Re: open relay

[Timothy Mayo]

On Tue, Jun 26, 2001 at 12:58:22PM +0100, Tanuj Shah wrote:
> > -Original Message-
> > From: C P [mailto:[EMAIL PROTECTED]]
> > Sent: 26 June 2001 11:20
> > To: [EMAIL PROTECTED]
> > Subject: open relay
> > 
> > 
> > the problem is that even after running tcpserver it's 
> > allowing open relay...
> > 
> > what could be the possible reasons 
> > 
> > please suggest..
> 
> Use something like this:
> 
> 127.0.0.1:allow,RELAYCLIENT=""
> 20x.x.x.:allow,RELAYCLIENT=""
> :DENY

NO!!  This prevents the receipt of mail from any host except the two that
are also allowed to relay.  Bad idea.  The correct question to ask the original
poster is:

What are the contents of your /var/qmail/control/rcpthosts file?  Do you have
this file?

-- 
-
Timothy L. Mayo mailto:[EMAIL PROTECTED]
Senior System Administrator
The National Business Network Inc.
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc.  http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA  15146
(412) 810- Phone
(412) 810-8886 Fax

Re: open relay

[Vincent Schonau]

On Tue, Jun 26, 2001 at 12:58:22PM +0100, Tanuj Shah wrote:

> Use something like this:
 
> 127.0.0.1:allow,RELAYCLIENT=""
> 20x.x.x.:allow,RELAYCLIENT=""
> :DENY
 
> I just presume it's because there's no ':DENY' which blocks all else.

No, that will refuse connections from everywhere except the hosts explicitly
allowed. While this is a valid configuration, it will not work for servers
that are expected to receive email from the Internet.

Vince.

Re: open relay

[Vincent Schonau]

On Tue, Jun 26, 2001 at 03:50:20PM +0530, C P wrote:

> we are having problem regarding open relay. the tcp.smtp file looks like
> 20x.xx.xxx.x:allow,RELAYCLIENT=""
> 127.0.0.1:allow,RELAYCLIENT=""
 
> tcp server has been started as
> 
> tcpserver -x /etc/tcp.smtp.cdb -u 501 -g 2108 0 smtp
> /var/qmail/bin/qmail-smtpd &
> where uid and gid of qmaild are 501 and 2108

> the problem is that even after running tcpserver it's allowing open relay...
> 
> what could be the possible reasons 

Did you run 

tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.cdb.tmp < /etc/tcp.smtp

?

Does control/rcpthosts exist?


Vince.

RE: open relay

[Tanuj Shah]

> -Original Message-
> From: C P [mailto:[EMAIL PROTECTED]]
> Sent: 26 June 2001 11:20
> To: [EMAIL PROTECTED]
> Subject: open relay
> 
> 
> the problem is that even after running tcpserver it's 
> allowing open relay...
> 
> what could be the possible reasons 
> 
> please suggest..

Use something like this:

127.0.0.1:allow,RELAYCLIENT=""
20x.x.x.:allow,RELAYCLIENT=""
:DENY

I just presume it's because there's no ':DENY' which blocks all else.

HTH
-- 
Tanuj Shah
Enigma Health UK Limited

open relay

[C P]

hi all,


we are having problem regarding open relay. the tcp.smtp file looks like
20x.xx.xxx.x:allow,RELAYCLIENT=""
127.0.0.1:allow,RELAYCLIENT=""

tcp server has been started as

tcpserver -x /etc/tcp.smtp.cdb -u 501 -g 2108 0 smtp
/var/qmail/bin/qmail-smtpd &
where uid and gid of qmaild are 501 and 2108

the problem is that even after running tcpserver it's allowing open relay...

what could be the possible reasons 

please suggest..

thanks in adv,
pratibha







---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.247 / Virus Database: 120 - Release Date: 4/6/01

Re: Can't stop open relay

[Dave Sill]

"John Kuhn" <[EMAIL PROTECTED]> wrote:

>Can you people please stop sending me "you didn't read the docs" email.. I
>DID.. if I didn't I probably would have never got qmail up and running in
>the first place..

Then either you didn't read the right docs or you didn't understand
them.

>I'm am whole heartly sorry for being confused about
>something and asking for a little help..

There's no need to apologize for being confused. Just take a couple
deep breaths, calm down, and study:

  http://www.lifewithqmail.org/lwq.html#relaying

If it doesn't make sense, ask some specific questions about the bits
you don't get.

-Dave

Re: Can't stop open relay

[John Kuhn]

I did have rcpthosts set.. but I was under the impression that I could
secure my server with just tcp.smtp alone.. I was wrong.. I am sorry

>  Exception: If the environment variable RELAYCLIENT is set,
>  qmail-smtpd will ignore rcpthosts, and will append the value
> of RELAYCLIENT to each incoming recipient address.

Can you people please stop sending me "you didn't read the docs" email.. I
DID.. if I didn't I probably would have never got qmail up and running in
the first place.. I'm am whole heartly sorry for being confused about
something and asking for a little help..

John Kuhn

Re: Can't stop open relay

[Charles Cazabon]

John Kuhn <[EMAIL PROTECTED]> wrote:
> 
> can you explain this.. the docs state that by default qmail will not relay
> to anyone not in /etc/tcp.smtp

No, the documentation states that qmail will not relay if you populate
/var/qmail/control/rcpthosts properly.  The possible setting of the
RELAYCLIENT environment variable through tcpserver can then be used to
override this mechanism for particular hosts if desired.

> now that I do have my domain into rcpthosts it is the only way it will stop
> the open relay behavior because the server responds with "domain not in my
> rcpthosts" which is fine because I can bypass this with adding people to my
> tcp.smtp file
> 
> this is how it's supposed to work?

Yes.  rcpthosts specifies what domains you are responsible for mail for (local
domains, virtual domains, plus any domains for which you are a secondary MX).
RELAYCLIENT lets you specify particular hosts in your network for which you
wish to act as a relay or smarthost.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---

Re: Can't stop open relay

[Henning Brauer]

On Wed, May 16, 2001 at 10:44:04AM -0400, John Kuhn wrote:
> can you explain this.. the docs state that by default qmail will not relay
> to anyone not in /etc/tcp.smtp

...as long as a rcpthosts file is existant, yes.

> now that I do have my domain into rcpthosts it is the only way it will stop
> the open relay behavior because the server responds with "domain not in my
> rcpthosts" which is fine because I can bypass this with adding people to my
> tcp.smtp file
> 
> this is how it's supposed to work?

Absolutely.

-- 
* Henning Brauer, [EMAIL PROTECTED], http://www.bsws.de *
* Roedingsmarkt 14, 20459 Hamburg, Germany   *
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Re: Can't stop open relay

[Rick Updegrove]

From: "John Kuhn" <[EMAIL PROTECTED]>
> the problem
> it's seems no matter what I put in /etc/tcp.smtp anyone can relay mail off
> my server it will not deny anyone I've taken everything out besides the
> localhost address and recompiled with tcprules

Once I forgot to run ./config-fast FQDN in the qmail source dir after make; make
setup check

Did you?

Hope that helped.


Rick Up

Re: Can't stop open relay

[Greg White]

On Wed, May 16, 2001 at 10:03:50AM -0400, John Kuhn wrote:
> I've managed compile and setup Qmail along with courier thanks to the
> fabulous docs and howto's on it.. but I'm running into a fairly serious
> problem here..

I suspect that you haven't really read them too well...
> 
> the problem
> it's seems no matter what I put in /etc/tcp.smtp anyone can relay mail off
> my server it will not deny anyone I've taken everything out besides the
> localhost address and recompiled with tcprules
> 
> 127.0.0.1:allow,RELAYCLIENT=""
> :allow
> 
> compile it.. restart qmail.. and it's still an open relay.. people from any
> network can bounce email off me.. the only way I can stop it is to add my
> domain to /var/qmail/rcpthosts which will then bounce any email not sent to
> my domain.


Can you tell us why, precisely, populating rcpthosts is a problem? That
is the way it is supposed to be configured. From 'man qmail-smtpd':

   rcpthosts
   
 Allowed  RCPT  domains.   If  rcpthosts  is supplied,
 qmail-smtpd  will  reject  any   envelope
 recipient address with a domain not listed in rcpthosts.

 Exception: If the environment variable RELAYCLIENT is set,
 qmail-smtpd will ignore rcpthosts, and will append the value
 of RELAYCLIENT to each incoming recipient address.


You _must_ populate rcpthosts.

P.S. If the documents you have read do not state that populating
rcpthosts is a requirement, please point them out to me, or the list, so
that I/we can tell the whole world to stay away from them.

-- 
Greg White
Those who make peaceful revolution impossible will make violent
revolution inevitable.
-- John F. Kennedy

Re: Can't stop open relay

[John Kuhn]

> How did you follow docs without having your domain in rcpthosts?
> It -should- be there.

I worded that incorrectly.. it was in there..

> The fact that it wasn't there caused your open relay behavior.
>
> AFTER you add your domain to rcpthosts, add your networks back
> into /etc/tcp.smtp with the RELAYCLIENT envrionment variable set.

can you explain this.. the docs state that by default qmail will not relay
to anyone not in /etc/tcp.smtp

but it does.. all I have is my localhost line in /etc/tcp.smtp.. now if I
try to send from another network the mail server should respond with "this
server does not allow relaying to this host" or something similar.. it
doesn't, it just relays..

now that I do have my domain into rcpthosts it is the only way it will stop
the open relay behavior because the server responds with "domain not in my
rcpthosts" which is fine because I can bypass this with adding people to my
tcp.smtp file

this is how it's supposed to work?

> This is -definitely- in the docs.

sorry I did read the docs and just needed something cleared up

thanks for the reply
John Kuhn

Re: Can't stop open relay

[Charles Cazabon]

John Kuhn <[EMAIL PROTECTED]> wrote:
> 
> the problem
> it's seems no matter what I put in /etc/tcp.smtp anyone can relay mail off
> my server it will not deny anyone I've taken everything out besides the
> localhost address and recompiled with tcprules
> 
> 127.0.0.1:allow,RELAYCLIENT=""
> :allow

Do you have a /var/qmail/control/rcpthosts file?  What's in it?  Post the
complete, unedited output of `qmail-showctl`.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---

Can't stop open relay

[John Kuhn]

I've managed compile and setup Qmail along with courier thanks to the
fabulous docs and howto's on it.. but I'm running into a fairly serious
problem here..

some background
I run a Debian box behind a DSL router on a NAT setup which works as a local
mail server for my office.. some are allowed acsess to send outer office
email and some are restricted to inner office only

the problem
it's seems no matter what I put in /etc/tcp.smtp anyone can relay mail off
my server it will not deny anyone I've taken everything out besides the
localhost address and recompiled with tcprules

127.0.0.1:allow,RELAYCLIENT=""
:allow

compile it.. restart qmail.. and it's still an open relay.. people from any
network can bounce email off me.. the only way I can stop it is to add my
domain to /var/qmail/rcpthosts which will then bounce any email not sent to
my domain.

I also start qmail with this line

/usr/bin/tcpserver -- \
-u `id -u qmaild` -R -g `id -g nobody` -x /etc/tcp.smtp.cdb 0
smtp \
/usr/sbin/qmail-smtpd 2>&1 | $logger -t qmail -p mail.notice &"

the only thing I added here was the -R to shut off ident service (thanks to
the million people on this mailing list to answer that for me :)

thanks to anyone with some insite on this..

John Kuhn

Open Relay

[Marcilio Jorgensen Cassella]

Hello,

My SMTP server is in mail-abuse.org. Follow the Faq I did:

#cat .qmail-fixup-default
| [ "@$HOST" = "@fixme" ] || ( echo Permission denied; exit 100 )
| qmail-inject -f "$SENDER" -- "$EXT2"


#cat virtualdomains
fixme:fixup

#cat smtp.rules
200.18.178.:allow,RELAYCLIENT="@fixme"

All E-mail sent with , was not recived.
And it is keeping in Mailbox of alias.

