Linux - Security forum on LinuxQuestions.org. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have postfix set up to use gmail as a relay host. My postfix accepts mail to my domain (say foo.org).
Everything works fine; I'm able to send email through Google no problem.
I THOUGHT I was not an open relay, but I found my "Sent" folder in Google flooded with sent junk (Chinese), my mailq had over 200,000 msgs, and postfix went crazy (basically I was DoS'd).
postfix/main.cf
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (WuZzY)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#home_mailbox = /var/mail/maildir/ #Maildir/
mail_spool_directory = /var/mail/maildir/
# SASL stuff (note: the smtpd TLS settings above are commented out, so the
# AUTH PLAIN/LOGIN advertised to clients is accepted over an unencrypted
# connection and credentials cross the wire in cleartext)
smtpd_sasl_auth_enable = yes
# Evaluated left to right; permit_mynetworks fires first, so any client that
# matches mynetworks (below) may relay to any destination. check_relay_domains
# is obsolete and is already covered by reject_unauth_destination.
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_relay_domains
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = wuzzy.foo.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = foo.org
mydestination = foo.org, localhost.localdomain, localhost
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/example_gmail-cert.pem
smtp_tls_key_file = /etc/postfix/example_gmail-key.pem
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# 0.0.0.0/0 is every IPv4 address, so every client satisfies permit_mynetworks above
mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
When I telnet to the server
Code:
Connected to wuzzy.
Escape character is '^]'.
220 wuzzy.foo.org ESMTP Postfix (WuZzY)
EHLO bar.org
250-wuzzy.foo.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Sample from log file:
Code:
Oct 17 21:12:57 wuzzy postfix/smtp[2805]: C07141C1854: to=<qs_ying@yahoo.com.tw>, relay=smtp.gmail.com[74.125.157.109]:587, delay=16, delays=15/0.01/1.1/0.05, dsn=4.7.0, status=deferred (host smtp.gmail.com[74.125.157.109] said: 421 4.7.0 Try again later, closing connection. (MAIL) p1sm3750463ybn.5 (in reply to MAIL FROM command))
I would look very carefully at how you configured your relay host (gmail). I would also suggest running one of the tests on the open-relay test websites to be sure.
I have already set up smtpd_recipient_restrictions (in main.cf) to "permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_relay_domains".
Which obviously doesn't look correct. I will fix this and see if it helps, but I'm not sure what a good way to test this would be (I had already tested my configuration before and failed to send without being authenticated. Not sure how the attackers did it... but then again I'm kind of a mail-server noob). I will look for an open-relay testing site.
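The open-relay test the replies point at (abuse.net) is just an SMTP conversation: connect without authenticating, send MAIL FROM with a foreign address, send RCPT TO another foreign domain, and see whether the server answers 250 (it will relay) or 554 (it refuses). The script below is an added example, not code from the thread or from Postfix; it performs that probe and never sends DATA, so no message is injected even when the target turns out to be open. The StubMTA class is a constructed stand-in for a mail server so the block runs offline; its host names, addresses and the "foo.org" local domain are assumptions. Run the probe only against servers you are responsible for.

```python
import socket
import threading


def _reply(sock):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        for line in data.split(b"\r\n")[:-1]:
            if len(line) >= 4 and line[3:4] == b" ":   # 'NNN ' is the final line
                return int(line[:3])


def _cmd(sock, command):
    sock.sendall(command.encode() + b"\r\n")
    return _reply(sock)


def probe_relay(host, port, helo="relaytest.example", sender="relaytest@example.org",
                recipient="relaytest@example.net", timeout=10):
    """Return (accepted, transcript).  accepted is True when the server answers
    250 to RCPT TO a foreign domain from an unauthenticated client.  DATA is
    never sent, so the probe cannot inject a message."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        transcript.append(("banner", _reply(s)))
        for name, line in (("ehlo", f"EHLO {helo}"),
                           ("mail", f"MAIL FROM:<{sender}>"),
                           ("rcpt", f"RCPT TO:<{recipient}>")):
            code = _cmd(s, line)
            transcript.append((name, code))
            if code >= 400:           # 4xx/5xx: stop, the server has answered
                break
        try:
            _cmd(s, "RSET")
            _cmd(s, "QUIT")
        except OSError:
            pass
    accepted = any(n == "rcpt" and c == 250 for n, c in transcript)
    return accepted, transcript


class StubMTA(threading.Thread):
    """Constructed stand-in for a real MTA so the probe can run offline.
    open_relay=True answers 250 to every RCPT; otherwise recipients outside
    local_domains get '554 5.7.1 Relay access denied', which is what Postfix
    replies when reject_unauth_destination fires."""

    def __init__(self, open_relay, local_domains=("foo.org",)):
        super().__init__(daemon=True)
        self.open_relay, self.local_domains = open_relay, local_domains
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))      # OS picks a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        with conn, self.listener:
            conn.sendall(b"220 stub.example ESMTP\r\n")
            buf = b""
            while chunk := conn.recv(1024):
                buf += chunk
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    cmd = line.decode(errors="replace").upper()
                    if cmd.startswith("EHLO"):
                        conn.sendall(b"250-stub.example\r\n250 8BITMIME\r\n")
                    elif cmd.startswith("RCPT TO:"):
                        domain = cmd.split("@", 1)[-1].rstrip(">").lower()
                        ok = self.open_relay or domain in self.local_domains
                        conn.sendall(b"250 2.1.5 Ok\r\n" if ok
                                     else b"554 5.7.1 Relay access denied\r\n")
                    elif cmd.startswith("QUIT"):
                        conn.sendall(b"221 2.0.0 Bye\r\n")
                        return
                    else:
                        conn.sendall(b"250 2.0.0 Ok\r\n")


def probe_stub(open_relay):
    """Run the probe against a stub with the given policy; returns accepted."""
    server = StubMTA(open_relay)
    server.start()
    return probe_relay("127.0.0.1", server.port)[0]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # python relayprobe.py mail.example.org [port]
        ok, log = probe_relay(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25)
        print("OPEN RELAY" if ok else "relay refused", log)
    else:
        print("open stub:", probe_stub(True), " closed stub:", probe_stub(False))
```

Pointed at the configuration in this thread the probe reports an accepted RCPT, because permit_mynetworks matches any client before reject_unauth_destination is reached. A refusal from this probe does not prove the server is closed for every source address (mynetworks entries are still exempt), so it should be run from a host outside mynetworks.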
OK, I used http://www.abuse.net/relay.html to test my server before making any changes. It reported that my message was accepted (but may have been discarded by postfix still), so it MAY be an open relay. I checked the log and it was NOT discarded.
It definitely seemed like the "mynetworks" thing. I removed the "permit_mynetworks" from the recipient restrictions, and re-ran the test:
All tests performed, no relays accepted.
So that solves the problem.
As a side note, postfix claims to be a non-open-relay by "default" (I read that in their documentation somewhere), but I find having smtpd_recipient_restrictions = permit_mynetworks and mynetworks = 0.0.0.0/0 by default to be a contradiction.
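The "contradiction" is only apparent: permit_mynetworks is harmless when mynetworks names only trusted networks, and Postfix's stock default (loopback, or the local subnets) is exactly that. The problem is the combination. The following is an added example, not code from the thread or from Postfix: a small model of how smtpd_recipient_restrictions is evaluated, run over the thread's relay-relevant settings and over a corrected copy. Both main.cf fragments are constructed from the posted configuration; the client address 203.0.113.7 and the domain example.net are assumptions (documentation addresses), and only the three restrictions that matter for relaying are modelled.

```python
import ipaddress

# Constructed main.cf fragments: the thread's relay-relevant settings, and the
# same settings with mynetworks narrowed to loopback and the obsolete
# check_relay_domains dropped.
BROKEN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_relay_domains
mynetworks = 0.0.0.0/0 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mydestination = foo.org, localhost.localdomain, localhost
"""

FIXED_CF = """\
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mydestination = foo.org, localhost.localdomain, localhost
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        conf[name.strip()] = value.strip()
    return conf


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def parse_network(item):
    """Postfix writes IPv6 networks as [addr]/prefix; strip the brackets."""
    if item.startswith("["):
        addr, _, prefix = item[1:].partition("]")
        item = addr + prefix
    return ipaddress.ip_network(item, strict=False)


def relay_decision(conf, client_ip, authenticated, rcpt_domain):
    """Evaluate smtpd_recipient_restrictions for one RCPT TO.

    Rules are tried left to right and the first permit_* or reject_* that
    applies decides.  Any rule not modelled here (e.g. check_relay_domains)
    is treated as 'dunno'.  When the list runs out without a decision,
    Postfix permits.
    """
    client = ipaddress.ip_address(client_ip)
    nets = [parse_network(n) for n in split_list(conf.get("mynetworks", ""))]
    local = {d.lower() for d in split_list(conf.get("mydestination", ""))}
    for rule in split_list(conf.get("smtpd_recipient_restrictions", "")):
        if rule == "permit_mynetworks" and any(client in n for n in nets):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule == "reject_unauth_destination" and rcpt_domain.lower() not in local:
            return ("reject", rule)
    return ("permit", "end of list")


def is_open_relay(conf):
    """True if an unauthenticated client at an arbitrary Internet address
    (203.0.113.7, an assumed documentation address) may relay to a foreign domain."""
    verdict, _ = relay_decision(conf, "203.0.113.7", False, "example.net")
    return verdict == "permit"


def audit(text):
    """Return a list of findings for a main.cf; an empty list means no relay problem."""
    conf = parse_main_cf(text)
    findings = []
    for item in split_list(conf.get("mynetworks", "")):
        if parse_network(item).prefixlen == 0:
            findings.append(f"mynetworks contains {item}: every client counts as 'mine'")
    if is_open_relay(conf):
        findings.append("open relay: unauthenticated Internet client may relay to a foreign domain")
    return findings


if __name__ == "__main__":
    for label, text in (("thread config", BROKEN_CF), ("corrected config", FIXED_CF)):
        print(label, "->", audit(text) or ["ok"])
```

With the corrected fragment, loopback clients and SASL-authenticated clients still relay, inbound mail for foo.org is still accepted from anyone, and an unauthenticated Internet client is rejected at reject_unauth_destination. On Postfix 2.10 and later the same decision is additionally subject to smtpd_relay_restrictions, whose default already ends in defer_unauth_destination; the model above covers the 2.x releases in the thread, where smtpd_recipient_restrictions alone decided.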
That is a good find. If I am not mistaken, mynetworks = 0.0.0.0/0 means accept ALL networks. Naturally, you would want to permit your networks and include localhost (127.0.0.1), and this was probably a mistaken attempt to do that. Out of curiosity, you mention this being a default. Was this a default from the install or from a how-to document?
I just installed postfix on another machine (running the same OS, Fedora 13), and the default config file did NOT contain mynetworks=0.0.0.0, so it must have been a howto I've followed.
I guess it's my fault. I should check to see what I'm following.
Thank you for following up on this. This is good information that might also help someone else in the future. If you are able to find the how-to that contains this, you might want to contact the author or at least make a comment on their blog regarding the 'mistake'.