> Ok; we had to be sure there wasn't something listening on 25/tcp

True.

> yet I can't understand why, as you reported

Which is why I made the original post. :-)

> seems to indicate that there must be something else running on the  
> system and allowing to reach the SMTP server
> using the loopback address; such a program has to be listening on a  
> public IP and "tunnelling" the connection toward 127.0.0.1

For the life of me, I can't guess what it might be. It might be  
obvious if it were a hack that sent many e-mails. All I can see is the  
occasional single e-mail (unless I just happen to get one of  
thousands). My first thought was that amavisd was the culprit, since  
it was present in the header, but it seems to be there only because  
Postfix calls it. Also, the chain is from the outside directly to  
Postfix. I'd be surprised that there was anything missing in the  
chain. Here it is again, so you can see what I mean:

Return-Path: <paym...@cenbank.org>
Received: from mymxserver.com ([unix socket])
         by mymxserver.com (Cyrus v2.3.8-OS X Server 10.5:      9G69) with LMTPA;
         Tue, 28 Jul 2009 14:32:48 -0400
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
        by mymxserver.com (Postfix) with ESMTP id 8AB13B16DA2
        for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:48 -0400 (EDT)
X-Quarantine-ID: <7pa9PF6Mj5nV>
X-Virus-Scanned: amavisd-new at myserver.com
Received: from mymxserver.com ([127.0.0.1])
        by localhost (mymxserver.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 7pa9PF6Mj5nV for <u...@myvirtualdomain.com>;
        Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from mout3.freenet.de (localhost [127.0.0.1])
        by mymxserver.com (Postfix) with ESMTP id 9868FB16D96
        for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from [195.4.92.15] (helo=5.mx.freenet.de)
        by mout3.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25) (Exim 4.69 #92)
        id 1MVTzj-0002vQ-JV; Mon, 27 Jul 2009 19:28:15 +0200
Received: from ml82.128.2.28.multilinks.com ([82.128.2.28]:3927 helo=User)
        by 5.mx.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25) (Exim 4.69 #93)
        id 1MVTzg-0004nD-SO; Mon, 27 Jul 2009 19:28:15 +0200

The mail is sent by a user at multilinks.com to 5.mx.freenet.de, which  
ships it to mout3.freenet.de, which, in turn, talks (apparently)  
directly to my server's Postfix. If the structure of your suggestion  
is the cause of the problem, I'm surprised that there's no  
intermediary process at 127.0.0.1 between mout3.freenet.de and  
Postfix. I'd have expected one more "Received:" (if that phantom  
process is acting as a mail server; unless, of course, someone hacked  
my machine so skillfully that the hack masked its presence by faking  
a direct conversation between mout3.freenet.de and my Postfix).

> the public IP listening port may even not be 25;

True, but I'd have expected some evidence of another process at  
127.0.0.1.

> so, the next step may be running nmap against the listening ports  
> and grabbing the "banner" to see if one of those ports returns the  
> SMTP server banner;

I'm not a CLI guru. Could you help a little with the right command?  
Thanks.

> I'd check if the server is running any kind of web service;

It is.

> in such a case the "assp bypass" may come from some page or cgi  
> allowing to directly send emails

True. But, again, I'd expect in the header some evidence of where the  
mail came from. I'm not seeing that. It would surely have required  
that whatever came through the web server would have masked itself as  
5.mx.freenet.de and mout3.freenet.de, which I'm not seeing. I suppose  
it could be lying about the port 25, too.... :-/

Thoughts?

T.

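An added example, not from the original post and not part of ASSP: the script below parses the Received: chain quoted in the message and prints, for each hop in chronological order, the name the sending side claimed (HELO) next to the peer address the receiving MTA actually recorded. It flags hops where the receiver saw a loopback peer while the claimed name was an outside host, which is the signature the reply above describes for a program accepting connections on a public address and tunnelling them to 127.0.0.1. The header sample is the one quoted in the message, with the list's redactions left as they appear; the `local_names` set (names that legitimately connect over loopback on this server) is an assumption the caller supplies.

```python
import ipaddress
import re

# Constructed sample: the Received: chain quoted in the message above, with the
# list's redactions ("u...@", "ngt5...@") left as they appear.
SAMPLE_HEADERS = """\
Return-Path: <paym...@cenbank.org>
Received: from mymxserver.com ([unix socket])
         by mymxserver.com (Cyrus v2.3.8-OS X Server 10.5: 9G69) with LMTPA;
         Tue, 28 Jul 2009 14:32:48 -0400
X-Sieve: CMU Sieve 2.3
Received: from localhost (localhost [127.0.0.1])
        by mymxserver.com (Postfix) with ESMTP id 8AB13B16DA2
        for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:48 -0400 (EDT)
X-Quarantine-ID: <7pa9PF6Mj5nV>
X-Virus-Scanned: amavisd-new at myserver.com
Received: from mymxserver.com ([127.0.0.1])
        by localhost (mymxserver.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 7pa9PF6Mj5nV for <u...@myvirtualdomain.com>;
        Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from mout3.freenet.de (localhost [127.0.0.1])
        by mymxserver.com (Postfix) with ESMTP id 9868FB16D96
        for <u...@myvirtualdomain.com>; Tue, 28 Jul 2009 14:32:46 -0400 (EDT)
Received: from [195.4.92.15] (helo=5.mx.freenet.de)
        by mout3.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25) (Exim 4.69 #92)
        id 1MVTzj-0002vQ-JV; Mon, 27 Jul 2009 19:28:15 +0200
Received: from ml82.128.2.28.multilinks.com ([82.128.2.28]:3927 helo=User)
        by 5.mx.freenet.de with esmtpa (ID ngt5...@justmail.de) (port 25) (Exim 4.69 #93)
        id 1MVTzg-0004nD-SO; Mon, 27 Jul 2009 19:28:15 +0200
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})")   # "[1.2.3.4]" or "[1.2.3.4]:port"
HELO_RE = re.compile(r"helo=([^\s)]+)")                 # Exim-style "(helo=NAME)"


def unfold(raw):
    """Join RFC 5322 folded header lines; return a list of (name, value)."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_hop(value):
    """Split one Received: value into what the sender claimed and what the receiver saw."""
    m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", value, re.S)
    if not m:
        return None
    from_clause, by_host = m.group(1), m.group(2)
    claimed = from_clause.split()[0]          # Postfix style: "from HELO (reverse [ip])"
    helo = HELO_RE.search(from_clause)
    if helo:                                  # Exim style: "from [ip] (helo=NAME)"
        claimed = helo.group(1)
    ip = IPV4_RE.search(from_clause)
    peer = ip.group(1) if ip else None        # None for "[unix socket]" (Cyrus LMTP)
    return {"claimed": claimed, "peer": peer, "by": by_host}


def analyse(raw, local_names):
    """Return hops oldest-first; 'suspect' marks a loopback peer with a foreign HELO."""
    hops = [parse_hop(v) for n, v in unfold(raw) if n.lower() == "received"]
    hops = [h for h in hops if h]
    hops.reverse()                            # Received: headers are newest-first
    for h in hops:
        loopback = bool(h["peer"]) and ipaddress.ip_address(h["peer"]).is_loopback
        h["suspect"] = loopback and h["claimed"].lower() not in local_names
    return hops


def suspect_hops(raw, local_names):
    return [h for h in analyse(raw, local_names) if h["suspect"]]


if __name__ == "__main__":
    # Assumption: these are the names that legitimately speak to Postfix over loopback here.
    for h in analyse(SAMPLE_HEADERS, {"localhost", "mymxserver.com"}):
        mark = "  <-- loopback peer, outside HELO" if h["suspect"] else ""
        print(f"claimed {h['claimed']:<30} peer {str(h['peer']):<14} by {h['by']}{mark}")
```

On the quoted chain the only flagged hop is the one Postfix recorded as "from mout3.freenet.de (localhost [127.0.0.1])": the HELO names a freenet host, but the TCP peer Postfix saw was loopback. Whatever accepted the connection from mout3.freenet.de and re-delivered it to 127.0.0.1 did not add a Received: line of its own, so the parenthesised peer address is the only trace of it in the headers.
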
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