- How do it, to this mail type have relay denied, like sendmail
?


Thanks for all,

Marcilio

Re: Open relay access based on domain

[Scott Gifford]

Bjorn Nilsen <[EMAIL PROTECTED]> writes:

> I need to allow open relay on my mail server for a certain domain eg:
> *.somedomain.com. tcpserver does not seem to support domain names is there
> some other way that I can do this?

You should be able to use

  =.somedomain.com:allow,RELAYCLIENT=""

with the latest version of tcpserver.  Earlier versions didn't support
this without a patch.

-ScottG.

Open relay access based on domain

[Bjorn Nilsen]

Hi,

I need to allow open relay on my mail server for a certain domain eg:
*.somedomain.com. tcpserver does not seem to support domain names is there
some other way that I can do this?

cheers,
Bjorn
-- 

Bjorn Nilsen <[EMAIL PROTECTED]>
Manux Solutions Ltd
Ph +64 3 343 2031   Fax +64 3 343 3064
Level 1, 39 Leslie Hills Drive, Riccarton
PO Box 3074 Christchurch

Re: No open relay but allowing authorized dynamic IP clients to postanywhere

[Frederik Vermeulen]

Geza I. Mark <[EMAIL PROTECTED]> wrote:
>The users access the
>Internet using their various ISPs where they have
>dynamic IP numbers. They are authenticated by their
>individual SSL certificates.
>
>The requirement would be to allow the users to send
>mail to anywhere and to receive mail from anywhere
>while atill preventing the machine to became an open relay.
>
>My idea is the following. I'd set up two copies of qmail,

It is possible with a single qmail implementing RFC2487 (STARTTLS).
Qmail-smtpd will then relay mail iff the connection is
authenticated with an SSL certificate, otherwise only mail to
local users will be accepted.

I have been experimenting with that and have a patch on
http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch
(server temporarily down, should be back tomorrow).

Regards,

Frederik

No open relay but allowing authorized dynamic IP clients to post anywhere

[Geza I. Mark]

Hi,

I am sorry if it was discussed before but I post this
question because I found no answer in the DOCS, FAQ,
and mailing list archive.

I run a freeBSD system where security is highest priority.
Normal users reach the machine only through  SSLProxy
channels for WWW and POP access. The users access the
Internet using their various ISPs where they have
dynamic IP numbers. They are authenticated by their
individual SSL certificates.

The requirement would be to allow the users to send
mail to anywhere and to receive mail from anywhere
while atill preventing the machine to became an open relay.

My idea is the following. I'd set up two copies of qmail,
one for incoming, another for outgoing mail. The two copies
of qmail would of course live in entirely different directories.

The first qmail copy would receive mails from anywhere
on port 25 but deliver nowhere but to the localhost.
Users download their mail using POP through an
SSLProxy channel. (Normal unencrypted POP port is disabled
by  tcp wrapper  for anyone except localhost.)

The second qmail copy would work on another port different
from 25 say 26. It would deliver mails to anywhere and
also receive mails from anywhere BUT receive only through
an SSLProxy channel. (Normal unencrypted port 26 would be
disabled by  tcp wrapper  for anyone except localhost.)

Do you think this plan is working and if yes how should
I setup qmail for this? Or is there a better solution
to my problem?

Thanks in advance,



Ge'za I. Ma'rk
http://www.phy.bme.hu/mg/index.html
[EMAIL PROTECTED]

Re: QMAIL SMTP OPEN RELAY

[Henning Brauer]

Am Mittwoch, 13. Dezember 2000 09:31 schrieb Jimmy Newell:

> How do I completely open up my qmail smtp server to be a smtp relay?

nice joke.

-- 

Henning Brauer |  BS Web Services
Hostmaster BSWS|  Roedingsmarkt 14
[EMAIL PROTECTED] |  20459 Hamburg
www.bsws.de|  Germany

Re: QMAIL SMTP OPEN RELAY

[defender of the protocol]

just out of curiosity, why would you want to do that?

- jeremy

At 06:20 PM 12/12/2000 -0600, joshua stein wrote:
>Jimmy Newell wrote:
> > How do I completely open up my qmail smtp server to be a smtp relay?
>
>don't.
>
> > I've searched the archives is deleting the
> > /var/qmail/control/rcpthosts file all I need to do?
>
>no.

Re: QMAIL SMTP OPEN RELAY

[Frank Precissi]

Unless you are running the server on an internal LAN, I *high*
discourage you from opening up a smtp relay.. Not only will you be
frowned upon by the internet community for being a spam-haven, but you
and your ISP could be put on the RBL (which is very bad)..  But to
answer your question, deleting the rcpthosts should do the trick.

Frank


Jimmy Newell wrote:

> How do I completely open up my qmail smtp server to be a smtp relay?
> I've searched the archives is deleting the
> /var/qmail/control/rcpthosts file all I need to do? What are the
> symptoms of not compiling the DNS patch,  I don't remember if I
> patched it.

--
-=-=-=-=-=-8<-=-=-=-=-=-
'I sense much NT in you. NT leads to blue screen, blue screen leads to
downtime, downtime leads to much suffering.' --- unknown linux jedi

http://www.vadept.com/pgp-public.txt

Re: QMAIL SMTP OPEN RELAY

[Brett Randall]

On Wed, 13 Dec 2000, [EMAIL PROTECTED] wrote:

> How do I completely open up my qmail smtp server to be a smtp relay?
> 
> I've searched the archives is deleting the
> /var/qmail/control/rcpthosts file all I need to do?

And make sure that you aren't passing tcpserver a -x argument (checks
to make sure the originating IP address is allowed to relay)
-- 
  B r e t t  R a n d a l l
   http://xbox.ipsware.com/
brett  _ @ _  ipsware.com

Re: QMAIL SMTP OPEN RELAY

[joshua stein]

Jimmy Newell wrote:
> How do I completely open up my qmail smtp server to be a smtp relay?

don't.

> I've searched the archives is deleting the
> /var/qmail/control/rcpthosts file all I need to do?

no.

QMAIL SMTP OPEN RELAY

[Jimmy Newell]

How do I completely open up my qmail smtp server to 
be a smtp relay?
 
I've searched the archives is deleting the 
/var/qmail/control/rcpthosts file all I need to do?
 
What are the symptoms of not compiling the DNS 
patch,  I don't remember if I patched it.

Re: Open Relay questionnaire

[Henning Brauer]

Am Dienstag,  5. Dezember 2000 04:18 schrieb Bruce Guenter:

> I believe relay-ctrl is the only one that supports Courier
> IMAP, but other than that all the ones I'm aware of do the same thing.

Hmm, open-smtp's concept is so clear, easy and powerfull that it's really 
easy to add support. I'm using qmail-ldap and therefore no checkpassword 
there, but it was really easy to patch auth_pop (the checkpassword 
replacement) to call pop3-record from open-smtp. Same with auth_imap, it 
should be fairly easy for any other authentification modules.  

-- 

Henning Brauer |  BS Web Services
Hostmaster BSWS|  Roedingsmarkt 14
[EMAIL PROTECTED] |  20459 Hamburg
www.bsws.de|  Germany

Re: Open Relay questionnaire

[Bruce Guenter]

On Mon, Dec 04, 2000 at 05:12:07PM -0600, Eric Walters wrote:
> Is there a compelling reason to use one form of smtp auth vs. another?

If you're referring to the various SMTP-after-POP/IMAP packages, not
really.  I believe relay-ctrl is the only one that supports Courier
IMAP, but other than that all the ones I'm aware of do the same thing.
-- 
Bruce Guenter <[EMAIL PROTECTED]>   http://em.ca/~bruceg/

 PGP signature

RE: Open Relay questionnaire

[Eric Walters]

Is there a compelling reason to use one form of smtp auth vs. another?



 -Original Message-
From:   Charles Cazabon [mailto:[EMAIL PROTECTED]]
Sent:   Monday, December 04, 2000 3:18 PM
To: [EMAIL PROTECTED]
Subject:Re: Open Relay questionnaire

Eric Walters <[EMAIL PROTECTED]> wrote:
> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between
security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to:
or
> mail from: contain a local domain qmail will not deliver the message?

Yes, it's theoretically possible.  Someone may have already implemented it,
but
I don't know of one offhand.  But this is not a happy medium.  Many spammers
are now forging the MAIL FROM: address as being from the host it is
connecting
to.  The above would provide no security, and essentially act as an open
relay.

> So far I have implemented relayclient but that is a real pain to
administer
> and an inconvenience to my users.

Not sure what you're referring to above; do you mean setting the RELAYCLIENT
variable based on static IP addresses?  That's completely transparent to
non-roaming users.  Or you could be referring to SMTP-after-POP, such as
implemented by Bruce Guenter's relay-ctrl package.  That's very convenient
for users -- all they have to do is check their mail before sending mail.

Charles
--
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---

Re: Open Relay questionnaire

[defender of the protocol]

smtp is outdated, it needs to be replaced

my 2c

- jeremy


At 04:25 PM 12/4/2000 -0500, you wrote:
>On Mon, Dec 04, 2000 at 02:24:39PM -0600, Eric Walters wrote:
> > I am looking for some input on this as it relates to virtual hosting.  My
> > users are all remote and I am trying to find a happy medium between 
> security
> > and user-friendliness.  Is there a way to ensure that unless the rcpt 
> to: or
> > mail from: contain a local domain qmail will not deliver the message?
>
>Relaying based on the envelope sender address causes your server to be
>an open relay by my standards, a spammer only needs to know the secret
>(using certain envelope senders) to use your MTA as a relay.

RE: Open Relay questionnaire

[Eric Walters]

I am using the RELAYCLIENT as a work around for now.  It is a temporary fix
only because I have to know the IP subnet they are coming from or a specific
static address.  I know it's not really intended to be used this way though.





 -Original Message-
From:   Charles Cazabon [mailto:[EMAIL PROTECTED]]
Sent:   Monday, December 04, 2000 3:18 PM
To: [EMAIL PROTECTED]
Subject:    Re: Open Relay questionnaire

Eric Walters <[EMAIL PROTECTED]> wrote:
> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between
security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to:
or
> mail from: contain a local domain qmail will not deliver the message?

Yes, it's theoretically possible.  Someone may have already implemented it,
but
I don't know of one offhand.  But this is not a happy medium.  Many spammers
are now forging the MAIL FROM: address as being from the host it is
connecting
to.  The above would provide no security, and essentially act as an open
relay.

> So far I have implemented relayclient but that is a real pain to
administer
> and an inconvenience to my users.

Not sure what you're referring to above; do you mean setting the RELAYCLIENT
variable based on static IP addresses?  That's completely transparent to
non-roaming users.  Or you could be referring to SMTP-after-POP, such as
implemented by Bruce Guenter's relay-ctrl package.  That's very convenient
for users -- all they have to do is check their mail before sending mail.

Charles
--
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---

RE: Open Relay questionnaire

[Eric Walters]

I have also heard that some email clients like M$'s Outlook Express are
hard-coded to send first.  Is there a work around to this other than tell
them to use another client or just ignore the message the first time they
connect?

Eric

 -Original Message-
From:   Eric Walters [mailto:[EMAIL PROTECTED]]
Sent:   Monday, December 04, 2000 4:16 PM
To: 'Alex Pennace'; 'Eric Walters'
Cc: [EMAIL PROTECTED]
Subject:RE: Open Relay questionnaire

That makes sense.  I am getting the impression that most people support some
form of SMTP auth like Vpopmail?  Any recommendations here?

Eric

 -Original Message-
From:   Alex Pennace [mailto:[EMAIL PROTECTED]]
Sent:   Monday, December 04, 2000 3:25 PM
To: Eric Walters
Cc: [EMAIL PROTECTED]
Subject:Re: Open Relay questionnaire

 << File: ATT00013.dat >> On Mon, Dec 04, 2000 at 02:24:39PM -0600, Eric
Walters wrote:
> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between
security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to:
or
> mail from: contain a local domain qmail will not deliver the message?

