
Re: spammers are killing me



also sprach  Bruce Burhans <bburhans@earthlink.net> [2002.03.20.0521 +0100]:
>     Would you mind explaining what the above means
> to us lesser mortals, Martin?
> We are not all Gurus, you know......

i'll try... it's the log written by postfix, my mail transfer agent.

> postfix/smtpd[6023]: connect from host074125.arnet.net.ar [200.45.74.125]

that's relatively clear, huh? host074125.arnet.net.ar connects to port
25 of my mail server

> postfix/smtpd[6023]: 6937F1673D: client=host074125.arnet.net.ar[200.45.74.125]

the message is assigned an ID: 6937F1673D
note the process id of the smtpd process being the same as above.

> postfix/cleanup[6024]: 6937F1673D: message-id=<0000569d4d9a$000021ce$00002d35@64.197.156.227>

purely informational...

> postfix/qmgr[31979]: 6937F1673D: from=<opt-in@randbad.com>, size=5880, nrcpt=25 (queue active)

okay, the fun starts. postfix received a message introduced on the
SMTP level with an envelope sender opt-in@randbad.com. it's 5880 bytes
in size and lists 25 recipients on the envelope.

so far so good. if these 25 recipients are all local users on my
system, this message will be happily accepted and delivered.

however:

> postfix/smtp[6038]: 6937F1673D: to=<kkelsplace@cs.com>, relay=mailin-02.mx.aol.com[64.12.136.121], delay=7, status=sent (250 OK)

this is one of the 25 (note the ID, which is the same, so you can
associate log lines with each other). it was delivered to
kkelsplace@cs.com, which was done through SMTP-speak with
mailin-02.mx.aol.com, and successfully (code 250).

this is the problem. it means that my server received a single message
instructing it to relay it on to 25 recipients, which means that i had
25 times the load factor, and it also means that the spam comes
through a connection from my server.

the deal with relaying is that a mail server has to accept all mail
whose envelope recipient is a domain that the mail server considers
local. madduck.net is one such domain, for instance,
pantsfullofunix.net another. all mail to
<anything>@pantsfullofunix.net should be accepted by my server.

you can also specify a range of IPs that may send a message to the
server, whose final recipient is non-local to the server. in that
case, the server is asked to forward that message where it has to go,
which is known as relaying. it's kind of like a secretary to whom you
can give your outgoing mail if you live in rooms 10-15. she won't
carry mail from anywhere else onwards, but she will relay the mail for
people in rooms 10-15 and bring it to the post office. my mail server
will do so only for the 127.0.0.1 IP, which the spammer cannot
impersonate unless he's got a local account (which he doesn't).

one very last thing is TLS client authentication - here, the client's
IP is not important (and thus this approach is great for dialup
clients that would like to use your server regardless of their IP). to
make sure that only privileged clients make use of that service, the
client presents a certificate to the server, and only if the
certificate is one of the ones that may relay does the server forward
the mail. but this can't be the case in the above instance simply
because it would be logged e.g. like so:

postfix/smtpd[4714]: TLS connection established from A3c93.pppool.de[213.6.60.147]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
postfix/smtpd[4714]: A78FD11009: client=A3c93.pppool.de[213.6.60.147]
postfix/cleanup[4716]: A78FD11009: message-id=<20020320071615.GB18637@fishbowl.madduck.net>

... and so on.

did i make this a little clearer? do you understand now why i am
confused? i know this topic quite well and i've been capable of running
closed-relay mailservers for the better part of 6 years, but the above
log entries are an indication of an abuse of my mail services despite
the relay being closed...

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
i need not suffer in silence
while i can still moan, whimper and complain.

Attachment: pgpztr_RRxZWB.pgp
Description: PGP signature
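The reasoning in the message above (correlate postfix log lines by queue ID, then decide whether a delivery to a non-local recipient was authorised by the client's IP or by a TLS-authenticated connection) can be turned into a small triage script. The following is an added example, not code from the message or from postfix; it assumes the trusted network is 127.0.0.0/8 and the local domains are madduck.net and pantsfullofunix.net as stated in the message, and it runs over a constructed log sample: the lines quoted above, plus a local delivery, a TLS-authenticated submission and a submission from 127.0.0.1 that are not in the original, so that each outcome is exercised. As in the message, a "TLS connection established" line from the same smtpd process is taken as the sign of a TLS client; a production check would additionally confirm that the client certificate was verified.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (no syslog prefix, as quoted in the message). The
# first five lines are the ones discussed; the rest are added so that local
# delivery, a TLS client and a 127.0.0.1 client are all represented.
SAMPLE_LOG = """\
postfix/smtpd[6023]: connect from host074125.arnet.net.ar[200.45.74.125]
postfix/smtpd[6023]: 6937F1673D: client=host074125.arnet.net.ar[200.45.74.125]
postfix/cleanup[6024]: 6937F1673D: message-id=<0000569d4d9a$000021ce$00002d35@64.197.156.227>
postfix/qmgr[31979]: 6937F1673D: from=<opt-in@randbad.com>, size=5880, nrcpt=25 (queue active)
postfix/smtp[6038]: 6937F1673D: to=<kkelsplace@cs.com>, relay=mailin-02.mx.aol.com[64.12.136.121], delay=7, status=sent (250 OK)
postfix/local[6040]: 6937F1673D: to=<joe@madduck.net>, relay=local, delay=1, status=sent (mailbox)
postfix/smtpd[6023]: disconnect from host074125.arnet.net.ar[200.45.74.125]
postfix/smtpd[4714]: TLS connection established from A3c93.pppool.de[213.6.60.147]: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
postfix/smtpd[4714]: A78FD11009: client=A3c93.pppool.de[213.6.60.147]
postfix/qmgr[31979]: A78FD11009: from=<martin@madduck.net>, size=1200, nrcpt=1 (queue active)
postfix/smtp[4720]: A78FD11009: to=<friend@example.org>, relay=mx.example.org[192.0.2.10], delay=4, status=sent (250 OK)
postfix/smtpd[5000]: B00000001: client=localhost[127.0.0.1]
postfix/qmgr[31979]: B00000001: from=<martin@madduck.net>, size=900, nrcpt=1 (queue active)
postfix/smtp[5003]: B00000001: to=<someone@example.net>, relay=mx.example.net[192.0.2.20], delay=3, status=sent (250 OK)
"""

# Relay policy as described in the message (assumed values).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
MYDESTINATION = {"madduck.net", "pantsfullofunix.net"}

LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=(?P<host>\S+?)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"^(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)")
TO_RE = re.compile(r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), .*status=(?P<status>\w+)")


def parse_log(text):
    """Group postfix log lines by queue ID.

    The TLS line carries no queue ID, so it is linked to a later client= line
    through the smtpd PID; the mark is dropped again on disconnect so a reused
    PID does not inherit it.
    """
    tls_pids = set()
    msgs = defaultdict(lambda: {"client_ip": None, "tls": False,
                                "sender": None, "nrcpt": 0, "sent": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        prog, pid, rest = m["prog"], m["pid"], m["rest"]
        if prog == "smtpd" and rest.startswith("TLS connection established"):
            tls_pids.add(pid)
            continue
        if prog == "smtpd" and rest.startswith("disconnect from"):
            tls_pids.discard(pid)
            continue
        c = CLIENT_RE.match(rest)
        if c:
            msgs[c["qid"]]["client_ip"] = c["ip"]
            msgs[c["qid"]]["tls"] = pid in tls_pids
            continue
        f = FROM_RE.match(rest)
        if f:
            msgs[f["qid"]]["sender"] = f["sender"]
            msgs[f["qid"]]["nrcpt"] = int(f["nrcpt"])
            continue
        t = TO_RE.match(rest)
        if t and t["status"] == "sent":
            msgs[t["qid"]]["sent"].append((t["rcpt"], t["relay"]))
    return dict(msgs)


def is_local(rcpt):
    """A recipient is local when its domain is one the server accepts mail for."""
    return rcpt.rsplit("@", 1)[-1].lower() in MYDESTINATION


def classify(msg):
    """Decide whether a message was relayed and, if so, what authorised it."""
    relayed = [r for r, relay in msg["sent"] if relay != "local" and not is_local(r)]
    if not relayed:
        return "local-delivery"
    if msg["client_ip"] is None:
        return "relayed-unknown-client"  # no client= line seen for this queue ID
    ip = ipaddress.ip_address(msg["client_ip"])
    if any(ip in net for net in MYNETWORKS):
        return "relayed-by-mynetworks"
    if msg["tls"]:
        return "relayed-by-tls-client"
    return "OPEN-RELAY-ABUSE"  # relayed for a client that no policy permits


def find_relay_abuse(text):
    """Map each queue ID in the log to its classification."""
    return {qid: classify(m) for qid, m in parse_log(text).items()}


if __name__ == "__main__":
    for qid, verdict in find_relay_abuse(SAMPLE_LOG).items():
        print(qid, verdict)
```

Run against the sample, 6937F1673D comes out as OPEN-RELAY-ABUSE, which is the conclusion the message reaches by hand: the client is neither in the trusted network nor on a TLS connection, yet a recipient at cs.com was delivered via AOL's MX. The nrcpt value kept per queue ID is the "25 times the load factor" the message mentions.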

