Hi,
I did a fresh qmail installation on a server at my work,
and before opening up access to users I'm
testing the mail server to find some security breaches.
#############################
PS: I posted a message some days ago about SMTP-AUTH and
TLS/SSL together. Sorry about that question; the cause was
that I was using recordio in my smtpd run script. When
recordio is used on a TLS/SSL connection, qmail breaks
it. So, don't use recordio unless you get errors, and
only use it for some administrative process. I'm
mentioning this because by the end of this message
you will understand.
#############################
Now, back to my problem.
I connected my server to the internet. It's accepting
connections, I can do relay tests, and send and receive
messages (internal or external); everything looks OK.
The problem is: if I connect to the internet from outside my
network over a dial-up connection, I authenticate
(with a valid user) on my mail server correctly. After
this authentication, I tried to use another mail account
(in the same MUA client) with a different e-mail address and
username that doesn't exist on my mail server, and for
this account I configured my mail server as the POP and SMTP
server.
To my surprise, I can send messages with this
account. Well, my relay is OPEN, correct?
Below is my example:
MAIL SERVER: server.test.com
POP SERVER: pop.test.com
SMTP SERVER: smtp.test.com
VALID USER: [EMAIL PROTECTED]
E-MAIL: [EMAIL PROTECTED]
This is OK
MAIL SERVER: server.test.com
POP SERVER: pop.test.com
SMTP SERVER: smtp.test.com
INVALID USER: [EMAIL PROTECTED]
E-MAIL USER: [EMAIL PROTECTED]
This is WRONG
So, when I first authenticate with the valid user in
my domain ([EMAIL PROTECTED]), I can send messages as
the [EMAIL PROTECTED] user.
The result is that my relay is OPEN while the
connection exists and the IP is present in my
/home/vpopmail/etc/open-smtp.
How can I block this?
I did various relay tests from the internet against the
mail server and it doesn't permit connections if the
remote user doesn't authenticate, but in the
situation above the mail server doesn't block an invalid
user.
Is there a way to permit only authenticated (SMTP-AUTH
or TLS/SSL) smtpd connections? This would force
users to enable authentication in their MUAs, and
invalid accounts wouldn't get a connection to send spam
to the network.
I have installed: qmail-1.03, toaster-0.5,
vpopmail-5.3.19, courier-imap-2.1.2.
My tcp.smtp file:
127.:allow,RELAYCLIENT=""
192.168.23.:allow,RELAYCLIENT=""
My open-smtp file:
127.:allow,RELAYCLIENT=""
My smtpd run file:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
# -x: per-IP allow/deny rules and RELAYCLIENT from the cdb built from tcp.smtp
# qmail-smtpd runs as vpopmail; vchkpw is the SMTP-AUTH checkpassword program
exec /usr/local/bin/softlimit -m 10000000 \
    /usr/local/bin/tcpserver -H -R -l 0 -v \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd server.test.com \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1
Can anyone help me?
PS2: Sorry for any mistakes in my English.
Regards,
Tato
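The relay decision described in the message above, as an added example that is not part of the original post and not code from qmail, tcpserver or vpopmail. It models the posted tcp.smtp and open-smtp files (constructed copies, plus a hypothetical dial-up address 203.0.113.77 written to open-smtp after a login from it), an assumed rcpthosts containing test.com, and a simplified rendering of the tcprules lookup order (full address, then shorter dotted prefixes, then the empty default). The point it shows is that relaying is decided per IP address, or per session after SMTP-AUTH, and never per sender address:

```python
"""Model of how tcpserver's per-IP rules and qmail-smtpd's RELAYCLIENT
variable decide whether a RCPT TO is relayed.  Added example, not code
from the original post nor from qmail, tcpserver or vpopmail: the rule
texts are constructed copies of the posted files plus one hypothetical
dial-up address, rcpthosts content is assumed, and the lookup order is
a simplified rendering of tcprules matching."""

from typing import Dict, Tuple

Rule = Tuple[str, Dict[str, str]]          # (verdict, environment)

# Constructed copy of the posted tcp.smtp.
TCP_SMTP = '''127.:allow,RELAYCLIENT=""
192.168.23.:allow,RELAYCLIENT=""
'''
# Constructed open-smtp: the posted line plus a hypothetical dial-up
# address (documentation range) appended after a successful login.
OPEN_SMTP = '''127.:allow,RELAYCLIENT=""
203.0.113.77:allow,RELAYCLIENT=""
'''
RCPTHOSTS = {"test.com"}   # assumed content of /var/qmail/control/rcpthosts


def parse_rules(*texts: str) -> Dict[str, Rule]:
    """Parse lines of the form  addr:allow|deny[,VAR="value",...]  into a
    map addr -> (verdict, env).  Files given later override earlier ones
    for the same address, standing in for a cdb rebuilt from tcp.smtp
    merged with open-smtp."""
    rules: Dict[str, Rule] = {}
    for text in texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            addr, _, rest = line.partition(":")
            verdict, *assigns = rest.split(",")
            env: Dict[str, str] = {}
            for assign in assigns:
                name, _, value = assign.partition("=")
                env[name] = value.strip('"')
            rules[addr] = (verdict, env)
    return rules


def lookup(rules: Dict[str, Rule], ip: str) -> Rule:
    """Simplified tcpserver -x lookup: the full address first, then each
    shorter dotted prefix ('1.2.3.', '1.2.', '1.'), then the empty
    default.  No matching rule means allow with no RELAYCLIENT."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for cand in candidates:
        if cand in rules:
            return rules[cand]
    return ("allow", {})


def rcpt_allowed(env: Dict[str, str], rcpt: str,
                 rcpthosts=RCPTHOSTS) -> bool:
    """qmail-smtpd's RCPT TO test: with RELAYCLIENT in the environment any
    recipient is accepted; otherwise the recipient domain must be listed
    in rcpthosts.  MAIL FROM is never consulted."""
    if "RELAYCLIENT" in env:
        return True
    return rcpt.rpartition("@")[2].lower() in rcpthosts


def session_relays(ip: str, rcpt: str, authenticated: bool = False) -> bool:
    """Would a session from `ip` be allowed to send to `rcpt`?  A
    successful SMTP-AUTH in the session sets RELAYCLIENT as well, which
    is what the auth patch does; the sender address plays no part."""
    verdict, env = lookup(parse_rules(TCP_SMTP, OPEN_SMTP), ip)
    if verdict != "allow":
        return False
    env = dict(env)
    if authenticated:
        env["RELAYCLIENT"] = ""
    return rcpt_allowed(env, rcpt)


if __name__ == "__main__":
    # The situation in the post: the dial-up IP is already in open-smtp,
    # so a second account with a sender that does not exist still relays.
    print(session_relays("203.0.113.77", "someone@example.org"))   # True
    print(session_relays("203.0.113.78", "someone@example.org"))   # False
```

Because neither the rules file nor qmail-smtpd looks at MAIL FROM, the second "invalid" account in the post relays for as long as the dial-up address stays in open-smtp (or for the rest of an authenticated session); the only handle the server has is the IP and the session, not the account name the MUA sends.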