How to close an open relay (exim3)?
Hello all,
I tested my exim 3 configuration on my workstation ;-) without the
firewall up, to see whether it is an open relay or not. I'm interested
in renting a dedicated server in Germany, and therefore want to learn
how to close such an open relay. See an extract of the telnet session
to relay-test.mail-abuse.org: the first 8 tests resulted in relay
rejection, but the 9th test resulted in this answer:
> telnet relay-test.mail-abuse.org
>
[...]
>>> rset
<<< 250 Reset OK
:Relay test: #Test 9
>>> mail from: <spamtest@A2469.a.pppool.de>
<<< 250 <spamtest@A2469.a.pppool.de> is syntactically correct
>>> rcpt to: <nobody%mail-abuse.org@[213.6.36.105]>
<<< 250 <nobody%mail-abuse.org@[213.6.36.105]> verified
>>> QUIT
<<< 221 debian closing connection
Tested host banner: 220 debian ESMTP Exim 3.36 #1 Fri, 28 Jan 2005
20:06:42 +0100
System appeared to accept 1 relay attempts
Connection closed by foreign host.
Does "System appeared to accept 1 relay attempts
Connection closed by foreign host." mean that exim rejected the mail
internally after accepting it for relay, or is my exim an open
relay (if the firewall isn't up)?
Another non-anonymous test
http://www.abuse.net/relay.html
resulted in the following outcome:
<quote>
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.
Some systems appear to accept relay mail, but then reject messages
internally rather than delivering them, but you cannot tell at this
point whether the message will be relayed or not.
If it is really an open relay, the test message will be delivered to
you. If you do not receive the test message in your e-mail in the next
few hours, it IS NOT an open relay.
</quote>
but I received the mail :-(, and I'm sure that I had the same IP
address during the whole test (I'm using a dial-up connection).
Here is the header of the mail I received:
<quote>
Return-path: <securitytest@abuse.net>
Envelope-to: ggrubbish%web.de@[213.6.36.124]
Received: from localhost
([127.0.0.1] helo=amavis ident=amavis)
by debian with esmtp (Exim 3.36 #1 (Debian))
id 1Cr12c-0005ia-00
for <ggrubbish%web.de@[213.6.36.124]>; Tue, 18 Jan 2005 22:37:34
+0100
Received: from debian ([127.0.0.1])
by amavis (debian [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP
id 21874-02 for <ggrubbish%web.de@[213.6.36.124]>;
Tue, 18 Jan 2005 22:37:26 +0100 (CET)
Received: from www.abuse.net ([208.31.42.77])
by debian with smtp (Exim 3.36 #1 (Debian))
id 1Cr12U-0005iO-00
for <ggrubbish%web.de@[213.6.36.124]>; Tue, 18 Jan 2005 22:37:26
+0100
To: ggrubbish <at> web.de
From: securitytest@abuse.net
Subject: Test for susceptibility of [213.6.36.124] to third-party mail
relay
Date: Tue, 18 Jan 2005 21:37:08 GMT
Message-Id: <rlytest-1106084228-18357@abuse.net>
Sender: securitytest@abuse.net
X-Sender-IP: 213.6.36.124
X-Envelope: <spamtest@[213.6.36.124]> ->
<ggrubbish%web.de@[213.6.36.124]>
X-Virus-Scanned: by AMaViS (http://amavis.org/)
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at workgroup.home
Status: R
X-Status: NC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:
This is a test of third-party mail relay, generated via the
Network Abuse Clearinghouse at http://www.abuse.net.
Target host = 213.6.36.124 A247c.a.pppool.de
Test performed by <ggrubbish <at> web.de> from 213.6.36.124
A well-configured mail server should NOT relay third-party email.
Otherwise, the server is subject to abuse by vandals and spammers,
and probable blacklisting by recipients of the unwanted third-party
e-mail.
For information on how to secure a mail server against third-party
relay, visit <URL:
http://www.mail-abuse.com/support/an_sec3rdparty.html>.
</quote>
I use SMTP Auth.
Here is the first section of my exim.conf:
$ egrep -v '#|^ *$' /etc/exim/exim.conf
qualify_domain = debian.workgroup.home
local_domains =
127.0.0.1:localhost:debian:workgroup.home:debian.workgroup.home
local_domains_include_host = true
local_domains_include_host_literals = true
never_users = root
host_lookup = *
queue_remote_domains = *
headers_check_syntax
rbl_domains = blackholes.mail-abuse.org/reject : \
dialups.mail-abuse.org/reject : \
relays.mail-abuse.org/warn : \
rbl.mail-abuse.org/reject
rbl_hosts = !192.168.0.0/24:0.0.0.0/0
recipients_reject_except = postmaster@workgroup.home
host_accept_relay = 127.0.0.1 : ::::1 : 172.16.240.0/24
host_auth_accept_relay = *
trusted_users = mail:uucp:amavis
gecos_pattern = ^([^,:]*)
gecos_name = $1
smtp_accept_queue_per_connection = 100
freeze_tell_mailmaster = true
received_header_text = "Received: \
${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
{${if def:sender_ident {from ${sender_ident} }}\
${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
by ${primary_hostname} \
${if def:received_protocol {with ${received_protocol}}} \
id ${message_id}\
${if def:received_for {\n\tfor <$received_for>}}"
receiver_try_verify = true
message_filter = /etc/exim/exim_system_filter.conf
message_body_visible = 5000
message_filter_user = mail
message_filter_group = mail
errmsg_file = /etc/exim/exim_error_message.conf
warnmsg_file = /etc/exim/exim_warn_message.conf
ignore_errmsg_errors_after = 1d
timeout_frozen_after = 4d
accept_8bitmime
smtp_verify
end
I'm not sure if I have to close something else in my configuration, or
whether it's a false positive.
Thanks in advance
Kind regards
Gerhard Gaußling
PS: I'm sorry for my probably strange English.
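Editor's note, added to the post above and not part of it: the address in test 9, nobody%mail-abuse.org@[213.6.36.105], combines the "percent hack" (user%remote.domain@local.domain) with a host-literal domain, and the posted exim.conf has local_domains_include_host_literals = true and no percent_hack_domains. The following Python is an added example, not Exim's code and not the poster's: it models the RCPT-time decision with the knob names from that config so the quoted probes can be replayed offline. The evaluation order (percent hack unfolded before the relay check), the "first matching entry wins" host-list rule, the interface list 213.6.36.105/127.0.0.1 and the probe set are assumptions; directors and routers, which the posted extract omits, are not modelled.

```python
# Added example (editor's code, not from the post and not Exim's source):
# a model of the RCPT-time relay decision exercised by the quoted tests.
# Knob names follow the posted exim.conf; evaluation order is an assumption.
import ipaddress


def split_list(text):
    """Split an exim colon-separated list. A doubled colon is a literal
    colon, which is how exim lists write IPv6 addresses (::::1 means ::1)."""
    items, cur, i = [], "", 0
    while i < len(text):
        if text[i] == ":" and text[i + 1:i + 2] == ":":
            cur, i = cur + ":", i + 2
        elif text[i] == ":":
            items.append(cur.strip())
            cur, i = "", i + 1
        else:
            cur, i = cur + text[i], i + 1
    items.append(cur.strip())
    return [x for x in items if x]


def host_matches(ip, hostlist):
    """Exim-style host list: '!' negates, '*' matches any host, entries are
    single addresses or CIDR blocks. First matching entry decides (assumption)."""
    addr = ipaddress.ip_address(ip)
    for item in split_list(hostlist):
        negate = item.startswith("!")
        item = item.lstrip("!")
        if item == "*" or addr in ipaddress.ip_network(item, strict=False):
            return not negate
    return False


def domain_matches(domain, domainlist):
    items = [d.lower() for d in split_list(domainlist)]
    return "*" in items or domain.lower() in items


class RelayPolicy:
    def __init__(self, local_domains, host_accept_relay, host_auth_accept_relay="",
                 local_interfaces=(), local_domains_include_host_literals=True,
                 percent_hack_domains=""):
        self.local_domains = local_domains
        self.host_accept_relay = host_accept_relay
        self.host_auth_accept_relay = host_auth_accept_relay
        self.local_interfaces = set(local_interfaces)
        self.literals_local = local_domains_include_host_literals
        self.percent_hack_domains = percent_hack_domains

    def domain_is_local(self, domain):
        if domain.startswith("[") and domain.endswith("]"):
            # [1.2.3.4] counts as local only with the option on and the
            # address being one of our own interfaces (assumption).
            return self.literals_local and domain[1:-1] in self.local_interfaces
        return domain_matches(domain, self.local_domains)

    def rcpt(self, address, client_ip, authenticated=False):
        """Return (smtp_code, verdict, address after any rewriting)."""
        local_part, _, domain = address.rpartition("@")
        # Percent hack: user%remote.example@ours -> user@remote.example, only
        # for domains in percent_hack_domains, applied before the relay check.
        while "%" in local_part and domain_matches(domain, self.percent_hack_domains):
            local_part, _, domain = local_part.rpartition("%")
        address = f"{local_part}@{domain}"
        if self.domain_is_local(domain):
            return 250, "local", address
        if host_matches(client_ip, self.host_accept_relay):
            return 250, "relay (host_accept_relay)", address
        if authenticated and host_matches(client_ip, self.host_auth_accept_relay):
            return 250, "relay (host_auth_accept_relay)", address
        return 550, "relay not permitted", address


# Constructed probes modelled on the quoted tests: tested host 213.6.36.105,
# probing client 208.31.42.77, a LAN client from 172.16.240.0/24.
POSTED = dict(
    local_domains="127.0.0.1:localhost:debian:workgroup.home:debian.workgroup.home",
    host_accept_relay="127.0.0.1 : ::::1 : 172.16.240.0/24",
    host_auth_accept_relay="*",
    local_interfaces=("127.0.0.1", "213.6.36.105"),
)
TEST9 = "nobody%mail-abuse.org@[213.6.36.105]"


def run_probes(policy):
    """Replay a few RCPT probes; returns {label: (code, verdict)}."""
    probes = {
        "plain third party": ("nobody@mail-abuse.org", "208.31.42.77", False),
        "test 9 percent hack": (TEST9, "208.31.42.77", False),
        "lan client": ("nobody@mail-abuse.org", "172.16.240.5", False),
        "smtp auth": ("nobody@mail-abuse.org", "208.31.42.77", True),
    }
    return {k: policy.rcpt(a, ip, au)[:2] for k, (a, ip, au) in probes.items()}


as_posted = RelayPolicy(**POSTED)            # test 9 accepted as "local"
hack_on = RelayPolicy(percent_hack_domains="*", **POSTED)   # unfolded, then refused
literals_off = RelayPolicy(local_domains_include_host_literals=False, **POSTED)

if __name__ == "__main__":
    for name, pol in (("as posted", as_posted), ("percent hack on", hack_on),
                      ("host literals not local", literals_off)):
        print(name, run_probes(pol))
```

In this model the posted options accept the test-9 recipient at RCPT time only because its domain is a host literal that the server regards as its own; the local part nobody%mail-abuse.org is then handed to local delivery, and whether it ends up relayed depends on the directors and routers, which the extract above does not show. Either unfolding the percent hack before the relay check (so the target is judged as nobody@mail-abuse.org and refused like any other third-party address) or turning off local_domains_include_host_literals makes the probe fail at RCPT. The abuse.net caveat still holds in the other direction: a 250 at RCPT is not proof of relay, only receipt of the test message is.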