Linode Forum
https://forum.linode.com/

(Slightly) open relay
https://forum.linode.com/viewtopic.php?f=11&t=2149		 Page 1 of 1
Author:  stocksy [ Sun Mar 12, 2006 4:57 am ]
Post subject:  (Slightly) open relay
I've been trying to set postfix up to act as a backup mail server. I tested it using the tools at ordb.org, and it reported that it does not appear to be an open relay. When I checked the logs, however, I found a couple of lines like this:
Code:
Feb 28 18:33:38 mail2 postfix/smtp[21592]: 03FA457EED: to=<xxx@yyy.gov.tw>, relay=smssmtp93.yyy.gov.tw[xxx.29.159.xx], delay=15, status=sent (250 M2006030102441004449 Message accepted for delivery)
Mar  1 13:05:21 mail2 postfix/smtp[2707]: 2B26557EE4: to=<xxx@yyy.com>, relay=mail.yyy.com[xxx.114.216.xxx], delay=147106, status=sent (250 2.0.0 k21D5aMO014409 Message accepted for delivery)


When I saw this, I shut down postfix right away, but I can't see how this is happening. Here's my config:

main.cf:
Code:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
inet_interfaces = all
relay_domains = hash:/etc/postfix/relays
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions = check_relay_domains


relays:
Code:
my.domain.tld OK


transport:
Code:
my.domain.tld smtp:mail.my.domain.tld


Can anyone see the problem?
Author:  SirPallas [ Tue Mar 14, 2006 7:34 pm ]
Post subject:  Check to see who it's from.
I don't use Postfix, but you might check to see where the messages say they're from. It might be accepting and forwarding mail that looks like it's from a user@my.domain.tld and is to other@somedomain.org
Author:  ptomblin [ Wed Mar 15, 2006 3:07 pm ]
Post subject:  Re: (Slightly) open relay
stocksy wrote:
I've been trying to set postfix up to act as a backup mail server. I tested it using the tools at ordb.org, and it reported that it does not appear to be an open relay. When I checked the logs, however, I found a couple of lines like this:
Code:
Feb 28 18:33:38 mail2 postfix/smtp[21592]: 03FA457EED: to=<xxx@yyy.gov.tw>, relay=smssmtp93.yyy.gov.tw[xxx.29.159.xx], delay=15, status=sent (250 M2006030102441004449 Message accepted for delivery)
Mar  1 13:05:21 mail2 postfix/smtp[2707]: 2B26557EE4: to=<xxx@yyy.com>, relay=mail.yyy.com[xxx.114.216.xxx], delay=147106, status=sent (250 2.0.0 k21D5aMO014409 Message accepted for delivery)



Those are two different outgoing messages. How about posting the full transaction, incoming and outgoing?

I'm not a postfix expert, but it looks like you're accepting email from anybody who claims to be from your my.domain.tld with no verification that they're coming from a trusted host. I have
Code:
mynetworks = 192.168.0.0/16,127.0.0.0/8
smtpd_recipient_restrictions =
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_unauth_pipelining,
      permit_mynetworks,
      reject_unauth_destination,
      reject_rbl_client sbl-xbl.spamhaus.org,
      reject_rbl_client relays.ordb.org,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client korea.services.net,
      permit
Author:  stocksy [ Wed Mar 15, 2006 5:43 pm ]
Post subject:  Bingo!
Thanks for your replies. ptomblin, you were right in saying that I needed to examine the whole transaction.
Code:
Mar 10 06:45:09 mail2 postfix/smtpd[27979]: connect from unknown[xxx.xxx.202.132]
Mar 10 06:45:10 mail2 postfix/smtpd[27979]: warning: support for restriction "check_relay_domains" will be removed from Postfix; use "reject_unauth_destination" instead
Mar 10 06:45:10 mail2 postfix/smtpd[27979]: warning: restriction `reject_unauth_destination' after `check_relay_domains' is ignored
Mar 10 06:45:10 mail2 postfix/smtpd[27979]: E3BF157EA1: client=unknown[xxx.xxx.202.132]
Mar 10 06:45:11 mail2 postfix/cleanup[27983]: E3BF157EA1: message-id=<000001c6440e$3d624880$02cfa8c0@ybb62>
Mar 10 06:45:11 mail2 postfix/qmgr[21151]: E3BF157EA1: from=<beulahhir@xxxxxx.or.jp>, size=3451, nrcpt=1 (queue active)
Mar 10 06:45:12 mail2 postfix/smtpd[27979]: disconnect from unknown[xxx.xxx.202.132]
Mar 10 06:45:13 mail2 postfix/smtp[27984]: E3BF157EA1: to=<eepolito@stocksy.co.uk>, relay=mail.toastputer.net[69.93.127.12], delay=3, status=bounced (host mail.toastputer.net[69.93.127.12] said: 550 <eepolito@stocksy.co.uk>: Recipient address rejected: User unknown in virtual mailbox table (in reply to RCPT TO command))
Mar 10 06:45:13 mail2 postfix/cleanup[27983]: E1B5A57ED7: message-id=<20060310064513.E1B5A57ED7@mail2.toastputer.net>
Mar 10 06:45:13 mail2 postfix/qmgr[21151]: E3BF157EA1: removed
Mar 10 06:45:13 mail2 postfix/qmgr[21151]: E1B5A57ED7: from=<>, size=5454, nrcpt=1 (queue active)
Mar 10 06:45:28 mail2 postfix/smtp[27984]: E1B5A57ED7: to=<beulahhir@xxxxxx.or.jp>, relay=mailgw1.xxxxxx.or.jp[xxx.xxx.106.55], delay=15, status=sent (250 ok 1141973167 qp 27149)
Mar 10 06:45:28 mail2 postfix/qmgr[21151]: E1B5A57ED7: removed

Like a moron, I was just grepping the log for 'status=sent' where the recipient was not one of my domains. I was failing to account for bounce messages. I guess I need to read up on reducing backscatter!
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/