Qmail acting as an open relay for local network

ComNet

New Pleskian
Hi,
I'm seeing a strange behavior on my Plesk 10.4.4: other hosts from the public subnet I purchased from my ISP are able to use unauthenticated SMTP as an open relay, while the rest of the world can't (I followed the steps and double-checked, to be sure, the official KB article at http://kb.parallels.com/en/1394).
The whitelist has only ::1 and 127.0.0.0/8 on the allowed entries, and nothing is blacklisted.
Do you have any idea why it is open-relaying from the local subnet's hosts, and how to stop that?
Thanks,

Marco
 
Tried to restrict from 127.0.0.0/8 to 127.0.0.1/32, still seeing same behavior from other hosts in the same subnet.
Any hint?
 
Do you have pop-before-relay enabled? If so, and someone is doing pop3 logins from a particular IP then there will be a window where no smtp auth will be required. If the window is set to, say, 5 minutes and the user logs in every 5 minutes then effectively that IP is going to be able to use smtp anytime they want.
 
Thanks for your answer; unfortunately, that's not quite the case for two reasons:
  1. I don't relay ("SMTP relay closed"). Simple as that. :)
  2. The other hosts in the subnet are servers, so no POP3 authentication shall ever come from there.
 
Check /etc/xinetd.d/smtp_psa to make sure the settings you have configured in Plesk are actually reflected there, just in case?
 
Thanks; I've been looking for a tcp-env configuration (as seen on this qmail page for "selective relaying" http://qmail.3va.net/qdp/qmail-antirelay.html), but I found none.
This is my smtp_psa started from xinetd:
Code:
service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        env             = SHORTNAMES=1
        server          = /var/qmail/bin/tcp-env
        server_args     = -Rt0 /var/qmail/bin/relaylock /usr/sbin/rblsmtpd -r sbl.spamhaus.org -r xbl.spamhaus.org /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
 
OK, I have no ideas at all I'm afraid.

Well, I do have one, but it should not make any difference. I notice you have shortnames enabled. How about changing it to off (in the panel, not editing the file). Yes, I know, it should have nothing to do with anything. But maybe it will kickstart something somewhere :) And if it makes no difference, put it back to how it was, obviously ;-)
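
Added example (not part of the thread, and not Plesk or qmail code): a way to separate the relay causes discussed above, by classifying each unauthenticated relay as permitted by the whitelist, by a pop-before-relay window, or by neither. The event format, the sample events, the 5-minute window and the function name are assumptions constructed for illustration.

```python
import ipaddress

# Whitelist as described in the thread; the relay window is an assumed value.
WHITELIST = [ipaddress.ip_network(n) for n in ("::1/128", "127.0.0.0/8")]
WINDOW_SECONDS = 5 * 60

# Constructed sample events: (epoch_seconds, kind, client_ip).
# Addresses come from documentation ranges, not from the thread.
SAMPLE_EVENTS = [
    (0, "pop3_login", "192.0.2.10"),
    (50, "relay", "127.0.0.1"),      # whitelisted loopback
    (60, "relay", "192.0.2.20"),     # server that never logs in via POP3
    (120, "relay", "192.0.2.10"),    # 120 s after a POP3 login
    (300, "pop3_login", "192.0.2.10"),
    (590, "relay", "192.0.2.10"),    # 290 s after the second login
    (1000, "relay", "192.0.2.10"),   # 700 s after the last login
]

def explain_relays(events, whitelist=WHITELIST, window=WINDOW_SECONDS):
    """Classify each unauthenticated relay event by what permitted it.

    This is a simplified event format, not a real qmail or Plesk log layout.
    Returns a list of (timestamp, ip, reason) in time order.
    """
    last_login = {}  # client address -> time of its most recent POP3 login
    results = []
    for ts, kind, ip in sorted(events):
        addr = ipaddress.ip_address(ip)
        if kind == "pop3_login":
            last_login[addr] = ts
        elif kind == "relay":
            if any(addr in net for net in whitelist):
                reason = "whitelist"
            elif addr in last_login and ts - last_login[addr] <= window:
                reason = "pop-before-smtp"
            else:
                # Neither mechanism explains it: look at the SMTP service
                # configuration itself, as the thread goes on to do.
                reason = "unexplained"
            results.append((ts, ip, reason))
    return results

if __name__ == "__main__":
    for ts, ip, reason in explain_relays(SAMPLE_EVENTS):
        print(f"{ts:>5}s  {ip:<12}  {reason}")
```
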
 