
QMail acts as an open relay.

I have the same problem using Plesk 8.01. Even if I set "Relaying" to "closed", I can still create new mails using SMTP without authentication.

I have now checked all the hints in this thread, but nothing helped. Any other ideas?
 
I'm using Telnet to test this:
Code:
telnet mail.cycit.de 25

220 host.cycit.de ESMTP
mail from:someone@somewhere.com
250 ok
rcpt to:someone@otherdomain.com
250 ok
data
354 go ahead
subject=test
content
.
250 ok 1151387948 qp 1062

qmail is stopped, so it's not possible to reproduce the above behaviour currently.

Regards,
Juergen
 
Originally posted by phoenixisp
It indeed will increase your server load. And it doesn't appear that your server can take any more. What is running so heavily on your box? My servers generally run in the .05 - 1.5 range and it may jump to the 5's when a lot of mail comes and goes. But you have a server load of 12????

IMO - security is of the utmost importance!

Actually, strangely enough, after making a few changes to the MAPS configuration and Spamassassin I'm now seeing CPU stats down to a 15 minute average of .37 which is much happier. I'm still seeing spikes in CPU usage on inbound e-mail, but I think a lot of it was coming from defending against attacks.

I set the MAPS zones to:
sbl-xbl.spamhaus.org;bl.spamcop.net;relays.ordb.org;cbl.abuseat.org;multihop.dsbl.org

And then tailed the secure log, and noticed a significant decrease.

Hopefully this will help eliminate some of the **** that's been flowing through my server.
 
Originally posted by phoenixisp
It indeed will increase your server load. And it doesn't appear that your server can take any more. What is running so heavily on your box? My servers generally run in the .05 - 1.5 range and it may jump to the 5's when a lot of mail comes and goes. But you have a server load of 12????

IMO - security is of the utmost importance!


Oh, by the way:
I'm still having a bunch of "failure notice" e-mails in the queue with blank senders and non-local users. I can't figure out where these are coming from, but their numbers have decreased recently after the recent changes.
 
Good stuff! Make sure, to speed up smtp, to add -Rt0 to the server_args line in /etc/xinet.d/smtp_psa like this:

server_args = -Rt0 /usr/sbin/rblsmtpd etc -etc -etc

Each time you change MAPS settings it rewrites the file.
 
Those failure notices are messages that were heading into your server but bounced. However, the addresses were probably spoofed, therefore the bounce messages are stuck in your queue.

There are probably fewer in your queue because less spam is coming into your server. To combat this, in the domain's control panel, under Mail -> Preferences set it not to bounce messages to non-existent users. What I do is create a mail name with no mailbox and no redirect. Then I set it to forward to that mail name. It sends the message to a black hole, so to speak.
 
Originally posted by phoenixisp
Good stuff! Make sure, to speed up smtp, to add -Rt0 to the server_args line in /etc/xinet.d/smtp_psa like this:

server_args = -Rt0 /usr/sbin/rblsmtpd etc -etc -etc

Each time you change MAPS settings it rewrites the file.

Ah, thanks, I'll do that. And thanks for your information.
 
Originally posted by crnunez
No, SWsoft use Exim as Mail Server!

Please try,
C:\telnet mail.swsoft.com 25 and you can view yourself.

At least the welcome message said Exim.?

Nope, it uses qmail, maybe it uses a win32 port of exim for the winblows version, I have no idea and doubt that, either way this is the Linux/Unix forum. Regardless, there isn't a version of PSA out there that uses Exim. Your xinetd or inetd is starting Exim instead of Qmail.

Don't be so quick to raise exclamations...

J
 
Another alternative layer of security. I have my PSA servers sitting behind mailgates I built using Qmail/Simscan/Spamassassin/ClamAv and the only MX record for each domain points to the mailgate cluster. Further, the mail is then host routed to the PSA servers. I disable popb4smtp, allow smtp auth, use MAPS protection rbl-xbl.spamhaus.org, and have only the local IPs to the box and the localhost IP of 127.0.0.1/32 whitelisted. I've also disabled Drweb because it's a garbage product that eats up extra memory and processor.

Setup like this, I've lightened the server loads dramatically by letting the mail gates do the majority of processing for spam and viruses and if I were to ever take a direct hit, to my mailgates, PSA servers are all generally OK.

ART has a project called Project Gamera that is similar to this. The idea is not new, other products out there get pricey, but I've seen Barracudas work well. Another thing you could do is just disable relay altogether and build a separate smtp auth box standalone for your customers to use.

There are lots of ways to lock down the PSA mail environment. Not all have to be so elaborate. I've only ever once had someone spam off my box since PSA 7.0.x and that was because of a user's weak shell password.

If you need some assistance I've done a ton of mail server lockdown work. I can even provide you with the mailgate service if need be for a nominal fee.

That's my 2 cents,
J
 
Originally posted by Lurker
I'm using Telnet to test this:
Code:
telnet mail.cycit.de 25

220 host.cycit.de ESMTP
mail from:someone@somewhere.com
250 ok
rcpt to:someone@otherdomain.com
250 ok
data
354 go ahead
subject=test
content
.
250 ok 1151387948 qp 1062

If you're familiar w/ SSH, check to make sure there's something in /var/qmail/control/rcpthosts, then stop/start qmail and xinetd. I thought I had the same problem on my box, but there's some weird localhost trusted sending going on, 'cuz I tried it from another server I have, and I got the standard 553 response I was hoping for. You can have abusenet test your server at http://www.abuse.net/relay.html. Also, make sure that you link smtp_psa to smtp then restart xinetd.
 
Originally posted by optize
Figured it out :)

There were 2 files in /etc/xinetd.d which wanted to use smtp. Sendmail and qmail. It decided it would use sendmail and allow everyone to spam through it.

Damn, actually the solution was already inside this thread. Had the same problem; after deletion of sendmail in the above folder the Plesk settings are used.

It is just strange, I filled /var/qmail/control/badmailfrom yesterday with some hosts, and when I tried to create mails from these domains I got the 553-message. So I was sure that qmail is used for sending. Anyway, it is working now!

Cheers,
Juergen
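
Added example (not part of the original posts): a check for the condition found above, where more than one enabled file in /etc/xinetd.d claims the smtp service. The function names and the sample file contents are constructed for illustration; on a real server call smtp_listeners with no argument to scan /etc/xinetd.d.

```shell
#!/bin/sh
# Added example: find every enabled xinetd entry that claims the smtp service.

# Print "file<TAB>server" for each enabled `service smtp` block in a directory.
smtp_listeners() {
    dir=${1:-/etc/xinetd.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
            /^[ \t]*#/ { next }                      # comment line
            $1 == "service" { name = $2; disabled = "no"; server = "(none)"; next }
            index($0, "=") {
                key = trim(substr($0, 1, index($0, "=") - 1))
                val = trim(substr($0, index($0, "=") + 1))
                if (key == "disable") disabled = val
                if (key == "server")  server = val
            }
            $1 == "}" {
                if (name == "smtp" && disabled != "yes") print file "\t" server
                name = ""
            }
        ' "$f"
    done
}

# Number of enabled smtp entries; anything above 1 means two daemons compete for port 25.
smtp_listener_count() {
    smtp_listeners "$1" | wc -l | tr -d ' '
}

# Constructed sample directory (file names and contents are illustrative, not from the thread).
make_sample() {
    d=$(mktemp -d)
    printf 'service smtp\n{\n\tdisable = no\n\tserver = /var/qmail/bin/tcp-env\n}\n' > "$d/smtp_psa"
    printf 'service smtp\n{\n\tdisable = no\n\tserver = /usr/sbin/sendmail\n}\n' > "$d/sendmail"
    printf 'service smtps\n{\n\tdisable = no\n\tserver = /var/qmail/bin/tcp-env\n}\n' > "$d/smtps_psa"
    printf '# old entry\nservice smtp\n{\n\tdisable = yes\n\tserver = /usr/sbin/exim\n}\n' > "$d/exim.off"
    echo "$d"
}

sample=$(make_sample)
smtp_listeners "$sample"
[ "$(smtp_listener_count "$sample")" -gt 1 ] && echo "WARNING: more than one enabled smtp entry"
rm -rf "$sample"
```

After removing or disabling the extra entry, restart xinetd and repeat the relay test from an outside host.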
 
Hello,
How is it possible to put a limit on the wrong commands on SMTP?
Example:

telnet sw-swsoft.com 25

220 mail.sw-soft.com ESMTP Exim 4.30 ....
badcommand1
500 unrecognized command
badcommand2
500 unrecognized command
badcommand3
500 unrecognized command
badcommand4
500 Too many unrecognized commands

Now, on my server "Too many unrecognized commands" never appears. Do you have any idea how to set the number of bad commands?

Thanks a lot!
 
Does anyone know how to do count_unrecognized_commands on qmail?

This one closes the connection if the sender makes mistakes. Why this is necessary is a bit long to explain, though.
 
push to top !

don't forget the problem SWSOFT !

greetz

vIPER
 
Originally posted by phoenixisp
Check to see if you have sendmail installed, if so, that's your problem. The path to sendmail is /usr/sbin/sendmail.

What should be there is a symlink to /etc/alternatives/mta which in turn should point to /var/qmail/bin/sendmail. Also, you may try using the MAPS feature. I notice that optize's server_args in his original post doesn't make reference to any MAPS servers.

I use qmail and am having this same problem with spam queueing up the remote server.

I can see sendmail under /var/qmail/bin/sendmail but am not sure how to create a "symlink to /etc/alternatives/mta which in turn should point to /var/qmail/bin/sendmail".

I'm a newbie to Linux. Could you please help me with the procedure?
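
Added example (not part of the original posts): the symlink chain quoted above, built with ln -s under a temporary root and then walked hop by hop so a wrong link is easy to spot. The function names are hypothetical and the tree is constructed; on a real server the same ln -s commands are run as root against the real paths, and link_chain is called on /usr/sbin/sendmail.

```shell
#!/bin/sh
# Added example: print each hop of a symlink chain and check where it ends.

# Print every hop from $1 to the final non-symlink target, one per line.
link_chain() {
    p=$1
    hops=0
    echo "$p"
    while [ -L "$p" ] && [ "$hops" -lt 16 ]; do   # hop limit guards against link loops
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;                       # absolute target
            *)  p=$(dirname "$p")/$t ;;       # relative target: resolve against the link's directory
        esac
        echo "$p"
        hops=$((hops + 1))
    done
}

# Succeed only if the chain starting at $1 ends at $2.
chain_ends_at() {
    [ "$(link_chain "$1" | tail -n 1)" = "$2" ]
}

# Constructed tree mirroring the chain from the quoted post under a temp root.
make_tree() {
    r=$(mktemp -d)
    mkdir -p "$r/usr/sbin" "$r/etc/alternatives" "$r/var/qmail/bin"
    : > "$r/var/qmail/bin/sendmail"           # stand-in for qmail's sendmail wrapper
    ln -s "$r/var/qmail/bin/sendmail" "$r/etc/alternatives/mta"
    ln -s "$r/etc/alternatives/mta" "$r/usr/sbin/sendmail"
    echo "$r"
}

root=$(make_tree)
link_chain "$root/usr/sbin/sendmail"
chain_ends_at "$root/usr/sbin/sendmail" "$root/var/qmail/bin/sendmail" \
    && echo "OK: sendmail resolves to qmail"
rm -rf "$root"
```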
 