Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Actually, that's a bad way to do it. You don't want to get yourself blackholed if you are accidentally an open relay.
There's a very easy way to test. From a remote host (a friend's box, a shell account, etc.), use telnet to connect to port 25/tcp on your box and try to send a message through your server to another domain.
For example, assume your domain is called "yourdomain.tld" and your mail server is "mail.yourdomain.tld". There is some third party domain (that you don't host) called "otherdomain.tld".
Code:
$ telnet mail.yourdomain.tld 25
Trying 10.1.1.1...
Connected to mail.yourdomain.tld.
Escape character is '^]'.
220 SMTP Proxy Server Ready
ehlo otherdomain.tld
250-mail.yourdomain.tld ESMTP Server Ready
250-SIZE 52428800
250-STARTTLS
250-TLS
250-AUTH LOGIN
250-AUTH=LOGIN
250 DSN
mail from: foo@otherdomain.tld
250 +OK Sender OK
rcpt to: foo@otherdomain.tld
571 Cannot relay. Mailbox not available foo@otherdomain.tld
rset
250 +OK Reset
quit
221 Service closing transmission channel closing connection
Connection closed by foreign host.
It should look something like the above. If you get "250 +OK Recipient OK" instead of "571 Cannot relay. Mailbox not available foo@otherdomain.tld", then you're an open relay and need to lock yourself down.
If you are an open relay, review the instructions found at the MAPS TSI Anti-Relay site.
Chort is right. Don't use orbs. That's like calling the cops to come over and test those wild plants in your backyard to see if they contain THC.
You probably are NOT an open relay unless you really tried to mess with your MTA's settings. Every contemporary MTA ships with default settings that prohibit relaying.
Getting a response from the system doesn't automatically imply that it's a relay. As chort suggested, try to send email to a user at another domain that is not handled by this system.
Ya, if you don't get a response from outside, people won't be able to send mail to you.
And just so you know, ORBS never blacklists you the first time; they give you about a week before they retest. If you aren't fixed by then, you are screwed.
Code:
Connected to mail.mydomain.com.
Escape character is '^]'.
220 myserver.mydomain.com ESMTP Postfix
ehlo otherdomain.com
250-myserver.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
mail from: foo@otherdomain.com
250 Ok
rcpt to: foo@otherdomain.com
250 Ok
Does this mean my server is an open relay?
And also, when I check the maillog it only displays info on connect and disconnect from the remote host I am using; no sending of mail has taken place.
Hi, I have just tested my mail server using the MAPS TSI advice by telnetting into relay-test.mail-abuse.org, and the result is that my server is not an open relay.
Code:
Feb 16 14:46:56 Server postfix/smtpd[26279]: 59C1E84D7: client=Cygnus.mail-abuse.org[168.61.4.13]
Feb 16 14:47:08 Server postfix/smtpd[26279]: 59C1E84D7: reject: RCPT from Cygnus.mail-abuse.org[168.61.4.13]: 554 <nobody%mail-abuse.org>: Relay access denied; from=<spamtest@> to=<nobody%mail-abuse.org> proto=SMTP helo=<cygnus.mail-abuse.org>
This snippet is from my maillog.
However, sometimes my mail server can get a bit weird, like sending out mail to addresses I don't even know; most of the time it gets deferred, but sometimes it gets sent out too.
For example:
Code:
Feb 11 01:48:04 Server postfix/qmgr[21175]: 1CF2C2FFF8: from=<>, size=12716, nrcpt=1 (queue active)
Feb 11 01:49:02 Server postfix/smtp[22811]: 1CF2C2FFF8: to=<20040206000016208.1476421367@errors.postmasterdirect.com>, relay=errors.postmasterdirect.com[64.14.49.48], delay=58, status=sent (250 ok 1076442275 qp 20957)
Feb 16 12:47:54 Server postfix/smtp[25922]: D3CF12FFFD: to=<jean@qmedsr54re.com>, relay=none, delay=176617, status=deferred (connect to 218.106.116.147[218.106.11
Feb 11 01:48:04 Server postfix/qmgr[21175]: 1CF2C2FFF8: from=<>, size=12716, nrcpt=1 (queue active)
Is this some kind of virus or script planted into my server?
If so, how can I check and get rid of the script/virus??
According to the first snippet you posted, you are an open relay. Try issuing the data command to see if it will actually accept your message. The first Postfix log message is just one type of relaying that was denied; probably a number of others were tried. Did you check to make sure they all got rejected?
The part about a message being deferred means it couldn't be delivered because of some type of connection failure. By the looks of it, it was spam being bounced and the responsible server didn't accept it.
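The telnet test from chort's first reply, together with the DATA step he suggests here, as an added example that is not code from the thread: probe_relay() does exactly the EHLO / MAIL FROM / RCPT TO sequence against a foreign domain, goes on to DATA only if RCPT was accepted, and drops the connection before the terminating "." so nothing is ever queued. MockSmtp is a constructed stand-in for the server under test so the script runs offline; the names MockSmtp, probe_relay, demo and the domains yourdomain.tld / otherdomain.tld are assumptions. To test a real server, call probe_relay("mail.yourdomain.tld", 25) from a host outside your own network.

```python
"""Automated form of the manual telnet relay test, with an offline mock server.
Constructed example: MockSmtp, probe_relay and demo are not code from the thread."""
import socket
import threading

LOCAL_DOMAIN = "yourdomain.tld"     # domain the server under test hosts (assumed)
FOREIGN_DOMAIN = "otherdomain.tld"  # third-party domain you do not host (assumed)

def read_reply(rfile):
    """Read one SMTP reply (single- or multi-line); return (code, [lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":   # "250-x" continues, "250 x" ends
            return int(line[:3]), lines

def probe_relay(host, port, foreign=FOREIGN_DOMAIN):
    """Attempt foreign->foreign relaying through host:port without queueing mail.
    "open": RCPT TO a foreign domain got 250 AND DATA got 354, so the server would
    really take the message (RCPT alone is not conclusive, some servers only refuse
    at DATA).  "closed": refused at the banner, MAIL, RCPT or DATA stage."""
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")
        try:
            def cmd(line):
                sock.sendall((line + "\r\n").encode("ascii"))
                return read_reply(rfile)

            code, lines = read_reply(rfile)                 # 220 banner
            if code != 220:
                return "closed", lines[-1]
            cmd(f"EHLO {foreign}")
            code, lines = cmd(f"MAIL FROM:<probe@{foreign}>")
            if code == 250:
                code, lines = cmd(f"RCPT TO:<probe@{foreign}>")
            if code != 250:
                cmd("QUIT")
                return "closed", lines[-1]   # e.g. "554 <...>: Relay access denied"
            code, lines = cmd("DATA")
            if code == 354:
                # Server would accept the message: open relay. Dropping the
                # connection before the terminating "." makes it discard the data.
                return "open", lines[-1]
            cmd("QUIT")
            return "closed", lines[-1]
        finally:
            rfile.close()

class MockSmtp:
    """Constructed stand-in for a Postfix smtpd on 127.0.0.1, one connection.
    Accepts RCPT only for LOCAL_DOMAIN unless open_relay=True."""

    def __init__(self, open_relay):
        self.open_relay, self.queued = open_relay, []
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self._srv.accept()
        rf = conn.makefile("rb")
        send = lambda s: conn.sendall((s + "\r\n").encode("ascii"))
        send("220 myserver.yourdomain.tld ESMTP Postfix")
        while raw := rf.readline():
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                send("250-myserver.yourdomain.tld\r\n250 8BITMIME")
            elif verb in ("MAIL", "RSET"):
                send("250 Ok")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<> ")
                if self.open_relay or addr.rpartition("@")[2].lower() == LOCAL_DOMAIN:
                    send("250 Ok")
                else:
                    send(f"554 <{addr}>: Relay access denied")
            elif verb == "DATA":
                send("354 End data with <CR><LF>.<CR><LF>")
                body = []
                while (l := rf.readline()) and l.strip() != b".":
                    body.append(l)
                if not l:
                    break                       # client hung up mid-DATA: discard
                self.queued.append(b"".join(body))
                send("250 Ok: queued as 901FF84D6")
            elif verb == "QUIT":
                send("221 Bye"); break
        rf.close(); conn.close(); self._srv.close()

def demo():
    """Probe a locked-down mock and an open-relay mock; return their verdicts."""
    results = {}
    for name, open_relay in (("locked-down", False), ("open-relay", True)):
        srv = MockSmtp(open_relay)
        verdict, reply = probe_relay("127.0.0.1", srv.port)
        srv.thread.join(2)
        results[name] = (verdict, reply, len(srv.queued))
    return results

if __name__ == "__main__":
    for name, (verdict, reply, n) in demo().items():
        print(f"{name}: {verdict}; last reply {reply!r}; messages queued: {n}")
```

The verdict carries the server's last reply line, so on a locked-down server you get the "554 ... Relay access denied" text back as the reason, and on an open one the 354 that shows the message would have been taken; the mock's queued list stays empty in the open case precisely because the probe hangs up before sending the final ".".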
Code:
Connected to mail.mydomain.com.
Escape character is '^]'.
220 myserver.mydomain.com ESMTP Postfix
ehlo otherdomain.com
250-myserver.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
mail from: foo@otherdomain.com
250 Ok
rcpt to: foo@otherdomain.com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
this is just a test :)
.
250 Ok: queued as 901FF84D6
And in the maillog it's like this:
Code:
Feb 17 14:49:56 Server postfix/smtpd[28061]: connect from Server.mydomain.com[ip add]
Feb 17 14:50:10 Server postfix/smtpd[28061]: 901FF84D6: client=Server.mydomain.com[ip add]
Feb 17 14:51:41 Server postfix/cleanup[28065]: 901FF84D6: message-id=<20040217075010.901FF84D6@Server.mydomain.com>
Feb 17 14:51:41 Server postfix/qmgr[1742]: 901FF84D6: from=<foo@otherdomain.com>, size=439, nrcpt=1 (queue active)
Feb 17 14:51:41 Server postfix/qmgr[1742]: 901FF84D6: to=<foo@otherdomain.com>, relay=none, delay=91, status=deferred (deferred transport)
Feb 17 14:51:43 Server MailScanner[27116]: Postfix queue structure is depth 1
Feb 17 14:51:43 Server MailScanner[27116]: New Batch: Scanning 1 messages, 787 bytes
Feb 17 14:51:43 Server MailScanner[27116]: MCP Checks completed at 787 bytes per second
Feb 17 14:51:43 Server MailScanner[27116]: Spam Checks: Starting
Feb 17 14:51:54 Server MailScanner[27116]: Spam Checks completed at 71 bytes per second
Feb 17 14:51:54 Server MailScanner[27116]: Virus and Content Scanning: Starting
Feb 17 14:51:55 Server MailScanner[27116]: Virus Scanning completed at 787 bytes per second
Feb 17 14:51:56 Server MailScanner[27116]: Uninfected: Delivered 1 messages
Feb 17 14:51:56 Server MailScanner[27116]: Virus Processing completed at 787 bytes per second
Feb 17 14:51:56 Server MailScanner[27116]: Disinfection completed at 787 bytes per second
Feb 17 14:51:56 Server MailScanner[27116]: Batch completed at 71 bytes per second (787 / 11)
Feb 17 14:51:56 Server MailScanner[27116]: MailScanner child dying of old age
Feb 17 14:51:56 Server MailScanner[28076]: MailScanner E-Mail Virus Scanner version 4.26.8 starting...
Feb 17 14:51:56 Server MailScanner[28076]: Enabling SpamAssassin auto-whitelist functionality...
Feb 17 14:52:04 Server MailScanner[28076]: Using locktype = flock
Feb 17 14:52:12 Server postfix/qmgr[1828]: 6F8FE2FF27: from=<foo@otherdomain.com>, size=563, nrcpt=1 (queue active)
Feb 17 14:52:53 Server postfix/smtp[28078]: 6F8FE2FF27: to=<foo@otherdomain.com>, relay=pop.otherdomain.com[ip add], delay=163, status=sent (250 ok 1077004161 qp 31054)
douh!!!!
How and where can I set my mail server to not be an open relay???
Help please.
But how come the one I use from MAPS TSI prints out relay denied?
Weird, will try to telnet to the above given address from MAPS again.
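A log-side check, added here and not code from the thread: correlate Postfix maillog lines by queue id and flag only messages whose client= address is outside the local networks and whose recipient is outside the local domains, which is the combination that actually means relaying for outsiders. The sample log is constructed from lines in this thread plus invented entries (192.0.2.10 standing in for the "[ip add]" placeholder, and 203.0.113.77 with queue id A1B2C3D4E5 as a made-up external relay); MYNETWORKS, LOCAL_DOMAINS and the function names are assumptions to be filled in for your own site.

```python
"""Correlate Postfix maillog lines per queue id to spot relayed messages.
Constructed example, not code from the thread; analyzer names and the sample
IPs 192.0.2.10 / 203.0.113.77 and queue id A1B2C3D4E5 are made up."""
import ipaddress
import re
from collections import defaultdict

# What Postfix itself uses to decide who may relay: clients inside mynetworks,
# and recipient domains this host is responsible for. Assumed values; adjust.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"mydomain.com"}

QID = r"(?P<qid>[0-9A-F]{6,}):"
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: " + QID +
                       r" client=(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]")
REJECT_RE = re.compile(r"postfix/smtpd\[\d+\]: " + QID +
                       r" reject: RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
                       r"(?P<code>\d{3}) <(?P<to>[^>]*)>: (?P<reason>[^;]+)")
TO_RE = re.compile(r"postfix/(?:smtp|qmgr|local|virtual)\[\d+\]: " + QID +
                   r" to=<(?P<to>[^>]*)>.*status=(?P<status>\w+)")

# Constructed sample: the mail-abuse.org reject and the local telnet test from
# the thread (placeholder IP filled in), plus one invented external relay.
SAMPLE_LOG = """\
Feb 16 14:46:56 Server postfix/smtpd[26279]: 59C1E84D7: client=Cygnus.mail-abuse.org[168.61.4.13]
Feb 16 14:47:08 Server postfix/smtpd[26279]: 59C1E84D7: reject: RCPT from Cygnus.mail-abuse.org[168.61.4.13]: 554 <nobody%mail-abuse.org>: Relay access denied; from=<spamtest@> to=<nobody%mail-abuse.org> proto=SMTP helo=<cygnus.mail-abuse.org>
Feb 17 14:50:10 Server postfix/smtpd[28061]: 901FF84D6: client=Server.mydomain.com[192.0.2.10]
Feb 17 14:51:41 Server postfix/qmgr[1742]: 901FF84D6: from=<foo@otherdomain.com>, size=439, nrcpt=1 (queue active)
Feb 17 14:51:41 Server postfix/qmgr[1742]: 901FF84D6: to=<foo@otherdomain.com>, relay=none, delay=91, status=deferred (deferred transport)
Feb 17 15:02:03 Server postfix/smtpd[28090]: A1B2C3D4E5: client=unknown[203.0.113.77]
Feb 17 15:02:05 Server postfix/qmgr[1742]: A1B2C3D4E5: from=<foo@otherdomain.com>, size=612, nrcpt=1 (queue active)
Feb 17 15:02:09 Server postfix/smtp[28095]: A1B2C3D4E5: to=<foo@otherdomain.com>, relay=pop.otherdomain.com[198.51.100.25], delay=6, status=sent (250 ok)
"""

def is_local_client(ip):
    """True if ip lies inside MYNETWORKS; unparsable text is treated as outside."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MYNETWORKS)

def is_local_recipient(address):
    return address.rpartition("@")[2].lower() in LOCAL_DOMAINS

def analyze(log_lines):
    """Return {'relayed': [(qid, client_ip, to, status)], 'denied': [(client_ip, to)]}."""
    clients, deliveries, denied = {}, defaultdict(list), []
    for line in log_lines:
        if m := CLIENT_RE.search(line):
            clients[m["qid"]] = m["ip"]
        elif (m := REJECT_RE.search(line)) and "Relay access denied" in m["reason"]:
            denied.append((m["ip"], m["to"]))
        elif m := TO_RE.search(line):
            deliveries[m["qid"]].append((m["to"], m["status"]))
    relayed = []
    for qid, recips in deliveries.items():
        ip = clients.get(qid)
        # No client= line: generated locally (bounce, sendmail(1)). Inside
        # mynetworks: allowed by permit_mynetworks. Neither is open relaying.
        if ip is None or is_local_client(ip):
            continue
        relayed += [(qid, ip, to, st) for to, st in recips
                    if not is_local_recipient(to) and st in ("sent", "deferred")]
    return {"relayed": relayed, "denied": denied}

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for qid, ip, to, status in result["relayed"]:
        print(f"RELAYED  {qid} from {ip} to {to} ({status})")
    for ip, to in result["denied"]:
        print(f"DENIED   relay attempt from {ip} to {to}")
```

Postfix's stock smtpd_recipient_restrictions of permit_mynetworks followed by reject_unauth_destination let any client inside mynetworks relay and refuse everyone else, which is why the analyzer skips messages whose client= is a local address. That is most likely also the answer to the apparent contradiction in this thread: the telnet session logged above came from Server.mydomain.com, i.e. from the server itself, so it was permitted as a local client and does not show that outside hosts can relay, while the relay-test.mail-abuse.org probe, which did come from outside, was refused. Running `postconf mynetworks smtpd_recipient_restrictions` on the server prints the live values to copy into MYNETWORKS, and a deferred delivery to an outside domain from an outside client is flagged just like a sent one, since the relay was accepted even if it has not gone out yet.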