LinuxQuestions.org
Old 09-05-2006, 09:08 AM   #1
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Rep: Reputation: 0
mail relay open or closed


Morning all, I took over the job managing our server farms with 2 years or so of Red Hat experience, more just knowing what I have done to fix it vs. 'learning why'.

Well, just got an email from abuse.net saying they have numerous complaints and will have to shut the IP down soon if it's not fixed, and they say it's an open relay. Most test sites come back that it's closed, yet they say it is. They gave a specific domain, to which I then asked if it's a webform perhaps that someone took advantage of; they said no, as they could telnet it and somehow send mail to some domains but not others.

The box is a CentOS 4 with all up to date packages. It was set up with vpop, and qmail is NOT used at all to send mail. Is there an easy way to just say don't ever send mail (except websites that send mail)? While I wait for their email with more details, is there any advice, or ideas on what to do?

A port scan simply shows;
(The 65520 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
443/tcp open https
747/tcp open fujitsu-dev
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt

Don't think that really helps, but it might.

Actually still learning / poking around, found some odd / large files in the /var/qmail/queue/remote/ folder. Most were small, each folder had one much larger, see below;
20 Sep 5 02:12 18629988
7752 Sep 1 06:49 24035586

When I tailed that large file it was loaded with email addresses, so I guess the mail is going into the remote folder, but I don't know enough about how it gets there, how to shut it down, etc.

Thanks again in advance.

Lance

Last edited by sir-lancealot!; 09-05-2006 at 09:12 AM.
 
Old 09-05-2006, 09:19 AM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Have you tried looking at something like

http://www.spamlinks.net/prevent-secure-relay-test.htm

If I read your post correctly, you don't send mail from this server. Why don't you ensure that outbound port 25 is closed? I assume by your website sending comment you mean people sending via external websites, which doesn't count
 
Old 09-05-2006, 09:36 AM   #3
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Since they said they did it via telnet, that's what I tried first; after the 200 or so attempts, it got;

"System appeared to accept 1 relay attempts
Connection closed by foreign host."

so it looks in fact like it did.

As for the website comment, I meant that this box hosts a few websites. On them are registration forms, etc. which after they are complete they (using .php) insert a record into a database and send a confirmation using the php mail() command. So if outbound 25 is closed, I assume that might fix the outbound problem but then not allow that mail from the webform to be sent, am I correct?
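The relay test quoted above works by connecting as an outside client and seeing whether RCPT TO for an outside domain gets a 250. The following model of that decision is an added example, not qmail's code and not from the thread: LOCAL_DOMAINS stands in for qmail's control/rcpthosts (domains this host is the final destination for), RELAY_CLIENTS for the tcpserver RELAYCLIENT allow-list, and both sets, the host name and the addresses are constructed. A relay is "open" exactly when a client outside RELAY_CLIENTS gets 250 for a recipient outside LOCAL_DOMAINS.

```python
"""Minimal model of the relay decision an SMTP server makes at RCPT TO.
Added example; not qmail's code. LOCAL_DOMAINS plays the role of
control/rcpthosts, RELAY_CLIENTS the role of RELAYCLIENT. Everything else
is refused at RCPT TO, which is what keeps a relay closed."""
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # constructed sample
RELAY_CLIENTS = {"127.0.0.1", "192.0.2.10"}           # constructed sample


def _address(arg: str) -> str:
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>' (no full RFC 5321 parsing)."""
    return arg.split(":", 1)[1].strip().strip("<>").strip()


@dataclass
class SmtpSession:
    client_ip: str
    sender: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)
    transcript: List[str] = field(default_factory=list)  # both sides, for review

    def _reply(self, line: str) -> str:
        self.transcript.append("S: " + line)
        return line

    def handle(self, line: str) -> str:
        """Process one client command and return the server's reply line."""
        self.transcript.append("C: " + line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return self._reply("250 mail.example.com")
        if verb == "MAIL":
            self.sender = _address(arg)
            self.rcpts = []
            return self._reply("250 ok")
        if verb == "RCPT":
            if self.sender is None:
                return self._reply("503 MAIL first (#5.5.1)")
            rcpt = _address(arg)
            domain = rcpt.rsplit("@", 1)[-1].lower()
            # Accept if we are the destination, or the client is trusted to relay.
            if domain in LOCAL_DOMAINS or self.client_ip in RELAY_CLIENTS:
                self.rcpts.append(rcpt)
                return self._reply("250 ok")
            # Wording follows qmail-smtpd's refusal so the reply is recognisable.
            return self._reply("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)")
        if verb == "DATA":
            if not self.rcpts:
                return self._reply("503 RCPT first (#5.5.1)")
            return self._reply("354 go ahead")
        if verb == "QUIT":
            return self._reply("221 mail.example.com")
        return self._reply("502 unimplemented (#5.5.1)")


def relay_accepted(client_ip: str, sender: str, rcpt: str) -> bool:
    """Run the envelope phase of a session and report whether RCPT was accepted."""
    s = SmtpSession(client_ip)
    s.handle("HELO relay-test")
    s.handle(f"MAIL FROM:<{sender}>")
    return s.handle(f"RCPT TO:<{rcpt}>").startswith("250")


if __name__ == "__main__":
    # An outside client asking to relay to an outside domain must be refused.
    s = SmtpSession("203.0.113.5")
    for cmd in ("HELO relay-test", "MAIL FROM:<anon@example.net>",
                "RCPT TO:<someone@example.org>", "QUIT"):
        s.handle(cmd)
    print("\n".join(s.transcript))
```

The transcript the script prints is what a relay tester and the server exchange; the 553 is the reply a closed relay gives, and "some domains but not others", as the abuse report put it, is what you see when the rcpthosts-style list is the only thing deciding: local domains get 250, everything else 553.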
 
Old 09-05-2006, 09:38 AM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
That's what I'd have thought (re port 25 outbound)
 
Old 09-05-2006, 09:42 AM   #5
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Sorry, I didn't word that correctly, port 25 is currently open. I meant to word it as, if I close 25 outbound, will the box still be able to send mail through a webform (I would doubt it) and I guess could try it.
 
Old 09-05-2006, 10:37 AM   #6
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Well I am stumped. Tried to close 25 and nothing but errors. Since this is CentOS, maybe it's a bit different than FC but the iptables file looks like this;

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
COMMIT


and an iptables -L shows;
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp

I've tried a few ways to close 25 from what I read, none of which worked, so I am at a crossroad. I see the forum added a server forum, think I should try that (or is that considered a cross post and frowned upon), but they say they are going to shut it down if it doesn't stop, so LQ seems to be the best forum I can find, but thank you for the prompt replies and suggestions.

lr
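Two things stand out in the rule set posted above: an ACCEPT for port 21 sits after the chain's catch-all REJECT, where nothing can ever reach it, and the OUTPUT chain is empty with policy ACCEPT, so edits to RH-Firewall-1-INPUT cannot affect connections the box opens. The checker below is an added example, not from the thread or any project; RULES is a constructed excerpt in the same shape as the posted file, and "qmailr" in the usage is a placeholder for whatever uid the mail transport actually runs as on the system.

```python
"""Two checks on a rule set in iptables-save format (added example).

1. shadowed_rules(): rules that can never match because an earlier
   catch-all REJECT/DROP in the same chain ends evaluation first.
2. outbound_port_restricted(): whether the OUTPUT chain says anything at
   all about a destination port. Rules in an INPUT-side chain only filter
   connections arriving at the host, never the ones it opens itself.

RULES is a constructed excerpt in the shape of the posted file."""
from typing import Dict, List, Tuple

RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
COMMIT
"""

Rule = List[str]


def parse_rules(text: str) -> Tuple[Dict[str, str], Dict[str, List[Rule]]]:
    """Return (chain policies, rules per chain) from iptables-save text."""
    policies: Dict[str, str] = {}
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy          # '-' marks a user-defined chain
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            parts = line.split()
            chains.setdefault(parts[1], []).append(parts[2:])
    return policies, chains


def _target(rule: Rule) -> Tuple[int, str]:
    """Index of '-j' and the target name, or (-1, '') if the rule has no target."""
    if "-j" not in rule:
        return -1, ""
    j = rule.index("-j")
    return j, rule[j + 1]


def shadowed_rules(chains: Dict[str, List[Rule]]) -> List[Tuple[str, int, str]]:
    """(chain, position, rule) for every rule after an unconditional REJECT/DROP."""
    found = []
    for chain, rules in chains.items():
        terminated = False
        for pos, rule in enumerate(rules):
            if terminated:
                found.append((chain, pos, " ".join(rule)))
                continue
            j, target = _target(rule)
            # No match options before -j means the rule matches every packet.
            if j == 0 and target in ("REJECT", "DROP"):
                terminated = True
    return found


def outbound_port_restricted(policies: Dict[str, str],
                             chains: Dict[str, List[Rule]], port: int) -> bool:
    """True if OUTPUT's policy is not ACCEPT or some OUTPUT rule names --dport <port>."""
    if policies.get("OUTPUT", "ACCEPT") != "ACCEPT":
        return True
    for rule in chains.get("OUTPUT", []):
        if "--dport" in rule and rule[rule.index("--dport") + 1] == str(port):
            return True
    return False


def outbound_smtp_rules(mail_uid: str) -> List[str]:
    """OUTPUT rules letting only one local uid open connections to remote port 25.
    Replies to inbound SMTP sessions carry source port 25, not destination port 25,
    so they are unaffected; the owner match applies to locally generated packets."""
    return [
        f"-A OUTPUT -p tcp --dport 25 -m owner --uid-owner {mail_uid} -j ACCEPT",
        "-A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset",
    ]


if __name__ == "__main__":
    policies, chains = parse_rules(RULES)
    print("shadowed:", shadowed_rules(chains))
    print("outbound 25 restricted:", outbound_port_restricted(policies, chains, 25))
    print("\n".join(outbound_smtp_rules("qmailr")))
```

One caveat on the outbound rules: a uid-based OUTPUT filter limits which local programs can talk to remote port 25, but once a relayed message has been accepted into the queue it leaves through the same qmail-remote process as a legitimate webform confirmation, so the filter cannot tell the two apart. Relaying has to be refused at qmail-smtpd, where the decision is made per recipient.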
 
Old 09-05-2006, 11:48 AM   #7
sir-lancealot!
LQ Newbie
 
Registered: Aug 2006
Posts: 19

Original Poster
Rep: Reputation: 0
Another update (shorter one this time)... still trying to figure it out, did a ps -fax | grep qmail and got the following;

anonymous@server yokaitis@aol.com
25329 ? S 0:00 | \_ qmail-remote aol.com anonymous@server dgiles54@aol.com
25330 ? S 0:00 | \_ qmail-remote aol.com anonymous@server nlrdrg@aol.com
25331 ? S 0:00 | \_ qmail-remote aol.com

So it looks like they are being sent via qmail. When I did a qmailctrl stop, I got the following;
Stopping qmail...
qmail-smtpd
qmail-send

So the question seems, can you start qmail-smtp to still receive but not start qmail-send? And if you can start w/o qmail send, would you still be able to send mail via websites and squirrelmail?

By stopping qmail though it does fail the telnet tests.
The search continues
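The large file in queue/remote/ from the first post and the qmail-remote processes in this one are the two places the outflow shows up, and both can be checked without stopping the queue. The triage helpers below are an added example, not from the thread and not qmail's code; the envelope bytes and ps lines are constructed (the sender string is borrowed from the listing above, the domains are RFC 2606 examples), and the file layout assumed is the one qmail-send writes: 'F' + sender + NUL, then 'T' + recipient + NUL per recipient.

```python
"""Triage helpers for a qmail host suspected of pumping out relayed mail
(added example). Inspects two things:
  - envelope files under queue/remote/: 'F' + sender + NUL, followed by
    'T' + recipient + NUL for every recipient; a file much larger than
    its neighbours is one message fanned out to many recipients;
  - 'ps -fax' lines for qmail-remote, whose arguments are
    <destination host> <sender> <recipient>...
Sample data is constructed."""
from collections import Counter
from typing import List, Tuple

# Constructed envelope: one sender, 120 recipients at a single external domain.
SAMPLE_ENVELOPE = (b"Fanonymous@server\x00"
                   + b"".join(b"Tuser%d@example.org\x00" % i for i in range(120)))

# Constructed ps output in the shape of the posted listing (one line truncated).
SAMPLE_PS = """\
25328 ?  S  0:00  \\_ qmail-rspawn
25329 ?  S  0:00  |   \\_ qmail-remote example.org anonymous@server user1@example.org
25330 ?  S  0:00  |   \\_ qmail-remote example.org anonymous@server user2@example.org
25331 ?  S  0:00  |   \\_ qmail-remote example.org
25332 ?  S  0:00  |   \\_ qmail-remote example.com webform@example.com customer@example.com
""".splitlines()


def parse_remote_envelope(data: bytes) -> Tuple[str, List[str]]:
    """Split a queue/remote envelope into (sender, recipients)."""
    sender = None
    rcpts: List[str] = []
    for record in data.split(b"\x00"):
        if not record:
            continue                      # the trailing NUL leaves an empty field
        tag, value = chr(record[0]), record[1:].decode("utf-8", "replace")
        if tag == "F":
            sender = value
        elif tag == "T":
            rcpts.append(value)
        else:
            raise ValueError(f"unexpected record tag {tag!r}")
    if sender is None:
        raise ValueError("envelope has no F (sender) record")
    return sender, rcpts


def domain_counts(rcpts: List[str]) -> Counter:
    """Recipients per destination domain."""
    return Counter(r.rsplit("@", 1)[-1].lower() for r in rcpts)


def envelope_findings(rcpts: List[str], max_rcpts: int = 50) -> List[str]:
    """Reasons an envelope looks like bulk or relayed mail; empty list if none."""
    findings = []
    if len(rcpts) > max_rcpts:
        findings.append(f"{len(rcpts)} recipients in one envelope")
    if rcpts:
        domain, n = domain_counts(rcpts).most_common(1)[0]
        if n > max_rcpts // 2:
            findings.append(f"{n} recipients at {domain}")
    return findings


def qmail_remote_by_host(ps_lines: List[str]) -> Counter:
    """Count in-flight qmail-remote deliveries per destination host."""
    per_host: Counter = Counter()
    for line in ps_lines:
        if "qmail-remote" not in line:
            continue
        args = line.split("qmail-remote", 1)[1].split()
        if args:                          # a truncated line still names the host
            per_host[args[0].lower()] += 1
    return per_host


if __name__ == "__main__":
    sender, rcpts = parse_remote_envelope(SAMPLE_ENVELOPE)
    print(sender, len(rcpts), envelope_findings(rcpts))
    print(dict(qmail_remote_by_host(SAMPLE_PS)))
```

Run it against real queue files by reading them in binary and passing the bytes to parse_remote_envelope; a per-file recipient count sorted descending points straight at the message that produced the oversized file. On the start/stop question: qmail-smtpd only hands accepted mail to qmail-queue, and it is qmail-send that moves messages out of queue/todo and spawns qmail-remote and local delivery, so running qmail-smtpd without qmail-send accumulates a queue and delivers nothing, webform and webmail messages included.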
 
Old 09-05-2006, 03:32 PM   #8
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Sorry, I don't know qmail
 