Hi, I did a fresh qmail installation on a server at my work and, before opening access to the users, I'm testing the mail server to find some security breaches.

#############################
PS: I posted a message some days ago about SMTP-AUTH and TLS/SSL together. Sorry about that question, because I was using recordio in my smtpd run script. When recordio is used in a TLS/SSL connection, qmail breaks it. So, don't use recordio if you don't get errors; only use it for some administrative process. I'm mentioning this because, at the end of this message, you will understand.
#############################

Now, I need to come back to my problem. I connected my server to the internet. It's responding to connections, I can do relay tests, send and receive messages (internal or external), and all looks OK.

The problem is: if I connect to the internet from outside my network with a dial-up connection, I get authenticated (with a valid user) on my mail server correctly. After this authentication, I tried to use another mail account (in the same MUA client) with a different e-mail and username that doesn't exist on my mail server, and for this account I put my mail server in the POP and SMTP configuration. To my surprise, I can send messages with this account. Well, my relay is OPEN, correct? Below, my example:

    MAIL SERVER:  server.test.com
    POP SERVER:   pop.test.com
    SMTP SERVER:  smtp.test.com
    VALID USER:   [EMAIL PROTECTED]
    E-MAIL:       [EMAIL PROTECTED]
    This is OK

    MAIL SERVER:  server.test.com
    POP SERVER:   pop.test.com
    SMTP SERVER:  smtp.test.com
    INVALID USER: [EMAIL PROTECTED]
    E-MAIL USER:  [EMAIL PROTECTED]
    This is WRONG

So, when I authenticate first with the valid user in my domain ([EMAIL PROTECTED]), I can send messages with the [EMAIL PROTECTED] user. The result is that my relay is OPEN while the connection exists and the IP is present in my /home/vpopmail/etc/open-smtp. How can I block this? I did various relay tests from the internet against the mail server and it doesn't permit connections if the remote user doesn't authenticate, but in the situation above, the mail server doesn't block an invalid user.

Is there a way to permit only authenticated (SMTP-AUTH or TLS/SSL) smtpd connections? This would force users to enable authentication in their MUAs, and invalid accounts wouldn't get a connection to spam the network.

I have installed: qmail-1.03, toaster-0.5, vpopmail-5.3.19, courier-imap-2.1.2.

My tcp.smtp file:

    127.:allow,RELAYCLIENT=""
    192.168.23.:allow,RELAYCLIENT=""

My open-smtp file:

    127.:allow,RELAYCLIENT=""

My smtpd run file:

    #!/bin/sh
    QMAILDUID=`id -u vpopmail`
    NOFILESGID=`id -g vpopmail`
    MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
    exec /usr/local/bin/softlimit -m 10000000 \
        /usr/local/bin/tcpserver -H -R -l 0 -v -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd server.test.com \
        /home/vpopmail/bin/vchkpw /bin/true 2>&1

Could anyone help me?

PS2: Sorry for some mistakes in my English.

Regards,
Tato
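The behaviour described in the post can be modelled in a few lines. The following Python is an added example, not code from the post or from qmail/vpopmail: it reproduces the tcprules lookup order over the quoted tcp.smtp and open-smtp files and shows that a POP-before-SMTP entry grants RELAYCLIENT to the whole IP, so every MUA account sending from that IP relays. It assumes vpopmail merges open-smtp into tcp.smtp.cdb after a POP login, that tcpserver accepts unmatched IPs, and uses 203.0.113.7 as a constructed dial-up address.

```python
# Added example (not from the original post): a model of how tcpserver rules
# (tcp.smtp.cdb) set RELAYCLIENT, showing why an open-smtp grant covers every
# account sent from the dial-up IP, not only the one that logged in.
# Assumptions: vpopmail merges open-smtp into tcp.smtp.cdb after a POP login,
# tcpserver accepts unmatched IPs, and 203.0.113.7 is a constructed sample IP.

# Rule files constructed from the ones quoted in the post.
TCP_SMTP = '''127.:allow,RELAYCLIENT=""
192.168.23.:allow,RELAYCLIENT=""
'''
OPEN_SMTP = '''127.:allow,RELAYCLIENT=""
203.0.113.7:allow,RELAYCLIENT=""
'''

def parse_rules(text):
    """Parse 'address:action,VAR=value,...' lines into {address: (action, env)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        addr, _, rest = line.partition(":")
        action, *assignments = rest.split(",")
        env = {}
        for kv in assignments:
            key, _, value = kv.partition("=")
            env[key] = value.strip('"')
        rules[addr] = (action, env)
    return rules

def lookup(rules, ip):
    """tcprules order: exact IP, then 'a.b.c.', 'a.b.', 'a.', then the '' default."""
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})  # assumption: no rule matched, plain allow, no env

def relay_decision(ip, smtp_authenticated=False):
    """qmail-smtpd relays for anyone when RELAYCLIENT is in its environment;
    the SMTP-AUTH patch sets it after a successful AUTH (assumed)."""
    rules = parse_rules(TCP_SMTP)
    rules.update(parse_rules(OPEN_SMTP))  # POP-before-SMTP grants merged in
    action, env = lookup(rules, ip)
    if action != "allow":
        return "refused"
    if "RELAYCLIENT" in env or smtp_authenticated:
        return "relay"  # any MAIL FROM / RCPT TO accepted from this IP
    return "local-only"
```

Because the decision is keyed on the client IP, the second (invalid) account in the post relays as long as the dial-up address is listed in open-smtp; only the SMTP-AUTH path ties relaying to a per-session credential.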