
QMail acts as an open relay.

optize

Guest
Greetings.

We seem to have a really weird problem with qmail/xinetd. It will allow everyone to relay spam through us (which we don't want!)

Here is my smtpd_psa in /etc/xinetd.d:

service smtp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    disable     = no
    user        = root
    instances   = UNLIMITED
    server      = /var/qmail/bin/tcp-env
    server_args = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}


So let's telnet to our server to test it out since qmail-smtpd is running off xinetd.

220 x.x.x.x ESMTP
HELO
250 x.x.x.x
MAIL FROM:hi@hi.org
250 ok
RCPT TO:ajslfkj@asdf.com
250 ok
data
354 go ahead

But if we run /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true manually:

[root@x.x.x.x etc]# /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
220 x.x.x.x ESMTP
HELO
250 x.x.x.x
MAIL FROM:hi@hi.org
250 ok
RCPT TO:lkasjflkajsf@asdf.com
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

So the only difference is running xinetd with /var/qmail/bin/tcp-env in front of the qmail programs and when I do that, it allows relaying again.

PLEASE HELP!! I'm going crazy.
 
If it helps, I have servers that work fine.

This is their ps aux | grep qmail-smtpd

qmaild 19805 0.0 0.2 4444 696 ? S 08:59 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true


This is the one that doesn't work right:

root 24437 0.4 0.1 3804 860 ? SNs 23:56 0:00 bin/qmail-smtpd
root 26617 0.3 0.1 3800 856 ? SNs 23:56 0:00 bin/qmail-smtpd
root 30874 0.4 0.1 3800 860 ? SNs 23:57 0:00 bin/qmail-smtpd
root 3246 0.9 0.1 3804 860 ? SNs 23:57 0:00 bin/qmail-smtpd
root 4848 0.5 0.1 3804 860 ? SNs 23:57 0:00 bin/qmail-smtpd
 
Figured it out :)

There were 2 files in /etc/xinetd.d which wanted to use smtp. Sendmail and qmail. It decided it would use sendmail and allow everyone to spam through it.
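The root cause found above (two files in /etc/xinetd.d both declaring `service smtp`, so xinetd started sendmail instead of the qmail chain) can be checked for mechanically. The following is an added example, not code from this thread or from Plesk: it parses xinetd service stanzas and reports every protocol/port pair that more than one enabled stanza claims. The sample files are constructed, and the WELL_KNOWN_PORTS table is an assumption standing in for /etc/services.

```python
import re
from collections import defaultdict

# Assumption: a tiny name -> port table stands in for /etc/services here.
WELL_KNOWN_PORTS = {"smtp": 25, "pop3": 110, "imap": 143, "ftp": 21}
STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_xinetd(text):
    """Return [(service_name, {attribute: value}), ...] for one xinetd.d file."""
    services = []
    for name, body in STANZA_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0]          # drop trailing comments
            if "=" in line:
                key, _, value = line.partition("=")
                attrs[key.strip()] = value.strip()
        services.append((name, attrs))
    return services


def find_port_conflicts(files):
    """files: {filename: contents}. Returns {(proto, port): [(file, service, server)]}
    for every binding wanted by two or more enabled stanzas (xinetd starts only one)."""
    claims = defaultdict(list)
    for fname, text in files.items():
        for name, attrs in parse_xinetd(text):
            if attrs.get("disable", "no").lower() == "yes":
                continue                          # disabled stanzas never bind
            proto = attrs.get("protocol", "tcp").lower()
            port = int(attrs["port"]) if "port" in attrs else WELL_KNOWN_PORTS.get(name)
            if port is not None:
                claims[(proto, port)].append((fname, name, attrs.get("server", "?")))
    return {k: v for k, v in claims.items() if len(v) > 1}


# Constructed sample: the thread's smtp_psa beside a leftover sendmail stanza.
SAMPLE_FILES = {
    "smtp_psa": "service smtp\n{\n  socket_type = stream\n  protocol = tcp\n"
                "  disable = no\n  server = /var/qmail/bin/tcp-env\n"
                "  server_args = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd\n}",
    "sendmail": "service smtp\n{\n  socket_type = stream\n  protocol = tcp\n"
                "  disable = no\n  server = /usr/sbin/sendmail\n}",
    "pop3s_off": "service pop3s\n{\n  disable = yes\n  port = 995\n  server = /usr/bin/pop3d\n}",
}

if __name__ == "__main__":
    for (proto, port), who in find_port_conflicts(SAMPLE_FILES).items():
        print(f"{proto}/{port} is claimed by {len(who)} enabled services:")
        for fname, name, server in who:
            print(f"  {fname}: service {name} -> {server}")
```

On a live host, replace SAMPLE_FILES with the contents of each file under /etc/xinetd.d; any reported conflict means the daemon actually answering on port 25 may not be the one whose relay rules you configured.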
 
We have a big trouble with this.

Please view:

>telnet mail.swsoft.com 25
220 mail.sw-soft.com ESMTP Exim 4.30 Fri, 23 June 2006 15:10:17 -0400
MAIL FROM:info@swsoft.com
250 OK
RCPT TO:tech@swsoft.com
250 Accepted

Why does Swsoft use Exim and not Qmail?
 
They do use QMail. Make sure you're not starting up both on accident.
 
No, SWsoft uses Exim as mail server!

Please try,
C:\telnet mail.swsoft.com 25 and you can see for yourself.

At least the welcome message said Exim?
 
Oh, I see what you're saying.

Well it accepted it because you sent it to a domain local to the server. If you tried to send it to a hotmail address, it would fail.
 
A good feature request is "deny relay for local sender addresses" in the control panel. Very important option.

At this moment Plesk has opened our server to spammers.

In other servers I have this great option.
 
Another important fact is that anybody can relay through sendmail.

If any domain has a "contact us" form, then the server has a serious security problem: INJECTION via PHP and SENDMAIL ...
 
hi

I have the same problem!

PLEASE FIX THIS!!!!! AND ADD THE FEATURE

deny relay for local sender addresses

many people who use plesk 7 or 8 HAVE ALL THE SAME PROBLEM! from what I have read in German forums!!!

100% who are using plesk are spam relays!

PLEASE FAST !

deny relay for local sender addresses

and

QMAIL SMTP AUTH PATCH !

PLEASSSSSSSSSSE

greetz

vIPER
 
This obviously needs to be fixed.

My Environment:

RHE with latest updates.
Plesk 8.0 (I'm afraid to update to 8.0.1)

My problem:

SMTP Relaying for local domains.

I've enabled SMTP Authorization, and yet it still allows SMTP spoofing to happen from people that do not seem to have to use SMTP to send mail from my server.

If I tail the secure log:

tail -f /var/log/secure

I can watch connections from IP addresses I know for a fact do not have authorization to use SMTP on my server.

I have to stop this, and as a "stop-gap" measure I've been adding unauthorized IP addresses to my firewall module to prevent habitual spammers from using my server.

This is a critical problem, and should be addressed immediately. Apparently this has been the case since Version 7.5.4 or earlier.

My server has been reported to spamcop as being a spammer and I know for a fact that no spam is originating from any of my users.

SWsoft needs to fix this immediately, I would hate to have to move to a different control panel, but if this problem isn't fixed I will.
 
The following relaying settings were added since version 7.5:

Server > Mail

Relaying
- open
- closed
- authorization is required
 
Originally posted by snikos
The following relaying settings were added since version 7.5:

Server > Mail

Relaying
- open
- closed
- authorization is required

I'm well aware of these settings, and they are all enabled.

However, the server is still allowing connections to the SMTP server from spammers spoofing the "from" address.
 
Check to see if you have sendmail installed, if so, that's your problem. The path to sendmail is /usr/sbin/sendmail.

What should be there is a symlink to /etc/alternatives/mta which in turn should point to /var/qmail/bin/sendmail. Also, you may try using the MAPS feature. I notice that optize's server_args in his original post doesn't make reference to any MAPS servers.
 
Originally posted by phoenixisp
Check to see if you have sendmail installed, if so, that's your problem. The path to sendmail is /usr/sbin/sendmail.

What should be there is a symlink to /etc/alternatives/mta which in turn should point to /var/qmail/bin/sendmail. Also, you may try using the MAPS feature. I notice that optize's server_args in his original post doesn't make reference to any MAPS servers.

Thanks for the information, however,

lrwxrwxrwx 1 root root 21 Apr 9 11:36 sendmail -> /etc/alternatives/mta

Which seems to point to:

lrwxrwxrwx 1 root root 23 Jun 26 20:39 mta-in_libdir -> /var/qmail/bin/sendmail

And I have also enabled MAPS SPAM Protection using bl.spamcop.net as a zone, but I haven't installed additional zones.

Yet, this still hasn't stopped the issue.

Any other ideas?
Thanks
 
You could add more zones to MAPS. I only use sbl-xbl.spamhaus.org and have no such problems - try adding it to spamcop.

I'm well aware of these settings, and they are all enabled.
They can't be all enabled. You should have authorization is required checked and SMTP checked, that's it.

And one last item, are you sure you don't have a script on your server that is being exploited? If you have all else setup properly, that could be the case.
 
Originally posted by phoenixisp
You could add more zones to MAPS. I only use sbl-xbl.spamhaus.org and have no such problems - try adding it to spamcop.


They can't be all enabled. You should have authorization is required checked and SMTP checked, that's it.

And one last item, are you sure you don't have a script on your server that is being exploited? If you have all else setup properly, that could be the case.

Yeah, I realized that they're not all enabled. :rolleyes: Bonehead moment on my part.

I've triple checked all 253 sites as well as, had "Watchdog" scan for vulnerable scripts. The server has come up clean each time. I'll try adding spamhaus to the MAPS zones and see if that makes a difference.

The biggest difference I've seen in reducing the amount of spam is to tail the secure log and completely block offending IP addresses. However the firewall rule set is getting huge, but it's made a remarkable difference.
 
Another alternative would be to use ART's qmail-scanner. It combines qmail-scanner with Spamassassin and ClamAV. It scans outgoing emails as well as incoming. If set up properly it can help.
 
Originally posted by phoenixisp
Another alternative would be to use ART's qmail-scanner. It combines qmail-scanner with Spamassassin and ClamAV. It scans outgoing emails as well as incoming. If set up properly it can help.

Any idea of the increase in server load from running this? Since moving to 8.0.1 I've noticed the process utilization has jumped, as well as the RAM usage. I'm not blaming 8.0.1 but there seems to be a trend of increased process utilization since moving from 7.5.4.

My server used to maintain about 0.1 to 0.8 and now it's running firmly in the 8 to 12 range.

Performance isn't suffering, but I'm afraid adding an additional scanner might bump me into the range of decreased performance at the cost of increased security.
 
It indeed will increase your server load. And it doesn't appear that your server can take any more. What is running so heavily on your box? My servers generally run in the .05 - 1.5 range and it may jump to the 5's when a lot of mail comes and goes. But you have a server load of 12????

IMO - security is of the utmost importance!
 