Relaying based on the envelope sender address causes your server to be
an open relay by my standards, a spammer only needs to know the secret
(using certain envelope senders) to use your MTA as a relay.

RE: Open Relay questionnaire

[Eric Walters]

Based on Alex's comments this is still "security by obscurity" so I am less
vulnerable, but still vulnerable.



 -Original Message-
From:   schmonz [mailto:schmonz]  On Behalf Of Amitai Schlair
Sent:   Monday, December 04, 2000 2:52 PM
To: [EMAIL PROTECTED]
Subject:    Re: Open Relay questionnaire

Eric Walters wrote:

> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between
security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to:
or
> mail from: contain a local domain qmail will not deliver the message?

If by "local domain" you mean "locally hosted virtual domain", then I
think qmail already does this by default. Perhaps I misunderstand. At
any rate, you may find the following patch helpful:

http://www.palomine.net/qmail/relaymailfrom.patch>

- Amitai

RE: Open Relay questionnaire

[Eric Walters]

That makes sense.  I am getting the impression that most people support some
form of SMTP auth like Vpopmail?  Any recommendations here?

Eric

 -Original Message-
From:   Alex Pennace [mailto:[EMAIL PROTECTED]]
Sent:   Monday, December 04, 2000 3:25 PM
To: Eric Walters
Cc: [EMAIL PROTECTED]
Subject:Re: Open Relay questionnaire

 << File: ATT00013.dat >> On Mon, Dec 04, 2000 at 02:24:39PM -0600, Eric
Walters wrote:
> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between
security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to:
or
> mail from: contain a local domain qmail will not deliver the message?

Relaying based on the envelope sender address causes your server to be
an open relay by my standards, a spammer only needs to know the secret
(using certain envelope senders) to use your MTA as a relay.

Re: Open Relay questionnaire

[Henning Brauer]

Am Montag,  4. Dezember 2000 21:52 schrieb Amitai Schlair:
> Eric Walters wrote:
> > I am looking for some input on this as it relates to virtual hosting.  My
> > users are all remote and I am trying to find a happy medium between
> > security and user-friendliness.  Is there a way to ensure that unless the
> > rcpt to: or mail from: contain a local domain qmail will not deliver the
> > message?
>
> If by "local domain" you mean "locally hosted virtual domain", then I
> think qmail already does this by default. Perhaps I misunderstand. At
> any rate, you may find the following patch helpful:
>
> http://www.palomine.net/qmail/relaymailfrom.patch>

This is _really_ insecure. Spend a few more seconds on qmail.org and look for 
smtp-after-pop. There's one called open-smtp, works great.

> - Amitai

-- 

Henning Brauer |  BS Web Services
Hostmaster BSWS|  Roedingsmarkt 14
[EMAIL PROTECTED] |  20459 Hamburg
www.bsws.de|  Germany

Re: Open Relay questionnaire

[Alex Pennace]

On Mon, Dec 04, 2000 at 02:24:39PM -0600, Eric Walters wrote:
> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to: or
> mail from: contain a local domain qmail will not deliver the message?

Relaying based on the envelope sender address causes your server to be
an open relay by my standards, a spammer only needs to know the secret
(using certain envelope senders) to use your MTA as a relay.

 PGP signature

Re: Open Relay questionnaire

[Charles Cazabon]

Eric Walters <[EMAIL PROTECTED]> wrote:
> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to: or
> mail from: contain a local domain qmail will not deliver the message?

Yes, it's theoretically possible.  Someone may have already implemented it, but
I don't know of one offhand.  But this is not a happy medium.  Many spammers
are now forging the MAIL FROM: address as being from the host it is connecting
to.  The above would provide no security, and essentially act as an open relay.

> So far I have implemented relayclient but that is a real pain to administer
> and an inconvenience to my users.

Not sure what you're referring to above; do you mean setting the RELAYCLIENT
variable based on static IP addresses?  That's completely transparent to
non-roaming users.  Or you could be referring to SMTP-after-POP, such as
implemented by Bruce Guenter's relay-ctrl package.  That's very convenient
for users -- all they have to do is check their mail before sending mail.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---

Re: Open Relay questionnaire

[Amitai Schlair]

Eric Walters wrote:

> I am looking for some input on this as it relates to virtual hosting.  My
> users are all remote and I am trying to find a happy medium between security
> and user-friendliness.  Is there a way to ensure that unless the rcpt to: or
> mail from: contain a local domain qmail will not deliver the message?

If by "local domain" you mean "locally hosted virtual domain", then I
think qmail already does this by default. Perhaps I misunderstand. At
any rate, you may find the following patch helpful:

http://www.palomine.net/qmail/relaymailfrom.patch>

- Amitai

Open Relay questionnaire

[Eric Walters]

I am looking for some input on this as it relates to virtual hosting.  My
users are all remote and I am trying to find a happy medium between security
and user-friendliness.  Is there a way to ensure that unless the rcpt to: or
mail from: contain a local domain qmail will not deliver the message?

So far I have implemented relayclient but that is a real pain to administer
and an inconvenience to my users.

SMTP Auth pros and cons?

Any suggestions so I don't reinvent the wheel?

Thanks,

Eric

Re: Help with open relay questions

[Charles Cazabon]

Eric Walters <[EMAIL PROTECTED]> wrote:
> 
> I have an qmail server setup and running,  but am having difficulty getting
> it to selectively relay.
> 
> I have a server setup so that it is using virtualdomains.  The users of the
> mail system connect to it from the Internet to send and receive email.
> Therefore I need it to allow people to send messages from a local user to a
> remote user.  It seems to be allowing all email to pass through.

You've probably got no /var/qmail/control/rcpthosts file, and are therefore
an open relay.  This is Very Bad (tm).

The file should contain lines for each domain you are willing to accept email
for -- this should be 'localhost', any proper names for the box and its local
domains (contents of /var/qmail/control/locals) and the domains in
virtualdomains.

Then, to allow your virtualdomain users on the net at large to send mail 
through you, install a POP-before-SMTP solution which allows people to relay
from any IP address _if_ they successfully check their mail with POP3
first.  The best POP-before-SMTP package (IMO) is Bruce Guenter's
excellent relay-ctrl.

See http://em.ca/~bruceg/relay-ctrl/ for more info.

As an alternative, your virtualdomain users really should be relaying their
mail through the SMTP server of their ISP -- this is what the ISP's SMTP
servers are for.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---

Help with open relay questions

[Eric Walters]

I have an qmail server setup and running,  but am having difficulty getting
it to selectively relay.

I have a server setup so that it is using virtualdomains.  The users of the
mail system connect to it from the Internet to send and receive email.
Therefore I need it to allow people to send messages from a local user to a
remote user.  It seems to be allowing all email to pass through.

I conducted the following test:  The test user is obviously not a valid
local user and the nms2001.com is not my qmail server and therefore not in
the virtualdomains file.  How can I prevent it from accepting these messages
but allow my Internet connected local users to use the system without it
being insecure like this.

@40003a1b0df124a9df34 new msg 4182335
@40003a1b0df124b03c1c info msg 4182335: bytes 221 from
<[EMAIL PROTECTED]>
 qp 756 uid 1003
@40003a1b0df1296d81c4 starting delivery 1: msg 4182335 to remote
ewalters@nm
s2001.com
@40003a1b0df12973791c status: local 0/10 remote 1/20
@40003a1b0df21194b98c delivery 1: success:
209.184.27.2_accepted_message./Re
mote_host_said:_250_Message_Accepted_for_Delivery./
@40003a1b0df211c47064 status: local 0/10 remote 0/20
@40003a1b0df211d1a34c end msg 4182335

How does one configure a 1-way open relay?

[Toby Steel]

Title: How does one configure a 1-way open relay?






How does one set up qmail as a oneway outgoing email only relay?
Of course one does not want an open relay to be accessible to incoming
SMTP messages, but we need to have sender/recipient be anyone/anyone.


I have remove control/rcpthosts to enable the open relay, but I need
to ensure that message requests come from the local network and 
not from anywhere else. Do you think this is a firewall configuration issue?
I.e. place the mail-server in between firewalls and accept only SMTP requests
from local IP. But wouldn't that prevent the handshake with a remote mailserver
to enable a message to be sent?


Toby Steel


Echoworx Inc.
[EMAIL PROTECTED]


 

RE: open relay test

[Hubbard, David]

http://www.abuse.net/relay.html is a good way.

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 17, 2000 7:13 PM
To: [EMAIL PROTECTED]
Subject: open relay test


How do I check for open relay?
I saw something once with a simple test.
could someone please point me to something
similar
-- 
Kind regards

Kevin Waterson
CEO OceaniaTLA

open relay test

[kevin]

How do I check for open relay?
I saw something once with a simple test.
could someone please point me to something
similar
-- 
Kind regards

Kevin Waterson
CEO OceaniaTLA

Re: Are we acting as an open relay?

[Greg White]

Jen Franklin wrote:
> 
> Today the postmaster "account" recevied about 20 messages stating unable
> to deliver mail, unable to return to sender. Neither address was a local
> address in any of these cases.
> 
> Our rcpthosts file only lists our domains.
> When I telneted into port 25 however and tried to mail from: a remote
> address and rcpt to: a remote address I recevied a 250 ok.
> 
> I am new to qmail but I have read the "Qmail newbie's guide to relaying"
> and I thought when I sent from  a remote email address to a remote email
> address I should have received a 553 domain not in allowed rcpthosts
> message. None of the mail i was trying to deliver has appeared in the
> remote accounts I was using.
> 
If the mail never got there, you're not relaying. An open relay would
have immediately sent the mail on to the proper SMTP host for delivering
to the account in question. The part of qmail that talks to the network
has no idea about the part of qmail that knows what users are local, and
what are not.  At least I can reassure you on that score Perhaps
others on the list could be more helpful as to why your server does
_not_ say:


553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

like mine do...

GW

RE: abuse.net results...was 'RE: Are we acting as an open relay?'

[Greg Owen]

> > You can use an automated relay tester, but beware that 
> > qmail appears not to pass the "[EMAIL PROTECTED]"
> > test (and the test usually says "This is not conclusive
> > unless you actually got mail").  
>
> It appears that my Qmail setup allows relaying when % is 
> between uername and domain. Why would that happen?
 
I apologize, I don't seem to have worded that correctly.

"qmail appears not to pass the mail%target... test, BUT IT DOES
PASS; that particular subtest is a false positive for qmail"

So, failing that one test is a false positive; ignore it and
consider yourself safe.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]

Re: abuse.net results...was 'RE: Are we acting as an open relay?'

[Peter van Dijk]

On Tue, Sep 19, 2000 at 04:19:50PM -0500, zealot wrote:
> Results from http://www.abuse.net/cgi-bin/relaytest show that 8 out of 9
> relay tests fail when probing my machine. However, the last test produced
> the following message:
> 
>   Relay test 9
>   >>> RSET
>   <<< 250 flushed
>   >>> MAIL FROM:
>   <<< 250 ok
>   >>> RCPT TO:<"relaytest%abuse.net">
>   <<< 250 ok
> 
> It appears that my Qmail setup allows relaying when % is between uername and
> domain. Why would that happen?

It just *accepted* the message, it never said it will relay, and, if
your box is configured correctly, it *won't*.

Greetz, Peter
-- 
dataloss networks
'/ignore-ance is bliss' - me

abuse.net results...was 'RE: Are we acting as an open relay?'

[zealot]

Results from http://www.abuse.net/cgi-bin/relaytest show that 8 out of 9
relay tests fail when probing my machine. However, the last test produced
the following message:

  Relay test 9
  >>> RSET
  <<< 250 flushed
  >>> MAIL FROM:
  <<< 250 ok
  >>> RCPT TO:<"relaytest%abuse.net">
  <<< 250 ok

It appears that my Qmail setup allows relaying when % is between uername and
domain. Why would that happen?



