Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: livinginx on January 31, 2007, 07:43:09 AM
-
I am relatively new here, and to qmail as well. Basically, just wondering as to how the qmail is set up within SME 7.1.
A friend was helping me with vulnerability assessment and was able to send an email to my webmaster account. He used telnet and the reply to email shows up as owned@domain.com
He doesn't know any of the system passwords or anything and owned is not a user set up on my server.
Any help/ideas on stopping non-assigned users from utilizing the email server?
Thanks in advance.
title edited (moderator)
-
See the
Do not post security issues here - contact security@contribs.org
Please post bugs and potential bugs in the bug tracker and please search the forums, your question may have been asked before - Thank You.
Quote written plainly above the posting box.
Was this a local account? I'm guessing he telneted port 25.
-
Wow, that is written in some big letters. My apologies.
The downside to communicating security issues similar to this is that it isn't that big of a threat to expose. It is more to keep people from abusing your system.
Information like this can be used to keep the peace.
-=-
"Was this a local account? I'm guessing he telneted port 25."
Yes, he telneted port 25. However, I am in Kansas and he is in Georgia. So not really local. I thought I had most of the telnet and access (ssh I know) allowed only on the internal LAN.
-
Telnet works to the smtp port - or rather - smtp servers will answer. It's useful for testing.
There is no telnet access to the underlying operating system however.
-
Please adjust the subject line of your thread.
Your question is not a security threat. Port 25 needs to be open to accept incoming email and telneting an email to an allowed recipient (your webmaster account) is normal.
There is also no indication that your server is allowing relaying. A stock SME server does not allow relaying.
"He used telnet and the reply to email shows up as owned@domain.com"
The sender can claim to be anybody they want, even from your own domain. There is no way to stop this.
-
"I thought I had most of the telnet and access (ssh I know) allowed only on the internal LAN."
You're confusing using a telnet client to connect to a telnet daemon (server) and using a telnet client to connect to a mail (smtp) server.
Ask your security friend to:
a) Telnet (port 23) into your SME.
b) Connect to your mailserver and send mail to an external email address eg. his isp email address.
-
"I thought I had most of the telnet and access (ssh I know) allowed only on the internal LAN."
"You're confusing using a telnet client to connect to a telnet daemon (server) and using a telnet client to connect to a mail (smtp) server."
Not really, I was just saying that I have SSH allowed via LAN only. But was wondering about making telnet internal only, as I really don't know a whole lot about telnet.
I will be getting a hold of my friend to find out. Since I am using a Dynamic IP, I know a lot of mail servers reject my email (AOL, His webhost, etc.) whereas yahoo will accept my email. Unless somebody can help me (send me a link?) on how to telnet and test it myself.
Through thunderbird, my Yahoo! mail will receive mail sent via my SMTP server.
-
"Not really, I was just saying that I have SSH allowed via LAN only. But was wondering about making telnet internal only, as I really don't know a whole lot about telnet."
Obviously not.
SME server does not include a telnet server. You cannot create telnet connections to an SME server either internally or externally.
However, a telnet client can be used from anywhere to connect to open ports, including the SMTP port. There's nothing you, or SME server, can do to prevent someone from using a telnet client.
Please edit the subject of this thread. SME server cannot be used by spammers to relay.
All your friend has demonstrated is:
- mail can be sent to the webmaster account.
- sender addresses in email can be forged
Neither is surprising.
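The distinction drawn in the replies above (mail accepted for a local recipient with a forged sender is normal; mail accepted for an external recipient would be relaying), as an added example that is not part of any post in this thread. It assumes a saved SMTP session written as "C:"/"S:" lines; the three sessions, their reply texts, the function name and the choice of domain.com as the only local domain are constructed for illustration.

```python
import re

RCPT_RE = re.compile(r"RCPT TO:\s*<([^>]*)>", re.IGNORECASE)
REPLY_RE = re.compile(r"(\d{3})([ -])")

def classify_rcpts(transcript, local_domains):
    """Sort each RCPT TO in a 'C:'/'S:' transcript by how the server answered."""
    result = {"local_accepted": [], "relayed": [], "rejected": []}
    pending = None  # recipient still waiting for the server's final reply line
    for line in transcript.splitlines():
        side, _, text = line.strip().partition(": ")
        if side == "C":
            m = RCPT_RE.match(text)
            pending = m.group(1).lower() if m else None
        elif side == "S" and pending:
            m = REPLY_RE.match(text)
            if not m or m.group(2) == "-":
                continue  # "250-..." is a continuation of a multi-line reply
            domain = pending.rpartition("@")[2]
            if not m.group(1).startswith("2"):
                result["rejected"].append(pending)
            elif domain in local_domains:
                result["local_accepted"].append(pending)  # normal inbound mail
            else:
                result["relayed"].append(pending)  # server took mail for a foreign domain
            pending = None
    return result

LOCAL = {"domain.com"}  # assumption: the only domain this server hosts

# Constructed session: forged sender, local recipient (what the friend did)
FORGED_TO_LOCAL = """\
S: 220 mail.domain.com ESMTP
C: HELO tester.example
S: 250 mail.domain.com
C: MAIL FROM:<owned@domain.com>
S: 250 ok
C: RCPT TO:<webmaster@domain.com>
S: 250 ok
"""

# Constructed sessions: the relay test from step b), refused and accepted
RELAY_REFUSED = "C: RCPT TO:<friend@isp.example>\nS: 553 relaying denied\n"
RELAY_ACCEPTED = "C: RCPT TO:<friend@isp.example>\nS: 250 ok\n"

if __name__ == "__main__":
    for name in ("FORGED_TO_LOCAL", "RELAY_REFUSED", "RELAY_ACCEPTED"):
        print(name, classify_rcpts(globals()[name], LOCAL))
```

Only a non-empty "relayed" list points to a relaying problem; the forged MAIL FROM in the first session does not change the result.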