Re: Strange open relay problem with qmail due to bad configuration.
On Mon, Sep 13, 1999 at 09:47:14AM +0100, Petr Novotny wrote: If you told us the IP of your machine so that we could look up on the ORBS site the exact problem, we could be more helpful. I guess I didn't express myself clear enough. The problem is fixed. I just thought someone might be interested since one usualy think one is protected when one uses qmail's rcpthosts file. The problem was that my secondary mail server allowed third party relaying of this form user%domain@[ipnumber] where ipnumber is my secondary mail server's ipnumber and the primary mailserver allows percent hack for allowed relayers. The reason this was worked, was because "me" was set to the domain name that the server was secondary mailserver for and not the hostname. The problem could be solved in three ways: * changing me to something that the mailhost was primary for (like its hostname). * Turning off percent hack at the primary mailserver. * Don't accepting the secondary mailserver as an allowed relayer at the primary mailserver. I choose the first option. The second option will be implemented shortly when we upgrade the primary mailserver. /Sebastian
Strange open relay problem with qmail due to bad configuration.
I just got a nasty letter from ORBS telling me that one of my SMTP servers was an open relay. The host was a secondary mailserver for some of our domains and it had no hosts in locals and a correctly configured rcpthosts. Its virtualhosts was also empty and it was not configured to allow percent hack. Still user%domain@[ipnumber], where ipnumber was the hosts IP number, was allowed stright through. me was set to a local domain, where another server was was primary and that server was configured to allow relaying for this server. [ipnumber] was changed to the default domain and that was in the rcpthosts file so it was ok. The message was forwarded to the primary smtp server for that domain and that server saw that the mail came from an authorized relayer and past it along... /Sebastian
Re: Potential hole?
On Wed, Sep 08, 1999 at 11:24:45AM +0500, Dmitry Niqiforoff wrote: Is there any suggestions about how to avoid all the potential problems? Yes. 1) Hack qmail-local to deny | usage for your users (check the gid?). 2) Prevent the users from creating .qmail files. Our users homedirs are owned by someone else. We give them subdirectories to use. Any dot file that we allow them to use are a symbolic link to a normal file in a sub directory. That way we don't have to worry about all other possible dot files that might give them the right to run something. We use a simple web page that let them configure forwarding, instead of letting them modify the files. 3) Hack qmail-local to chroot to the users' homedirs before running any commands. That way you can limit the damage the user may do and still let them run some programs. We do this for our users cgi programs. Don't forget resource limits if you follow this path... /Sebastian
