Two "findings"

Nessus Plugin 10167: NTMail3 Arbitrary Mail Relay
TCP port 25

An open SMTP relay is running on the remote host.

Nessus has detected that the remote SMTP server allows anyone to use it as a 
mail relay provided that the source address is set to '<>'.

This issue allows any spammer to use your mail server to send their mail to the 
world, thus flooding your network bandwidth and possibly getting your mail 
server blacklisted.

Reconfigure your SMTP server so that it cannot be used as an indiscriminate 
SMTP relay. Make sure that the server uses appropriate access controls to limit 
the extent to which relaying is possible.

https://en.wikipedia.org/wiki/Email_spam            <-- This URL does not help

http://www.nthelp.com/40/ntmailspam.htm      <-- This does not resolve.

Nessus Plugin 11852: MTA Open Mail Relaying Allowed (thorough test)
TCP port 25
Plugin Output:
Nessus was able to relay mails by sending those sequences :

MAIL FROM: <nessus@localhost>
RCPT TO: <nob...@example.com>

An open SMTP relay is running on the remote host.

Nessus has detected that the remote SMTP server is insufficiently protected 
against mail relaying. This issue allows any spammer to use your mail server to 
send their mail to the world, thus flooding your network bandwidth and possibly 
getting your mail server blacklisted.

Reconfigure your SMTP server so that it cannot be used as an indiscriminate 
SMTP relay. Make sure that the server uses appropriate access controls to limit 
the extent to which relaying is possible.

https://en.wikipedia.org/wiki/Email_spam


Here is my "postconf -nf", slightly redacted:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 5
debug_peer_list = 127.0.0.1
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination =
mynetworks = 127.0.0.0/8 <and other IP subnets>
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost = $mydomain
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_high_cipherlist =
    kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist =
    kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
______________________________________________________________________________________________

Daniel E. White
daniel.e.wh...@nasa.gov
NASCOM Linux Engineer
NASA Goddard Space Flight Center
Science Applications International Corporation (SAIC)
Office: (301) 286-6919
Mobile: (240) 513-5290
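
Added example, not part of the original message: a simplified model of how Postfix walks the restriction lists in the `postconf -nf` output above, left to right with the first permit or reject deciding, to show which client addresses those settings would let relay to an outside domain. The 192.0.2.0/24 subnet and all function names are assumptions; helo and sender checks and table lookups are not modelled.

```python
import ipaddress

# Constructed sample in "postconf -nf" layout. 192.0.2.0/24 is an assumed
# stand-in for the redacted subnets, not a value from the post.
SAMPLE = """\
mynetworks = 127.0.0.0/8 192.0.2.0/24
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
LISTS = ("smtpd_client_restrictions", "smtpd_relay_restrictions",
         "smtpd_recipient_restrictions")

def parse_postconf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and name:
            params[name] = (params[name] + " " + line.strip()).strip()
        elif "=" in line:
            name, _, value = (s.strip() for s in line.partition("="))
            params[name] = value
    return params

def in_mynetworks(params, client_ip):
    ip = ipaddress.ip_address(client_ip)
    for entry in params.get("mynetworks", "").replace(",", " ").split():
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # table lookups (hash:/path) are not modelled
            continue
    return False

def evaluate(params, list_name, client_ip, sasl=False, rcpt_is_ours=False):
    """Walk one list left to right; the first permit or reject decides."""
    for r in params.get(list_name, "").replace(",", " ").split():
        if (r == "permit_mynetworks" and in_mynetworks(params, client_ip)) \
                or (r == "permit_sasl_authenticated" and sasl):
            return "permit"
        if r == "reject" or (r == "reject_unauth_destination" and not rcpt_is_ours):
            return "reject"
    return "dunno"

def can_relay(params, client_ip, sasl=False):
    """True if no modelled list rejects mail for an outside domain."""
    return all(evaluate(params, n, client_ip, sasl) != "reject" for n in LISTS)
```

`can_relay(parse_postconf(SAMPLE), "192.0.2.10")` is True, while the same call for 198.51.100.7 is False. Any client inside `mynetworks`, a vulnerability scanner included, falls in the first case.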
