Koozali.org: home of the SME Server

please help me with my e-mail server?

Dan Brown

Re: please help me with my e-mail server?
« Reply #15 on: May 13, 2002, 07:00:15 AM »
Um, never mind that last bit--it's not the qmail files, it's the obtuse SMTPd that's your problem.  Take a look in /var/spool/smtpd/etc/smtpd_check_rules and see what it has listed for domains.

Tom

Re: please help me with my e-mail server?
« Reply #16 on: May 13, 2002, 07:06:01 AM »
That returns the members of the null set.  I mean it returned nothing.  Is there something Dan you know that I don't know that you could share?

T

Tom

Re: please help me with my e-mail server?
« Reply #17 on: May 13, 2002, 07:11:30 AM »
#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# e-smith server and gateway software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org.
#
# copyright (C) 1999, 2000 e-smith, inc.
#------------------------------------------------------------


# Don't allow bang paths via us
noto:ALL:ALL:*!*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.

# Don't allow two @s (equivalent to %hack) via us
noto:ALL:ALL:*@*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.

# Don't allow %hack relay via us
noto:ALL:ALL:*%*@*:551 Sorry %H (%I), I don't allow unauthorized relaying. You can't use me to send mail from %F to %T.


# Allow relaying from the local network
allow:127.0.0.1:ALL:ALL
allow:10.0.0.0/8:ALL:ALL

# Prohibit access to these addresses from the outside world
noto:ALL:ALL:everyone@*.van-buskirk.com everyone@van-buskirk.com:551 Sorry %H (%I), you cannot send mail to %T from outside our local network.
noto:ALL:ALL:shared@*.van-buskirk.com shared@van-buskirk.com:551 Sorry %H (%I), you cannot send mail to %T from outside our local network.

# Allow any of our valid e-mail accounts to any of our domains
allow:ALL:ALL:admin@*.van-buskirk.com admin@van-buskirk.com:
allow:ALL:ALL:mailer-daemon@*.van-buskirk.com mailer-daemon@van-buskirk.com:
allow:ALL:ALL:postmaster@*.van-buskirk.com postmaster@van-buskirk.com:

# Just say no to anything else, we won't relay for people we don't know.
noto:ALL:ALL:ALL:551 Sorry %H(%I), I don't allow unauthorized relaying. Please use another SMTP host to mail from %F to %T

#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------

Dan Brown

Re: please help me with my e-mail server?
« Reply #18 on: May 13, 2002, 07:28:20 AM »
I really don't know the syntax of that file, but as I read it, it's set to only allow e-mail to the admin (or postmaster) users.  The only guess I have as to the reason for that is the smtpdcheckrules RPM you installed from myezserver.com (I don't know why it would do this, but it's the only reason I can think of that you'd be seeing any usernames at all in that file).  Try removing that RPM and see if that fixes things.

Tom

Re: please help me with my e-mail server?
« Reply #19 on: May 13, 2002, 07:43:59 AM »
"rpm -q --all | grep smtp*"  shows "obtuse-smtpd-qmail-2.0.33, dmc-mitel-smtpdcheckrules-0.0.1-5, e-smith-obtuse smtpd-16.0-01".

But "rpm -e dmc-mitel-s*" says it's not installed.

So I "rpm -Uvh --force ./dmc-mitel-s*" and it installed.  Then I tried to erase it and it says it's not installed.

Dan Brown

Re: please help me with my e-mail server?
« Reply #20 on: May 13, 2002, 07:51:12 AM »
Don't use the asterisk; do rpm -e dmc-mitel-smtpdcheckrules, and it should remove it.  Then be sure to do /sbin/e-smith/expand-template /var/spool/smtpd/etc/smtpd_check_rules.

Tom

Re: please help me with my e-mail server?
« Reply #21 on: May 13, 2002, 08:56:28 AM »
That is so awesome! All accounts worked.  I guess I had a misconfigured smtpd-check-rules? Because now it is uninstalled, I did that command, and it works!

After I rpm'd it in originally, I did not perform any further configuration. Maybe I should have.  Maybe I should have followed the how-to at

http://myezserver.com/downloads/mitel/howto/smtp-restrict-howto.html

Maybe I should have rpm'd it and followed the whole how-to, instead of simply rpm'ing it alone.

So I guess at this point, with dmc-smtpd-check-rules uninstalled, anyone can use my server to spam.  Is that right?

Thank you Dan and Terry for all your help!!!

TomTom

Dan Brown

Re: please help me with my e-mail server?
« Reply #22 on: May 13, 2002, 06:21:02 PM »
Well, if there's documentation out there, it's always a good idea to follow it, but in this case, that HOWTO doesn't seem to say anything about using the RPM.

Your server is not now an open relay by virtue of having removed this RPM.  To explain why requires a bit of discussion of how the SME mail system works, and what this RPM  tries to do:

When incoming mail arrives via SMTP, it's first processed by Obtuse SMTPd.  Once obtuse is finished with it, it hands it off to qmail, which delivers it to the appropriate mailbox.  Obtuse handles things like obvious spam checks and anti-relaying, but doesn't (by default) verify that the message is addressed to a valid user--qmail does that.  This is acceptable for normal e-mail--qmail will generate a bounce message and send it back to the person who sent the message.  It uses a little more bandwidth than if obtuse just stopped it at the gate, but it works.

The problem with this approach comes when the return address is bogus, as is almost invariably the case with spam.  In that case, the administrator gets a message saying, "the bounce bounced!"  A common spamming technique is to send messages to lots of random addresses at a domain.  With the default configuration, this will result in _lots_ of double-bounce messages to the postmaster.

IMO, this is a serious deficiency in the SME mail setup.  It's not really insecure, but it can be very inconvenient, and it seems that obtuse _should_ be able to verify the addresses before handing the message off to qmail (note that I know almost nothing about obtuse smtpd; it just seems that this is a capability that it should have).

Darrell seems to agree that this is a problem, and the RPM you installed is one way of addressing it.  I don't know why your system was just listing the admin and postmaster accounts, but I'll assume that it's supposed to have all valid accounts listed.  What it does is cause obtuse to bounce any message addressed to an address that isn't in the "OK" list.  Doesn't look like an exceptionally elegant way of solving the problem, but it also seems that it should work (again, if all valid accounts were actually listed--maybe Darrell can chime in with suggestions as to why that wasn't the case).

I also see a fairly serious problem with this approach, though (or at least this implementation): mail to an invalid user bounces with an anti-relaying message, which is inappropriate.  It should bounce with a user unknown message.  I'd think a line like this should solve that problem:

noto:ALL:ALL:*@*.van-buskirk.com:500 User Unknown.  Sorry %H (%I), the mailbox %T doesn't exist here.

The syntax here is only a wild guess, and I'm not 100% sure of the error number either.  The idea, though, is to generate a more useful bounce message.  This would be added after all the specific users are listed.
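
Added example, not part of any post in this thread and not Obtuse SMTPd's own code: a small Python model for auditing a rules file like the one pasted in Reply #17, showing why outside mail reached only admin and postmaster and was refused with a relaying message. It assumes fields are action:source:from:to[:reply], that rules are tried top to bottom with the first match winning, and that patterns are ALL, an IP or CIDR block, or a `*` glob; the names `parse` and `decide` and the shortened reply texts are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample: a trimmed copy of the rules pasted in Reply #17,
# with the reply texts shortened.
RULES = """\
# Don't allow bang paths, two @s or %hack relay via us
noto:ALL:ALL:*!*@*:551 no relaying
noto:ALL:ALL:*@*@*:551 no relaying
noto:ALL:ALL:*%*@*:551 no relaying
allow:127.0.0.1:ALL:ALL
allow:10.0.0.0/8:ALL:ALL
noto:ALL:ALL:everyone@*.van-buskirk.com everyone@van-buskirk.com:551 local only
allow:ALL:ALL:admin@*.van-buskirk.com admin@van-buskirk.com:
allow:ALL:ALL:postmaster@*.van-buskirk.com postmaster@van-buskirk.com:
noto:ALL:ALL:ALL:551 no relaying
"""

def parse(text):
    """Return a list of (action, sources, senders, recipients, reply)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Assumed layout: action:source:from:to[:reply]
        action, src, frm, to, *rest = line.split(":", 4)
        rules.append((action, src.split(), frm.split(), to.split(),
                      rest[0] if rest else ""))
    return rules

def _ip_match(patterns, ip):
    addr = ipaddress.ip_address(ip)
    return any(p == "ALL" or addr in ipaddress.ip_network(p, strict=False)
               for p in patterns)

def _glob_match(patterns, value):
    return any(p == "ALL" or fnmatchcase(value.lower(), p.lower())
               for p in patterns)

def decide(rules, client_ip, mail_from, rcpt_to):
    """First matching rule wins (assumption); report 'nomatch' otherwise."""
    for action, src, frm, to, reply in rules:
        if (_ip_match(src, client_ip) and _glob_match(frm, mail_from)
                and _glob_match(to, rcpt_to)):
            return action, reply
    return "nomatch", ""
```

Running `decide` for an outside client and an ordinary local user lands on the final catch-all rule, which is the anti-relaying refusal discussed above, while the same recipient is accepted from a 10.0.0.0/8 client.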

Darrell May

Re: please help me with my e-mail server?
« Reply #23 on: May 14, 2002, 05:55:58 AM »
Dan Brown wrote:
> (again, if all valid accounts were actually listed--maybe
> Darrell can chime in with suggestions as to why that wasn't
> the case).

Sounds like this fellow might have installed the rpm incorrectly.  In any event to rebuild smtpd_check_rules at any time you simply need to execute:

/sbin/e-smith/signal-event email-update

Regards,

Darrell