> -Original Message-
> From: Greg Owen [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 19, 2000 2:43 PM
> Subject: RE: Are we acting as an open relay?
>

>
>   You can use an automated relay tester, but beware that qmail appears
> not to pass the "[EMAIL PROTECTED]" test (and the test
> usually says
> "This is not conclusive unless you actually got mail").  There's a test at
> http://www.abuse.net/relay.html.

Re: Are we acting as an open relay?

[wolfgang zeikat]

i telnetted into port 25 (not sure if this is the machine you wrote about
tho) and got this:
220 info.load-otea.hrdc-drhc.gc.ca ESMTP
mail from: <[EMAIL PROTECTED]>  
250 ok
rcpt to: <[EMAIL PROTECTED]>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)


if you telnet from a machine that is in your relayclients, you wont get
the 553, could that explain it?

if someone sent mail(s) to non-existent_users@your_machine with a
non-existing envelope sender adress (as spammers often do), the mail
failure notes could not be delivered and would bounce ...

wolfgang


Also sprach Jen Franklin <[EMAIL PROTECTED]> on
19.09.2000:

Our rcpthosts file only lists our domains.
When I telneted into port 25 however and tried to mail from: a remote
address and rcpt to: a remote address I recevied a 250 ok.

RE: Are we acting as an open relay?

[Greg Owen]

> I am new to qmail but I have read the "Qmail newbie's guide 
> to relaying" and I thought when I sent from  a remote email
> address to a remote email address I should have received a
> 553 domain not in allowed rcpthosts message. None of the
> mail i was trying to deliver has appeared in the
> remote accounts I was using.

That is not correct - the newbies guide to relaying tells you how to
configure your mail server to accept mail from anyone, to anyone, as long as
the connection is from a trusted address.  The list of trusted addresses is
in the /etc/tcp.smtp file (compiled into tcp.smtp.cdb and referenced in the
tcpserver command line).

Following those instructions, if you test from your own box and your
tcp.smtp file allows that box to relay, then the test will work.  The real
test is what happens when mail is sent from an outside address, one not
owned by you or your users.

> I am concerned that we may be acting as an open relay. How 
> can I check/fix this?

You can use an automated relay tester, but beware that qmail appears
not to pass the "[EMAIL PROTECTED]" test (and the test usually says
"This is not conclusive unless you actually got mail").  There's a test at
http://www.abuse.net/relay.html.

If you have an external account, you can try to test from there,
manually.

-- 
gowen -- Greg Owen -- [EMAIL PROTECTED]
 

Are we acting as an open relay?

[Jen Franklin]

Today the postmaster "account" recevied about 20 messages stating unable
to deliver mail, unable to return to sender. Neither address was a local
address in any of these cases.

Our rcpthosts file only lists our domains.
When I telneted into port 25 however and tried to mail from: a remote
address and rcpt to: a remote address I recevied a 250 ok.

I am new to qmail but I have read the "Qmail newbie's guide to relaying"
and I thought when I sent from  a remote email address to a remote email
address I should have received a 553 domain not in allowed rcpthosts
message. None of the mail i was trying to deliver has appeared in the
remote accounts I was using.

I am concerned that we may be acting as an open relay. How can I check/fix
this?

Jjen

Jennifer Franklin
Assistant Application Designer
Labour Operations Applications Development
Human Resources Development Canada

Re: Open relay test.

[John Gonzalez/netMDC admin]

On 8 Sep 2000, John R. Levine wrote:

| (Friendly hint: if you ignore the ugly blinking message and send me
| mail anyway saying that the tester claimed that your system is an open
| relay because it accepted the test message, I'll write back and call
| you a moron.)
| 

Hrmm.. i just ran the test through my servers john, and for some reason,
i dont see any blinking text... only in pure black text:

>>> RSET
<<< 250 flushed
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 ok
>>> RCPT TO:<"relaytest%abuse.net">
<<< 250 ok

Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.


-- 
  ___   _  __   _  
__  /___ ___    /__  John Gonzalez/Net.Tech
__  __ \ __ \  __/_  __ `__ \/ __  /_  ___/ MDC Computers/netMDC!
_  / / / `__/ /_  / / / / / / /_/ / / /__ (505)439-0200/fax-437-3052
/_/ /_/\___/\__/ /_/ /_/ /_/\__,_/  \___/ http://www.netmdc.com
[-[system info]---]
  1:10pm  up 1 day, 18:39,  3 users,  load average: 0.22, 0.12, 0.10

Re: Open relay test.

[John R. Levine]

>*duh* - telnetting into the world from our mail server is prohibited by
>the firewall hehe.
>mail-abuse.org accepts mail from me via that server tho (relay reports).

You're welcome to use my experimental tester at
http://www.abuse.net/relay.html.  It's more or less the same tests
that the MAPS RSS uses, and is pretty similar to but less aggressive
than ORBS.

It also does the user%dom1@dom2 test, because that's a famous relay
hole in a lot of sendmail systems.  If you have qmail, the tester will
note that it accepted the message, then say in large ugly blinking
letters that your system is only an open relay if it actually forwards
the message back.  If you're a registered abuse.net user, it can
assign you a temporary abuse.net forwarding address so you can test
your own server using an address not in your own domain.

(Friendly hint: if you ignore the ugly blinking message and send me
mail anyway saying that the tester claimed that your system is an open
relay because it accepted the test message, I'll write back and call
you a moron.)

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail

Re: Open relay test.

[Stephen F. Bosch]

"OK 2 NET - André Paulsberg" wrote:
> 
> > I imagine that more than one person on this list has spoken to ORBS
> > about their misleading relay test? How many people have ended up on the
> > ORBS list simply because their qmail installations accepted emails with
> > "%" or "!" in the To: field?
> 
> NO ONE!
> 
> ORBS tester requires the E-Mail to reach them at their test account,
> this can only happen if you are an Open Relay server.
> They also keep the relayed message at their site for verification.

AH good.

=)

-Stephen-

Re: Open relay test.

[OK 2 NET - André Paulsberg]

> I imagine that more than one person on this list has spoken to ORBS
> about their misleading relay test? How many people have ended up on the
> ORBS list simply because their qmail installations accepted emails with
> "%" or "!" in the To: field?

NO ONE!

ORBS tester requires the E-Mail to reach them at their test account,
this can only happen if you are an Open Relay server.
They also keep the relayed message at their site for verification.


MVH André Paulsberg

Re: Open relay test.

[Peter van Dijk]

On Sun, Sep 03, 2000 at 02:07:25PM -0700, Eric Cox wrote:
[snip]
> > I am adding the non-colors, table feature.. I do not like the colors or
> > tags. GUI people like it.. I will add a Bool for the Graphics and table
> > format.. so that you can switch from either mode.. however as you reported
> > at the bottom it is not considered a open relay.. But if ORBS runs the test
> > and it fails then you are added to the ORBS database..
> 
> I don't think that's true.  They bad-mouth qmail for doing this in their 
> tech section, but I'm almost certain that the mail has to actually be 
> relayed to get listed. 

The badmouthing at www.orbs.org is about qmail being an open relay if
rcpthosts doesn't exist.

And yes, orbs only lists you if the relay test message gets delivered.

Greetz, Peter.
-- 
[ircoper][EMAIL PROTECTED] - Peter van Dijk / Hardbeat
[student]Undernet:#groningen/wallops | IRCnet:/#alliance
[developer]_
[disbeliever - the world is backwards](__VuurWerk__(--*-

Re: Open relay test.

[Russ Allbery]

Sean C Truman <[EMAIL PROTECTED]> writes:

> I agree the ORBS test are dumb and don't really pertain to 95% of the
> mail servers out there. But if you are in the ORBS database then some mail
> is going to be rejected.

Except that ORBS doesn't actually add people who "fail" that test but
don't relay the mail.  So it's not true that your tester is using the same
tests as ORBS is.

-- 
Russ Allbery ([EMAIL PROTECTED]) 

Re: Open relay test.

[Eric Cox]

"Stephen F. Bosch" wrote:
> 
> I imagine that more than one person on this list has spoken to ORBS
> about their misleading relay test? How many people have ended up on the
> ORBS list simply because their qmail installations accepted emails with
> "%" or "!" in the To: field?

None.  ORBS doesn't do this.  If none of the mails are relayed back to 
one of the ORBS recieving machines, the tested machine is not listed.
 
> This seems extraordinarily stupid to me...

It would be if it were true...

Eric

Re: Open relay test.

[Eric Cox]

Sean C Truman wrote:
> 
> I am adding the non-colors, table feature.. I do not like the colors or
> tags. GUI people like it.. I will add a Bool for the Graphics and table
> format.. so that you can switch from either mode.. however as you reported
> at the bottom it is not considered a open relay.. But if ORBS runs the test
> and it fails then you are added to the ORBS database..

I don't think that's true.  They bad-mouth qmail for doing this in their 
tech section, but I'm almost certain that the mail has to actually be 
relayed to get listed. 

Eric

Re: Open relay test.

[Stephen F. Bosch]

I imagine that more than one person on this list has spoken to ORBS
about their misleading relay test? How many people have ended up on the
ORBS list simply because their qmail installations accepted emails with
"%" or "!" in the To: field?

This seems extraordinarily stupid to me...

-Stephen-

Re: Open relay test.

[Sean C Truman]

Magnus,

Newbieproof the script.. Gottcha.. That all you had to say.. Sorry.. :)

Sean
- Original Message -
From: Magnus Bodin <[EMAIL PROTECTED]>
To: qmail list <[EMAIL PROTECTED]>
Sent: Sunday, September 03, 2000 12:02 PM
Subject: Re: Open relay test.


> On Sun, Sep 03, 2000 at 11:42:22AM -0400, Sean C Truman wrote:
> > Magnus,
> >
> > I agree the ORBS test are dumb and don't really pertain to 95% of
the
> > mail servers out there. But if you are in the ORBS database then some
mail
> > is going to be rejected. This test is just a overall test so that all
system
> > administrators can test. Not just the 95% of us out there.  And as far
as
> > decision making.. no one is making any decisions. If you know certain
test
> > don't apply to you. Ignore them! As a mail administrator you should know
> > which test do and don't apply to your server.. The test does not report
it's
> > results to anywhere except your browser.
>
> I agree partly.
>
> But my point is that the test is misleading and will cause confusion for
> those who don't understand. Especially if it states with big letters that
> "You are running an Open Relay" without any explanations.
>
> /magnus
>
> --
> http://x42.com/

Re: Open relay test.

[wolfgang zeikat]

*duh* - telnetting into the world from our mail server is prohibited by
the firewall hehe.
mail-abuse.org accepts mail from me via that server tho (relay reports).

wolfgang



  Also sprach Sean C Truman <[EMAIL PROTECTED]> on
  03.09.2000:
  From your mail server just telnet to mail-abuse.org and you
  will see what I am explaining.
  
  

Re: Open relay test.

[Magnus Bodin]

On Sun, Sep 03, 2000 at 11:42:22AM -0400, Sean C Truman wrote:
> Magnus,
> 
> I agree the ORBS test are dumb and don't really pertain to 95% of the
> mail servers out there. But if you are in the ORBS database then some mail
> is going to be rejected. This test is just a overall test so that all system
> administrators can test. Not just the 95% of us out there.  And as far as
> decision making.. no one is making any decisions. If you know certain test
> don't apply to you. Ignore them! As a mail administrator you should know
> which test do and don't apply to your server.. The test does not report it's
> results to anywhere except your browser.

I agree partly. 

But my point is that the test is misleading and will cause confusion for
those who don't understand. Especially if it states with big letters that
"You are running an Open Relay" without any explanations. 

/magnus

--
http://x42.com/

Re: Open relay test.

