

    It is strange, nothing since this was all working has been done on the server, yet, now when I connect - thunderbird comes back immediately with "An Error Occured - Unable to establish a secure link with the SMTP server ..... using STARTTLS since it doesnt advertise that feature...switch off STARTTLS for that server.."

    Why would this happen?

    Thank you
     
  19. lspdev

    lspdev New Member

    The /var/log/syslog

    Feb 19 13:00:02 server pop3d: Connection, ip=[::ffff:127.0.0.1]
    Feb 19 13:00:02 server pop3d: Disconnected, ip=[::ffff:127.0.0.1]
    Feb 19 13:00:02 server imapd: Connection, ip=[::ffff:127.0.0.1]
    Feb 19 13:00:02 server imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0
    Feb 19 13:00:03 server postfix/smtpd[6533]: connect from localhost.localdomain[127.0.0.1]
    Feb 19 13:00:03 server postfix/smtpd[6533]: lost connection after CONNECT from localhost.localdomain[127.0.0.1]
    Feb 19 13:00:03 server postfix/smtpd[6533]: disconnect from localhost.localdomain[127.0.0.1]
     
  20. lspdev

    lspdev New Member

    I am highly confused as to what is the cause:

    When I set smtp auth to none instead of STARTTLS and then also - NO username and password - the mail sends fine!

    Yet, open relay test fails?


    I am very confused and am at your mercy as to why this is doing its own thing....
     
