Koozali.org: home of the SME Server

SPAM Attack

haqaro
SPAM Attack
« on: March 26, 2018, 10:17:42 AM »
Hi!

I've been struggling with an issue for quite some time already, and I don't seem to find a solution.

Actual Scenario:
- SME Mail Server is running on a public IP
- Some clients have their port 25 outgoing blocked. The workaround was:
 a) Redirect them to our firewall on port 587
 b) In our firewall we redirect all the requests of port 587 to the SME Mail Server on port 25.
- Our Qmail keeps hanging because of the large number of bounces

So what seems to happen is that someone, or something, can use our SME Mail Server without authentication, probably because the source is our firewall and the SME interprets it as local. I already enabled authentication for users on the internal network as explained here: https://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network

Code:
2018-03-26 15:50:09.171696500 2791 250-fbm.com.ph Hi pc-00008.fbm.com.ph [122.55.100.136]
2018-03-26 15:50:09.171697500 2791 250-PIPELINING
2018-03-26 15:50:09.171706500 2791 250-8BITMIME
2018-03-26 15:50:09.171715500 2791 250-SIZE 15000000
2018-03-26 15:50:09.171726500 2791 250-STARTTLS
2018-03-26 15:50:09.171734500 2791 250 AUTH PLAIN LOGIN
2018-03-26 15:50:09.218748500 2646 dispatching RCPT TO:<claude.gagneur@wanadoo.fr>
2018-03-26 15:50:09.218996500 2646 (rcpt) badrcptto: skip, relay client
2018-03-26 15:50:09.219081500 2646 (rcpt) rcpt_ok: skip, relay client
2018-03-26 15:50:09.219155500 2646 250 <claude.gagneur@wanadoo.fr>, recipient ok

But as this log shows, no luck. They keep getting in and spreading their word! What else can I try here? What am I missing? Is there any way I can have both port 25 and port 587 open to SMTP on the SME Server at the same time?

Thanks. Cheers,
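The log above shows the symptom to hunt for: a connection from the forwarding gateway's IP that gets an external recipient accepted with "skip, relay client" and never authenticates. The following is an added example, not from the post or from SME Server, that scans qpsmtpd log lines in that layout (timestamp, connection pid, text) and reports such connections; the sample lines, the local domain and the "auth success" wording for a successful AUTH are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's qpsmtpd log layout: pid 2791 relays to an
# external domain with no AUTH, pid 2802 authenticates first, pid 2810 only
# delivers to a local mailbox. The "auth success" wording is an assumption.
SAMPLE_LOG = """\
2018-03-26 15:50:09.171696500 2791 250-fbm.com.ph Hi pc-00008.fbm.com.ph [122.55.100.136]
2018-03-26 15:50:09.218748500 2791 dispatching RCPT TO:<someone@example.net>
2018-03-26 15:50:09.218996500 2791 (rcpt) rcpt_ok: skip, relay client
2018-03-26 15:50:09.219155500 2791 250 <someone@example.net>, recipient ok
2018-03-26 15:51:00.000000000 2802 250-fbm.com.ph Hi pc-00008.fbm.com.ph [122.55.100.136]
2018-03-26 15:51:00.100000000 2802 (auth) auth success for user1
2018-03-26 15:51:00.200000000 2802 dispatching RCPT TO:<someone@example.net>
2018-03-26 15:51:00.300000000 2802 250 <someone@example.net>, recipient ok
2018-03-26 15:52:00.000000000 2810 250-fbm.com.ph Hi pc-00008.fbm.com.ph [122.55.100.136]
2018-03-26 15:52:00.100000000 2810 dispatching RCPT TO:<user@fbm.com.ph>
2018-03-26 15:52:00.200000000 2810 (rcpt) rcpt_ok: skip, relay client
"""

LINE_RE = re.compile(r"^\S+ \S+ (\d+) (.*)$")          # timestamp pid text
HELLO_RE = re.compile(r"\bHi \S+ \[([\d.]+)\]")         # greeting with client IP
RCPT_RE = re.compile(r"RCPT TO:<([^>]+)>", re.IGNORECASE)

def find_gateway_relay(log_text, gateway_ip, local_domains):
    """Return (pid, recipient) for each connection from gateway_ip that had an
    external recipient accepted via the 'relay client' shortcut without AUTH."""
    conns = defaultdict(lambda: {"ip": None, "authed": False,
                                 "relayed": False, "rcpts": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, text = m.groups()
        conn = conns[pid]
        hello = HELLO_RE.search(text)
        rcpt = RCPT_RE.search(text)
        if hello:
            conn["ip"] = hello.group(1)
        elif "auth success" in text:
            conn["authed"] = True
        elif rcpt:
            conn["rcpts"].append(rcpt.group(1))
        elif "skip, relay client" in text:
            conn["relayed"] = True
    findings = []
    for pid, conn in conns.items():
        if conn["ip"] != gateway_ip or conn["authed"] or not conn["relayed"]:
            continue
        for rcpt in conn["rcpts"]:
            if rcpt.rsplit("@", 1)[-1].lower() not in local_domains:
                findings.append((pid, rcpt))
    return findings
```

Run it over /var/log/qpsmtpd/current with the gateway's IP and your own domains; any hit means an unauthenticated client behind the forward is being treated as a trusted relay.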

mmccarn
Re: SPAM Attack
« Reply #1 on: March 26, 2018, 12:52:31 PM »
You should be able to block unauthenticated relay from your firewall like this:

Code:
# create the custom template directory for norelayclients (if it does not exist yet)
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/
# add a template fragment listing the IP(s) that must never relay without authentication
echo '# custom entries for norelayclients
122.55.100.136' >> 30CustomNoRelayClients
# regenerate the qpsmtpd configuration and restart the service
signal-event email-update

Undo using:
Code:
rm -f /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/30CustomNoRelayClients
signal-event email-update

Explanation:
- This code will add "122.55.100.136" to the end of /var/service/qpsmtpd/config/norelayclients.  Learn more using perldoc /usr/share/qpsmtpd/plugins/relay (or at https://wiki.contribs.org/Qpsmtpd:relay )

- Replace "122.55.100.136" with the IP address of your router (if that's not it).  You can prevent relay from blocks of IPs by using part of the IP - eg "122.55.100." - which would block unauthenticated relay from any IP that starts with "122.55.100.".

- 30CustomNoRelayClients can contain multiple entries
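The prefix rule described above ("122.55.100." covers every address starting with it) is easy to get wrong when an entry is missing its trailing dot or a whole block is listed where one host was meant. The following is an added example, not qpsmtpd's own code, that models the relay decision as the reply describes it: norelayclients entries are checked before relayclients, and each list may hold full addresses or dotted prefixes. The relayclients contents are assumed; the real plugin reads both lists from /var/service/qpsmtpd/config/.

```python
def parse_client_list(text):
    """Parse a relayclients/norelayclients file: one IP or dotted IP prefix
    per line; '#' comments and blank lines are ignored."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line)
    return entries


def ip_prefixes(ip):
    """Every entry form that covers ip, most specific first:
    '1.2.3.4', '1.2.3.', '1.2.', '1.' (the trailing dot is significant)."""
    octets = ip.split(".")
    forms = [ip]
    for n in range(3, 0, -1):
        forms.append(".".join(octets[:n]) + ".")
    return forms


def is_relay_client(ip, relayclients, norelayclients):
    """Model of the decision: a norelayclients match denies relay outright,
    otherwise relay is granted only if a relayclients entry covers the IP.
    This ordering is what the custom fragment in the reply depends on."""
    forms = ip_prefixes(ip)
    if any(form in norelayclients for form in forms):
        return False
    return any(form in relayclients for form in forms)


# Constructed configuration (assumed, not read from a real server): the LAN
# block the server trusts plus the custom fragment from the reply.
RELAYCLIENTS = parse_client_list("127.0.0.1\n122.55.100.\n")
NORELAYCLIENTS = parse_client_list(
    "# custom entries for norelayclients\n122.55.100.136\n")
```

Checking a candidate file this way before running signal-event shows which hosts keep relay rights, so a too-broad prefix cannot silently cut off legitimate LAN clients.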

Jean-Philippe Pialasse (aka Unnilennium)
Re: SPAM Attack
« Reply #2 on: March 26, 2018, 03:52:18 PM »
Well, as you pointed out, this is a workaround, not a solution. Your workaround basically created more issues than it solves.

The solution is to remove this port forward and enable secure SMTP, then open your firewall for port 465 and configure your client to use this port correctly; see https://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0 (still valid for SME 9).

haqaro
Re: SPAM Attack
« Reply #3 on: March 27, 2018, 05:40:10 AM »
Quote from: mmccarn on March 26, 2018, 12:52:31 PM
You should be able to block unauthenticated relay from your firewall like this:

Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/
echo '# custom entries for norelayclients
122.55.100.136' >> 30CustomNoRelayClients
signal-event email-update

Undo using:
Code:
rm -f /etc/e-smith/templates-custom/var/service/qpsmtpd/config/norelayclients/30CustomNoRelayClients
signal-event email-update

Explanation:
- This code will add "122.55.100.136" to the end of /var/service/qpsmtpd/config/norelayclients.  Learn more using perldoc /usr/share/qpsmtpd/plugins/relay (or at https://wiki.contribs.org/Qpsmtpd:relay )

- Replace "122.55.100.136" with the IP address of your router (if that's not it).  You can prevent relay from blocks of IPs by using part of the IP - eg "122.55.100." - which would block unauthenticated relay from any IP that starts with "122.55.100.".

- 30CustomNoRelayClients can contain multiple entries


This seems to work so far. I tried it before, but at that time I had a wrong setting on my SMTP client. Thank you!

Quote from: Jean-Philippe Pialasse on March 26, 2018, 03:52:18 PM
Well, as you pointed out, this is a workaround, not a solution. Your workaround basically created more issues than it solves.

The solution is to remove this port forward and enable secure SMTP, then open your firewall for port 465 and configure your client to use this port correctly; see https://wiki.contribs.org/Email_-_Setting_up_E-mail_clients_for_SME_8.0 (still valid for SME 9).

You're right, it worked fine for quite a few months, but when the headache started, it was messy! The solution by mmccarn seems to fix my issue. On the clients port 465 is also closed by the ISP; 587 did the trick.

Jean-Philippe Pialasse (aka Unnilennium)
Re: SPAM Attack
« Reply #4 on: March 27, 2018, 10:30:32 PM »

Quote from: haqaro on March 27, 2018, 05:40:10 AM
This seems to work so far. I tried it before, but at that time I had a wrong setting on my SMTP client. Thank you!
You're right, it worked fine for quite a few months, but when the headache started, it was messy! The solution by mmccarn seems to fix my issue. On the clients port 465 is also closed by the ISP; 587 did the trick.

Good news. Just thinking that this custom template could also conflict at some point due to an upgrade. We saw some issues in the last year with the qpsmtpd upgrade and existing custom templates that we cannot predict.


or may I suggest to change ISP ;)

Also, you could have forwarded 587 or a higher port (eg 50465) to 465, as long as your mail client is flexible and allows you to set the right

Alternatively, OpenVPN, libreswan or softethernet could work miracles... See the wiki to look for the contribs.

mmccarn
Re: SPAM Attack
« Reply #5 on: March 28, 2018, 01:12:55 PM »

Quote from: haqaro on March 26, 2018, 10:17:42 AM
Code:
2018-03-26 15:50:09.171696500 2791 250-fbm.com.ph Hi pc-00008.fbm.com.ph [122.55.100.136]
2018-03-26 15:50:09.171697500 2791 250-PIPELINING...


The name that the SME server is giving your gateway - "pc-00008.fbm.com.ph" - combined with the reported email relay problem makes me think that the gateway is on the LAN interface of the SME.  When looking for the template fragment related to "norelayclients" I discovered that the default content already includes the default gateway in the case where the SME is in server-only mode.

I concluded that there is something a bit odd about how this network is set up -- but if this (bad spam detection on inbound SMTP traffic) is the only problem, then the change I proposed would fix it.

If I'm right that the SME LAN interface has a valid public IP address, you should review the SME server access as it relates to any other hosts on the same 122.55.100.x subnet.  Running egrep -ril "localnet|localip" /etc/e-smith/templates/* shows a number of template fragments that include content related to "local networks"; you may want to make sure that the access to these services is set appropriately for any system on the 122.55.100.x subnet:

Code:
# egrep -ril "localnet|localip" /etc/e-smith/templates/*
/etc/e-smith/templates/etc/mail/spamassassin/local.cf/10trusted_networks
/etc/e-smith/templates/etc/mail/spamassassin/local.cf/10internal_networks
/etc/e-smith/templates/etc/my.cnf/009socket
/etc/e-smith/templates/etc/rc.d/init.d/masq/35transproxy
/etc/e-smith/templates/etc/rc.d/init.d/masq/00Definitions
/etc/e-smith/templates/etc/rc.d/init.d/masq/35SMTPProxy
/etc/e-smith/templates/etc/rc.d/init.d/masq/91adjustPortForward
/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSMTPProxy
/etc/e-smith/templates/etc/rc.d/init.d/masq/01localNetworks
/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustTransProxy
/etc/e-smith/templates/etc/tcprules/tcp.proftpd/10localhost
/etc/e-smith/templates/etc/tcprules/tcp.proftpd/80localNetworks
/etc/e-smith/templates/etc/ups/upsd.conf/10Listen_Local_Network
/etc/e-smith/templates/etc/ssh/sshd_config/15ListenAddress
/etc/e-smith/templates/etc/hosts/20hostname
/etc/e-smith/templates/etc/oidentd_masq.conf/50localaddresses
/etc/e-smith/templates/etc/diald.conf/local
/etc/e-smith/templates/etc/sysconfig/network-scripts/route-ethX/10localroutes
/etc/e-smith/templates/etc/sysconfig/network-scripts/ifcfg-ethX/90otherparams
/etc/e-smith/templates/etc/squid/squid.conf/10HTTPPort
/etc/e-smith/templates/etc/squid/squid.conf/10ICPAddresses
/etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost
/etc/e-smith/templates/etc/ppp/ip-up.local/10setup
/etc/e-smith/templates/etc/ppp/options.pptpd/ms-dns
/etc/e-smith/templates/etc/ppp/options.pptpd/netmask
/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalNetwork
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35Listen80
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95ProxyService
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL00Listen443
/etc/e-smith/templates/etc/smb.conf/11remoteBrowseSync
/etc/e-smith/templates/etc/smb.conf/11winsServer
/etc/e-smith/templates/etc/smb.conf/11interfaces
/etc/e-smith/templates/etc/smb.conf/11remoteAnnounce
/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
/etc/e-smith/templates/etc/resolv.conf/25nameserver
/etc/e-smith/templates/etc/dhcpd.conf/20BeginLocalSubnet
/etc/e-smith/templates/etc/dhcpd.conf/25Netmask
/etc/e-smith/templates/etc/dhcpd.conf/25DomainNameServers
/etc/e-smith/templates/etc/dhcpd.conf/25Routers
/etc/e-smith/templates/etc/dhcpd.conf/25Broadcast
/etc/e-smith/templates/etc/pptpd.conf/localip
/etc/e-smith/templates/etc/pptpd.conf/remoteip
/etc/e-smith/templates/etc/lpd.perms/60access
/etc/e-smith/templates/opt/rh/mysql55/root/etc/my.cnf/009socket
/etc/e-smith/templates/var/service/qpsmtpd/config/dnsbl_allow/80LocalNetworks
/etc/e-smith/templates/var/service/qpsmtpd/config/relayclients/10localhost
/etc/e-smith/templates/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
/etc/e-smith/templates/var/service/tinydns/root/data/00functions
/etc/e-smith/templates/var/service/tinydns/root/data/50domainARecords
/etc/e-smith/templates/var/service/tinydns/root/data/30nameServers
/etc/e-smith/templates/var/service/ippp/config/LocalIP

Services to think about based on the above:
* web proxy & transparent proxy (some systems might bypass expected traffic routes by setting the SME as their default gateway or specifically using SME as a web proxy)
* FTP (if enabled)
* ssh
* server-manager
* SMB
* DNS
* LPD (network printing?)
« Last Edit: March 28, 2018, 01:30:36 PM by mmccarn »

Jean-Philippe Pialasse (aka Unnilennium)
Re: SPAM Attack
« Reply #6 on: March 28, 2018, 07:05:15 PM »

Quote from: haqaro on March 26, 2018, 10:17:42 AM
Actual Scenario:
- SME Mail Server is running on a public IP


McCarn pointed out an important point: we assumed you used SME as a gateway, but the logs seem to show that you set it up as server-only with an actual public IP. If this is the reality, you should switch your server to gateway and server, using the dummy adapter for the LAN if you have only one ethernet adapter.

Having an SME as server-only connected to a public IP is insecure, as the firewall rules are set to face a private trusted network, not the full untrusted and insecure internet with its potential for hacking and abuse of services. This would be the fix to start with.

haqaro
Re: SPAM Attack
« Reply #7 on: April 02, 2018, 12:14:53 PM »
Quote from: Jean-Philippe Pialasse on March 28, 2018, 07:05:15 PM
McCarn pointed out an important point: we assumed you used SME as a gateway, but the logs seem to show that you set it up as server-only with an actual public IP. If this is the reality, you should switch your server to gateway and server, using the dummy adapter for the LAN if you have only one ethernet adapter.

Having an SME as server-only connected to a public IP is insecure, as the firewall rules are set to face a private trusted network, not the full untrusted and insecure internet with its potential for hacking and abuse of services. This would be the fix to start with.

Yes, indeed. I will study that and take the necessary actions to make it more secure, even though the solution you guys gave me was implemented and is a complete success.

Thanks!
Cheers,