[Sean C Truman]

Wolfgang,

This test doesn't do the ORBS test.. It does the test at mail-abuse.org.
If you can send me a copy of the test that ORBS preforms. I would be happy
to add them.. If you would like to see what I am talking about with
mail-abuse.org, From your mail server just telnet to mail-abuse.org and you
will see what I am explaining.

Sean
- Original Message -
From: wolfgang zeikat <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 03, 2000 11:16 AM
Subject: Re: Open relay test.


>   Also sprach Sean C Truman <[EMAIL PROTECTED]> on
>   03.09.2000:
>   But if ORBS runs the test
>   and it fails then you are added to the ORBS database..
>
> i doubt that.
> my server has repeatedly been tested by ORBS and is considered clean.
>
> wolfgang
>
>
>
>
>

Re: Open relay test.

[Sean C Truman]

Magnus,

I agree the ORBS test are dumb and don't really pertain to 95% of the
mail servers out there. But if you are in the ORBS database then some mail
is going to be rejected. This test is just a overall test so that all system
administrators can test. Not just the 95% of us out there.  And as far as
decision making.. no one is making any decisions. If you know certain test
don't apply to you. Ignore them! As a mail administrator you should know
which test do and don't apply to your server.. The test does not report it's
results to anywhere except your browser.


Sean
- Original Message -
From: Magnus Bodin <[EMAIL PROTECTED]>
To: qmail list <[EMAIL PROTECTED]>
Sent: Sunday, September 03, 2000 11:07 AM
Subject: Re: Open relay test.


> On Sun, Sep 03, 2000 at 11:00:14AM -0400, Sean C Truman wrote:
> > I am adding the non-colors, table feature.. I do not like the colors or
> > tags. GUI people like it.. I will add a Bool for the Graphics and table
> > format.. so that you can switch from either mode.. however as you
reported
> > at the bottom it is not considered a open relay.. But if ORBS runs the
test
> > and it fails then you are added to the ORBS database..
>
> But ORBS tests are dumb.
>
> [EMAIL PROTECTED] could actually be a
> mail address at my system.
>
> Why should anybody make a false decision about me running an open relay
due
> to the fact that there are lots of MTA:s out there with buggy percenthack
> implementations/configurations?
>
> This holds for the other "strange" e-mail addresses in the test as well.
>
> /magnus
>
> --
> http://x42.com/

Re: Open relay test.

[wolfgang zeikat]

  Also sprach Sean C Truman <[EMAIL PROTECTED]> on
  03.09.2000:
  But if ORBS runs the test
  and it fails then you are added to the ORBS database..

i doubt that.
my server has repeatedly been tested by ORBS and is considered clean.

wolfgang



  
  

Re: Open relay test.

[Magnus Bodin]

On Sun, Sep 03, 2000 at 11:00:14AM -0400, Sean C Truman wrote:
> I am adding the non-colors, table feature.. I do not like the colors or
> tags. GUI people like it.. I will add a Bool for the Graphics and table
> format.. so that you can switch from either mode.. however as you reported
> at the bottom it is not considered a open relay.. But if ORBS runs the test
> and it fails then you are added to the ORBS database..

But ORBS tests are dumb. 

[EMAIL PROTECTED] could actually be a
mail address at my system. 

Why should anybody make a false decision about me running an open relay due
to the fact that there are lots of MTA:s out there with buggy percenthack
implementations/configurations? 

This holds for the other "strange" e-mail addresses in the test as well.

/magnus

--
http://x42.com/

Re: Open relay test.

[Sean C Truman]

Magnus,

Thanks for the input.. I will go ahead and have it send a message then
check to see if it actually relayed it. I just pretty much copied the telnet
mail-abuse.org test onto a Web page..

Sean
- Original Message -
From: Magnus Bodin <[EMAIL PROTECTED]>
To: qmail list <[EMAIL PROTECTED]>
Sent: Sunday, September 03, 2000 10:54 AM
Subject: Re: Open relay test.


>
> On Sun, Sep 03, 2000 at 09:49:19AM -0400, Sean C Truman wrote:
> > Hey all,
> >
> >     I have put together a small OPEN relay tester. It runs the same test
ORBS runs.
> >
> > http://www.prodigysolutions.com/relay_test.html
>
> It also states falsely that if a host that handles mail for the
> "example.com" domain e.g. accepts
>
>   [EMAIL PROTECTED]
>   [EMAIL PROTECTED]@example.com
>   [EMAIL PROTECTED]
>
> then it is an open relay although it isn't.
>
> A TRUE relay tester must wait and see if the mail get's relayed due to
> implementation/configuration.
>
> /magnus
>
> --
> http://x42.com/

Re: Open relay test.

[Sean C Truman]

I am adding the non-colors, table feature.. I do not like the colors or
tags. GUI people like it.. I will add a Bool for the Graphics and table
format.. so that you can switch from either mode.. however as you reported
at the bottom it is not considered a open relay.. But if ORBS runs the test
and it fails then you are added to the ORBS database..

If you would like to pass all test. get the badmailfrom patch from
www.qmail.org and use it.. and filter out the *%* unless you are using the
percent for anything.

Sean
- Original Message -
From: wolfgang zeikat <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, September 03, 2000 10:52 AM
Subject: Re: Open relay test.


> i tested your tester, thanks :)
>
> (*erm*, wouldnt it be easier if you could copy/paste from the results page
> without having to open the page source and seeing those *tons* of
> color/font tags? :)
>
> however, your test claims i am running an open relay due to these results:
>MAIL FROM:([EMAIL PROTECTED]@62.96.181.213)
>250 ok
>RCPT TO:("nobody%prodigysolutions.com")
>250 ok
>250 flushed
> and
>MAIL FROM:([EMAIL PROTECTED]@62.96.181.213)
>250 ok
>RCPT TO:("prodigysolutions.com!nobody")
>250 ok
>250 flushed
>
>
> i tried both procedures from a shell that is not in my relayclients,
> and qmail accepted the mails but then tried to deliver them to
> [EMAIL PROTECTED] and domain.ext!user
> which are non-existing users, so the mails ended up in the
> ~/alias/.qmail-default handling. so they were not forwarded to any
> external address (at least). so i wonder if your tester's final judgement:
> "You are running a Open Relay" is fully correct.
>
> so i wonder:
> 1. are those two "leaks" in the antirelay settings really a problem? and
> 2. how could i fix them.
>
> cheers
> wolfgang
>
>
>   Also sprach Sean C Truman <[EMAIL PROTECTED]> on
>   03.09.2000:
>
>   Hey all,
>
>   I have put together a small OPEN relay tester. It runs the same
>   test
>   ORBS runs.
>
>   http://www.prodigysolutions.com/relay_test.html
>
>

Re: Open relay test.

[wolfgang zeikat]

oops sorry,
that was rather a temporary netscape problem that didnt let me copy/paste.

  Also sprach wolfgang zeikat <[EMAIL PROTECTED]> on 03.09.2000:
  
  (*erm*, wouldnt it be easier if you could copy/paste from the
  results page
  without having to open the page source and seeing those *tons* of
  color/font tags? :)
  

Re: Open relay test.

[Magnus Bodin]

On Sun, Sep 03, 2000 at 09:49:19AM -0400, Sean C Truman wrote:
> Hey all,
> 
> I have put together a small OPEN relay tester. It runs the same test ORBS runs.
> 
> http://www.prodigysolutions.com/relay_test.html

It also states falsely that if a host that handles mail for the
"example.com" domain e.g. accepts 

  [EMAIL PROTECTED]
  [EMAIL PROTECTED]@example.com
  [EMAIL PROTECTED]

then it is an open relay although it isn't.

A TRUE relay tester must wait and see if the mail get's relayed due to
implementation/configuration.

/magnus

--
http://x42.com/

Re: Open relay test.

[wolfgang zeikat]

i tested your tester, thanks :)

(*erm*, wouldnt it be easier if you could copy/paste from the results page
without having to open the page source and seeing those *tons* of
color/font tags? :)

however, your test claims i am running an open relay due to these results:
   MAIL FROM:([EMAIL PROTECTED]@62.96.181.213)
   250 ok
   RCPT TO:("nobody%prodigysolutions.com")
   250 ok
   250 flushed
and
   MAIL FROM:([EMAIL PROTECTED]@62.96.181.213)
   250 ok
   RCPT TO:("prodigysolutions.com!nobody")
   250 ok
   250 flushed


i tried both procedures from a shell that is not in my relayclients,
and qmail accepted the mails but then tried to deliver them to
[EMAIL PROTECTED] and domain.ext!user
which are non-existing users, so the mails ended up in the
~/alias/.qmail-default handling. so they were not forwarded to any
external address (at least). so i wonder if your tester's final judgement:
"You are running a Open Relay" is fully correct.

so i wonder:
1. are those two "leaks" in the antirelay settings really a problem? and
2. how could i fix them.

cheers
wolfgang


  Also sprach Sean C Truman <[EMAIL PROTECTED]> on
  03.09.2000:
  
  Hey all,
  
  I have put together a small OPEN relay tester. It runs the same
  test
  ORBS runs.
  
  http://www.prodigysolutions.com/relay_test.html
  
  

Open relay test.

[Sean C Truman]

Hey all,
 
    I have put together a small OPEN 
relay tester. It runs the same test ORBS runs.
 
    http://www.prodigysolutions.com/relay_test.html
 
 
Sean Truman[EMAIL PROTECTED]http://www.prodigysolutions.com/

Re: Fixing open relay

[Dewald Strauss]

Hi again,

In /var/qmail/control I have symlinks pointing to 
/etc/qmail.

This seems to work fine.

Anything else that could be wrong ?

- Original Message - 
From: Eric Cox <[EMAIL PROTECTED]>
To: Dewald Strauss <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, June 15, 2000 3:19 AM
Subject: Re: Fixing open relay


> Dewald Strauss wrote:
> > 
> > In /etc/qmail/locals I have just the domainname of the server.
> > In /etc/qmail/control/rcpthosts I have the names of the 7 domains
> > In /etc/tcpcontrol there are 2 files: pop-3.rules and smtp.rules
> > both these files have all 7 domainnames with
> > :allow,RELAYCLIENT=""   after each domainname
> > (this was installed with qmail?)
> 
> > But with this the server still relays mail for anyone.
> > What did I miss here ?
> 
> 
> The default control directory for qmail is /var/qmail/control, but 
> your control files are in /etc/qmail.  I figured it was probably 
> possible to change the control dir location, but I've never read 
> any docs on the subject.  If you didn't purposefully change the 
> default location, perhaps your qmail is still looking in 
> /var/qmail/control?
> 
> Also, you might do a /var/qmail/bin/qmail-showctl and verify 
> its output.
> 
> Eric
>  
> 
> 
> --
> NEEDHAM'S ELECTRONICS
> Device Programmers
> (916) 924-8037 (Voice)
> http://www.needhams.com
> 

Re: Fixing open relay

[Peter van Dijk]

On Tue, Jan 22, 1980 at 02:38:51AM +0200, Dewald Strauss wrote:
[snip]
> In /etc/qmail/locals I have just the domainname of the server.
> In /etc/qmail/control/rcpthosts I have the names of the 7 domains

This combination doesn't make sense. If locals is in /etc/qmail, so is
rcpthosts. Either one of 'm or both (as already suggested) are wrong.

Greetz, Peter.
-- 
[EMAIL PROTECTED] - Peter van Dijk [student:developer:madly in love]

Re: Fixing open relay

[Eric Cox]

Dewald Strauss wrote:
> 
> In /etc/qmail/locals I have just the domainname of the server.
> In /etc/qmail/control/rcpthosts I have the names of the 7 domains
> In /etc/tcpcontrol there are 2 files: pop-3.rules and smtp.rules
> both these files have all 7 domainnames with
> :allow,RELAYCLIENT=""   after each domainname
> (this was installed with qmail?)

> But with this the server still relays mail for anyone.
> What did I miss here ?


