
Re: Am I really an Open Relay?



Derrick 'dman' Hudson wrote:
On Thu, Jul 18, 2002 at 08:57:58AM -0500, Kent West wrote:
| My network security honcho just came in and told me that according to
| ORDB, my Debian box is an open relay. Am I really a relay, and how do I
| tighten up the security if I am? Thanks!
|
| Here's the message that ORDB sent to me:

| >For details about the test results, please refer to
| ><http://ORDB.org/lookup/?host=150.252.128.51>.

The reason is this :
    X-ORDB-Envelope-To: marvin%marvin.ordb.org@westek.acu.edu

You're susceptible to the "percent hack" thing.  Remember test #9 from
a few weeks ago?  The domain literal setting has nothing to do with
it.  It would _appear_ to be fixed to that tester because it didn't
know your actual domain.  (there is no domain literal in the above
address, hence that setting has no effect on it)

I appreciate your response; I don't totally understand this explanation, but I think I understand you to say that my system allows relaying if the address is in the format "user%domain@mybox", because the percent sign bypasses the normal checks against relaying.


| Here's what I think are probably the relevant snippets from my
| /etc/exim/exim.conf file:
|
| ># Domains we relay for; that is domains that aren't considered local but we
| ># accept mail for them.
| >
| >#relay_domains =
You can uncomment this and leave it set to the empty list (which it
should be by default anyways).

What about "percent_hack_domains"?


Here's the snippet:

# If you want Exim to support the "percent hack" for all your local domains,
# percent_hack_domains=*




Also can you post all the log entries relating to 17V0Qg-00019a-00?


I'm not sure how best to do that. I tried the command "sudo grep 17V0Qg-00019a-00 *" from the /var/log directory, which resulted in:

westek[westk]:/home/westk> cat greptext
auth.log:Jul 18 14:08:13 westek sudo: westk : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/grep 17V0Qg-00019a-00 XFree86.0.log XFree86.1.log XFree86.2.log XFree86.3.log XFree86.4.log auth.log auth.log.0 auth.log.1.gz auth.log.2.gz auth.log.3.gz btmp btmp.1 cups daemon.log daemon.log.0 daemon.log.1.gz daemon.log.2.gz daemon.log.3.gz daemon.log.4.gz daemon.log.5.gz daemon.log.6.gz debug debug.0 debug.1.gz debug.2.gz debug.3.gz debug.4.gz dmesg exim faillog installer.log.1 jabber kern.log kern.log.0 kern.log.1.gz kern.log.2.gz kern.log.3.gz kern.log.4.gz ksymoops lastlog lastlog.1 libgnomeprint-install.log lilo_log.10005 lp-acct lp-errs lpr.log lpr.log.0 lpr.log.1.gz lpr.log.2.gz lpr.log.3.gz mail.err mail.err.0 mail.err.1.gz mail.info mail.info.0 mail.info.1.gz mail.log mail.log.0 mail.log.1.gz mail.warn mail.warn.0 mail.warn.1.gz messages messages.0 messages.1.gz messages.2.gz messages.3.gz news ntpstats samba scrollkeeper.log scrollkeeper.log.1 scrollkeeper.log.2
setuid.cha
auth.log:Jul 18 14:09:31 westek sudo: westk : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/grep 17V0Qg-00019a-00 XFree86.0.log XFree86.1.log XFree86.2.log XFree86.3.log XFree86.4.log auth.log auth.log.0 auth.log.1.gz auth.log.2.gz auth.log.3.gz btmp btmp.1 cups daemon.log daemon.log.0 daemon.log.1.gz daemon.log.2.gz daemon.log.3.gz daemon.log.4.gz daemon.log.5.gz daemon.log.6.gz debug debug.0 debug.1.gz debug.2.gz debug.3.gz debug.4.gz dmesg exim faillog installer.log.1 jabber kern.log kern.log.0 kern.log.1.gz kern.log.2.gz kern.log.3.gz kern.log.4.gz ksymoops lastlog lastlog.1 libgnomeprint-install.log lilo_log.10005 lp-acct lp-errs lpr.log lpr.log.0 lpr.log.1.gz lpr.log.2.gz lpr.log.3.gz mail.err mail.err.0 mail.err.1.gz mail.info mail.info.0 mail.info.1.gz mail.log mail.log.0 mail.log.1.gz mail.warn mail.warn.0 mail.warn.1.gz messages messages.0 messages.1.gz messages.2.gz messages.3.gz news ntpstats samba scrollkeeper.log scrollkeeper.log.1 scrollkeeper.log.2
setuid.cha
auth.log:Jul 18 14:14:39 westek sudo: westk : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/grep 17V0Qg-00019a-00 XFree86.0.log XFree86.1.log XFree86.2.log XFree86.3.log XFree86.4.log auth.log auth.log.0 auth.log.1.gz auth.log.2.gz auth.log.3.gz btmp btmp.1 cups daemon.log daemon.log.0 daemon.log.1.gz daemon.log.2.gz daemon.log.3.gz daemon.log.4.gz daemon.log.5.gz daemon.log.6.gz debug debug.0 debug.1.gz debug.2.gz debug.3.gz debug.4.gz dmesg exim faillog installer.log.1 jabber kern.log kern.log.0 kern.log.1.gz kern.log.2.gz kern.log.3.gz kern.log.4.gz ksymoops lastlog lastlog.1 libgnomeprint-install.log lilo_log.10005 lp-acct lp-errs lpr.log lpr.log.0 lpr.log.1.gz lpr.log.2.gz lpr.log.3.gz mail.err mail.err.0 mail.err.1.gz mail.info mail.info.0 mail.info.1.gz mail.log mail.log.0 mail.log.1.gz mail.warn mail.warn.0 mail.warn.1.gz messages messages.0 messages.1.gz messages.2.gz messages.3.gz news ntpstats samba scrollkeeper.log scrollkeeper.log.1 scrollkeeper.log.2
setuid.cha

but if I understand correctly, that's just reporting that I've run that grep command three times via sudo. In other words, there don't seem to be any logs (at least in this directory) referring to this number.

I just tried it again with the -r option, and found some references in maillog.0. So I changed to the /var/log/exim directory and tried the grep command again and got:
westek:/var/log/exim# grep -r 17V0Qg-00019a-00 *
mainlog.0:2002-07-17 20:50:07 17V0Qg-00019a-00 <= spamtest@mail.acu.edu H=ordb01.fnidder.dk (localhost.localdomain) [62.79.90.71] P=esmtp S=1025
mainlog.0:2002-07-17 20:50:13 17V0Qg-00019a-00 => marvin%marvin.ordb.org@mail.acu.edu <marvin%marvin.ordb.org@westek.acu.edu> R=smarthost T=remote_smtp H=nicanor.acu.edu [150.252.135.30]
mainlog.0:2002-07-17 20:50:13 17V0Qg-00019a-00 Completed

Thanks for your assistance!

Kent
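Added example (not part of the thread, and not Exim's own code): the percent hack accepts "user%remote.domain@our.domain" as mail for a local domain, then hands it on to remote.domain, which is exactly what Kent's mainlog.0 lines record. The script below parses Exim 3 main-log delivery lines in that format and flags a delivery as a percent-hack relay when the address Exim accepted had one of our domains on the right of the "@", a "%" in the local part, and went out over a remote transport. The sample input is the three mainlog.0 lines from the post plus one constructed benign local delivery; LOCAL_DOMAINS and the regex for the log format are assumptions made for the example.

```python
"""Flag percent-hack relaying in Exim 3 main-log delivery lines.

Added example for illustration; the parsing and LOCAL_DOMAINS are assumptions,
not Exim's own logic or configuration.
"""
import re

# Assumption: the domains this Exim host treats as local.
LOCAL_DOMAINS = {"westek.acu.edu"}

# Exim 3 main-log delivery line, as seen in the post:
#   "2002-07-17 20:50:13 17V0Qg-00019a-00 => final <original> R=... T=... H=..."
# The "<original>" field is present only when Exim rewrote the address.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S+) => (?P<final>\S+)"
    r"(?: <(?P<orig>[^>]+)>)? (?P<rest>.*)$"
)


def expand_percent_hack(address):
    """Return the address a percent-hack-honouring MTA ends up delivering to.

    Convention: host c delivers 'a%b@c' as 'a@b'; 'a%b%c@d' goes to 'a%b@c'
    at d and then to 'a@b' at c. The loop follows the chain to its end.
    Addresses without '%' in the local part are returned unchanged.
    """
    local, sep, domain = address.rpartition("@")
    if not sep:
        return address
    while "%" in local:
        local, _, domain = local.rpartition("%")
    return f"{local}@{domain}"


def classify_delivery(line, local_domains=LOCAL_DOMAINS):
    """Parse one '=>' delivery line and decide whether it is a percent-hack relay.

    Returns None for lines that are not delivery records, otherwise a dict with
    msgid, received_as, relayed_to, remote and percent_hack_relay. 'received_as'
    is the address Exim accepted at SMTP time (the <original> field when present,
    else the final one). It is a relay if that address carries '%' in its local
    part, has one of our domains, and left over a remote transport.
    """
    m = DELIVERY_RE.match(line)
    if not m:
        return None
    received = m.group("orig") or m.group("final")
    local, _, domain = received.rpartition("@")
    remote = "T=remote_smtp" in m.group("rest").split()
    hack = "%" in local and domain.lower() in local_domains and remote
    return {
        "msgid": m.group("id"),
        "received_as": received,
        "relayed_to": expand_percent_hack(received) if hack else None,
        "remote": remote,
        "percent_hack_relay": hack,
    }


def find_percent_hack_relays(log_lines, local_domains=LOCAL_DOMAINS):
    """Return the classification dicts of every flagged delivery in log_lines."""
    results = (classify_delivery(line, local_domains) for line in log_lines)
    return [r for r in results if r and r["percent_hack_relay"]]


# Sample input: the three mainlog.0 lines from the post (grep prefix stripped)
# plus one constructed, ordinary local delivery that must not be flagged.
SAMPLE_LOG = [
    "2002-07-17 20:50:07 17V0Qg-00019a-00 <= spamtest@mail.acu.edu "
    "H=ordb01.fnidder.dk (localhost.localdomain) [62.79.90.71] P=esmtp S=1025",
    "2002-07-17 20:50:13 17V0Qg-00019a-00 => marvin%marvin.ordb.org@mail.acu.edu "
    "<marvin%marvin.ordb.org@westek.acu.edu> R=smarthost T=remote_smtp "
    "H=nicanor.acu.edu [150.252.135.30]",
    "2002-07-17 20:50:13 17V0Qg-00019a-00 Completed",
    # constructed line, not from the post
    "2002-07-17 21:00:00 17V0Zz-00019b-00 => westk <westk@westek.acu.edu> "
    "D=localuser T=local_delivery",
]

if __name__ == "__main__":
    for hit in find_percent_hack_relays(SAMPLE_LOG):
        print(f"{hit['msgid']}: accepted {hit['received_as']} "
              f"-> relayed to {hit['relayed_to']}")
```

Run against the real mainlog with `grep ' => ' /var/log/exim/mainlog* | sed 's/^[^:]*://'` piped in, and adjust LOCAL_DOMAINS to the host's actual local domains. Note that a domain-literal setting plays no part in this check, which is the point Derrick makes: the address that got through has a plain local domain after the "@".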







--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org