
How to close an open relay (exim3)?



Hello all,

I tested my exim 3 configuration on my workstation ;-) without the 
firewall up, to see whether it is an open relay or not. I'm interested in renting a 
dedicated server in Germany, and therefore in learning how to close such 
an open relay. See an extract of the telnet session I used with 
relay-test.mail-abuse.org: the first 8 tests resulted in relay 
rejection, but the 9th test resulted in this answer:

>   telnet relay-test.mail-abuse.org
>
[...]
>>> rset
<<< 250 Reset OK
:Relay test: #Test 9
>>> mail from: <spamtest@A2469.a.pppool.de>
<<< 250 <spamtest@A2469.a.pppool.de> is syntactically correct
>>> rcpt to: <nobody%mail-abuse.org@[213.6.36.105]>
<<< 250 <nobody%mail-abuse.org@[213.6.36.105]> verified
>>> QUIT
<<< 221 debian closing connection
Tested host banner: 220 debian ESMTP Exim 3.36 #1 Fri, 28 Jan 2005 20:06:42 +0100
System appeared to accept 1 relay attempts
Connection closed by foreign host.

Does "System appeared to accept 1 relay attempts
Connection closed by foreign host." mean that exim rejected the mail 
internally after accepting it for relaying, or is my exim an open 
relay (if the firewall isn't up)?

Another, non-anonymous test, 
http://www.abuse.net/relay.html, 
resulted in the following outcome:

<quote>
Relay test result

 Hmmn, at first glance, host appeared to accept a message for relay.
 THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.

 Some systems appear to accept relay mail, but then reject messages 
internally rather than delivering them, but you cannot tell at this 
point whether the message will be relayed or not.

 If it is really an open relay, the test message will be delivered to 
you. If you do not receive the test message in your e-mail in the next 
few hours, it IS NOT an open relay.
</quote>

But I received the mail :-(, and I'm sure that I had the same 
IP address during the whole test (I'm using a dial-up 
connection).

Here is the header of the mail I received:

<quote>
Return-path: <securitytest@abuse.net>
 Envelope-to: ggrubbish%web.de@[213.6.36.124]
 Received: from localhost
        ([127.0.0.1] helo=amavis ident=amavis)
        by debian with esmtp (Exim 3.36 #1 (Debian))
        id 1Cr12c-0005ia-00
        for <ggrubbish%web.de@[213.6.36.124]>; Tue, 18 Jan 2005 22:37:34 +0100
 Received: from debian ([127.0.0.1])
        by amavis (debian [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
        id 21874-02 for <ggrubbish%web.de@[213.6.36.124]>;
        Tue, 18 Jan 2005 22:37:26 +0100 (CET)
 Received: from www.abuse.net ([208.31.42.77])
        by debian with smtp (Exim 3.36 #1 (Debian))
        id 1Cr12U-0005iO-00
        for <ggrubbish%web.de@[213.6.36.124]>; Tue, 18 Jan 2005 22:37:26 +0100
 To: ggrubbish <at> web.de
 From: securitytest@abuse.net
 Subject: Test for susceptibility of [213.6.36.124] to third-party mail relay
 Date: Tue, 18 Jan 2005 21:37:08 GMT
 Message-Id: <rlytest-1106084228-18357@abuse.net>
 Sender: securitytest@abuse.net
 X-Sender-IP: 213.6.36.124
 X-Envelope: <spamtest@[213.6.36.124]> -> <ggrubbish%web.de@[213.6.36.124]>
 X-Virus-Scanned: by AMaViS (http://amavis.org/)
 X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at workgroup.home
 Status: R
 X-Status: NC
 X-KMail-EncryptionState: 
 X-KMail-SignatureState: 
 X-KMail-MDN-Sent: 
 
This is a test of third-party mail relay, generated via the
Network Abuse Clearinghouse at http://www.abuse.net.

    Target host = 213.6.36.124 A247c.a.pppool.de
    Test performed by <ggrubbish <at> web.de> from 213.6.36.124

A well-configured mail server should NOT relay third-party email.
Otherwise, the server is subject to abuse by vandals and spammers,
and probable blacklisting by recipients of the unwanted third-party
e-mail.

For information on how to secure a mail server against third-party
relay, visit <URL: http://www.mail-abuse.com/support/an_sec3rdparty.html>.
</quote>

I use SMTP Auth.

Here is the first section of my exim.conf:

$  egrep -v '#|^ *$' /etc/exim/exim.conf
qualify_domain = debian.workgroup.home
local_domains = 127.0.0.1:localhost:debian:workgroup.home:debian.workgroup.home
local_domains_include_host = true
local_domains_include_host_literals = true
never_users = root
host_lookup = *
queue_remote_domains = *
headers_check_syntax
rbl_domains = blackholes.mail-abuse.org/reject : \
              dialups.mail-abuse.org/reject : \
              relays.mail-abuse.org/warn : \
              rbl.mail-abuse.org/reject
        rbl_hosts = !192.168.0.0/24:0.0.0.0/0
        recipients_reject_except = postmaster@workgroup.home
host_accept_relay = 127.0.0.1 : ::::1 : 172.16.240.0/24
host_auth_accept_relay = *
trusted_users = mail:uucp:amavis
gecos_pattern = ^([^,:]*)
gecos_name = $1
smtp_accept_queue_per_connection = 100
freeze_tell_mailmaster = true
received_header_text = "Received: \
         ${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
         {${if def:sender_ident {from ${sender_ident} }}\
         ${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
         by ${primary_hostname} \
         ${if def:received_protocol {with ${received_protocol}}} \
         id ${message_id}\
         ${if def:received_for {\n\tfor <$received_for>}}"
receiver_try_verify = true
message_filter = /etc/exim/exim_system_filter.conf
message_body_visible = 5000
message_filter_user = mail
message_filter_group = mail
errmsg_file = /etc/exim/exim_error_message.conf
warnmsg_file = /etc/exim/exim_warn_message.conf
ignore_errmsg_errors_after = 1d
timeout_frozen_after = 4d
accept_8bitmime
smtp_verify
end

I'm not sure if I have to close something else in my configuration, or 
whether it's a false positive.

Thanks in advance

Kind regards

Gerhard Gaußling


PS: I'm sorry for my possibly/probably strange English.
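An added example (my own script, not the poster's code): it reads the header block quoted in the post, lists the Received hops in delivery order, and flags the two features of the envelope recipient that relay probes such as test 9 rely on, the `%` source-routing hack in the local part and a host-literal `[ip]` domain. The header values are copied from the post; the function and variable names are my own.

```python
import re
from email import message_from_string

# Header block taken from the mail quoted in the post (body omitted);
# continuation lines are indented as RFC 2822 header folding requires.
RAW_HEADERS = """Return-path: <securitytest@abuse.net>
Envelope-to: ggrubbish%web.de@[213.6.36.124]
Received: from localhost
    ([127.0.0.1] helo=amavis ident=amavis)
    by debian with esmtp (Exim 3.36 #1 (Debian))
    id 1Cr12c-0005ia-00
    for <ggrubbish%web.de@[213.6.36.124]>; Tue, 18 Jan 2005 22:37:34 +0100
Received: from debian ([127.0.0.1])
    by amavis (debian [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
    id 21874-02 for <ggrubbish%web.de@[213.6.36.124]>;
    Tue, 18 Jan 2005 22:37:26 +0100 (CET)
Received: from www.abuse.net ([208.31.42.77])
    by debian with smtp (Exim 3.36 #1 (Debian))
    id 1Cr12U-0005iO-00
    for <ggrubbish%web.de@[213.6.36.124]>; Tue, 18 Jan 2005 22:37:26 +0100
"""

HOST_LITERAL = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")

def relay_indicators(address):
    """Return the address features an open-relay probe relies on."""
    local, _, domain = address.rpartition("@")
    reasons = []
    if "%" in local:
        reasons.append("percent hack in local part")  # user%real.dom@relay
    if HOST_LITERAL.match(domain):
        reasons.append("host literal domain")  # user@[a.b.c.d]
    return reasons

def received_hops(raw):
    """Parse Received: headers into from/by/for hops, earliest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())  # unfold the header
        hop = {}
        for key, pat in (("from", r"\bfrom\s+(\S+)"), ("by", r"\bby\s+(\S+)"),
                         ("for", r"\bfor\s+<?([^>;\s]+)")):
            m = re.search(pat, text)
            hop[key] = m.group(1) if m else None
        hops.append(hop)
    return hops[::-1]  # topmost Received: header is the most recent hop

def envelope_recipient(raw):
    return message_from_string(raw)["Envelope-to"]
```

The first hop returned is the one that accepted the message from outside (www.abuse.net into the Exim on "debian"); the later hops are only the local amavis round trip.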