The default control directory for qmail is /var/qmail/control, but 
your control files are in /etc/qmail.  I figured it was probably 
possible to change the control dir location, but I've never read 
any docs on the subject.  If you didn't purposefully change the 
default location, perhaps your qmail is still looking in 
/var/qmail/control?

Also, you might do a /var/qmail/bin/qmail-showctl and verify 
its output.

Eric
 


--
NEEDHAM'S ELECTRONICS
Device Programmers
(916) 924-8037 (Voice)
http://www.needhams.com

Fixing open relay

[Dewald Strauss]

Hi everybody,

Some @#%^%& spammer decided to abuse my mailserver today,
and it ended up in orbs.

I really want to fix this, but need some help.

I have the following setup:
qmail 1.03 with ucspi and daemontools
vpopmail
sqwebmail

I am hosting mail for 7 domains, all connecting to the server via a
10.40 address range.
I created /etc/tcp.smtp as follows:
10.40.:allow,RELAYCLIENT=""
:allow
and created the tcp.smtp.cdb file from that.

In /etc/qmail/locals I have just the domainname of the server.
In /etc/qmail/control/rcpthosts I have the names of the 7 domains
In /etc/tcpcontrol there are 2 files: pop-3.rules and smtp.rules
both these files have all 7 domainnames with
:allow,RELAYCLIENT=""   after each domainname
(this was installed with qmail?)

/etc/rc.d/init.d/smtpd looks like this:
>
#!/bin/sh
#
# chkconfig: 345 81 30
# description: The SMTP daemon for qmail with optional RBL blocking.
#

#
# Set standard values
#
SERVICE=smtpd
PROGRAM=/var/qmail/bin/qmail-smtpd
PORT=smtp
#THISUID=0
#THISGID=0
#CONCURRENT=15
LOGFACILITY=2

# Source function library.
. /etc/rc.d/init.d/qmail-functions

readdefault CONCURRENT concurrencysmtpd 20
THISUID=`id -u qmaild`
THISGID=`id -g qmaild`

#
# Uncomment these lines when testing or set a HOSTNAME is you want something
# else than the cananonical name for this host
#
#HOSTNAME=`/bin/hostname`
#HOST="-l $HOSTNAME"

#
# Security Options. Set SECURITY level to one of the following
#
RELAXED="-RHPo"
BASIC="-rhPO"
NORMAL="-rhPO"
PARANOID="-rhpO"
SECURITY="$RELAXED"

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0



#
# Setup TCPSERVER execution
#

# If antirbl is installed, process antirbldomains
if [ -x /usr/bin/antirbl ]; then
 readdefault DOMAINS antirbldomains ""
 for DOMAIN in $DOMAINS; do
  RBL="$RBL /usr/bin/antirbl $DOMAIN"
 done
fi

# If rblsmtpd is installed, process rbltimeout and rbldomains
if [ -x /usr/bin/rblsmtpd ]; then
 readdefault TIMEOUT rbltimeout 60
 readdefault DOMAINS rbldomains rbl.maps.vix.com
 for DOMAIN in $DOMAINS; do
  RBL="$RBL /usr/bin/rblsmtpd -t $TIMEOUT -r $DOMAIN"
 done
fi

if [ -n "$RBL" ]; then
  PROGRAM="$RBL qmail-pipe fixcr -- $PROGRAM"
fi

DAEMON="tcpserver -u $THISUID -g $THISGID -c $CONCURRENT -v \
$SECURITY -x /etc/tcpcontrol/$SERVICE.cdb $HOST 0 $PORT $PROGRAM | $LOGGER"


#
# Now execute the start-stop checking

#
. /etc/rc.d/init.d/tcpserver-functions
>

But with this the server still relays mail for anyone.
What did I miss here ?

I really hope someone can help me out here, I am hopelessly stuck

Thanks
Dewald

Re: Open Relay

[clemensF]

> Bolivar Diaz Galarza:

> Please help because I am even having a hard time sending e-mail to this list
> and I do not understand what is going on, as soon as I place the rcpthosts
> file in /var/qmail/control with the name of my servers

i just tried to check the conditions given and found that my system does
not even recognize rules properly.  i didn't notice because i had an
experimental setup without involving tcpserver, it was only when i tried to
connect to my internal nntp-service that the truth came to be known!

from reading the source, which is still the only valid documentation, i
could trace the error thru tcpserver, tcprules and tcprulescheck, which
seem to be written to do what one intuitively thinks they should do.

remains cdb.

clemens

Re: Open Relay

[Bolivar Diaz Galarza]

What I am trying to say is that I checked the tcprules on tcp.smtp.cdb using
tcprulescheck and the results were:

tcprulescheck /etc/tcp.smtp.cdb 200.38.239.65

rule 200.38.239.:
set environment variable RELAYCLIENT=
allow connection

and by doing the ps auxww | grep qmail is shows that qmail-smtp is using the
same rules I checked, the rules located in /etc/tcp.smtp.cdb

tcpserver -v -x/etc/tcp.smtp.cdb -u71 -g65534 0 25
 rblsmtpd -rrelays.orbs.org /var/qmail/qmail-smtpd

Please help because I am even having a hard time sending e-mail to this list
and I do not understand what is going on, as soon as I place the rcpthosts
file in /var/qmail/control with the name of my servers

ml.com.mx
corellinux.ml.com.mx
cscc.edu.mx

it won't send e-mail anyplace besides this domains hosted in the same
server.

Thanks

Bolivar,



- Original Message -
From: "Bolivar Diaz Galarza" <[EMAIL PROTECTED]>
To: "Aaron L. Meehan" <[EMAIL PROTECTED]>; "qmail list" <[EMAIL PROTECTED]>
Sent: Monday, June 12, 2000 2:24 PM
Subject: Re: Open Relay


> Sorry I mispelled it in the e-mail, but in the system is right, the rule
> looks like this:
>
> 200.38.239.:allow,RELAYCLIENT=""
>
> If I do:
>
> ps auxww | grep qmail it shows:
>
> tcpserver -v -x/etc/tcp.smtp.cdb -u71 -g65534 0 25
> rblsmtpd -rrelays.orbs.org /var/qmail/qmail-smtpd
>
> among other processes
>
>
> Bolivar,
>
> - Original Message -
> From: "Aaron L. Meehan" <[EMAIL PROTECTED]>
> To: "qmail list" <[EMAIL PROTECTED]>
> Sent: Monday, June 12, 2000 12:59 PM
> Subject: Re: Open Relay
>
>
> > Quoting Bolivar Diaz Galarza ([EMAIL PROTECTED]):
> > > Thanks for the tip, I read everything in the links you gave me, but
> still
> > > doesn't work.
> > >
> > > I checked the tcprules using tcprulescheck:
> > >
> > > tcprulescheck /etc/tcp.smtp.cdb 200.38.239.65
> > >
> > > and the response is:
> > >
> > > rule 200.38.239.:
> > > set environment variable RELAYCLIENTE=
> > > allow connection
> >
> > Well, it looks like you misspelled "RELAYCLIENT."  Remove the "E"
> > there at the end and you should be fine.
> >
> > Aaron
> >
>
>

Re: Open Relay

[Bolivar Diaz Galarza]

Sorry I mispelled it in the e-mail, but in the system is right, the rule
looks like this:

200.38.239.:allow,RELAYCLIENT=""

If I do:

ps auxww | grep qmail it shows:

tcpserver -v -x/etc/tcp.smtp.cdb -u71 -g65534 0 25
rblsmtpd -rrelays.orbs.org /var/qmail/qmail-smtpd

among other processes


Bolivar,

- Original Message -
From: "Aaron L. Meehan" <[EMAIL PROTECTED]>
To: "qmail list" <[EMAIL PROTECTED]>
Sent: Monday, June 12, 2000 12:59 PM
Subject: Re: Open Relay


> Quoting Bolivar Diaz Galarza ([EMAIL PROTECTED]):
> > Thanks for the tip, I read everything in the links you gave me, but
still
> > doesn't work.
> >
> > I checked the tcprules using tcprulescheck:
> >
> > tcprulescheck /etc/tcp.smtp.cdb 200.38.239.65
> >
> > and the response is:
> >
> > rule 200.38.239.:
> > set environment variable RELAYCLIENTE=
> > allow connection
>
> Well, it looks like you misspelled "RELAYCLIENT."  Remove the "E"
> there at the end and you should be fine.
>
> Aaron
>

Re: Open Relay

[Aaron L. Meehan]

Quoting Bolivar Diaz Galarza ([EMAIL PROTECTED]):
> Thanks for the tip, I read everything in the links you gave me, but still
> doesn't work.
> 
> I checked the tcprules using tcprulescheck:
> 
> tcprulescheck /etc/tcp.smtp.cdb 200.38.239.65
> 
> and the response is:
> 
> rule 200.38.239.:
> set environment variable RELAYCLIENTE=
> allow connection

Well, it looks like you misspelled "RELAYCLIENT."  Remove the "E"
there at the end and you should be fine.

Aaron

Re: Open Relay

[Bolivar Diaz Galarza]

Thanks for the tip, I read everything in the links you gave me, but still
doesn't work.

I checked the tcprules using tcprulescheck:

tcprulescheck /etc/tcp.smtp.cdb 200.38.239.65

and the response is:

rule 200.38.239.:
set environment variable RELAYCLIENTE=
allow connection

And still it won't send any e-mail to the outside word.

Bolivar,



- Original Message -
From: "Chris Johnson" <[EMAIL PROTECTED]>
To: "Bolivar Diaz Galarza" <[EMAIL PROTECTED]>
Cc: "qmail list" <[EMAIL PROTECTED]>
Sent: Saturday, June 10, 2000 2:58 PM
Subject: Re: Open Relay


> On Sat, Jun 10, 2000 at 03:58:20PM -0600, Bolivar Diaz Galarza wrote:
> > I am running an open relay because I took out the file
> > /var/qmail/control/rcpthosts. I took it out because if I copy whatever
is in
> > locals (I don't have any virtual domains) and place it in rcpthosts, I
can
> > not send any messages to the outside world, I get an error that reads
like
> > this:
> >
> > The message could not be sent because one of the recipients was rejected
by
> > the server. The rejected e-mail address was '[EMAIL PROTECTED]'.
Subject
> > 'Testing', Account: 'corellinux.ml.com.mx', Server: 'ml.com.mx',
Protocol:
> > SMTP, Server Response: '553 sorry, that domain isn't in my list of
allowed
> > rcpthosts (#5.7.1)', Port: 25, Secure(SSL): No, Server Error: 553, Error
> > Number: 0x800CCC79
> >
> > I have read over and over the FAQ, LWQ, and I can not find the answer to
> > this, I will appreciate any help.
>
> See http://www.palomine.net/qmail/relaying.html and
> http://www.palomine.net/qmail/selectiverelay.html.
>
> Chris
>

Re: Open Relay

[Chris Johnson]

On Sat, Jun 10, 2000 at 03:58:20PM -0600, Bolivar Diaz Galarza wrote:
> I am running an open relay because I took out the file
> /var/qmail/control/rcpthosts. I took it out because if I copy whatever is in
> locals (I don't have any virtual domains) and place it in rcpthosts, I can
> not send any messages to the outside world, I get an error that reads like
> this:
> 
> The message could not be sent because one of the recipients was rejected by
> the server. The rejected e-mail address was '[EMAIL PROTECTED]'. Subject
> 'Testing', Account: 'corellinux.ml.com.mx', Server: 'ml.com.mx', Protocol:
> SMTP, Server Response: '553 sorry, that domain isn't in my list of allowed
> rcpthosts (#5.7.1)', Port: 25, Secure(SSL): No, Server Error: 553, Error
> Number: 0x800CCC79
> 
> I have read over and over the FAQ, LWQ, and I can not find the answer to
> this, I will appreciate any help.

See http://www.palomine.net/qmail/relaying.html and
http://www.palomine.net/qmail/selectiverelay.html.

