# my postfix is an open relay ;(

## MaGuS

Hi all,

Last night somebody sent a lot of mails through my postfix. Now I'm listed on ordb.org. I made some changes in the main.cf, and now most of the test mails don't pass postfix, but one mail does.

Here is the link to the ordb header: Link

```
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions =
        #reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_invalid_hostname,
        reject_non_fqdn_recipient,
        #reject_unknown_sender_domain,
        #reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        permit_mynetworks,
        reject_unauth_destination,
        check_client_access pcre:/etc/postfix/client_checks.pcre,
        check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,
        check_sender_access hash:/etc/postfix/sender_checks,
        check_client_access hash:/etc/postfix/client_checks,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client inputs.relays.osirusoft.com,
        reject_rbl_client dialups.relays.osirusoft.com,
        reject_rbl_client spamhaus.relays.osirusoft.com,
        reject_rbl_client proxies.relays.monkeys.com,
        reject_rbl_client opm.blitzed.org,
        check_relay_domains,
        reject_maps_rbl,
        reject
smtpd_client_restrictions =
        permit_mynetworks,
        reject
```

This I had to comment out because of my DNS:

```
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
```

If I put it into the main.cf, every first mail to a domain fails because it cannot find the domain. But the spam goes through too.

SMTP AUTH and POP-before-SMTP aren't possible because my ISP sends me mails for my domain, and for another domain I am the MX ....

What am I doing wrong?

Best regards,

   Magnus

----------

## psp

Hmm... I can't work it out. I've installed postfix with default restrictions and I cannot relay off of my box using this "crack". It seems that he is embedding an address within an address and postfix is seeing the mail coming from $mynetworks. Postfix by default allows relaying for all hosts in the same network. Since the mail seems to be going to your domain, it is let through.

Could you provide more information? Postfix version, the values of $mynetworks, etc.

----------

## neilhwatson

I'm curious as to exactly why you commented out those two lines? SMTP is highly reliant on DNS. If your DNS service is not working then it is better to fix that than to work around it by opening Postfix (assuming those comments caused your relay problem).

----------

## MaGuS

If I put in these two lines, the ORDB test also fails ....

I only commented this out because we need the e-mail service.

----------

## neilhwatson

Having commented out these:

```
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
```

I believe Postfix will not reject people who relay via unknown domains. This has made your box an open relay. Any postfix experts care to comment?

----------

## vicay

 *neilhwatson wrote:*   

> Having commented out these:
> 
> reject_unknown_sender_domain, 
> 
> reject_unknown_recipient_domain, 
> ...

 

Hello,

Postfix decides upon the following parameters for which destinations it accepts mail. Please check in your /etc/postfix/main.cf:

mynetworks
-> should contain the network addresses which are considered as "trusted". Please pay special attention to netmasks!!! These networks are allowed to relay.

mydestination
-> domains which postfix wants to deliver locally

relay_domains
-> domains which postfix accepts, but wants to relay to another host (internal mailserver...)

Then change your smtpd_recipient_restrictions to a minimum:

```
smtpd_recipient_restrictions = permit_mynetworks,
                               reject_unauth_destination
```

After that you should test yourself and via ORDB if you still permit relaying (but this should not be the case).

Please do not use comment signs (#) within multiline statements!!!

Best regards

vicay

----------

## MaGuS

The problem is, it should accept all mails from my clients and send them directly. So relay_domains would be the whole inet, or not?

----------

## Chris W

I would suggest reverting to the out-of-the-box main.cf file.  Out-of-the-box Postfix does not relay mail for external users.  Change only the minimum possible settings and follow the wise advice from the file: 

```
# NOTE - CHANGE NO MORE THAN 2-3 PARAMETERS AT A TIME, AND TEST IF
# POSTFIX STILL WORKS AFTER EVERY CHANGE.
```

My config, which accepts mail for my domain, acts as backup for another, allows unlimited outgoing mail from my network, and doesn't relay has only had the following changed: myhostname, myorigin, mydestination, relay_domains, and smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination.

Once you think you have it corrected, you can perform a series of tests by executing: 

```
telnet relay-test.mail-abuse.org
```

 from the mail server machine.  The remote server will probe your SMTP port with a few tens of different ways that spammers try to obscure their activities and show you the result.  Postfix, by default, rejects all of them.

----------

## MaGuS

I love this forum, better than any mailing list. I will test @work.

Thank you all!

----------

## MaGuS

 :Sad: 

Now I did only 4 changes in the original main.cf and my box is still an open relay:

```
Mar 18 08:42:13 [postfix/smtpd] connect from groundzero.ordb.org[62.242.0.190]
Mar 18 08:42:14 [postfix/smtpd] 930143F676: client=groundzero.ordb.org[62.242.0.190]
Mar 18 08:42:14 [postfix/cleanup] 930143F676: message-id=<20030318074214.930143F676@ftp.hinzke.de>
Mar 18 08:42:14 [postfix/qmgr] 930143F676: from=<spamtest@ftp.hinzke.de>, size=1041, nrcpt=1 (queue active)
Mar 18 08:42:15 [postfix/smtpd] disconnect from groundzero.ordb.org[62.242.0.190]
Mar 18 08:42:15 [postfix/smtp] 930143F676: to=<marvin@marvin.ordb.org>, orig_to=<marvin.ordb.org!marvin@[62.8.219.66]>, relay=groundzero.ordb.org[62.242.0.190], delay=1, status=sent (250 Ok: queued as 9D4B42AA1E)
```

I only changed:

```
myhostname = ftp.hinzke.de
myorigin = hinzke.de
mydestination = hinzke.de, nhlf.de, hinzke.com
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
```

This one I didn't change:

```
#relay_domains = $mydestination
```

Now ORDB still says I am an open relay, but 'telnet relay-test.mail-abuse.org' shows this:

```
Tested host banner: 220 ftp.hinzke.de ESMTP Postfix
System appeared to reject relay attempts
```

Any hints?   :Crying or Very sad: 

Best regards,

   Magnus

Last edited by MaGuS on Tue Mar 18, 2003 7:58 am; edited 1 time in total

----------

## vicay

 *MaGuS wrote:*   

> 
> 
> Now I did only 4 changes in the original main.cf and my box is still an open relay:
> 
> ```
> ...

 

Hello again,

What does the mynetworks parameter say?

What's your own IP, and what is the inet_interfaces parameter set to?

best regards

vicay

----------

## MaGuS

Hi,

mynetworks and inet_interfaces are commented out, because I use the original main.cf.

The machine has two public and two private IPs. But only the two private nets should be allowed to send mail over this postfix.

Thanks for any help!

Best regards,

   Magnus

----------

## MaGuS

OK, I don't understand postfix!

I added the mynetworks parameter:

```
mynetworks = 192.168.2.0/28, 192.168.3.0/28, 62.8.219.71/8
```

I am the 62.8.219.71/8. Without this entry I cannot send mails to outside domains. With this entry I can.

But why the (/%/($/ can ORDB send mails through postfix?

Here again is the link to the ORDB mail header.

best regards,

    Magnus

----------

## vicay

 *MaGuS wrote:*   

> OK, I don't understand postfix!
> 
> I add the mynetworks parameter:
> 
> mynetworks = 192.168.2.0/28, 192.168.3.0/28, 62.8.219.71/8
> ...

 

Hello again,

ahh, that seems to be the reason.  :Smile: 

You added the whole 62.0.0.0/8 segment to your trusted networks, so all people with legal addresses between 62.0.0.0 and 62.255.255.255 can use your postfix as a relay. (btw ordb itself belongs to this segment too.)

You should change this according to your subnet segment or to a single-host entry:

```
mynetworks = 192.168.2.0/28, 192.168.3.0/28, 62.8.219.71/32, 127.0.0.0/8
```

btw, are you sure about the /28 for the internal networks?

best regards

vicay
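The mynetworks mistake vicay explains above, and the later CIDR question, as an added example (not code from this thread or from Postfix): a small Python check that reads a mynetworks value the way Postfix does, masks off the host bits, and reports whether a client would be let through by `permit_mynetworks, reject_unauth_destination`. The mynetworks lines, the mydestination list and the ORDB probe client IP are taken from the posts above; the "more than 65536 public hosts is suspicious" threshold is an assumption.

```python
import ipaddress

# Values taken from the thread: the mynetworks line Magnus posted, vicay's
# corrected version, Magnus' mydestination, and the ORDB probe client from
# his log excerpt. The 65536-host threshold in overly_broad() is an assumption.
MYNETWORKS_POSTED = "192.168.2.0/28, 192.168.3.0/28, 62.8.219.71/8"
MYNETWORKS_FIXED = "192.168.2.0/24, 192.168.3.0/24, 62.8.219.71/32, 127.0.0.0/8"
MYDESTINATION = "hinzke.de, nhlf.de, hinzke.com"
ORDB_PROBE_CLIENT = "62.242.0.190"

def parse_mynetworks(value):
    """Split a comma/space separated mynetworks value into networks.
    Like Postfix, treat 62.8.219.71/8 as the /8 that contains that host,
    i.e. discard the host bits (strict=False)."""
    return [ipaddress.ip_network(item, strict=False)
            for item in value.replace(",", " ").split()]

def trusted_network_for(client_ip, mynetworks):
    """Return the mynetworks entry (as a string) that matches client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    for net in parse_mynetworks(mynetworks):
        if ip in net:
            return str(net)
    return None

def relay_decision(client_ip, rcpt_domain, mynetworks, mydestination, relay_domains=""):
    """Model smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    for one RCPT TO: trusted clients may send anywhere; everyone else only to
    domains listed in mydestination or relay_domains."""
    if trusted_network_for(client_ip, mynetworks):
        return "permit (permit_mynetworks)"
    authorized = {d.strip().lower() for d in (mydestination + "," + relay_domains).split(",") if d.strip()}
    if rcpt_domain.lower() in authorized:
        return "permit (authorized destination)"
    return "reject (reject_unauth_destination)"

def overly_broad(mynetworks, max_hosts=65536):
    """Flag public entries that cover more addresses than a site could own,
    which is exactly how a /8 typo turns a mail server into an open relay."""
    return [str(n) for n in parse_mynetworks(mynetworks)
            if not n.is_private and n.num_addresses > max_hosts]

if __name__ == "__main__":
    for label, nets in (("posted", MYNETWORKS_POSTED), ("fixed", MYNETWORKS_FIXED)):
        print(label, "->", relay_decision(ORDB_PROBE_CLIENT, "marvin.ordb.org", nets, MYDESTINATION),
              "| broad entries:", overly_broad(nets))
```

Run it against your own main.cf values before testing with ORDB; any public entry it flags is a network of strangers you have told Postfix to relay for.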

----------

## MaGuS

mhhhhh that could be the problem ...

I need a private net 192.168.2.1 - 192.168.2.254.

Never really understood /8 /32 etc.  :Wink: 

----------

## bLanark

As an alternative, you could use iptables to only allow access to port 25 from the local host, or any other machines on your internal network. 

bLanark

----------

## MaGuS

Hi all again,

Thank you all, it's safe now!

```
The host you submitted at ORDB.org (62.8.219.66), has been thoroughly
checked, and does not seem to permit relaying.
```

The iptables thing would be a workaround and I don't like it.  :Wink: 

Thanks again!

Best regards,

   Magnus

----------

## bLanark

> The iptables thing would be a workaround and I don't like it.

Think of it as "belt and braces". Protect your system with a firewall that only allows access to ports you choose from hosts/networks you choose. At least that's what the security guys would recommend.

But you're right, it's good to have everything configured correctly. 

bLanark

----------

## vicay

 *MaGuS wrote:*   

> mhhhhh that could be the problem ...
> 
> i need a privat net 192.168.2.1 - 192.168.2.254
> 
> never realy understood /8 /32 etc. 

 

ok, then you have to specify 192.168.2.0/24  :Smile: 

best regards

vicay

----------

## Zu`

 *MaGuS wrote:*   

> 
> 
> never realy understood /8 /32 etc. 

 

This is called CIDR notation. It's a fairly easy notation once you get the hang of it. 

This short explanation might help you out.

----------

## MaGuS

ohh!   :Razz: 

Thank you very much!

----------

## cryos

If the iptables solution was employed to block port 25 to all but internal addresses, then no one would be able to send mail to his SMTP server either, as other SMTP daemons connect directly to your SMTP server to send mail to you and others on your mail server  :Smile: 

Just thought I would point that out for others. If you do have your server hosting a domain, then all IPs should be able to access port 25 to deliver mail to your server from everyone else on the Internet. One other solution in this case is to use SMTP AUTH as well - it gives roaming users access to an SMTP server however they are connected!

----------

