Sam Varshavchik wrote:

> One of your users probably has his PC hacked, and it's being used to 
> spew spam. From your standpoint, your user validly authenticated 
> through your mail server, and is sending authenticated mail.
>
Thanks Sam.

Just as a follow up, we think we've found the problem. We had ESMTPAUTH 
enabled in the Courier esmtpd configuration file. This allows 
authenticated relaying through the server. Someone outside had 
presumably managed to obtain authentication information to allow them 
access (yes, at least one of our users had a weak password). We have 
enabled some more logging, but we have to close it off for security so 
we may never find out.

A solution to allow internal subnet relaying seems to be to put 
ESMTPAUTH into the smtpaccess files. This isn't documented, but I gather 
a whole range of environment variables can be enabled for specific 
address ranges in these files. Anyway it seems to work so far.

cheers, Ken

> Ken Sarkies writes:
>
>> Dec 24 01:08:02 hta21 courierd: newmsg,id=00055639.4B322B44.000076CB: 
>> dns; User (rrcs-24-105-132-156.nyc.biz.rr.com [::ffff:24.105.132.156])
>> Dec 24 01:08:02 hta21 courierd: 
>> started,id=00055639.4B322B44.000076CB,from=<msgcen...@wbhfcu.com>,module=esmtp,host=hotels.com,addr=<vwa...@hotels.com>
>>
>> There were a number of following outgoing mails with the same id 
>> which apparently derived from the original. In the (daylight saving 
>> ignorant) router log
>>
>> Dec 24 00:08:03 router Vigor: Virtual Server: 24.105.132.156:18623 -> 
>> 192.168.1.2:25 (TCP) SMTP
>>
>> showing a definite connection to our mailserver from outside.
>>
>> Is there any configuration mistake that we may have made that would 
>> allow this (or are we reading the logs incorrectly)? We have worked 
>> through the documentation many times over the years and cannot 
>> identify any other setting that might open us up. Can anyone please 
>> provide advice that may help us track this down. I won't dump all our 
>> configuration to the list just yet, awaiting advice.
>>
>> We are updating Courier to the latest version, although I don't 
>> remember seeing any critical fixes since the version we have.
>

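As an added example (not code from Ken's message or from the Courier project), a small Python script that correlates courierd "newmsg" and "started" lines of the shape quoted above, flagging any message accepted from an address outside the internal subnets and then handed to the esmtp delivery module, which is exactly the outside-in relaying pattern the thread describes. The regexes, the internal subnet list and the extra sample log lines are assumptions constructed for the example; only the first two sample lines are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample log: lines 1-2 are the courierd entries quoted in the
# thread; the rest are made-up entries for an internal sender and an inbound mail.
SAMPLE_LOG = """\
Dec 24 01:08:02 hta21 courierd: newmsg,id=00055639.4B322B44.000076CB: dns; User (rrcs-24-105-132-156.nyc.biz.rr.com [::ffff:24.105.132.156])
Dec 24 01:08:02 hta21 courierd: started,id=00055639.4B322B44.000076CB,from=<msgcen...@wbhfcu.com>,module=esmtp,host=hotels.com,addr=<vwa...@hotels.com>
Dec 24 01:09:10 hta21 courierd: newmsg,id=CONSTRUCTED.0001: dns; pc1 (pc1.lan [::ffff:192.168.1.50])
Dec 24 01:09:10 hta21 courierd: started,id=CONSTRUCTED.0001,from=<alice@example.com>,module=esmtp,host=example.net,addr=<bob@example.net>
Dec 24 01:10:00 hta21 courierd: newmsg,id=CONSTRUCTED.0002: dns; mx (mx.example.org [::ffff:203.0.113.9])
Dec 24 01:10:00 hta21 courierd: started,id=CONSTRUCTED.0002,from=<carol@example.org>,module=local,host=,addr=<ken@example.com>
"""

# Field layout is assumed from the quoted lines: newmsg carries the source IP
# in [...]; started carries the delivery module and the destination.
NEWMSG_RE = re.compile(r"courierd: newmsg,id=(?P<id>[^:]+):.*\[(?P<ip>[^\]]+)\]")
STARTED_RE = re.compile(
    r"courierd: started,id=(?P<id>[^,]+),from=<(?P<frm>[^>]*)>,"
    r"module=(?P<mod>\w+),host=(?P<host>[^,]*),addr=<(?P<addr>[^>]*)>"
)


def normalize_ip(text):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) as Courier logs it."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def find_external_relays(log_text, internal_nets):
    """Return messages accepted from outside internal_nets and relayed out via esmtp."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    origin = {}   # queue id -> source IP taken from the newmsg line
    relays = []
    for line in log_text.splitlines():
        m = NEWMSG_RE.search(line)
        if m:
            origin[m["id"]] = normalize_ip(m["ip"])
            continue
        m = STARTED_RE.search(line)
        if not m or m["mod"] != "esmtp":
            continue  # local deliveries are inbound mail, not relaying
        src = origin.get(m["id"])
        if src is None or any(src in net for net in nets):
            continue  # unknown origin, or a trusted internal sender
        relays.append({"id": m["id"], "src": str(src), "from": m["frm"],
                       "to": m["addr"], "host": m["host"]})
    return relays
```

Run it over a real courierd log with your own subnet list; every hit is a message the server relayed for an outside address, which is what authenticated relay abuse with a stolen password looks like from the log's side.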
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
