Re: [vchkpw] possible smtp-auth bug (qmail)
Hi Bård, On Tue, 15 Jul 2003 20:51:24 +0200 Bård Tommy Nilsen wrote: Ok, cause when i checked it through www.abuse.net it said that my server was open for relay. Well, if I tell you you've to jump out the windows in 10th floor you're gonna jump? 250 martine.fjord-data.no To: [EMAIL PROTECTED] Is the domain 'test.sonen.no' handled by 'martine.fjord-data.no'? Is this server authorative for handling mails to this domain? 1.) No? Than you _have_ a problem. You're accepting mail for a domain you maybe don't want to handle. You're a relay. See 2.b.). If the described scenario is your case you're not an open relay. If 2.b.) does not appliy you are an open relay. 2.) Yes? Are they handled locally (e.g. by vpopmail)? a.) Yes too? THAT'S NOT RELAYING! No matter what anybody else sais, RELAYING it is *ONLY* if you accept mail for hosts and/or domains that is /NOT/ handled locally. b.) No? This can be intentionally, e.g. if you have a mail gateway that forwards messages to a different host in your network which handles the messages finally. But it's /INTENDED/ relaying. Not an open relay. Open relay you only are if you accept mail for arbitrary domains. If you dont recieve it then its not a relay (Its still a Bad Thing (TM) that it accepted) Stupid nonsense! So this is normal, or have I done something wrong ?? Your qmail accepted a message for an address it is configured for per 'rcpthosts', what should be wrong with this? P.S.: Your quoting style is horrible. Please reconsider changing it to the so called inline quoting as you see it in this mail. This makes reading a whole thread more easy, it allows following the topic _a lot_ easier and reduced the size of messages as you automatically trim down the quotes instead of full quoting the original message every time (which is unnecessary in 99% of the times it's used). -- Ciao, Pit
Re: [vchkpw] possible smtp-auth bug (qmail)
Hi Bård, On Mon, 14 Jul 2003 21:10:09 +0200 Bård Tommy Nilsen wrote: When I tried to relay trough my test server with an to Address that matched one domain in rcpthost it accepts the relay. Well ... what do you think 'rcpthosts' is for? You have no idea? READ THE FU^HINE MANUAL! It would be a bug if qmail did _NOT_ accept the mail adressed to somebody whos domain is in 'rcpthosts', unless the recipients address is blocked otherwise, e.g. by 'badmailto' or 'chkusr' patch. -- Ciao, Pit
RE: [vchkpw] possible smtp-auth bug (qmail)
Sorry for starting the discussion. If I set up an script that generates mail from one adress in the rcpthost to Another adress in rcpthost I can fill every mailbox on the server ... I thought that smtp auth should prevent that anyone could send messages through the Server without being authenticated ... But I you do it this way you can RELAY without Being smtp authenticated Bård Tommy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Palmreuther Sent: 15. juli 2003 13:52 To: [EMAIL PROTECTED] Hi Bård, On Mon, 14 Jul 2003 21:10:09 +0200 Bård Tommy Nilsen wrote: When I tried to relay trough my test server with an to Address that matched one domain in rcpthost it accepts the relay. Well ... what do you think 'rcpthosts' is for? You have no idea? READ THE FU^HINE MANUAL! It would be a bug if qmail did _NOT_ accept the mail adressed to somebody whos domain is in 'rcpthosts', unless the recipients address is blocked otherwise, e.g. by 'badmailto' or 'chkusr' patch. -- Ciao, Pit
Re: [vchkpw] possible smtp-auth bug (qmail)
Hi Bård, On Tue, 15 Jul 2003 13:55:34 +0200 Bård Tommy Nilsen wrote: [Quoting fixed, top posting is bad to read and reply] When I tried to relay trough my test server with an to Address that matched one domain in rcpthost it accepts the relay. Well ... what do you think 'rcpthosts' is for? You have no idea? READ THE FU^HINE MANUAL! It would be a bug if qmail did _NOT_ accept the mail adressed to somebody whos domain is in 'rcpthosts', unless the recipients address is blocked otherwise, e.g. by 'badmailto' or 'chkusr' patch. Sorry for starting the discussion. If I set up an script that generates mail from one adress in the rcpthost to Another adress in rcpthost I can fill every mailbox on the server ... *erm* Sorry. If _YOU_ write a script that tries to fill up mailboxes under _YOUR CONTROL_, why and how should qmail prevent you from doing so? I thought that smtp auth should prevent that anyone could send messages through the Server without being authenticated ... No. SMTP-AUTH *CLEARLY* states it is there for allowing selective *RELAY*, not selective *SENDING*. But I you do it this way you can RELAY without Being smtp authenticated No. You _CAN'T_, unless you defined environment variable 'RELAYCLIENT' in any other way, e.g. by 'tcp.smtp.cdb'. For '127.' this variable usually is set, so a script connecting to port 25 from your server to your server usually _will have_ this variable set and therefore would even be allowed to 'relay', albeit sending mails to a domain in 'rcpthosts' and 'virtualdomains' (or 'locals') ain't relaying. If you don't want anybody being able to send messages to your qmail, unless he/she authenticated him-/herself with SMTP-AUTH clear your 'rcpthosts' file. But this _WILL_ prevent your qmail from acting correctly as 'MX', because external SMTP servers trying to deliver messages to your system will, usually, not SMTP authenticate, simply because they don't know how to authenticate on your system. -- Ciao, Pit
