Request for help closing open relay


Request for help closing open relay

bdmeyer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My Postfix server seems to be an open relay after making what were very
minimal changes to the default config.

Before I tie up people's time and effort by posting a config, I would like
to describe the setup to see if perhaps I am trying to do this incorrectly.

I have two email servers.
External = (PGP Universal running Postfix)
Internal = Postfix
The external acts in what I believe would be called a 'smart host' fashion.

The Internal server that receives all email from users in the domain
presents the outbound email to the external which in turn, sends the
email to the world.

Email coming from the world, destined for the domain, comes in to the
External, and is passed on to the Internal Postfix server.

I don't seem to have any problem getting all the various anti-spam
measures working, but nothing I have done stops relaying except putting a
REJECT in the Internal access table, which then blocks ALL email.



Why I say it is open relay:

I can telnet to the external from a public IP, which is not in the
'mynetworks' range, and use a hotmail account as the mail from, and a
gmail account as the rcpt to, and get a 250 along with the accompanying
email every time.



If there is a simple parameter I need to look at, please let me know. I
have bought a book, googled, gotten a coworker who uses postfix on his
personal business domain to work with me half a day on this...

I just haven't found what I need to do to restrict people from sending
email to other peoples domains, through my postfix server.

i.e., if I am domain a, I don't want domain b sending domain c email
using my mail server.

Below is the output from postfinger.

- --Bruce D. Meyer

version: 1.30

- --System Parameters--
mail_version = 2.3.3
hostname = aaaaaaaaa.isac.state.sc.us
uname = Linux aaaaaaaaa.isac.state.sc.us 2.6.18-53.1.14.el5 #1 SMP Wed
Mar 5 11:36:49 EST 2008 i686 i686 i386 GNU/Linux

- --Packaging information--
looks like this postfix comes from RPM package: postfix-2.3.3-2

- --main.cf non-default parameters--
mydestination = $myhostname, $mydomain
mynetworks = ddd.d.ddd.dd/27
mynetworks_style = host
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_restrictions = reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_reject_unlisted_sender = yes
strict_rfc821_envelopes = yes

- --master.cf--
smtp      inet  n       -       n       -       -       smtpd -v
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp -v
~        -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
~  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
~  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m
${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
~  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m
${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
~  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail    unix  -       n       n       -       -       pipe
~  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
~  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
$recipient

- -- end of postfinger output --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIPHVmOnwQTzUNxRoRAvg4AJwK9nKDoE0wHfPw8s39xv4ZNSWf/gCbB+1I
2QQynoSbEjFRuzogjW1OgzU=
=EbAj
-----END PGP SIGNATURE-----
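The manual telnet test described in the post above, scripted, as an added example that is not code from the thread or from Postfix. It probes whether a server answers 250 to RCPT TO for a domain it is not responsible for, and it stops after RCPT TO (RSET, QUIT) so a positive result queues nothing, unlike a test that goes on through DATA and actually delivers mail. The fake SMTP server is constructed for offline use; its reject_unauth_destination flag stands in for the Postfix restriction of that name. Hostnames, ports and addresses are assumptions.

```python
"""Open-relay probe plus a constructed fake server for offline testing.

Added example, not code from the thread.  probe_relay() speaks just enough
SMTP to learn the RCPT TO verdict and then abandons the transaction.  A 250
from a client outside mynetworks for a foreign recipient domain is the
definition of an open relay."""

import socket
import threading


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, last_line)."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed connection")
        text = line.decode("utf-8", "replace").rstrip("\r\n")
        if len(text) >= 4 and text[3] == "-":   # "250-..." continuation
            continue
        return int(text[:3]), text


def probe_relay(host, port, helo, mail_from, rcpt_to, timeout=10):
    """Return the 3-digit code the server gives to RCPT TO:<rcpt_to>.
    Never sends DATA, so nothing is queued even if the relay is open."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")

        def cmd(line):
            s.sendall((line + "\r\n").encode())
            return _read_reply(f)

        code, banner = _read_reply(f)
        if code != 220:
            raise RuntimeError("unexpected banner: %s" % banner)
        cmd("HELO " + helo)
        code, _ = cmd("MAIL FROM:<%s>" % mail_from)
        if code != 250:
            cmd("QUIT")
            return code
        code, _ = cmd("RCPT TO:<%s>" % rcpt_to)
        cmd("RSET")   # drop the transaction; we only wanted the verdict
        cmd("QUIT")
        return code


# ---- constructed fake server, for running the probe offline -------------

class FakeSmtpd(threading.Thread):
    """Minimal SMTP responder on 127.0.0.1.  With reject_unauth_destination
    set it answers RCPT TO with 554 unless the recipient domain is one of
    my_domains, which is the role that Postfix restriction plays."""

    def __init__(self, my_domains, reject_unauth_destination):
        super().__init__(daemon=True)
        self.my_domains = {d.lower() for d in my_domains}
        self.reject = reject_unauth_destination
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            while True:
                line = f.readline()
                if not line:
                    return
                verb, _, arg = line.decode().strip().partition(":")
                verb = verb.upper()
                if verb == "RCPT TO":
                    domain = arg.strip("<> ").rpartition("@")[2].lower()
                    if self.reject and domain not in self.my_domains:
                        conn.sendall(b"554 5.7.1 Relay access denied\r\n")
                    else:
                        conn.sendall(b"250 2.1.5 Ok\r\n")
                elif verb.startswith("QUIT"):
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    conn.sendall(b"250 2.0.0 Ok\r\n")


def demo(reject_unauth_destination):
    """Run the probe against a fake server configured open (False) or
    closed (True); returns the RCPT TO code (250 open, 554 closed)."""
    srv = FakeSmtpd(["isac.state.sc.us"], reject_unauth_destination)
    srv.start()
    return probe_relay("127.0.0.1", srv.port, "probe.example",
                       "tester@example.net", "relaytest@example.org")


if __name__ == "__main__":
    print("open relay   ->", demo(False))
    print("closed relay ->", demo(True))
```

Against a real host, call probe_relay() from an address that is outside the target's mynetworks, using a recipient in a domain the target does not host; if the real server sits behind a device that rewrites SMTP (the thread's masked 220 banner is one sign of that), remember the verdict you see is the device's, not necessarily Postfix's.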

Re: Request for help closing open relay

Magnus Bäck
On Tuesday, May 27, 2008 at 22:56 CEST,
     "Bruce D. Meyer" <[hidden email]> wrote:

> My Postfix server seems to be an open relay after making what were very
> minimal changes to the default config.
>
> Before I tie up people time and effort by posting a config, I would like
> to describe the setup to see if perhaps I am trying to do this incorrectly.
>
> I have two email servers.
> External = (PGP Universal running Postfix)
> Internal = Postfix
> The external acts in what I believe would be called a 'smart host' fashion.
>
> The Internal server that receives all email from users in the domain
> presents the outbound email to the external which in turn, sends the
> email to the world.
>
> Email coming from the world, destined for the domain, comes in to the
> External, and is passed on to the Internal Postfix server.
>
> I don't seem to have any problem getting all the various anti spam
> measures working, but nothing I have done stop relaying except putting a
> REJECT in the Internal access table, which then blocks ALL email.
>
> Why I say it is open relay:
>
> I can telnet to the external from a public IP, which is not in the
> 'mynetworks' range, and use a hotmail account as the mail from, and a
> gmail account as the rcpt to, and get a 250 along with the accompanying
> email every time.

You need to show logs and configuration, both from the external and
internal server. The configuration snippet you've shown so far looks
incomplete, since it doesn't match the description of either of your two
servers.

Key questions:

   * Why does the external server pass mail from gmail.com to the
     internal server?
   * Why does the internal server relay mail from the external server?
     A safe configuration excludes gateways from mynetworks.

[...]

--
Magnus Bäck
[hidden email]

Re: Request for help closing open relay

Charles Marcus
In reply to this post by bdmeyer
On 5/27/2008, Bruce D. Meyer ([hidden email]) wrote:
>
> - --System Parameters--
> mail_version = 2.3.3

Need postconf -n output, not main.cf snips...

You said 'minimal changes'... *what* changes?

Re: Request for help closing open relay

Charles Marcus
On 5/27/2008, Charles Marcus ([hidden email]) wrote:
> Need postconf -n output, not main.cf snips...

Of *both* systems...

Also - are you sure you weren't an open relay *before* making the
'minimal changes'?

--

Best regards,

Charles

Re: Request for help closing open relay

bdmeyer
In reply to this post by bdmeyer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hopefully, I have answered each question asked by the various responders
below:


Key questions:

Why does the external server pass mail from gmail.com to the internal
mail server?

I am not sure this question is asked correctly. To answer what is asked,
that would be normal for the external mail server. It must send all mail
destined for the internal domain on its way to the internal mail server
where it is stored until pickup by the clients.

I 'think' perhaps what is meant to be asked is:

Why does the external server pass mail from the msn.com domain to
the gmail.com domain (relay)? That is the question I have been
struggling with for about a solid week now.

"You said 'minimal changes'... *what* changes."
There were so many, I started with a clean main.cf file, and made no
changes. It delivers mail perfectly, but also appears to still be an
open relay.



First, a demo of the relaying occurring with a default, unmodified
main.cf file:


relay session
- -------------

[nf@thor ~]$ telnet test.test.tests.te.st 25
Trying 333.3.333.333...
Connected to test.test.tests.te.st.
Escape character is '^]'.
220
***********************************************************************************220
********2********************************
helo jerigjioe.com
250 test.test.tests.te.st
mail from:<[hidden email]>
250 2.1.0 Ok
rcpt to:<[hidden email]>
250 2.1.5 Ok
data
354 Start mail input; end with <CRLF>.<CRLF>
hi
bye
.
250 Requested mail action OK
rset
250 2.0.0 Ok
quit
221 test.test.tests.te.st PGP Universal service closing transmission channel
Connection closed by foreign host.
[nf@thor ~]$


- ---end of relay-----

Next the [postconf -n] results for the PGP Universal Server
(External/smarthost)

~ postconf -n: (PGP Machine - External)


~ [root@keys ovid]# postconf -n
~ alias_database = hash:/etc/postfix/aliases
~ alias_maps = hash:/etc/postfix/aliases
~ best_mx_transport = local
~ command_directory = /usr/sbin
~ config_directory = /etc/postfix
~ daemon_directory = /usr/libexec/postfix
~ inet_interfaces = 127.0.0.1
~ mail_name = PGP Universal (good luck nmap)
~ mail_owner = postfix
~ mailbox_size_limit = 104857600
~ mailq_path = /usr/bin/mailq.postfix
~ manpage_directory = /usr/share/man
~ message_size_limit = 104857600
~ mydestination = $myhostname, localhost.$mydomain
~ myhostname = test.test.tests.te.st
~ mynetworks_style = host
~ newaliases_path = /usr/bin/newaliases.postfix
~ queue_directory = /var/spool/postfix
~ readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
~ sample_directory = /usr/share/doc/postfix-2.0.18/samples
~ sendmail_path = /usr/sbin/sendmail.postfix
~ setgid_group = postdrop
~ smtpd_banner = $myhostname ESMTP PGP Universal
~ transport_maps = hash:/etc/postfix/transport
~ [root@keys ovid]#



- ------- end of pgp external postconf -n ---------


Next the postconf -n of the internal postfix machine:

- -------------postconf -n internal postfix machine --------------

[root@ciobrrnf2 postfix]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
unknown_local_recipient_reject_code = 550


- ------------ end of internal postfix machine postconf -n -----------


Path for mail in and out of my domain is:
world <----> external<---->internal

If you made it this far, here is a non-obfuscated telnet session

[nf@thor ~]$ telnet mail1.isac.state.sc.us 25
Trying 167.7.163.110...
Connected to mail1.isac.state.sc.us.
Escape character is '^]'.
220
***********************************************************************************220
********2********************************
helo iamfake.biz
250 keys.isac.state.sc.us
mail from:<[hidden email]>
250 2.1.0 Ok
rcpt to:<[hidden email]>
250 2.1.5 Ok
data
354 Start mail input; end with <CRLF>.<CRLF>
Subject: Oh Boy! More Spam!
Test
I am spam
Bye
.
250 Requested mail action OK
rset
250 2.0.0 Ok
quit
221 keys.isac.state.sc.us PGP Universal service closing transmission channel
Connection closed by foreign host.

'keys' is an A record name for mail1. Both records exist.

For obvious reasons, until I close this relay, I will shut it down each
night, or when I see that a spammer is hitting it. Feel free to test, as
I can see the difference between a test and a spammer losing his mind.  :-)

Thanks!


- --
Bruce D. Meyer
Network Security Analyst
SC State Budget and Control Board
Department of the State CIO
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIPZB4OnwQTzUNxRoRAkoKAJwIbtOgP1JSpoaNAefKUOmOkJ03xwCghY3f
sHmLADJenq2Tu0EiAwCPsJU=
=CMeq
-----END PGP SIGNATURE-----

Re: Request for help closing open relay

mouss-2
Bruce D. Meyer wrote:

> Hopefully, I have answered each question asked by the various responders
> below:
>
>
> Key questions:
>
> Why does the external server pass mail from gmail.com to the internal
> mail server?
>
> I am not sure this question is asked correctly. To answer what is asked,
> that would be normal for the external mail server. It must send all mail
> destined for the internal domain on its way to the internal mail server
> where it is stored until pickup by the clients.
>
> I 'think' perhaps what is meant to be asked is:
>
> Why does the external server pass mail from the msn.com domain to
> the gmail.com domain (relay)? That is the question I have been
> struggling with for about a solid week now.
>
> "You said 'minimal changes'... *what* changes."
> There were so many, I started with a clean main.cf file, and made no
> changes. It delivers mail perfectly, but also appears to still be an
> open relay.
>
>
>
> First, a demo of the relaying occurring with a default, unmodified
> main.cf file:
>
>
> relay session
> -------------
>
> [nf@thor ~]$ telnet test.test.tests.te.st 25
> Trying 333.3.333.333...
> Connected to test.test.tests.te.st.
> Escape character is '^]'.
> 220
> ***********************************************************************************220
> ********2********************************
> helo jerigjioe.com
> 250 test.test.tests.te.st
> mail from:<[hidden email]>
> 250 2.1.0 Ok
> rcpt to:<[hidden email]>
> 250 2.1.5 Ok
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> hi
> bye
> .
> 250 Requested mail action OK
> rset
> 250 2.0.0 Ok
> quit
> 221 test.test.tests.te.st PGP Universal service closing transmission
> channel
> Connection closed by foreign host.
> [nf@thor ~]$
>
>
> ---end of relay-----
>
> Next the [postconf -n] results for the PGP Universal Server
> (External/smarthost)
>
> ~ postconf- n: (PGP Machine - External)
>
>
> ~ [root@keys ovid]# postconf -n
> ~ alias_database = hash:/etc/postfix/aliases
> ~ alias_maps = hash:/etc/postfix/aliases
> ~ best_mx_transport = local
> ~ command_directory = /usr/sbin
> ~ config_directory = /etc/postfix
> ~ daemon_directory = /usr/libexec/postfix
> ~ inet_interfaces = 127.0.0.1
> ~ mail_name = PGP Universal (good luck nmap)
> ~ mail_owner = postfix
> ~ mailbox_size_limit = 104857600
> ~ mailq_path = /usr/bin/mailq.postfix
> ~ manpage_directory = /usr/share/man
> ~ message_size_limit = 104857600
> ~ mydestination = $myhostname, localhost.$mydomain
> ~ myhostname = test.test.tests.te.st
> ~ mynetworks_style = host
> ~ newaliases_path = /usr/bin/newaliases.postfix
> ~ queue_directory = /var/spool/postfix
> ~ readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
> ~ sample_directory = /usr/share/doc/postfix-2.0.18/samples
> ~ sendmail_path = /usr/sbin/sendmail.postfix
> ~ setgid_group = postdrop
> ~ smtpd_banner = $myhostname ESMTP PGP Universal
> ~ transport_maps = hash:/etc/postfix/transport
> ~ [root@keys ovid]#
>
>
>
> ------- end of pgp external postconf -n ---------
>
>
> Next the postconf -n of the internal postfix machine:
>
> -------------postconf -n internal postfix machine --------------
>
> [root@ciobrrnf2 postfix]# postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> html_directory = no
> mail_owner = postfix
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> mydestination = $myhostname, localhost.$mydomain, localhost
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> unknown_local_recipient_reject_code = 550
>
>
> ------------ end of internal postfix machine postconf -n -----------
>
>
> Path for mail in and out of my domain is:
> world <----> external<---->internal
>
> If you made it this far, here is a non-obfuscated telnet session
>
> [nf@thor ~]$ telnet mail1.isac.state.sc.us 25
> Trying 167.7.163.110...
> Connected to mail1.isac.state.sc.us.
> Escape character is '^]'.
> 220
> ***********************************************************************************220
> ********2********************************

postfix doesn't say such insanities ;-p you have something in the path
before the mail server.


> helo iamfake.biz
> 250 keys.isac.state.sc.us
> mail from:<[hidden email]>
> 250 2.1.0 Ok
> rcpt to:<[hidden email]>
> 250 2.1.5 Ok
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> Subject: Oh Boy! More Spam!
> Test
> I am spam
> Bye
> .
> 250 Requested mail action OK

postfix says "Ok: queued as somequeueid"

> rset
> 250 2.0.0 Ok
> quit
> 221 keys.isac.state.sc.us PGP Universal service closing transmission
> channel

postfix says "Bye".
> Connection closed by foreign host.
>
> 'keys' is an a record name for mail1. Both records exist.
>
> For obvious reasons, until I close this relay, I will shut it down each
> night, or when I see that a spammer is hitting it. Feel free to test, as
> I can see the difference between a test and a spammer losing his
> mind.  :-)

I just tested (sender is my addr, rcpt has a -relaytest tag) and yes,
this is an open relay.

try
# postconf -e mynetworks=127.0.0.1
# postfix reload

and try again.


For safety, I recommend that you firewall the IP (block connections from
all but few IPs that you will use for testing) until the problem is fixed.

[snip]

Re: Request for help closing open relay

mouss-2
mouss wrote:

> Bruce D. Meyer wrote:
>> [snip]
>>
>>
>> If you made it this far, here is a non-obfuscated telnet session
>>
>> [nf@thor ~]$ telnet mail1.isac.state.sc.us 25
>> Trying 167.7.163.110...
>> Connected to mail1.isac.state.sc.us.
>> Escape character is '^]'.
>> 220
>> ***********************************************************************************220
>>
>> ********2********************************
>
> postfix doesn't say such insanities ;-p you have something in the path
> before the mail server.
>
>
>> helo iamfake.biz
>> 250 keys.isac.state.sc.us
>> mail from:<[hidden email]>
>> 250 2.1.0 Ok
>> rcpt to:<[hidden email]>
>> 250 2.1.5 Ok
>> data
>> 354 Start mail input; end with <CRLF>.<CRLF>
>> Subject: Oh Boy! More Spam!
>> Test
>> I am spam
>> Bye
>> .
>> 250 Requested mail action OK
>
> postfix says "Ok: queued as somequeuid"
>
>> rset
>> 250 2.0.0 Ok
>> quit
>> 221 keys.isac.state.sc.us PGP Universal service closing transmission
>> channel
>
> postfix says "Bye".
>> Connection closed by foreign host.
>>
>> 'keys' is an a record name for mail1. Both records exist.
>>
>> For obvious reasons, until I close this relay, I will shut it down each
>> night, or when I see that a spammer is hitting it. Feel free to test, as
>> I can see the difference between a test and a spammer losing his
>> mind.  :-)
>
> I just tested (sender is my addr, rcpt has a -relaytest tag) and yes,
> this is an open relay.
>
> try
> # postconf -e mynetworks=127.0.0.1
> # postfix reload
>
> and try again.

I doubt this would help. you have
inet_interfaces = 127.0.0.1
so it is not this server that receives mail.

can you show master.cf?

>
>
> For safety, I recommend that you firewall the IP (block connections
> from all but few IPs that you will use for testing) until the problem
> is fixed.
>
> [snip]


Re: Request for help closing open relay

bdmeyer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did follow mouss's recommendation, which definitely killed the open relay.
I also can send zero email to the domain at the moment.


You are correct, it is not the server that receives email. The external
server (PGP Universal) is the one that receives email.


Here is the master.cf file from the internal postfix server:

showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
~  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
~  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m
${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
~  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m
${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
~  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
~  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
~  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
$recipient



- --
Bruce D. Meyer
Network Security Analyst
SC State Budget and Control Board
Department of the State CIO
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIPaZ9OnwQTzUNxRoRAut5AJkBBP/1RztFXW71gKinGqEg/vvFqgCffuDx
pwi5ofHGmJq0TAePMEIhSi8=
=raXB
-----END PGP SIGNATURE-----

Re: Request for help closing open relay

Randy Ramsdell
In reply to this post by mouss-2
mouss wrote:

> mouss wrote:
>> Bruce D. Meyer wrote:
>>> [snip]
>>>
>>>
>>> If you made it this far, here is a non-obfuscated telnet session
>>>
>>> [nf@thor ~]$ telnet mail1.isac.state.sc.us 25
>>> Trying 167.7.163.110...
>>> Connected to mail1.isac.state.sc.us.
>>> Escape character is '^]'.
>>> 220
>>> ***********************************************************************************220
>>>
>>> ********2********************************
>>
>> postfix doesn't say such insanities ;-p you have something in the
>> path before the mail server.
>>
>>
>>> helo iamfake.biz
>>> 250 keys.isac.state.sc.us
>>> mail from:<[hidden email]>
>>> 250 2.1.0 Ok
>>> rcpt to:<[hidden email]>
>>> 250 2.1.5 Ok
>>> data
>>> 354 Start mail input; end with <CRLF>.<CRLF>
>>> Subject: Oh Boy! More Spam!
>>> Test
>>> I am spam
>>> Bye
>>> .
>>> 250 Requested mail action OK
>>
>> postfix says "Ok: queued as somequeuid"
>>
>>> rset
>>> 250 2.0.0 Ok
>>> quit
>>> 221 keys.isac.state.sc.us PGP Universal service closing transmission
>>> channel
>>
>> postfix says "Bye".
>>> Connection closed by foreign host.
>>>
>>> 'keys' is an a record name for mail1. Both records exist.
>>>
>>> For obvious reasons, until I close this relay, I will shut it down each
>>> night, or when I see that a spammer is hitting it. Feel free to
>>> test, as
>>> I can see the difference between a test and a spammer losing his
>>> mind.  :-)
>>
>> I just tested (sender is my addr, rcpt  has a -relaytest tag) and
>> yes, this is an open relay.
>>
>> try
>> # postconf -e mynetworks=127.0.0.1
>> # postfix reload
>>
>> and try again.
>
> I doubt this would help. you have
> inet_interfaces = 127.0.0.1
> so it is not this server that receives mail.
>
> can you show master.cf?
>
>>
>>
>> For safety, I recommend that you firewall the IP (block connections
>> from all but few IPs that you will use for testing) until the problem
>> is fixed.
>>
>> [snip]
>
Is this a government server? And does the following setting need to define who the server will relay to:
"smtpd_recipient_restrictions", and define "reject_unauth_destination"?

Re: Request for help closing open relay

mouss-2
Randy Ramsdell wrote:
> [snip]
> Is this a government server? and
> Does the following setting need to define who the server will relay to?
> "smtpd_recipient_restrictions" and define "reject_unauth_destination"


the default smtpd_recipient_restrictions (permit_mynetworks,
reject_unauth_destination) is safe as long as
- mynetworks is correctly set (does not include the universe)
- the connections come directly (not proxied)




Re: Request for help closing open relay

bdmeyer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I currently have mynetworks set to:

mynetworks = 127.0.0.0/8 167.7.163.106/32

However, the mail comes into .110 which is a PGP Universal Server
running postfix acting as a smarthost.

- --Bruce


mouss wrote:
| Randy Ramsdell wrote:
|> [snip]
|> Is this a government server? and
|> Does the following setting need to define who the server will relay to?
|> "smtpd_recipient_restrictions" and define "reject_unauth_destination"
|
|
| the default smtpd_recipient_restrictions (permit_mynetworks,
| reject_unauth_destination) is safe as long as
| - mynetworks is correctly set (does not include the universe)
| - the connections come directly (not proxied)
|
|
|

- --
Bruce D. Meyer
Network Security Analyst
SC State Budget and Control Board
Department of the State CIO
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIPaztOnwQTzUNxRoRAhLxAJ9Wc1SC8Vr4en3TSk2qvmSemZRUYQCdEnSP
roICSfWvb0GqWxFLSqY6dBA=
=ikBk
-----END PGP SIGNATURE-----

Re: Request for help closing open relay

Brian Evans - Postfix List
In reply to this post by bdmeyer
Bruce D. Meyer wrote:
> Hopefully, I have answered each question asked by the various responders
> below:
[snip]

>
> Next the [postconf -n] results for the PGP Universal Server
> (External/smarthost)
>
> ~ postconf- n: (PGP Machine - External)
>
>
> ~ [root@keys ovid]# postconf -n
> ~ alias_database = hash:/etc/postfix/aliases
> ~ alias_maps = hash:/etc/postfix/aliases
> ~ best_mx_transport = local
> ~ command_directory = /usr/sbin
> ~ config_directory = /etc/postfix
> ~ daemon_directory = /usr/libexec/postfix
> ~ inet_interfaces = 127.0.0.1
As mouss pointed out, this "external" postfix instance only listens to
LOCALHOST.
Some other program is accepting the SMTP connect from the outside world.

> ~ mail_name = PGP Universal (good luck nmap)
> ~ mail_owner = postfix
> ~ mailbox_size_limit = 104857600
> ~ mailq_path = /usr/bin/mailq.postfix
> ~ manpage_directory = /usr/share/man
> ~ message_size_limit = 104857600
> ~ mydestination = $myhostname, localhost.$mydomain
> ~ myhostname = test.test.tests.te.st
> ~ mynetworks_style = host
This means accept everything from LOCALHOST.

> ~ newaliases_path = /usr/bin/newaliases.postfix
> ~ queue_directory = /var/spool/postfix
> ~ readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
> ~ sample_directory = /usr/share/doc/postfix-2.0.18/samples
> ~ sendmail_path = /usr/sbin/sendmail.postfix
> ~ setgid_group = postdrop
> ~ smtpd_banner = $myhostname ESMTP PGP Universal
> ~ transport_maps = hash:/etc/postfix/transport
> ~ [root@keys ovid]#
>
> ------- end of pgp external postconf -n ---------

Fix the program that is doing the accept and then report.

Brian
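The two observations above can be turned into a mechanical check over a `postconf -n` listing: mouss's point that the default recipient restrictions are only safe while mynetworks excludes the universe, and Brian's point that an instance with `inet_interfaces = 127.0.0.1` cannot be the public listener at all, while `mynetworks_style = host` trusts only localhost. The following Python is an added example, not code from the Postfix project or from anyone in this thread. It parses the quoted listing from the PGP host exactly as it appears above (mail quoting included) plus a constructed, deliberately broken listing; the table of Postfix 2.x defaults, the treatment of `smtpd_relay_restrictions` (a parameter that only exists from Postfix 2.10 on) and the wording of the findings are mine.

```python
"""Audit a ``postconf -n`` listing for the relay-related settings discussed in
this thread (added example, not Postfix project code)."""
import ipaddress
import re
from typing import Dict, List

# Postfix 2.x defaults that apply when a parameter is absent from postconf -n.
DEFAULTS = {
    "inet_interfaces": "all",
    "mynetworks_style": "subnet",
    "smtpd_recipient_restrictions": "permit_mynetworks, reject_unauth_destination",
    "smtpd_relay_restrictions": "",  # parameter only exists from Postfix 2.10 on
}
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]", "loopback-only"}
RELAY_CHECKS = ("reject_unauth_destination", "defer_unauth_destination")


def parse_postconf(text: str) -> Dict[str, str]:
    """Turn 'name = value' lines into a dict, tolerating mail quoting ('> ~ ')."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip(">|~ ")
        match = re.match(r"^([a-z0-9_]+)\s*=\s*(.*)$", line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


def _tokens(value: str) -> List[str]:
    """Split a Postfix list value on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def _covers_everything(network: str) -> bool:
    """True for a mynetworks entry such as 0.0.0.0/0 or ::/0."""
    try:
        return ipaddress.ip_network(network, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostnames, table lookups etc. are not judged here


def audit(params: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing relay-relevant was spotted."""
    cfg = {**DEFAULTS, **params}
    findings: List[str] = []

    # Brian's point: a loopback-only instance is not what the Internet is talking to.
    ifaces = _tokens(cfg["inet_interfaces"])
    if ifaces and set(ifaces) <= LOOPBACK:
        findings.append(
            "inet_interfaces is loopback-only: this instance cannot be the public "
            "listener; find the program that actually owns port 25")

    # mouss's point: permit_mynetworks is only safe if mynetworks excludes the universe.
    if "mynetworks" in cfg:
        for net in _tokens(cfg["mynetworks"]):
            if _covers_everything(net):
                findings.append(
                    f"mynetworks contains {net}: every client is trusted, so "
                    "permit_mynetworks relays for the whole Internet")
    elif cfg["mynetworks_style"] != "host":
        findings.append(
            f"mynetworks is unset and mynetworks_style={cfg['mynetworks_style']}: "
            "trust extends beyond localhost to the whole subnet or class")

    # The relay check itself must be present and reachable.
    rules = _tokens(cfg["smtpd_recipient_restrictions"]) + _tokens(cfg["smtpd_relay_restrictions"])
    positions = [rules.index(r) for r in RELAY_CHECKS if r in rules]
    if not positions:
        findings.append(
            "no reject_unauth_destination in smtpd_recipient_restrictions or "
            "smtpd_relay_restrictions: any client not otherwise rejected may relay")
    elif "permit" in rules[:min(positions)]:
        findings.append(
            "an unconditional 'permit' precedes reject_unauth_destination, "
            "so the relay check is never evaluated")
    return findings


# The relevant lines of the PGP host's postconf -n as quoted in this thread.
PGP_HOST_POSTCONF = """\
> ~ inet_interfaces = 127.0.0.1
> ~ mydestination = $myhostname, localhost.$mydomain
> ~ mynetworks_style = host
> ~ smtpd_banner = $myhostname ESMTP PGP Universal
"""

# Constructed listing of a genuinely open relay, for contrast.
OPEN_RELAY_POSTCONF = """\
inet_interfaces = all
mynetworks = 127.0.0.0/8 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
"""

if __name__ == "__main__":
    for label, listing in (("PGP host", PGP_HOST_POSTCONF), ("constructed", OPEN_RELAY_POSTCONF)):
        print(f"== {label} ==")
        for finding in audit(parse_postconf(listing)) or ["no relay-relevant findings"]:
            print(" -", finding)
```

Run against the PGP host's listing it reports only that the instance is loopback-only, which is exactly the conclusion the thread reaches: the Postfix configuration is not what needs fixing, the unknown program on port 25 is. Bruce's own `mynetworks = 127.0.0.0/8 167.7.163.106/32` line passes clean. The script reads `postconf -n` output only; it does not replace the end-to-end test mouss ran, because a proxy in front of Postfix (his second condition) is invisible in Postfix's configuration.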

Re: Request for help closing open relay

bdmeyer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks. I'll dig and see what I can find.
- --Bruce

Brian Evans wrote:
| Bruce D. Meyer wrote:
|> Hopefully, I have answered each question asked by the various responders
|> below:
| [snip]
|>
|> Next the [postconf -n] results for the PGP Universal Server
|> (External/smarthost)
|>
|> ~ postconf- n: (PGP Machine - External)
|>
|>
|> ~ [root@keys ovid]# postconf -n
|> ~ alias_database = hash:/etc/postfix/aliases
|> ~ alias_maps = hash:/etc/postfix/aliases
|> ~ best_mx_transport = local
|> ~ command_directory = /usr/sbin
|> ~ config_directory = /etc/postfix
|> ~ daemon_directory = /usr/libexec/postfix
|> ~ inet_interfaces = 127.0.0.1
| As mouss pointed out, this "external" postfix instance only listens to
| LOCALHOST.
| Some other program is accepting the SMTP connect from the outside world.
|
|> ~ mail_name = PGP Universal (good luck nmap)
|> ~ mail_owner = postfix
|> ~ mailbox_size_limit = 104857600
|> ~ mailq_path = /usr/bin/mailq.postfix
|> ~ manpage_directory = /usr/share/man
|> ~ message_size_limit = 104857600
|> ~ mydestination = $myhostname, localhost.$mydomain
|> ~ myhostname = test.test.tests.te.st
|> ~ mynetworks_style = host
| This means accept everything from LOCALHOST.
|> ~ newaliases_path = /usr/bin/newaliases.postfix
|> ~ queue_directory = /var/spool/postfix
|> ~ readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
|> ~ sample_directory = /usr/share/doc/postfix-2.0.18/samples
|> ~ sendmail_path = /usr/sbin/sendmail.postfix
|> ~ setgid_group = postdrop
|> ~ smtpd_banner = $myhostname ESMTP PGP Universal
|> ~ transport_maps = hash:/etc/postfix/transport
|> ~ [root@keys ovid]#
|>
|> ------- end of pgp external postconf -n ---------
|
| Fix the program that is doing the accept and then report.
|
| Brian

- --
Bruce D. Meyer
Network Security Analyst
SC State Budget and Control Board
Department of the State CIO
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIPbU5OnwQTzUNxRoRArl4AJ9MBujMGy7b6TbjHkyNhTA4D8zFrQCffkdx
FzLoJHfUeeCyxfI9I3q32io=
=4TsV
-----END PGP SIGNATURE-----

Re: Request for help closing open relay

mouss-2
In reply to this post by bdmeyer
Bruce D. Meyer wrote:
> I currently have mynetworks set to:
>
> mynetworks = 127.0.0.0/8 167.7.163.106/32
>
> However, the mail comes into .110 which is a PGP Universal Server
> running postfix acting as a smarthost.

open relay must be fixed on the first server that accepts mail. in your
case, this is the PGP Universal server.

an alternative is to run a postfix listener that will pass mail to the
pgp server. This way, postfix will block relay. something like this:

internet -> postfix -> pgp server -> postfix.



Re: Request for help closing open relay

Brian Evans - Postfix List
In reply to this post by bdmeyer
Bruce D. Meyer wrote:
> Thanks. I'll dig and see what I can find.
> --Bruce

One solution that you may find to your liking is to make this naughty
app an after-queue filter.
(See http://www.postfix.org/FILTER_README.html#advanced_filter )

This allows you to harness Postfix's safe relay capabilities (use
relay_recipient_maps or other _maps to stop bounces) while doing any
'filter' operation after you have correctly accepted an email.

This is only one suggestion if this "PGP Universal" isn't so smart.

Brian

>
> Brian Evans wrote:
> | Bruce D. Meyer wrote:
> |> Hopefully, I have answered each question asked by the various
> responders
> |> below:
> | [snip]
> |>
> |> Next the [postconf -n] results for the PGP Universal Server
> |> (External/smarthost)
> |>
> |> ~ postconf- n: (PGP Machine - External)
> |>
> |>
> |> ~ [root@keys ovid]# postconf -n
> |> ~ alias_database = hash:/etc/postfix/aliases
> |> ~ alias_maps = hash:/etc/postfix/aliases
> |> ~ best_mx_transport = local
> |> ~ command_directory = /usr/sbin
> |> ~ config_directory = /etc/postfix
> |> ~ daemon_directory = /usr/libexec/postfix
> |> ~ inet_interfaces = 127.0.0.1
> | As mouss pointed out, this "external" postfix instance only listens to
> | LOCALHOST.
> | Some other program is accepting the SMTP connect from the outside world.
> |
> |> ~ mail_name = PGP Universal (good luck nmap)
> |> ~ mail_owner = postfix
> |> ~ mailbox_size_limit = 104857600
> |> ~ mailq_path = /usr/bin/mailq.postfix
> |> ~ manpage_directory = /usr/share/man
> |> ~ message_size_limit = 104857600
> |> ~ mydestination = $myhostname, localhost.$mydomain
> |> ~ myhostname = test.test.tests.te.st
> |> ~ mynetworks_style = host
> | This means accept everything from LOCALHOST.
> |> ~ newaliases_path = /usr/bin/newaliases.postfix
> |> ~ queue_directory = /var/spool/postfix
> |> ~ readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
> |> ~ sample_directory = /usr/share/doc/postfix-2.0.18/samples
> |> ~ sendmail_path = /usr/sbin/sendmail.postfix
> |> ~ setgid_group = postdrop
> |> ~ smtpd_banner = $myhostname ESMTP PGP Universal
> |> ~ transport_maps = hash:/etc/postfix/transport
> |> ~ [root@keys ovid]#
> |>
> |> ------- end of pgp external postconf -n ---------
> |
> | Fix the program that is doing the accept and then report.
> |
> | Brian
>


Re: Request for help closing open relay

bdmeyer
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mouss and Brian,
        Thanks. I will read on those ideas. I have asked the vendor to discuss
with me in better detail what is happening on their server.

My only reason for setting the PGP server up as a smarthost was because
it does different things based on rules. I am considering changing the
way mail enters the network so that pgp isn't the first thing it hits.
Both of your recommendations bear consideration before I change
everything over.

Thank you.

If I learn what is going on with the Universal Server and can discuss
it, I will post that info here.

- --Bruce

Brian Evans wrote:
| Bruce D. Meyer wrote:
|> Thanks. I'll dig and see what I can find.
|> --Bruce
|
| One solution that you may find to your liking is to make this naughty
| app an after-queue filter.
| (See http://www.postfix.org/FILTER_README.html#advanced_filter )
|
| This allows you to harness Postfix's safe relay capabilities (use
| relay_recipient_maps or other _maps to stop bounces) while doing any
| 'filter' operation after you have correctly accepted an email.
|
| This is only one suggestion if this "PGP Universal" isn't so smart.
|
| Brian
|>
|> Brian Evans wrote:
|> | Bruce D. Meyer wrote:
|> |> Hopefully, I have answered each question asked by the various
|> responders
|> |> below:
|> | [snip]
|> |>
|> |> Next the [postconf -n] results for the PGP Universal Server
|> |> (External/smarthost)
|> |>
|> |> ~ postconf- n: (PGP Machine - External)
|> |>
|> |>
|> |> ~ [root@keys ovid]# postconf -n
|> |> ~ alias_database = hash:/etc/postfix/aliases
|> |> ~ alias_maps = hash:/etc/postfix/aliases
|> |> ~ best_mx_transport = local
|> |> ~ command_directory = /usr/sbin
|> |> ~ config_directory = /etc/postfix
|> |> ~ daemon_directory = /usr/libexec/postfix
|> |> ~ inet_interfaces = 127.0.0.1
|> | As mouss pointed out, this "external" postfix instance only listens to
|> | LOCALHOST.
|> | Some other program is accepting the SMTP connect from the outside
|> world.
|> |
|> |> ~ mail_name = PGP Universal (good luck nmap)
|> |> ~ mail_owner = postfix
|> |> ~ mailbox_size_limit = 104857600
|> |> ~ mailq_path = /usr/bin/mailq.postfix
|> |> ~ manpage_directory = /usr/share/man
|> |> ~ message_size_limit = 104857600
|> |> ~ mydestination = $myhostname, localhost.$mydomain
|> |> ~ myhostname = test.test.tests.te.st
|> |> ~ mynetworks_style = host
|> | This means accept everything from LOCALHOST.
|> |> ~ newaliases_path = /usr/bin/newaliases.postfix
|> |> ~ queue_directory = /var/spool/postfix
|> |> ~ readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
|> |> ~ sample_directory = /usr/share/doc/postfix-2.0.18/samples
|> |> ~ sendmail_path = /usr/sbin/sendmail.postfix
|> |> ~ setgid_group = postdrop
|> |> ~ smtpd_banner = $myhostname ESMTP PGP Universal
|> |> ~ transport_maps = hash:/etc/postfix/transport
|> |> ~ [root@keys ovid]#
|> |>
|> |> ------- end of pgp external postconf -n ---------
|> |
|> | Fix the program that is doing the accept and then report.
|> |
|> | Brian
|>
|

- --
Bruce D. Meyer
Network Security Analyst
SC State Budget and Control Board
Department of the State CIO
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFIPcE8OnwQTzUNxRoRAqu3AKCBsMoPMBxVwTUKwXr3ebF4vYmOxgCbBvp3
HBRKL00IJd0PhwXrN6d2Le0=
=wsmq
-----END PGP SIGNATURE-----

Re: Request for help closing open relay

Brian Evans - Postfix List
In reply to this post by Brian Evans - Postfix List
Brian Evans wrote:
> Bruce D. Meyer wrote:
>> Thanks. I'll dig and see what I can find.
>> --Bruce
>
> One solution that you may find to your liking is to make this naughty
> app an after-queue filter.
> (See http://www.postfix.org/FILTER_README.html#advanced_filter )

Oops, I forgot this won't work unless it's queued. However, as mouss
suggested, you can set up "PGP Universal" as the relay for port 25, then
relay back to postfix on a different port which relays to your internal
SMTP.

Brian

>
> This allows you to harness Postfix's safe relay capabilities (use
> relay_recipient_maps or other _maps to stop bounces) while doing any
> 'filter' operation after you have correctly accepted an email.
>
> This is only one suggestion if this "PGP Universal" isn't so smart.
>
> Brian
>>
>> Brian Evans wrote:
>> | Bruce D. Meyer wrote:
>> |> Hopefully, I have answered each question asked by the various
>> responders
>> |> below:
>> | [snip]
>> |>
>> |> Next the [postconf -n] results for the PGP Universal Server
>> |> (External/smarthost)
>> |>
>> |> ~ postconf- n: (PGP Machine - External)
>> |>
>> |>
>> |> ~ [root@keys ovid]# postconf -n
>> |> ~ alias_database = hash:/etc/postfix/aliases
>> |> ~ alias_maps = hash:/etc/postfix/aliases
>> |> ~ best_mx_transport = local
>> |> ~ command_directory = /usr/sbin
>> |> ~ config_directory = /etc/postfix
>> |> ~ daemon_directory = /usr/libexec/postfix
>> |> ~ inet_interfaces = 127.0.0.1
>> | As mouss pointed out, this "external" postfix instance only listens to
>> | LOCALHOST.
>> | Some other program is accepting the SMTP connect from the outside
>> world.
>> |
>> |> ~ mail_name = PGP Universal (good luck nmap)
>> |> ~ mail_owner = postfix
>> |> ~ mailbox_size_limit = 104857600
>> |> ~ mailq_path = /usr/bin/mailq.postfix
>> |> ~ manpage_directory = /usr/share/man
>> |> ~ message_size_limit = 104857600
>> |> ~ mydestination = $myhostname, localhost.$mydomain
>> |> ~ myhostname = test.test.tests.te.st
>> |> ~ mynetworks_style = host
>> | This means accept everything from LOCALHOST.
>> |> ~ newaliases_path = /usr/bin/newaliases.postfix
>> |> ~ queue_directory = /var/spool/postfix
>> |> ~ readme_directory = /usr/share/doc/postfix-2.0.18/README_FILES
>> |> ~ sample_directory = /usr/share/doc/postfix-2.0.18/samples
>> |> ~ sendmail_path = /usr/sbin/sendmail.postfix
>> |> ~ setgid_group = postdrop
>> |> ~ smtpd_banner = $myhostname ESMTP PGP Universal
>> |> ~ transport_maps = hash:/etc/postfix/transport
>> |> ~ [root@keys ovid]#
>> |>
>> |> ------- end of pgp external postconf -n ---------
>> |
>> | Fix the program that is doing the accept and then report.
>> |
>> | Brian
>>
>
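mouss's layout above (internet -> postfix -> pgp server -> postfix) and Brian's follow-up (PGP Universal relaying back to Postfix on a different port, which in turn relays to the internal SMTP server) describe the after-queue content filter arrangement documented in FILTER_README. The fragments below are an added example of that arrangement, not configuration from this thread, from the Postfix project or from the PGP Universal vendor. The addresses 192.0.2.10 (PGP Universal), 198.51.100.20 (internal Postfix), the domain example.gov and port 10026 are placeholders; everything else is standard Postfix 2.x syntax.

```conf
# ---- master.cf on the front-end Postfix host (added example, placeholder IPs) ----
# Public listener: the only thing the Internet talks to.  Relay policy is
# enforced here; each accepted message is queued and then handed to the
# PGP Universal server as an after-queue content filter.
smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=smtp:[192.0.2.10]:25
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination

# Re-injection listener: only the PGP server may connect, and it may relay
# anywhere, because everything it hands back already passed the port-25
# policy.  content_filter is cleared here, otherwise mail would loop.
10026     inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o mynetworks=127.0.0.0/8,192.0.2.10/32
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

# ---- main.cf excerpts on the same host ----
# Trust loopback and the internal Postfix server only; the PGP server is
# deliberately NOT listed here, so it cannot relay through port 25.
mynetworks = 127.0.0.0/8 198.51.100.20/32
# Domains accepted from the Internet; everything else is rejected at RCPT TO
# by reject_unauth_destination unless the client is in mynetworks.
relay_domains = example.gov
# Known recipients, so unknown users are refused at port 25 instead of
# bouncing later (Brian's relay_recipient_maps suggestion).
relay_recipient_maps = hash:/etc/postfix/relay_recipients
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport ----
# Re-injected inbound mail for our domain goes to the internal server;
# re-injected outbound mail uses the default smtp transport to the world.
example.gov   smtp:[198.51.100.20]
```

The flow is then: Internet -> port 25 (only example.gov recipients accepted) -> PGP Universal -> port 10026 -> internal server; and internal server -> port 25 (permitted by mynetworks) -> PGP Universal -> port 10026 -> the world. Two things must hold for this to be safe: the PGP server has to be configured to deliver everything it processes to the front-end host on port 10026, and its own port 25 must be reachable only from the front-end host (the firewalling mouss recommended), since the relay decision now lives entirely in the front-end Postfix. Repeating Bruce's telnet test from an outside IP against the front end should end with "554 5.7.1 ... Relay access denied" at the RCPT TO step.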

Re: Request for help closing open relay

Joe-274
In reply to this post by bdmeyer
Bruce D. Meyer wrote:

> Mouss and Brian,
>     Thanks. I will read on those ideas. I have asked the vendor to
> discuss
> with me in better detail what is happening on their server.
>
> My only reason for setting the PGP server up as a smarthost was because
> it does different things based on rules. I am considering changing the
> way mail enters the network so that pgp isn't the first thing it hits.
> Both of your recommendations bear consideration before I change
> everything over.

We recently installed a pgp universal server, and found that its SMTP
capabilities are pretty basic, and while it does have some interesting
functionality, it lacks configurability.

We accept incoming mail on our postfix MX servers, and route it to the
pgp appliance based on rules.
We also route outgoing mail through the gpg server if it satisfies
certain criteria. In either case, the pgp appliance hands off mail to a
postfix smart host, since it's unable to do the complex sort of mail
routing we need.

Joe