
Re: How to close an open relay (exim3)?

Hello Mike,

thank you for your answer.

On Saturday 29 January 2005 18:01, Miquel van Smoorenburg wrote:
> In article <200501291350.49925.ggrubbish@web.de>,
>
> gerhard  <ggrubbish@web.de> wrote:
> >:Relay test: #Test 9
> > [...]
> ><<< 250 <nobody%mail-abuse.org@[213.6.36.105]> verified
> >
> >>>> QUIT
> >
> ><<< 221 debian closing connection
> >Tested host banner: 220 debian ESMTP Exim 3.36 #1 Fri, 28 Jan 2005
> >20:06:42 +0100
> >System appeared to accept 1 relay attempts
> >Connection closed by foreign host.
> >
> >does "System appeared to accept 1 relay attempts
> >Connection closed by foreign host." mean that exim rejected the
> > mail internally after accepting it for relaying, or is my exim an
> > open relay (if the firewall isn't up)?
>
> The former. The standard exim assumes "nobody%mail-abuse.org" is
> a so-called "local part" and the validity of local-parts is not
> tested at SMTP time with the default Debian config (which I
> think is the wrong default, but hey).
>
> Add this to the "main" part (first part) of you exim.conf file:
>
>         # Verify addresses in the SMTP stage
>         receiver_try_verify = true

  exim -bh 213.6.36.137
LOG: Exim configuration error
  "receiver_try_verify" option set for the second time in line 205

 grep -n receiver_try_verify /etc/exim/exim.conf
126:  receiver_try_verify = true
205:receiver_try_verify = true

So, I assume that I already used that option before.

> Restart exim, and test again. 

That's another strange behaviour of /etc/init.d/exim on my box: it
doesn't behave as expected. If I run it without arguments, no help
text appears. If I restart it, exim cannot be found with ps axu |
grep exim, and no notice is shown.

I use exim/testing, up to date (3.36-13), and the start script is the same as in
the package (untouched). I use amavisd-new as transport:
amavisd-new/testing, up to date (20030616p10-5).

> However the test may still 
> succeed if exim decides ggrubbish%web.de is actually
> a valid local address (as it seems to do based on the
> next test, below). No reason to panic.

Ok, I try to stay calm ;-)

> Well, you're not an open relay, your system simply accepted the
> message. Something in your local configuration (perhaps
> rewrite rules) makes exim decide that ggrubbish%web.de@[213.6.36.124]
> is a local address, to be delivered locally to ggrubbish.
>
> >Here is the header of the mail I received:
> >
> ><quote>
> >Return-path: <securitytest@abuse.net>
> > Envelope-to: ggrubbish%web.de@[213.6.36.124]
> > Received: from localhost
> > [...]
> >        for <ggrubbish%web.de@[213.6.36.124]>; Tue, 18 Jan 2005
> > 22:37:26
>
> Yup, not a relay (it's not getting sent _out_ again).
>
> Mike.

Thank you for pointing that out. Now I feel a bit more comfortable.

But there's another thing that appeared this afternoon while retesting 
the situation:

# exim -bh 172.181.203.112

**** SMTP testing session as if from host 172.181.203.112
**** Not for real!

>>> host in host_lookup? yes (*)
>>> looking up host name for 172.181.203.112
>>> IP address lookup yielded acb5cb70.ipt.aol.com
>>> host in host_reject? no (option unset)
>>> host in host_reject_recipients? no (option unset)
>>> host in rbl_hosts? yes (0.0.0.0/0)
>>> checking RBL domain blackholes.mail-abuse.org/reject
>>> RBL lookup for 112.203.181.172.blackholes.mail-abuse.org failed
>>> => that means it's not black listed at blackholes.mail-abuse.org
>>> checking RBL domain dialups.mail-abuse.org/reject
>>> RBL lookup for 112.203.181.172.dialups.mail-abuse.org failed
>>> => that means it's not black listed at dialups.mail-abuse.org
>>> checking RBL domain relays.mail-abuse.org/warn
>>> RBL lookup for 112.203.181.172.relays.mail-abuse.org failed
>>> => that means it's not black listed at relays.mail-abuse.org
>>> checking RBL domain rbl.mail-abuse.org/reject
>>> RBL lookup for 112.203.181.172.rbl.mail-abuse.org failed
>>> => that means it's not black listed at rbl.mail-abuse.org
>>> host in auth_hosts? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in receiver_unqualified_hosts? no (option unset)
>>> host in helo_verify? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 debian ESMTP Exim 3.36 #1 Sat, 29 Jan 2005 14:10:09 +0100
mail from: <spamtest@acb5cb70.ipt.aol.com>
>>> spamtest@acb5cb70.ipt.aol.com in sender_reject? no (option unset)
>>> spamtest@acb5cb70.ipt.aol.com in sender_reject_recipients? no 
(option unset)
250 <spamtest@acb5cb70.ipt.aol.com> is syntactically correct
rcpt to:<nobody%mail-abuse.org@[172.181.203.112]>
>>> [172.181.203.112] in local_domains? yes (matched [172.181.203.112])
>>> host in receiver_verify_hosts? yes (*)
>>> [172.181.203.112] in local_domains? yes (matched [172.181.203.112])
>>> [172.181.203.112] in percent_hack_domains? no (end of list)
>>> debian.workgroup.home in local_domains? yes (matched 
debian.workgroup.home)
>>> debian.workgroup.home in percent_hack_domains? no (end of list)
>>> debian.workgroup.home in local_domains? yes (matched 
debian.workgroup.home)
>>> debian.workgroup.home in percent_hack_domains? no (end of list)
250 <nobody%mail-abuse.org@[172.181.203.112]> verified
[waits for something, a command I don't know (I'm not that good at SMTP);
I tried ENTER]
500 Unrecognized command

I don't know how to close the session, but anyway:

The behaviour of exim seemed strange to me while I had a dial-up
connection to CompuServe/AOL.
CompuServe/AOL has an IP range from 172.128.0.0 to 172.191.255.255
according to the whois database.
My local net has the range 172.16.0.0/24, which is right according to RFC
1918 http://www.netzmafia.de/rfc/rfc/rfc1918.txt .

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

Extract from the 1st section of my exim.conf:

        rbl_hosts = !192.168.0.0/24:0.0.0.0/0
|---------------------------^^^^ ok, should be 172.16.0.0/24, but
because of that it's even stranger that AOL IPs match.
        recipients_reject_except = postmaster@workgroup.home
        host_accept_relay = 127.0.0.1 : ::::1 : 172.16.240.0/24
|-----------------------------------------------------------^^^ here you
can see the explicit 172.16.240.0/24 and not the AOL address range
172.128.0.0 - 172.191.255.255

Sorry, I don't understand that...

Thanks in advance

Kind regards

Gerhard Gaußling
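An added example (not code from this thread or from Exim itself) that models how Exim 3 evaluates the two host lists quoted above and the "percent hack" that the -bh trace checks: the list strings are copied from the mail, the IPs and domains come from the trace, and the LOCAL_DOMAINS set and the function names are assumptions made for the illustration.

```python
import ipaddress

# Lists copied from the mail. Exim 3 separates host-list entries with ":",
# so an IPv6 address has its colons doubled ("::::1" means ::1), and a
# leading "!" negates an entry.
RBL_HOSTS = "!192.168.0.0/24:0.0.0.0/0"
HOST_ACCEPT_RELAY = "127.0.0.1 : ::::1 : 172.16.240.0/24"
# Domains the -bh trace reported as matching local_domains (constructed set).
LOCAL_DOMAINS = {"[172.181.203.112]", "debian.workgroup.home"}


def parse_host_list(spec):
    """Split an Exim 3 host list into (negated, network) pairs."""
    entries = []
    for item in spec.replace("::", "\0").split(":"):
        item = item.strip().replace("\0", ":")
        if item:
            net = ipaddress.ip_network(item.lstrip("!"), strict=False)
            entries.append((item.startswith("!"), net))
    return entries


def host_in_list(ip, spec):
    """First matching entry decides; a match on a '!' entry means 'no'."""
    addr = ipaddress.ip_address(ip)
    for negated, net in parse_host_list(spec):
        if addr.version == net.version and addr in net:
            return not negated
    return False


def route_recipient(address, local_domains, percent_hack_domains):
    """Return (effective address, 'local' or 'relay') for an RCPT TO address.
    A '%' in the local part only becomes '@' (the percent hack) when the
    domain is in percent_hack_domains; otherwise it is an ordinary local
    part and nothing leaves the machine."""
    local_part, domain = address.rsplit("@", 1)
    if domain not in local_domains:
        return address, "relay"          # would need host_accept_relay
    if "%" in local_part and domain in percent_hack_domains:
        user, new_domain = local_part.rsplit("%", 1)
        return route_recipient(f"{user}@{new_domain}", local_domains,
                               percent_hack_domains)
    return address, "local"


if __name__ == "__main__":
    probe = "nobody%mail-abuse.org@[172.181.203.112]"
    print(host_in_list("172.181.203.112", HOST_ACCEPT_RELAY))   # False
    print(host_in_list("172.181.203.112", "172.16.0.0/12"))     # False
    print(route_recipient(probe, LOCAL_DOMAINS, set()))          # local
    print(route_recipient(probe, LOCAL_DOMAINS, {"[172.181.203.112]"}))
```

The AOL address matches rbl_hosts only through the catch-all 0.0.0.0/0 entry and is outside both 172.16.240.0/24 and the RFC 1918 172.16/12 block; the recipient is "verified" because its domain is the host's own IP literal, and with percent_hack_domains unset the address stays local, whereas listing that domain there would turn it into a relay to mail-abuse.org.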