Chris

Open Relay

[Bolivar Diaz Galarza]

Hi there,

I am running an open relay because I took out the file
/var/qmail/control/rcpthosts. I took it out because if I copy whatever is in
locals (I don't have any virtual domains) and place it in rcpthosts, I can
not send any messages to the outside world, I get an error that reads like
this:

The message could not be sent because one of the recipients was rejected by
the server. The rejected e-mail address was '[EMAIL PROTECTED]'. Subject
'Testing', Account: 'corellinux.ml.com.mx', Server: 'ml.com.mx', Protocol:
SMTP, Server Response: '553 sorry, that domain isn't in my list of allowed
rcpthosts (#5.7.1)', Port: 25, Secure(SSL): No, Server Error: 553, Error
Number: 0x800CCC79

And the rcpthosts look like this:

corellinux.ml.com.mx
ml.com.mx
mail.ml.com.mx
cscc.edu.mx


I have read over and over the FAQ, LWQ, and I can not find the answer to
this, I will appreciate any help.

Bolivar,

Re: Open Relay - Luis

[Erwin Hoffmann]

>Sender: [EMAIL PROTECTED]
>Sender: [EMAIL PROTECTED]
>Date: Wed, 5 Apr 2000 14:49:32 -0400 (EDT)
>From: Mail Delivery Subsystem <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: Warning: could not send message for past 4 hours
>Auto-Submitted: auto-generated (warning-timeout)
>
> 
>**
>**  THIS IS A WARNING MESSAGE ONLY  **
>**  YOU DO NOT NEED TO RESEND YOUR MESSAGE  **
>**
>
>The original message was received at Wed, 5 Apr 2000 10:44:18 -0400 (EDT)
>from fra-pci-laj-vty252.as.wcom.net [212.211.72.252]
>
>   - The following addresses had transient non-fatal errors -
><[EMAIL PROTECTED]>
>
>   - Transcript of session follows -
>451 <[EMAIL PROTECTED]>... secrel.com.br: Name server timeout
>Warning: message still undelivered after 4 hours
>Will keep trying until message is 1 day, 12 hours old
>Content-Type: message/delivery-status
>
>Reporting-MTA: dns; spdmraab.compuserve.com
>Arrival-Date: Wed, 5 Apr 2000 10:44:18 -0400 (EDT)
>
>Final-Recipient: rfc822; [EMAIL PROTECTED]
>Action: delayed
Hi, 

whats wrong with your MTA ??

cheers.
eh.

 Garbage starts 
>Status: 4.4.3
>Last-Attempt-Date: Wed, 5 Apr 2000 14:49:32 -0400 (EDT)
>Will-Retry-Until: Thu, 6 Apr 2000 22:44:18 -0400 (EDT)
>Return-Path: <[EMAIL PROTECTED]>
>Received: from arkon (fra-pci-laj-vty252.as.wcom.net [212.211.72.252])
>   by spdmraab.compuserve.com (8.9.3/8.9.3/SUN-REL-1.3) with SMTP id KAA26769
>   for <[EMAIL PROTECTED]>; Wed, 5 Apr 2000 10:44:18 -0400 (EDT)
>Message-Id: <[EMAIL PROTECTED]>
>X-Sender: [EMAIL PROTECTED]
>X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
>Date: Wed, 05 Apr 2000 16:47:35 +0200

 Garbage ends  

>To: [EMAIL PROTECTED]
>From: Erwin Hoffmann <[EMAIL PROTECTED]>
>Subject: Re: qmail relay opened
>In-Reply-To: <[EMAIL PROTECTED]>
>References: <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
>Mime-Version: 1.0
>Content-Type: text/plain; charset="iso-8859-1"
>
>
>Hi,
>
>here it is:
>
>
>http://ourworld.compuserve.com/homepages/Erwin_Hoffmann/spam.htm
>
>cheers.
>eh.
>
>At 09:53 5.4.2000 -0300, you wrote:
>> 
>>Peter Pan, I not want your opinion. I want one solution
>>
>>
>>
>>Peter van Dijk wrote:
>>
>>> On Mon, Apr 03, 2000 at 04:10:40PM -0300, Luis Bezerra wrote:
>>> > Hello everyone,
>>> >
>>> >
>>> > my qmail MTA is accepting mails like
>>> >
>>> >
>>> > test%test.com.br
>>> >
>>> > anyone has one patch for resolve this problem?
>>>
>>> Unless you did something wrong, it is not delivering these mails.
>>>
>>> It is therefore not a problem.
>>>
>>> Greetz, Peter.
>>> --
>>> Peter van Dijk - student/sysadmin/ircoper/madly in love/pretending coder
>>> |
>>> | 'C makes it easy to shoot yourself in the foot;
>>> |  C++ makes it harder, but when you do it blows your whole leg off.'
>>> | Bjarne Stroustrup, Inventor of C++
>>
>>--
>>-
>>Luís Bezerra de A. Junior
>>[EMAIL PROTECTED]
>>SecrelNet Informática LTDA
>>Fortaleza - Ceará - Brasil
>>Fone: 021852882090
>>-
>>
>>
>>
>+---+
>|  fffhh Dr. Erwin Hoffmann |
>| ff  hh|
>| ffeee     ccc   ooomm mm  mm   Wiener Weg 8   |
>| fff  ee ee  hh  hh   cc   oo   oo  mmm  mm  mm 50858 Koeln|
>| ff  ee eee  hh  hh  cc   oo oo mm   mm  mm|
>| ff  eee hh  hh   cc   oo   oo  mm   mm  mm Tel 0221 484 4923  |
>| ff      hh  hhccc   ooomm   mm  mm Fax 0221 484 4924  |
>+---+
>
+---+
|  fffhh Dr. Erwin Hoffmann |
| ff  hh|
| ffeee     ccc   ooomm mm  mm   Wiener Weg 8   |
| fff  ee ee  hh  hh   cc   oo   oo  mmm  mm  mm 50858 Koeln|
| ff  ee eee  hh  hh  cc   oo oo mm   mm  mm|
| ff  eee hh  hh   cc   oo   oo  mm   mm  mm Tel 0221 484 4923  |
| ff      hh  hhccc   ooomm   mm  mm Fax 0221 484 4924  |
+---+

RE: PLEASE help me secure my open relay!!

[Stephen Mills]

Its because your already listening on port 25.
You have to remove your smtp reference in your /etc/inetd.conf file then
send a HUP signal to inetd (killall -HUP inetd) then execute your tcpserver
--Stephen


-Original Message-
From: Reuben King [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 15, 2000 11:54 AM
To: [EMAIL PROTECTED]
Subject: PLEASE help me secure my open relay!!


Okay, I'm trying hard to close my open server..  Am having some probs, 
and I hope I can get some help..

I've been following the instructions at 
http://www.palomine.net/qmail/relaying.html (and some other sites I could 
find) as well as I possibly can, but I'm having some probs.  The popular 
advice is to use ucspi-tcp-0.84 and so I went and downloaded it, followed 
the instructions to install, and am consistently getting an error..

I try to execute:
tcpserver -R -x/etc/tcprules.smtp.cdb -u -g502 -u502 0 smtp

and I get back:
tcpserver: fatal: unable to bind: address already used

Do you have any ideas?  I'm stumped.  Argh.. nothing's ever easy.  And 
ORBS just emailed me saying I've been added to their list.  Great. :-(

Thanks a lot for any assistance..  

Regards,
-Reuben

PLEASE help me secure my open relay!!

[Reuben King]

Okay, I'm trying hard to close my open server..  Am having some probs, 
and I hope I can get some help..

I've been following the instructions at 
http://www.palomine.net/qmail/relaying.html (and some other sites I could 
find) as well as I possibly can, but I'm having some probs.  The popular 
advice is to use ucspi-tcp-0.84 and so I went and downloaded it, followed 
the instructions to install, and am consistently getting an error..

I try to execute:
tcpserver -R -x/etc/tcprules.smtp.cdb -u -g502 -u502 0 smtp

and I get back:
tcpserver: fatal: unable to bind: address already used

Do you have any ideas?  I'm stumped.  Argh.. nothing's ever easy.  And 
ORBS just emailed me saying I've been added to their list.  Great. :-(

Thanks a lot for any assistance..  

Regards,
-Reuben

Re: SPAMCONTROL patch ??? OPEN RELAY ???

[Erwin Hoffmann]

Hi,

thanks to all who commented my statements and perhaps my SPAMCONTROL patch.
(well, I live in Cologne and today is ... Rosenmontag).

Okay, back to the facts:

A) In the README I am referring a special situation, when QMAIL is used as
   a RELAY Internet <==> INTRANET. My comments about Load and SPAM activity
   were guided by SMTP implementations of Lotus Notes and Novell's Groupwise
   (which are certainly bad, wrt. QMAIIL or even sendmail).

B) Certainly, I was talking about PLAIN QMAIL - without TCPSERVER and without
   RBLSMTPD patch. 

C) Now the basic question: Is QMAIL an OPEN RELAY by CONSTRUCTION (as I 
   stated)?? 
   1. Minimal QMAIL installaton (just ./me): QMAIL-SMTPD will accept all
incoming
  E-Mail, put em in the input QUEUE. 
  - Local Mail will be checked for the existence of a valid UNIX
account, 
accepted and delivered or otherwise returned.
  - Non-local Mail are process thru the output QUEUE.
  a) IF you use ./rcpthosts THEN QMAIL will act as a restricting RELAY
  b) IF you use ./badmaifrom THEN QMAIL will be turned into a
pseudo-static
 partial blocking (Senders/Sites) blocking RELAY.
  c) IF you use the RBLSMTPD patch and TCPSERVER (outside the scope of my
 discussion) THEN  QMAIL will behave as a dynamic, on-demand
blocking RELAY.
   ==> Disregarding the IFSs and THENs and even if a) to c) are a very,
very rough
   description I called this for simplicity: "an OPEN RELAY by
contruction".
   2. Thus, it is the responsibilty of the system's owner to care about the
  right set up, as written in the man-page of QMAIL.
  (Comment by Chris Johnson and Russell Nelson: "If you install qmail as 
   per the included documentation, you won't be running an open relay".) 
   ==> Sure. NO doubts about that. But this was not my point.

D) About SPAM E-Mail:
   1. SPAMMERs may use a MTA with valid SENDER/RECIPIENT addresses outside
the
  domains listed in ./rcthosts et al. 
==> Configuring QMAIL as stated (restricted relay) will certainly stop
this. 
The SPAMCONTROL patch gives in the environment as stated in A) the 
ability to define multiple "internal" domains.
   2. SPAMMERS may send E-Mails to address within your domain.
==> You may control it (on your personal demand) my means of
./badmailfrom or 
   - more effective - by the SPAMCONTROL's ./badrcptpatterns. 
   3. SPAMMERS may use a "trick" to convince your MTA the E-Mail is target
to it.
==> The SPAMCONTROL's canonical filters do most of the job. Actually, they
apply the same patterns as eg. ORBS.

  Russel wrote: "It's simply not possible to eliminate spam in the long
term by
  filtering on any characteristic of the mail itself The more you
filter on
  content, the faster that time will come". 
==> Well, I am not sure about that. Fingerprints are a solution. E-Mail
authentication is another. SMTP-Relay authentication a third one.

  There was some confusion on my statement "to include the canonical SPAM
filters
  natively into QMAIL-SMTPD. The information can be grepped via the TCPSERVER
  environment...". I was mistaken. What it should tell is, that - as today - 
  QMAIL-SMTPD receives information (eg. REMOTEIP) from TCPENV, the canonical
  filters (LOCALIP, REVDNSNAME) could be included here and the validity of   
  addresses checked by QMAIL-SMTPD. This is something I would call an
"internal 
  filter" (which could be activated, e.g. thru a compile-flag).
 
