[OT] Sendmail open relay problem

Alex Neuman alex at nkpanama.com
Mon Aug 9 23:23:25 IST 2004


I would advise against pop-before-smtp and would recommend you use AUTH,
always - even on internal networks. You have accountability issues without
AUTH.

That and SSL.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Miguel Koren
Sent: Monday, August 09, 2004 2:26 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: [OT] Sendmail open relay problem

I have been running along with Mail Scanner just fine for a long, long
time and thought I had all my defenses in place. Over the weekend however
one of my servers seems to have been 'discovered' by a spamming operation
or a virus infected machine and I ended up with 75,000 files in the mqueue
directory this morning.

I use Sendmail 8.12.8 on Red Hat 9 in this case.

What I did is shut down Mail Scanner and Sendmail and deleted all those
files. It's possible that some were genuine emails but if so, very, very
few.

My understanding of Sendmail is that a relay is closed if the
/etc/mail/access file is ok. Here is what I have:

localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY

# internal
10.10.10.0              RELAY


I also have this in /etc/mail/relay-domains:

# internal
10.10.10.

# localhost
127.0.0.1
localhost
localhost.localdomain

I also run pop-before-smtp for our roaming users and I can't stop
using it short term. Perhaps some of the IPs I see in the pop-before-smtp
log are that particular spammer IP.

I don't think Red Hat 9 has any default users that can log in to email
with default passwords. If anybody is interested, this
http://popbsmtp.sourceforge.net/ is a good system assuming it did not
cause the problems. This system requires a change in
/etc/mail/sendmail.cf to make Sendmail check the pop-before-smtp database
before sending emails. This is the change that I made a long time ago:

Kpopauth hash -a<OK> /etc/mail/popauth

SLocal_check_rcpt
R$*             $: $(popauth $&{client_addr} $: <?> $)
R<?>            $@ NoPopAuth
R$*<OK>         $# OK
......

then I have all the rest of the normal file.

My theory is that there may be an infected machine logging in to pop and
then sending emails or a deliberate attempt to use pop with default users
gets the same result.

Summarizing:
a) are there any errors in access and relay-domains?
b) are there any known default users in Red Hat 9 that can access pop?
c) Would this sendmail.cf somehow mess up the relay checking (apart from
checking the database first)?

Miguel

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
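As an added example (not part of the thread and not sendmail's own code), the script below models the client-address part of the relay decision that Miguel's questions a) and c) turn on. It reproduces the way sendmail looks up a client IP in the access database (the full address first, then progressively shorter dotted prefixes) and layers on top of it the ordering of the quoted Local_check_rcpt fragment, where the popauth hash is consulted before the normal checks. The access file is the one quoted above; the popauth snapshot, the client IPs and the function names are constructed for the example. It deliberately ignores hostname keys, relay-domains and the other access tags (To:, From:, Spam:), so treat it as a first-pass audit rather than a substitute for testing the real configuration.

```python
"""Model of sendmail's client-IP relay lookup, for auditing an access file.

Added example, not sendmail code: parse_access(), lookup_address(),
relay_decision() and audit_network_keys() are all constructed here.
"""
from typing import Dict, List, Optional, Tuple

# The access file quoted in the thread, reproduced as constructed input.
ACCESS_FILE = """\
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY

# internal
10.10.10.0              RELAY
"""

# Constructed snapshot of the popauth hash that pop-before-smtp maintains:
# key = client IP that recently completed a POP login, value = OK.
POPAUTH_DB: Dict[str, str] = {"203.0.113.7": "OK"}   # RFC 5737 test address


def parse_access(text: str) -> Dict[str, str]:
    """Turn access-file lines into a key -> action map.

    Comments and blank lines are skipped, keys are lower-cased and an
    optional "Connect:" tag is dropped so tagged and untagged entries
    compare the same way.  Other tags (To:, From:, Spam:) are ignored here."""
    db: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, action = parts[0].lower(), parts[1].strip()
        if key.startswith("connect:"):
            key = key[len("connect:"):]
        db[key] = action
    return db


def lookup_address(ip: str, db: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """sendmail-style client address lookup.

    10.10.10.5 is tried as 10.10.10.5, then 10.10.10, 10.10 and 10.  A key
    such as 10.10.10.0 is therefore consulted only when the client really
    is 10.10.10.0; it does not cover the /24 the way a 10.10.10 key does."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in db:
            return key, db[key]
    return None


def relay_decision(client_ip: str, access_db: Dict[str, str],
                   popauth_db: Dict[str, str]) -> Tuple[bool, str]:
    """Order used by the quoted Local_check_rcpt: popauth first, then access.

    Returns (relay_allowed, reason) so an auditor can see why a given
    client would be allowed to relay."""
    if popauth_db.get(client_ip, "").upper() == "OK":
        return True, "popauth"
    hit = lookup_address(client_ip, access_db)
    if hit is not None and hit[1].upper() == "RELAY":
        return True, "access:" + hit[0]
    return False, "no-relay"


def audit_network_keys(db: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag four-octet RELAY keys ending in .0: almost always meant as a
    network, but under prefix matching they match only that single host.
    Returns (key, suggested_prefix_key) pairs."""
    findings: List[Tuple[str, str]] = []
    for key, action in db.items():
        parts = key.split(".")
        if (action.upper() == "RELAY" and len(parts) == 4
                and all(p.isdigit() for p in parts) and parts[3] == "0"):
            findings.append((key, ".".join(parts[:3])))
    return findings


if __name__ == "__main__":
    access = parse_access(ACCESS_FILE)
    for ip in ("10.10.10.5", "10.10.10.0", "127.0.0.1",
               "203.0.113.7", "198.51.100.9"):
        print(ip, relay_decision(ip, access, POPAUTH_DB))
    print("review:", audit_network_keys(access))
```

Run as-is, the script shows that 10.10.10.5 is not relayed under the quoted access file (only 10.10.10.0 itself matches the "10.10.10.0 RELAY" line), that 127.0.0.1 is relayed, and that a client in the popauth snapshot is relayed before the access database is even consulted, which is exactly the behaviour question c) asks about. The authoritative check remains running the real rulesets against the installed sendmail.cf in sendmail's address test mode (sendmail -bt) with the client address set to the IPs seen in the pop-before-smtp log.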
