Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: srushik on June 14, 2005, 04:27:04 PM
-
I know documentation indicates mail cannot be sent through the SME smtp server from outside the local network, but it appears that this is happening on my server.
Is there something I need to do to be sure SPAM cannot be sent through my server from outside my local network?
What I'm seeing in smtp-front log is the following:
2005-06-14 07:59:22.394608500 tcpserver: pid 14909 from 69.89.146.1
2005-06-14 08:00:21.477779500 tcpserver: ok 14909 0:70.246.241.45:25 :69.89.146.1::3444
2005-06-14 08:00:21.825698500 smtpfront-qmail[14909]: MAIL FROM:<rose.agema@firstcitizensonline.com>
2005-06-14 08:00:21.879409500 smtpfront-qmail[14909]: RCPT TO:<msmith@pcconline.net>
2005-06-14 08:00:22.228895500 smtpfront-qmail[14909]: Accepted message qp 14910 bytes 46513
2005-06-14 08:01:10.833813500 smtpfront-qmail[14909]: bytes in: 47128 bytes out: 205
2005-06-14 08:01:10.833976500 tcpserver: end 14909 status 0
It appears that mail is being accepted from an outside IP 69.89.146.1
This is not an isolated incident, rather continues almost daily. Any advice?
-
> I know documentation indicates mail cannot be sent through the SME smtp server from outside the local network, but it appears that this is happening on my server.
> ...
> What I'm seeing in smtp-front log is the following:
> 2005-06-14 07:59:22.394608500 tcpserver: pid 14909 from 69.89.146.1
> 2005-06-14 08:00:21.477779500 tcpserver: ok 14909 0:70.246.241.45:25 :69.89.146.1::3444
> 2005-06-14 08:00:21.825698500 smtpfront-qmail[14909]: MAIL FROM:<rose.agema@firstcitizensonline.com>
> 2005-06-14 08:00:21.879409500 smtpfront-qmail[14909]: RCPT TO:<msmith@pcconline.net>
> 2005-06-14 08:00:22.228895500 smtpfront-qmail[14909]: Accepted message qp 14910 bytes 46513
> 2005-06-14 08:01:10.833813500 smtpfront-qmail[14909]: bytes in: 47128 bytes out: 205
> 2005-06-14 08:01:10.833976500 tcpserver: end 14909 status 0
> It appears that mail is being accepted from an outside IP 69.89.146.1
Yes, what you are seeing is mail being accepted from an outside IP address. The mail was addressed to a recipient which is local to your server. This is what mail servers do.
I see no evidence that mail is being sent *through* your server. I've tested - your server correctly rejects mail addressed to addresses other than those within your domain. IOW, it is not an open mail relay.
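The check Charlie describes doing by hand, as an added example that is not part of this thread or of SME Server: `relay_probe()` speaks plain SMTP to a server, asks for one recipient in the server's own domain and one foreign recipient, and returns the two reply codes. A server that is not an open relay answers 2xx for the first and 5xx for the second. The probe sends RSET before QUIT, so no message is ever queued on the target. The host, port, domain pcconline.net and all addresses are assumptions, and `_fake_smtp_server` is a constructed stand-in (answering foreign recipients with qmail-smtpd's usual 553 text) so the example runs offline; against a real server only `relay_probe()` is used.

```python
import socket
import threading

# Added example, not SME Server or mailfront code. _fake_smtp_server is a
# constructed stand-in so the probe can run offline; against a real server
# you would call relay_probe() only.

def _fake_smtp_server(listener, local_domains, open_relay):
    """Minimal SMTP responder. Accepts RCPT TO for local_domains; for any other
    domain it answers like qmail-smtpd (553) unless open_relay is True."""
    conn, _ = listener.accept()
    rd = conn.makefile("rb")
    send = lambda line: conn.sendall((line + "\r\n").encode())
    send("220 sme.example.test ESMTP")
    while True:
        raw = rd.readline()
        if not raw:
            break
        line = raw.decode(errors="replace").rstrip("\r\n")
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            send("250 sme.example.test")
        elif verb in ("MAIL", "RSET"):
            send("250 ok")
        elif verb == "RCPT":
            addr = line.split(":", 1)[1].strip().strip("<>")
            if addr.rsplit("@", 1)[-1].lower() in local_domains or open_relay:
                send("250 ok")
            else:
                send("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)")
        elif verb == "QUIT":
            send("221 bye")
            break
        else:
            send("502 unimplemented")
    conn.close()


def _reply_code(rd):
    """Read one (possibly multi-line) SMTP reply and return its numeric code."""
    while True:
        line = rd.readline().decode(errors="replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3])   # a '-' in column 4 means more lines follow


def relay_probe(host, port, local_rcpt, foreign_rcpt,
                sender="relaytest@example.invalid", timeout=10):
    """Return (code_for_local_rcpt, code_for_foreign_rcpt). Only envelope
    commands are sent; RSET before QUIT guarantees nothing is queued."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        rd = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode())
            return _reply_code(rd)

        if _reply_code(rd) != 220:
            raise RuntimeError("no SMTP banner")
        cmd("EHLO relaytest.example.invalid")
        cmd("MAIL FROM:<%s>" % sender)
        local_code = cmd("RCPT TO:<%s>" % local_rcpt)
        foreign_code = cmd("RCPT TO:<%s>" % foreign_rcpt)
        cmd("RSET")
        cmd("QUIT")
    return local_code, foreign_code


def is_open_relay(codes):
    """A 2xx answer for a foreign recipient, seen from a non-LAN client, is the
    open-relay signature."""
    return 200 <= codes[1] < 300


def demo(open_relay):
    """Run the probe against the constructed server; returns the two reply codes."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_fake_smtp_server,
                         args=(listener, {"pcconline.net"}, open_relay), daemon=True)
    t.start()
    codes = relay_probe("127.0.0.1", port, "msmith@pcconline.net", "someone@example.com")
    t.join()
    listener.close()
    return codes


if __name__ == "__main__":
    for mode in (False, True):
        codes = demo(mode)
        print("open_relay=%s -> %s -> %s" % (
            mode, codes, "OPEN RELAY" if is_open_relay(codes) else "relay refused"))
```

Run the real probe from a host outside the LAN, not from inside it: as the thread goes on to explain, LAN hosts are allowed to relay, so a 250 for the foreign recipient from a LAN address proves nothing. The first element of the result is a sanity check that the server actually accepts mail for its own domain; if that is 5xx too, the probe reached the wrong host or port.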
-
I'm having a similar problem, except it is happening thousands of times. Starting at the end of last week, the Spamassassin report showed 4K - 5K of spam messages per day. I was out of town for four days and when I returned, the quantity had gone up to 20K per day. Virtually none of the spam has a local recipient and still seems to be relayed through.
From my smtpfront-qmail log:
2005-06-14 17:32:16.348154500 smtpfront-qmail[30554]: RCPT TO: <yzm@sohu.com>
2005-06-14 17:32:16.361224500 smtpfront-qmail[30548]: RCPT TO: <rayjing@sina.com>
2005-06-14 17:32:16.376663500 smtpfront-qmail[30547]: bytes in: 296 bytes out: 322
2005-06-14 17:32:16.376774500 tcpserver: end 30547 status 0
2005-06-14 17:32:16.376775500 tcpserver: status: 9/40
2005-06-14 17:32:16.503205500 smtpfront-qmail[30577]: MAIL FROM:<dz806bmi@sina.com>
2005-06-14 17:32:16.543063500 smtpfront-qmail[30577]: RCPT TO:<zaskia@indosat.net.id>
2005-06-14 17:32:16.555042500 smtpfront-qmail[30555]: RCPT TO: <dhyqy@163.com>
2005-06-14 17:32:16.583188500 smtpfront-qmail[30577]: RCPT TO:<js70@qu-zhou.com>
2005-06-14 17:32:16.623070500 smtpfront-qmail[30577]: RCPT TO:<mau@unixg.ubc.ca>
2005-06-14 17:32:16.663203500 smtpfront-qmail[30577]: RCPT TO:<foolsgarden@sina.com>
2005-06-14 17:32:16.703075500 smtpfront-qmail[30577]: RCPT TO:<gwz@taikang.com>
2005-06-14 17:32:16.743218500 smtpfront-qmail[30577]: RCPT TO:<cczm@btamail.net.cn>
2005-06-14 17:32:16.783091500 smtpfront-qmail[30577]: RCPT TO:<tianhj@telekbird.com.cn>
2005-06-14 17:32:16.850119500 smtpfront-qmail[30568]: RCPT TO: <ww2829@yahoo.com>
2005-06-14 17:32:17.259449500 smtpfront-qmail[30570]: RCPT TO: <100140.127@compuserve.com>
2005-06-14 17:32:17.340089500 smtpfront-qmail[30548]: RCPT TO: <kdz045@163.com>
2005-06-14 17:32:17.574116500 smtpfront-qmail[30575]: MAIL FROM: <e357tlkb@qq.com>
2005-06-14 17:32:17.644499500 smtpfront-qmail[30571]: Accepted message qp 30572 bytes 1834
2005-06-14 17:32:17.644994500 smtpfront-qmail[30571]: bytes in: 1887 bytes out: 279
2005-06-14 17:32:17.644995500 tcpserver: end 30571 status 0
I am running 6.01 in "Server-Only" mode with spamassassin and clamav installed using the scripts from Swerts-Knudsen.com. I have email set to local network access only and recently set "E-mail to unknown users" to be forwarded to the administrator. My messages log looks normal, with the exception of the following error message:
kernel: hw tcp v4 csum failed
I am very new to Linux, so please let me know if I need to provide any further information.
Thanks,
Pete
-
> Yes, what you are seeing is mail being accepted from an outside IP address. The mail was addressed to a recipient which is local to your server. This is what mail servers do.
Unless I misunderstand this log, the smtpfront-qmail is a log of SMTP (outgoing) mail, not incoming mail.
Perhaps, someone could clarify why messages like this would show up in this log.
-
CharlieBrady
> I've tested - your server ......it is
> not an open mail relay.
You're a good fellow Charlie !
-
srushik
> Unless I misunderstand this log, the smtpfront-
> qmail is a log of SMTP (outgoing) mail, not
> incoming mail.
smtpfront-qmail/current is a log of both incoming and outgoing messages.
-
widman
> Virtually none of the spam has a local recipient
> and still seems to be relayed through.
> I have email set to local network access only and
> recently set "E-mail to unknown users" to be
> forwarded to the administrator.
You answered your own question, you set your system to accept all the wrongly addressed messages. They are not being relayed through, just being accepted.
Better to set it to "Return to sender" and implement double bounce deletion, see
http://mirror.contribs.org/smeserver/contribs/rmitchell/smeserver/howto/Mail%20system%20tweaks%20HOWTO%20for%20sme%20server.htm
-
>> Yes, what you are seeing is mail being accepted from an outside IP address. The mail was addressed to a recipient which is local to your server. This is what mail servers do.
> Unless I misunderstand this log, the smtpfront-qmail is a log of SMTP (outgoing) mail, not incoming mail.
> Perhaps, someone could clarify why messages like this would show up in this log.
Simple. smtpfront-qmail is a log of incoming SMTP mail, not outgoing.
-
> srushik
>> Unless I misunderstand this log, the smtpfront-
>> qmail is a log of SMTP (outgoing) mail, not
>> incoming mail.
> smtpfront-qmail/current is a log of both incoming and outgoing messages.
No, it's a log of only incoming messages, but incoming from both LAN and WAN connections. Only the qmail log shows outgoing SMTP connections.
-
> widman
>> Virtually none of the spam has a local recipient
>> and still seems to be relayed through.
>> I have email set to local network access only and
>> recently set "E-mail to unknown users" to be
>> forwarded to the administrator.
> You answered your own question, you set your system to accept all the wrongly addressed messages.
No, smtpfront-qmail (mailfront) will only accept incoming messages from the Internet if the domain part of the addressee (rcpt to) is a local domain. The "E-mail to unknown users" setting only controls whether messages to unknown recipients at local domains are returned to sender or forwarded to admin.
-
> I'm having a similar problem, except it is happening thousands of times. Starting at the end of last week, the Spamassassin report showed 4K - 5K of spam messages per day. I was out of town for four days and when I returned, the quantity had gone up to 20K per day. Virtually none of the spam has a local recipient and still seems to be relayed through.
> ...
> I am running 6.01 in "Server-Only" mode with spamassassin and clamav installed using the scripts from Swerts-Knudsen.com.
Server-Only mode should not be exposed to the Internet, except via a properly configured firewall.
It sounds to me as though your server *is* an open mail relay. You should disable email immediately:
/sbin/e-smith/config setprop qmail status disabled
svc -d /service/qmail
Please send a larger sample of your smtpfront-qmail/current logfile to security@contribs.org and we'll try to work out what has gone wrong with your setup.
-
Widman & RayMitchell,
Thank you for the clarification.
I'm clear now and appreciate your helpful responses.
-
Charlie
>> smtpfront-qmail/current....
> ...it's a log of only incoming messages....from both LAN and WAN connections
Thanks for that distinction and clarification.
> ...smtpfront-qmail (mailfront) will only accept
> incoming messages from the Internet if the domain
> part of the addressee (rcpt to) is a local domain.
Thanks also for that correction, I didn't read/interpret the logs carefully enough.
-
> Server-Only mode should not be exposed to the Internet, except via a properly configured firewall.
> It sounds to me as though your server *is* an open mail relay. You should disable email immediately:
> /sbin/e-smith/config setprop qmail status disabled
> svc -d /service/qmail
> Please send a larger sample of your smtpfront-qmail/current logfile to security@contribs.org and we'll try to work out what has gone wrong with your setup.
Thanks Charlie. I have disabled the email service and forwarded a copy of the log. The server does run behind a router/firewall, which forwards incoming mail to a W2K virus scanner before being sent to the e-smith box.
I've saved a bunch of the other logs in case they may be of help.
Thanks again,
Pete
-
> The server does run behind a router/firewall, which forwards incoming mail to a W2K virus scanner before being sent to the e-smith box.
The W2K virus scanner is the problem. Once the mail goes through that box, you lose the distinction between what is locally generated email, and what is email arriving from the Internet. Only local boxes are permitted to relay email, and because the W2K is on your LAN, it's considered a local box.
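Charlie's two points, the acceptance rule (a client from the Internet only gets recipients in a local domain, a LAN client may relay anywhere) and the scanner that turns Internet mail into LAN mail, as one added example that is not part of this thread or of SME Server. It joins the tcpserver "ok" lines, which carry the client IP, with the smtpfront-qmail lines of the same pid, so every accepted message gets a client address, and then applies the rule: a foreign recipient accepted from a LAN client is relaying on that host's behalf, a foreign recipient accepted from a WAN client is the open-relay signature. `LOCAL_DOMAINS`, `LAN_NETS`, the scanner address 192.168.1.20 and the WAN address 203.0.113.9 are assumptions; the first four log lines are srushik's from the thread, the rest are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Added example, not SME Server/mailfront code. The two values below are
# assumptions: the server's own mail domain and the LAN it sits on.
LOCAL_DOMAINS = {"pcconline.net"}
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Line shapes as they appear in smtpfront-qmail/current in the thread:
# tcpserver "ok" lines carry the client IP, smtpfront-qmail lines carry the pid.
TCPSERVER_OK = re.compile(r"tcpserver: ok (\d+) \S+ :(\d+\.\d+\.\d+\.\d+)::\d+")
FRONT = re.compile(r"smtpfront-qmail\[(\d+)\]: (RCPT TO|Accepted message)[: ]\s*(.*)")

# First four lines are srushik's real log lines from the thread; the rest are
# constructed: a session from an assumed LAN scanner 192.168.1.20 carrying two
# of Pete's foreign recipients, and a session from a WAN address 203.0.113.9.
SAMPLE_LOG = """\
2005-06-14 08:00:21.477779500 tcpserver: ok 14909 0:70.246.241.45:25 :69.89.146.1::3444
2005-06-14 08:00:21.825698500 smtpfront-qmail[14909]: MAIL FROM:<rose.agema@firstcitizensonline.com>
2005-06-14 08:00:21.879409500 smtpfront-qmail[14909]: RCPT TO:<msmith@pcconline.net>
2005-06-14 08:00:22.228895500 smtpfront-qmail[14909]: Accepted message qp 14910 bytes 46513
2005-06-14 17:32:16.100000000 tcpserver: ok 30577 0:192.168.1.1:25 :192.168.1.20::1025
2005-06-14 17:32:16.503205500 smtpfront-qmail[30577]: MAIL FROM:<dz806bmi@sina.com>
2005-06-14 17:32:16.543063500 smtpfront-qmail[30577]: RCPT TO:<zaskia@indosat.net.id>
2005-06-14 17:32:16.583188500 smtpfront-qmail[30577]: RCPT TO:<js70@qu-zhou.com>
2005-06-14 17:32:16.900000000 smtpfront-qmail[30577]: Accepted message qp 30578 bytes 1834
2005-06-14 17:40:00.000000000 tcpserver: ok 31000 0:70.246.241.45:25 :203.0.113.9::4000
2005-06-14 17:40:00.100000000 smtpfront-qmail[31000]: MAIL FROM: <e357tlkb@qq.com>
2005-06-14 17:40:00.200000000 smtpfront-qmail[31000]: RCPT TO: <ww2829@yahoo.com>
2005-06-14 17:40:00.300000000 smtpfront-qmail[31000]: Accepted message qp 31001 bytes 1900
"""


def is_lan(ip):
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)


def rcpt_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def verdict(client_ip, rcpts):
    """The acceptance rule from the thread, applied to one accepted message:
    only local recipients is ordinary delivery; a foreign recipient is relaying,
    expected from a LAN client and the open-relay signature from a WAN client."""
    foreign = [r for r in rcpts if rcpt_domain(r) not in LOCAL_DOMAINS]
    if not foreign:
        return "local-delivery"
    if client_ip is None:
        return "unknown-client"     # no tcpserver "ok" line seen for this pid
    return "relay-via-lan" if is_lan(client_ip) else "open-relay"


def triage(lines):
    """Join tcpserver and smtpfront-qmail lines by pid; one record per accepted message."""
    client = {}
    rcpts = defaultdict(list)
    records = []
    for line in lines:
        m = TCPSERVER_OK.search(line)
        if m:
            client[m.group(1)] = m.group(2)
            continue
        m = FRONT.search(line)
        if not m:
            continue
        pid, kind, rest = m.groups()
        if kind == "RCPT TO":
            rcpts[pid].append(rest.strip().strip("<>"))
        else:
            ip = client.get(pid)
            records.append({"pid": pid, "client": ip, "rcpts": list(rcpts[pid]),
                            "verdict": verdict(ip, rcpts[pid])})
            rcpts.pop(pid, None)
    return records


def summarize(records):
    """Counts per verdict, plus which LAN hosts the box relays for. One LAN
    address accounting for nearly all relaying, and that host itself taking
    mail from the Internet, is the scanner-in-the-loop situation."""
    verdicts = Counter(r["verdict"] for r in records)
    relay_clients = Counter(r["client"] for r in records if r["verdict"] == "relay-via-lan")
    return {"verdicts": dict(verdicts), "relay_clients": dict(relay_clients)}


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r["pid"], r["client"], r["verdict"], r["rcpts"])
    print(summarize(recs))
```

Run it over smtpfront-qmail/current. Any "open-relay" record means the box itself accepted Internet mail for a foreign domain, which is the case where Charlie says to disable email at once. "relay-via-lan" records concentrated on one LAN address that receives mail from the Internet are Pete's case: the box is doing exactly what it was told, relaying for a LAN host, and the fix is Charlie's, not putting such a host in front of the server as a LAN client. Note that Pete's excerpt only shows the smtpfront-qmail and "tcpserver: end" lines; without the "tcpserver: ok" lines for those pids the client address is unknown and the messages cannot be classified, which is why "unknown-client" exists.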
-
So I should take the W2K box out of the loop and forward my smtp port directly to my e-smith server?
I'll give it a shot and see how it works.
Thanks again Charlie,
Pete