  What are we missing??
  The filters in SPAMCONTROL always work as a logical "OR". There is not an
"AND"
  logic. "AND" logic means, that filtering is done by means of SENDER and
  RECIPIENT. Thus, E-Mails FOR *HOFFMAN* FROM *spam.com* can be rejected. 

E) About Return-Codes:
   1) Thanks to Vincent Schonau for the hint (RFC 1893) I will incorporate
that
  in the next fix of SPAMCONTORL (1.0.5).
   2) 5xx vs. 4xx as stated by RFC 2505 is a matter of practicality of the
  local site. I will give a more complete description in the next README.

F) Misc:
   BTW: We are running a QMAIL site since 3/1997. We are not Blacklisted.
   (I almost missed the carneval parade yesterday).

Thanks again to everybody about that discussion. 

eh.

+---+
|  fffhh Dr. Erwin Hoffmann |
| ff  hh|
| ffeee     ccc   ooomm mm  mm   Wiener Weg 8   |
| fff  ee ee  hh  hh   cc   oo   oo  mmm  mm  mm 50858 Koeln|
| ff  ee eee  hh  hh  cc   oo oo mm   mm  mm|
| ff  eee hh  hh   cc   oo   oo  mm   mm  mm Tel 0221 484 4923  |
| ff      hh  hhccc   ooomm   mm  mm Fax 0221 484 4924  |
+---+

Re: Open Relay

[Martin Lesser]

Charles Cazabon <[EMAIL PROTECTED]> writes:

> This is just a guess, because you haven't given us enough information to
> go on, but perhaps just because qmail-smtpd is not immediately aborting 
> with an error after the RCPT TO: portion of the smtp transaction, you think
> that's relaying.  It's not a relay unless the message makes it to its
> final destination.

Yes - but I think that's a misunderstanding for many people (and some
security-scanners). Additionaly you could try to to send mails RCPT TO:
|testing@localhost or RCPT: /tmp/testfile@localhost. Some
security-scanners then assume your MTA has a problem but in reality
qmail-smtpd (or better qmail-local?) delivers these wrong adressed mails
to postmaster. And because not being able to trace the wrong adressed
mail you get a security-hole reported where no hole exists.

Martin

Re: Open Relay

[Charles Cazabon]

Juan E Suris <[EMAIL PROTECTED]> wrote:
> 
> I followed the installation as per LWQ, but I my SMTP is allowing relaying,
> with only localhost on rcpthosts file.  Here's my tcp.smtp content:
> 
> 127.0.0.:allow,RELAYCLIENT=""
> 216.42.24.88:allow,RELAYCLIENT=""
> 
> What could be wrong?

Why do you think your qmail-smtpd is allowing relaying?  You haven't provided
any evidence to back up that claim.

This is just a guess, because you haven't given us enough information to
go on, but perhaps just because qmail-smtpd is not immediately aborting 
with an error after the RCPT TO: portion of the smtp transaction, you think
that's relaying.  It's not a relay unless the message makes it to its
final destination.

Charles
-- 

Charles Cazabon <[EMAIL PROTECTED]>
Any opinions expressed are just that -- my opinions.

Open Relay

[Juan E Suris]

Hi All!

I followed the installation as per LWQ, but I my SMTP is allowing relaying,
with only localhost on rcpthosts file.  Here's my tcp.smtp content:

127.0.0.:allow,RELAYCLIENT=""
216.42.24.88:allow,RELAYCLIENT=""

What could be wrong?

JES

Re: Open Relay

[Lorens Kockum]

On the qmail list [EMAIL PROTECTED] wrote:
>
>I am using Qmail and I want to receive mail for "mynet.com.pk" and want =
>to forward it to our another mailserver=20
>"welcome.mynet.com.pk" for relaying.

OK.

>But I want to make the Qmail an =
>open relay too.

Umm, no.  Trust me, you do not want to do that.  What makes you
think you want to do that?  What agreeable things do you think
will happen to your server if you run an open relay on it?  I
can think of several extremely *dis*agreeable things, that's not
difficult.

>So i deleted recpthosts to make open relay. I=20

Bad idea.

>put "mynet.com.pk" in locals but not in rcpthosts. I put =

You want to relay mail addressed to mynet.com.pk to
welcome.mynet.com.pk, right?  Then mynet.com.pk should be in
rcpthosts, but not in locals.

>":welcome.mynet.com.pk" in smtproutes. Now what i get problem is that,=20

You want

mynet.com.pk:welcome.mynet.com.pk

in smtproutes.

The rest depends on whether you are using the qmail machine as
an Internet gateway or not.

>whenever I receive mail for "mynet.com.pk" Qmail tries to deliver it =
>locally and doeasn't forward it to "welcome.mynet.com.pk".

With ":welcome.mynet.com.pk" in smtproutes, *all* mail will be
transmitted to welcome.mynet.com.pk. *Except* that addressed to
mynet.com.pk, since you had mynet.com.pk in locals.

Exactly the opposite of what you want, if I understand you
correctly.

Open Relay

[Muhammad Ali]

Sir,
 
I am using Qmail and I want 
to receive mail for "mynet.com.pk" and want to forward it to our another 
mailserver 
 
"welcome.mynet.com.pk" for 
relaying.  But I want to make the Qmail an open relay too. So i deleted 
recpthosts to make open relay. I 
 
put "mynet.com.pk" in locals 
but not in rcpthosts. I put ":welcome.mynet.com.pk" in smtproutes. Now what i 
get problem is that, 
 
whenever I receive mail for 
"mynet.com.pk" Qmail tries to deliver it locally and doeasn't forward it to 
"welcome.mynet.com.pk".
 
 
 
Would you plz. tell me that 
how to do this ?

Loopback? Was: open relay problem

[Peter Green]

On Thu, Jan 27, 2000 at 10:02:45AM +0100, Dr. Erwin Hoffmann wrote:
> Hi,
> 
> try my SPAMCONTROL Patch I posted into this group recently.
> However, I really advise everybody NOT to use the LOOPBACK address to be
> included in the relaying control mechanism. Its easy enough to fake that.

It's easy enough to fake a loopback address for packets coming in on a
non-loopback device? This is not a qmail issue; this should be dealt with
somewhere along the way by network filtering. Something like:

  ipchains -I accept 1 -S 127.0.0.1 -i !lo -j DENY

theoretically should do the trick (untested).

/pg
-- 
Peter Green
Gospel Communications Network, SysAdmin
[EMAIL PROTECTED]

Re: open relay problem

[Dr. Erwin Hoffmann]

At 01:16 27.1.2000 -0500, you wrote:
> 
>| Hi
>| I'm a new qmail user having a problem with relays.  I'm using tcpserver
>| with 3 domains in rcpthosts and the following in etc/tcp.smtp
>|
>| 192.168.1.:allow,RELAYCLIENT=""
>| 127.:allow,RELAYCLIENT=""
>|
>| According to what I've read, this should allow only users with 192.168.1.*
>| to use my server as a relay.  But when I test remotely, the test messages
>| are allowed through.
>|
>| Any input would be much appriciated.
>| Thanks
>| Jeff
>
>
>Yayayaya.. but hmmm.. maybe you need a default allow rule in there eh?
>
>192.168.1.:allow,RELAYCLIENT=""
>127.:allow,RELAYCLIENT=""
>:allow
>
>
>
Hi,

try my SPAMCONTROL Patch I posted into this group recently.
However, I really advise everybody NOT to use the LOOPBACK address to be
included in the relaying control mechanism. Its easy enough to fake that.

regards,
erwin.

+---+
|  fffhh Dr. Erwin Hoffmann |
| ff  hh|
| ffeee     ccc   ooomm mm  mm   Wiener Weg 8   |
| fff  ee ee  hh  hh   cc   oo   oo  mmm  mm  mm 50858 Koeln|
| ff  ee eee  hh  hh  cc   oo oo mm   mm  mm|
| ff  eee hh  hh   cc   oo   oo  mm   mm  mm Tel 0221 484 4923  |
| ff      hh  hhccc   ooomm   mm  mm Fax 0221 484 4924  |
+---+

Re: open relay problem

[Adam McKenna]

You don't need that.  allow is the default.

As someone else pointed out, his problem is that he has no rcpthosts file.

--Adam

On Thu, Jan 27, 2000 at 01:16:40AM -0500, Keith Warno wrote:
> | Hi
> | I'm a new qmail user having a problem with relays.  I'm using tcpserver
> | with 3 domains in rcpthosts and the following in etc/tcp.smtp
> |
> | 192.168.1.:allow,RELAYCLIENT=""
> | 127.:allow,RELAYCLIENT=""
> |
> | According to what I've read, this should allow only users with 192.168.1.*
> | to use my server as a relay.  But when I test remotely, the test messages
> | are allowed through.
> |
> | Any input would be much appriciated.
> | Thanks
> | Jeff
> 
> 
> Yayayaya.. but hmmm.. maybe you need a default allow rule in there eh?
> 
> 192.168.1.:allow,RELAYCLIENT=""
> 127.:allow,RELAYCLIENT=""
> :allow
> 
> 
> 

Re: open relay problem

[Keith Warno]

| Hi
| I'm a new qmail user having a problem with relays.  I'm using tcpserver
| with 3 domains in rcpthosts and the following in etc/tcp.smtp
|
| 192.168.1.:allow,RELAYCLIENT=""
| 127.:allow,RELAYCLIENT=""
|
| According to what I've read, this should allow only users with 192.168.1.*
| to use my server as a relay.  But when I test remotely, the test messages
| are allowed through.
|
| Any input would be much appriciated.
| Thanks
| Jeff


Yayayaya.. but hmmm.. maybe you need a default allow rule in there eh?

192.168.1.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow

Re: open relay problem

[Len Budney]

Jeff Mayes <[EMAIL PROTECTED]> wrote:
> 
> 192.168.1.:allow,RELAYCLIENT=""
> 127.:allow,RELAYCLIENT=""
> 
> According to what I've read, this should allow only users with 192.168.1.*
> to use my server as a relay.

That's correct.

> But when I test remotely, the test messages are allowed through.
> Any input would be much appriciated.

Were the test messages addressed to local users on your qmail server?
If so, qmail wasn't _relaying_ mail; it was just accepting _incoming_
mail.

With the above tcprules, connecting from a remote host, mail addressed
to _other remote_ servers should be refused.

(You did tell qmail-smtpd to use those rules, right? You need to invoke
it with the options "-x /etc/tcp.smtp".)

Len.


--
``It's the delivery speed, stupid.''
-- Dan Bernstein, author of qmail

open relay problem

[Jeff Mayes]

Hi
I'm a new qmail user having a problem with relays.  I'm using tcpserver
with 3 domains in rcpthosts and the following in etc/tcp.smtp 

192.168.1.:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""

According to what I've read, this should allow only users with 192.168.1.*
to use my server as a relay.  But when I test remotely, the test messages
are allowed through.

Any input would be much appriciated.
Thanks
Jeff

AW: Open relay??

[Häffelin Holger]

Look for tcpserver on qmail.org

> -Ursprüngliche Nachricht-
> Von: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]Im Auftrag von Tonino Greco
> Gesendet am: Mittwoch, 12. Januar 2000 14:38
> An: [EMAIL PROTECTED]
> Betreff: Open relay??
> 
> Hi,
> 
> I have read somewhere that you can sen your SMTP server to only allow
> mail from specific addresses???
> 
> If this is so - how do you allow from only part of an IP??? - is that
> possible and if so HOW???
> 
> 
> Many thanks in advance
> --Tonino
> 

Re: Open relay??

[Dave Sill]

[EMAIL PROTECTED] wrote:

>I have read somewhere that you can sen your SMTP server to only allow
>mail from specific addresses???

I don't know if you read that somewhere or not. How should I know?
It's certainly possible to restrcit access to your SMTP server.

>If this is so - how do you allow from only part of an IP??? - is that
>possible and if so HOW???

What do you mean by "part of an IP"? A subnet (range of IP's)? Worst
case, you can list them all.

-Dave