Old 06-08-2007, 02:38 PM   #1
ajayre
LQ Newbie
 
Registered: Jun 2007
Posts: 2

Rep: Reputation: 0
Qmail Appears To Be Open Relay


We are running a server with Debian Sarge and Qmail and we have noticed that people are sending spam through the server, even though all our tests indicate it is not an open relay. We are now at a loss as to what to check next. Here are the details. Note that I have carefully changed the name of our server to h0000000 and mydomain.com. These are the only changes I've made to the output.

We have /var/qmail/control/rcpthosts set up to list our virtual domains. For example:

Code:
localhost
h0000000.serverkompetenz.net
mydomain.com
/var/qmail/control/locals contains:

Code:
localhost
h0000000.serverkompetenz.net
/var/qmail/control/virtualdomains contains:

Code:
mydomain.com:mydomain.com
/etc/tcp.smtp is set up to stop relaying from external servers:

Code:
127.0.0.1:allow,RELAYCLIENT=""
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
tcpserver is running as:

Code:
/bin/tcpserver -R -H -u 64011 -g 65534 -x /etc/tcp.smtp.cdb 0 smtp /usr/sbin/qmail-smtpd /var/vpopmail/bin/vchkpw /bin/true
Here are the headers of an example email we found in /var/qmail/queue/mess:

Code:
Received: (qmail 4053 invoked by uid 64020); 8 Jun 2007 19:38:36 +0200
Received: from 200.241.73.131 by h0000000 (envelope-from <fqqgvh@mydomain.com>, uid 64011) with qmail-scanner-1.25st
 (spamassassin: 3.0.3. perlscan: 1.25st.
 Clear:RC:0(200.241.73.131):.
 Processed in 2.250737 secs); 08 Jun 2007 17:38:36 -0000
Received: from unknown (HELO SERVER251) (info@200.241.73.131)
  by mydomain.com with SMTP; 8 Jun 2007 19:38:34 +0200
From: "Ftlbpz" <fqqgvh@mydomain.com>
To: "liu15519" <liu15519@tom.com>
Subject: =?GB2312?B?17/Uvc/6ytu8xsTczOHJ/bXEOLj2sr3W6DM5MA==?=
Date: Sat, 9 Jun 2007 01:37:53 +0800
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Qmail-Scanner-Message-ID: <11813243159224042@h1105258>
I then tried manually sending a message with the same details:

Code:
220 h0000000.serverkompetenz.net ESMTP
helo SERVER251
250 h0000000.serverkompetenz.net
mail from: "Ftlbpz" <fqqgvh@mydomain.com>
250 ok
rcpt to: "liu15519" <liu15519@tom.com>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
We also used the relay check at abuse.net to check if our server was an open relay. It passed all tests.

So how are these emails getting into the send queue? If we reboot the server and clear the send queue then they stop for about half an hour before starting again.

If there is any information missing let me know and I will gladly post it.

Andy
 
Old 07-02-2007, 10:55 AM   #2
spamgrind
LQ Newbie
 
Registered: Jul 2007
Posts: 10

Rep: Reputation: 0
Just because the From:"" tag is set from some domain, and the To:"" tag is set to some address outside your network, does not mean that you have an open relay. Those tags are injected by the mailer application (for example, Outlook) or whatever script people are using to send you spam. What it looks like is happening is that the actual SPAM is being delivered to E-mail addresses on your box; they are being sent from here:

Received: (qmail 4053 invoked by uid 64020); 8 Jun 2007 19:38:36 +0200
Received: from 200.241.73.131 by h0000000 (envelope-from <fqqgvh@mydomain.com>, uid 64011) with qmail-scanner-1.25st
(spamassassin: 3.0.3. perlscan: 1.25st.
Clear:RC:0(200.241.73.131):.
Processed in 2.250737 secs); 08 Jun 2007 17:38:36 -0000
Received: from unknown (HELO SERVER251) (info@200.241.73.131)
by mydomain.com with SMTP; 8 Jun 2007 19:38:34 +0200
From: "Ftlbpz" <fqqgvh@mydomain.com>
To: "liu15519" <liu15519@tom.com>

If these messages are not on your outgoing queue for processing, they are not being forwarded. Of course, they may also be on your outgoing queue as a bounce to the sender for a non-existent recipient on your box, but those should be clearly marked as a bounce.
 
Old 07-02-2007, 10:59 AM   #3
ajayre
LQ Newbie
 
Registered: Jun 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for replying. All emails were received on port 25 and then sent back out on port 25, not marked as a bounce. This was confirmed with tcpdump.

I wrote a perl script and found out that if you keep hitting qmail with a random username and password then it eventually lets you in and you can send to whoever you want! This bypasses the rcpthosts restriction.

So we dumped the POS qmail and switched to Postfix.

thanks, Andy
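As an added triage example (not from the thread, and not qmail's own code): given the rcpthosts and tcp.smtp posted in the first message and the Received: headers of the queued mail, work out which of qmail-smtpd's three acceptance paths let the message in. Assumptions: the To: address stands in for the envelope recipient (a real check reads it from the queue's remote/ file), and tcprules address matching is approximated by prefix.

```python
import re

# Constructed from the control files and tcp.smtp posted in the thread.
RCPTHOSTS = {"localhost", "h0000000.serverkompetenz.net", "mydomain.com"}
TCP_SMTP = '127.0.0.1:allow,RELAYCLIENT=""\n:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"\n'

# Headers of the queued message shown in the thread (trimmed). ASSUMPTION: the To:
# address is treated as the envelope recipient for this demonstration.
MESSAGE = """Received: from 200.241.73.131 by h0000000 (envelope-from <fqqgvh@mydomain.com>, uid 64011) with qmail-scanner-1.25st
Received: from unknown (HELO SERVER251) (info@200.241.73.131)
  by mydomain.com with SMTP; 8 Jun 2007 19:38:34 +0200
To: "liu15519" <liu15519@tom.com>
"""

def parse_tcp_rules(text):
    """tcprules source -> list of (address_prefix, sets_RELAYCLIENT)."""
    rules = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            prefix, _, actions = line.partition(":")
            rules.append((prefix, "RELAYCLIENT=" in actions))
    return rules

def relayclient_for(ip, rules):
    """Approximate tcprules matching: exact address, dotted prefix ('192.168.'), or catch-all ''; longest wins."""
    ip, best = ip or "", None
    for prefix, relay in rules:
        hit = prefix == ip or prefix == "" or (prefix.endswith(".") and ip.startswith(prefix))
        if hit and (best is None or len(prefix) > len(best[0])):
            best = (prefix, relay)
    return best[1] if best else False

def connecting_ip(headers):
    """Client IP from the qmail-smtpd 'Received: from ... (HELO ...) (...)' line."""
    m = re.search(r"^Received: from \S+ \(HELO [^)]*\) \((?:[^@)]*@)?([\d.]+)\)", headers, re.M)
    return m.group(1) if m else None

def rcpt_domain(headers):
    m = re.search(r"^To:.*<[^@>]+@([^>]+)>", headers, re.M)
    return m.group(1).lower() if m else None

def acceptance_path(headers, rcpthosts, rules):
    """Which qmail-smtpd check let this message in? Only these three exist."""
    domain, ip = rcpt_domain(headers), connecting_ip(headers)
    if domain in rcpthosts:
        return "rcpthosts"             # ordinary inbound mail for a hosted domain
    if relayclient_for(ip, rules):
        return "tcp.smtp RELAYCLIENT"  # relaying permitted by client address
    return "SMTP AUTH"                 # only path left: a successful AUTH login (vchkpw in the tcpserver line)
```

For the thread's message this returns "SMTP AUTH": tom.com is not in rcpthosts and 200.241.73.131 matches no RELAYCLIENT rule, which points at the authentication path long before tcpdump or a password-guessing test does.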
 
  