Re: [vchkpw] possible smtp-auth bug (qmail)
On Tuesday, July 15, 2003, at 04:55 AM, Bård Tommy Nilsen wrote: Sorry for starting the discussion. If I set up an script that generates mail from one adress in the rcpthost to Another adress in rcpthost I can fill every mailbox on the server ... I thought that smtp auth should prevent that anyone could send messages through the Server without being authenticated ... But I you do it this way you can RELAY without Being smtp authenticated By definition, mail for domains in your rcpthosts file (and morercpthosts.cdb) isn't relayed. An open relay is a server that will accept mail for any domain, and then forward it on. If your server didn't accept mail for domains in the rcpthosts file, it would be impossible for anyone to send you email. -- Tom Collins [EMAIL PROTECTED] http://sniffter.com/ - info on the Sniffter hand-held Network Tester
SV: [vchkpw] possible smtp-auth bug (qmail)
Ok, cause when i checked it through www.abuse.net it said that my server was open for relay. Open Relay Test Results Default domain is staff.iinet.net.au Connecting to martine.fjord-data.no ... 220 martine.fjord-data.no ESMTP HELO staff.iinet.net.au 250 martine.fjord-data.no To: [EMAIL PROTECTED] From: [EMAIL PROTECTED] MAIL FROM: 250 ok RCPT TO: 250 ok DATA 354 go ahead MESSAGE 250 ok 1058294435 qp 1401 SUCCESS Relay Accepted - final response code 250 If you dont recieve it then its not a relay (Its still a Bad Thing (TM) that it accepted) Check your email So this is normal, or have I done something wrong ?? Regards Bård Tommy Nilsen -Opprinnelig melding- Fra: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] På vegne av Tom Collins Sendt: 15. juli 2003 16:05 Til: vpopmail list Emne: Re: [vchkpw] possible smtp-auth bug (qmail) On Tuesday, July 15, 2003, at 04:55 AM, Bård Tommy Nilsen wrote: Sorry for starting the discussion. If I set up an script that generates mail from one adress in the rcpthost to Another adress in rcpthost I can fill every mailbox on the server ... I thought that smtp auth should prevent that anyone could send messages through the Server without being authenticated ... But I you do it this way you can RELAY without Being smtp authenticated By definition, mail for domains in your rcpthosts file (and morercpthosts.cdb) isn't relayed. An open relay is a server that will accept mail for any domain, and then forward it on. If your server didn't accept mail for domains in the rcpthosts file, it would be impossible for anyone to send you email. -- Tom Collins [EMAIL PROTECTED] http://sniffter.com/ - info on the Sniffter hand-held Network Tester
SV: [vchkpw] possible smtp-auth bug (qmail)
I checked this on a test server og it failed, but When I tried to relay trough my test server with an to Address that matched one domain in rcpthost it accepts the relay. Could someone test it one their machine ? I used http://members.iinet.net.au/~remmie/relay/ Is it my config ?? What have I done wrong ?? Regards Bård Tommy Nilsen -Opprinnelig melding- Fra: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] På vegne av Alejandro Ortega Paez Sendt: 14. juli 2003 20:59 Til: [EMAIL PROTECTED] Emne: Re: [vchkpw] possible smtp-auth bug (qmail) Viktighet: Høy El lun, 14-07-2003 a las 20:19, Charles Sprickman escribió: Howdy, If you are running vpopmail with an smtp-auth patch, you might want to look at this: http://marc.theaimsgroup.com/?l=qmailm=105452174430616w=2 Apparently one of the smtp-auth patches takes any old login/pass and allows relaying, and it's being abused by spammers. I haven't followed the whole thread yet... Charles It will be only from old versions of vpopmail. I'm using 5.3.20 and this test does not work: telnet 192.168.1.2 25 Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. 220 xx..xx ESMTP auth login 334 VXNlcm5hbWU6 VXNlcm5hbWU6 334 UGFzc3dvcmQ6 UGFzc3dvcmQ6 user invalid username: 535 authorization failed (#5.7.0) But it's very interesting to know this issue... Regards, Alejandro Ortega.
Re: SV: [vchkpw] possible smtp-auth bug (qmail)
Bård Tommy Nilsen wrote: I checked this on a test server og it failed, but When I tried to relay trough my test server with an to Address that matched one domain in rcpthost it accepts the relay. It should if its in your rcpthost file no? -- Aj. Systems Administrator / Developer
Re: [vchkpw] possible smtp-auth bug (qmail)
On Mon, 14 Jul 2003, Alejandro Ortega Paez wrote: It will be only from old versions of vpopmail. I'm using 5.3.20 and this test does not work: The reason I posted is that even though it's an old issue, apparently now spammers are discovering it. If you follow the thread, it seems it's a (common?) mistake in the tcpserver setup where the user has omitted the hostname argument. In that case, relaying is wide open for anyone using smtp-auth and any user/pass. If anyone has other details (which smtp-auth patch is at issue, etc.), post away so it gets in the archives. Charles telnet 192.168.1.2 25 Trying 192.168.1.2... Connected to 192.168.1.2. Escape character is '^]'. 220 xx..xx ESMTP auth login 334 VXNlcm5hbWU6 VXNlcm5hbWU6 334 UGFzc3dvcmQ6 UGFzc3dvcmQ6 user invalid username: 535 authorization failed (#5.7.0) But it's very interesting to know this issue... Regards, Alejandro Ortega.