[Tfug] Qmail and Open Relay

Andrew Ayre andy at britishideas.com
Sat Jun 9 15:58:40 MST 2007


Thanks for the detailed info - I will go through that later and see what we
need to change. :)

I used tcpdump to record all traffic on port 25 overnight. I checked every
single successful AUTH LOGIN that occurred. It was split about 50/50 with
the following combinations:

  username: info, password: company

  username: info, password: root

However there are lots of attempts with the same username/password
combinations that fail with:

  454 oops, unable to write pipe and I can't auth (#4.3.0)

I wrote a PHP script to attempt to send 100 emails using the info/company
combination, one after the other. 5 out of 100 were accepted.

I then modified the PHP script to use a username of info and a password of
"foobar". 4 out of 100 were accepted.

So I guess if you keep on hitting the SMTP server you will get some emails
through.

Kind of worrying...

The tcpdump also shows the spam going back out again. Our server has already
been blacklisted by one domain... :(

Andy

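The AUTH LOGIN check described above, as an added example that is not from this thread: a Python script that walks decoded port-25 dialogue (a constructed sample, not a real capture; the "<client-ip> C:/S: <line>" layout is an assumption) and reports, per username, how many attempts drew a 235, 535 or 454 and whether one name was accepted with more than one distinct password, which is the anomaly worth chasing.

```python
import base64
from collections import defaultdict
# Constructed sample of decoded port-25 dialogue in an assumed
# "<client-ip> <C:|S:> <line>" layout; addresses are documentation ranges.
SAMPLE = """\
203.0.113.7 C: AUTH LOGIN
203.0.113.7 S: 334 VXNlcm5hbWU6
203.0.113.7 C: aW5mbw==
203.0.113.7 S: 334 UGFzc3dvcmQ6
203.0.113.7 C: Y29tcGFueQ==
203.0.113.7 S: 235 ok, go ahead (#2.0.0)
198.51.100.9 C: AUTH LOGIN
198.51.100.9 S: 334 VXNlcm5hbWU6
198.51.100.9 C: aW5mbw==
198.51.100.9 S: 334 UGFzc3dvcmQ6
198.51.100.9 C: Zm9vYmFy
198.51.100.9 S: 454 oops, unable to write pipe and I can't auth (#4.3.0)
198.51.100.9 C: AUTH LOGIN
198.51.100.9 S: 334 VXNlcm5hbWU6
198.51.100.9 C: aW5mbw==
198.51.100.9 S: 334 UGFzc3dvcmQ6
198.51.100.9 C: Zm9vYmFy
198.51.100.9 S: 235 ok, go ahead (#2.0.0)
"""

def parse_auth_attempts(text):
    """One {'ip','user','password','code'} record per AUTH LOGIN exchange."""
    pending, attempts = {}, []
    for line in text.splitlines():
        ip, side, payload = line.split(" ", 2)
        if side == "C:" and payload.upper() == "AUTH LOGIN":
            pending[ip] = {"ip": ip, "user": None, "password": None}
        elif side == "C:" and ip in pending:
            field = "user" if pending[ip]["user"] is None else "password"
            pending[ip][field] = base64.b64decode(payload).decode("ascii", "replace")
        # 334 lines are the Username:/Password: prompts; the first non-334 reply after the password is the verdict (235/535/454)
        elif ip in pending and pending[ip]["password"] and payload[:3] != "334":
            attempts.append(dict(pending.pop(ip), code=payload[:3]))
    return attempts

def summarize(attempts):
    per_user = defaultdict(lambda: {"codes": defaultdict(int), "accepted": set()})
    for a in attempts:
        per_user[a["user"]]["codes"][a["code"]] += 1
        if a["code"] == "235":
            per_user[a["user"]]["accepted"].add(a["password"])
    return per_user

def suspicious_users(per_user):  # one name accepted with several passwords: the check is not checking
    return sorted(u for u, s in per_user.items() if len(s["accepted"]) > 1)
```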

-----Original Message-----
From: tfug-bounces at tfug.org [mailto:tfug-bounces at tfug.org]On Behalf Of
kelley g
Sent: Saturday, June 09, 2007 2:39 PM
To: tfug at tfug.org
Subject: Re: [Tfug] tfug Digest, Vol 47, Issue 13


>Hi Kelley,
>
>We want to stop these messages getting into the send queue. Right now they
>appear to overwhelm qmail after a while and it exits. I'll look into the
>double bounce possibility. Also I think we will try running tcpdump on port
>25.
>We don't appear to have logs of the delivered mail.

Andy

unmodified qmail follows the smtp protocol specs regarding mail acceptance -
it accepts every incoming mail. this does not mean it will relay or
deliver these messages. tcpserver is designed to implement tcp connection
acl's well before a message gets to the queue at a low cost. additionally,
qmail queue replacements allow qmail to get rid of and tag incoming mail
according to whatever features you want to implement.

qmail shouldn't exit under low resource conditions, it degrades gracefully.
it's more likely that it's the perl processes associated with qmail-scanner
causing mail delivery problems. you should be using daemontools to keep your
processes alive. maybe your box is getting brought down by
spamassassin/clamd loads? without knowing more about your setup i can't help
you. maybe you need a dedicated virus scanning spam tagging box?

if you're using dns blacklists, make sure your list of sites is up to date.
you will create havoc with your networking if your blacklist lookups are
timing out because a site is unavailable.

as far as keeping messages from the originating server off the queue, that's
easy; 'tcp.smtp' is your friend.
if you're using vpopmail, it's probably in '/home/vpopmail/etc/'

add an explicit deny line for the server annoying your queue.
'202.99.204.66:deny'

run 'qmailctl cdb' to rebuild the cdb hash. if you don't have the qmailctl
script, maybe 'service qmail cdb'
or rtfm for rebuilding the cdb file.

also, simscan is a much more scalable queue replacement than qmail-scanner,
(C vs perl). i replaced it on my mailservers years ago and never looked
back. here's a good place to start if you want to update your mail software.
be careful if you're using a mysql-vpopmail setup. database schemas can
change if you're running a really old box.

http://shupp.org/toaster/

also if you're running bind dns on the box(es), you may want to consider
djbdns as a replacement. djbdns has a much lighter footprint and no pesky
memory, cache poisoning or stability issues. http://cr.yp.to/djbdns.html

fyi, if you're running a mailserver without logs for performance reasons,
you really shouldn't. look into a dedicated logging box. it needn't be
powerful, just simple and secure. (trustix) all your various servers would
like to offload their logging. if you get a nasty windows worm, you may need
to do some forensics using the logs. you should know how to turn them on,
etc. in the event of a root compromise, you can possibly look to see what
happened on a box on which the cracker cannot cover their tracks.

qmail's not that hard to administer, but unique in its config compared to
sendmail or postfix. once you get the concepts down, any other mail server
seems deeply inflexible. :) but then, i'm a developer and like to have my
fingers on all the buttons.

enjoy!

--

kelley g
520.770.1200
ooooooooooooooooooooooooooooo
http://toasterz.com
open minds - open source
ooooooooooooooooooooooooooooo

