I think there may be an open relay on my server. I am not an expert at this, but people are getting spammed through my server.
Is there a way to secure this open relay through WHM?
cPanel by default does not set the machine as an open relay, so it's more likely you have a user who is running a script that is sending emails out and spamming. This wouldn't indicate the machine is an open relay (open relay would mean anyone can send anything through your machine for their emails).
You can test if your machine is an open relay at this location:
Mail relay testing
They have a comprehensive check. You would need to test with a non-anonymous account there to get a valid check.
cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
-- Tristan, Forums Technical Analyst, cPanel Tech Support
Submit a ticket | Check an existing ticket
This is what I got. I am concerned also about the last statement "Could not reset connection, test failed.".
Mail relay testing
Connecting to 72.249.1.226 for anonymous test ...
<<< 220-at.mysite.net ESMTP Exim 4.69 #1 Thu, 28 Oct 2010 16:33:59 -0400
<<< 220-We do not authorize the use of this system to transport unsolicited,
<<< 220 and/or bulk e-mail.
>>> HELO abuse.net
<<< 250 at.mysite.net Hello verify.abuse.net [64.57.183.77]
Relay test 1
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 OK
>>> RCPT TO:<securitytest@abuse.net>
<<< 550-"JunkMail rejected - verify.abuse.net (abuse.net) [64.57.183.77] is in
<<< 550 an RBL, see http://www.spamhaus.org/query/bl?ip=64.57.183.77"
Relay test 2
>>> RSET
<<<
Relay test result
Could not reset connection, test failed.
First of all, I indicated an anonymous account should not be used to get an accurate test. Second, you want the connection to fail to relay, since this indicates the machine isn't an open relay.
-- Tristan, Forums Technical Analyst, cPanel Tech Support
That was my fault. I was in too much of a hurry. I missed filling in my email address and it went as anonymous.
I also restarted my mail server and POP3 server. So far I am no longer getting mail building up in my queue.
I will keep my fingers crossed.
I followed up on checking to see if I had an open relay, and here are my results.
It does a check like this for 18 attempts, and then the final message that displays says this:
"All tested completed! Relays accepted by remote host."
Does this mean I have an open relay?
Here is a sample of the first attempt:
Method 0]
<<< 220-at.mysite.net ESMTP Exim 4.69 #1 Fri, 29 Oct 2010 00:14:52 -0400
>>> HELO mailradar.com
<<< 220-We do not authorize the use of this system to transport unsolicited,
>>> MAIL FROM: <antispam@mailradar.com>
<<< 220 and/or bulk e-mail.
>>> RCPT TO: <relaytest@mailradar.com>
<<< 250 at.mysite.net Hello node6.gecad.com [193.230.245.6]
>>> QUIT
<<< 250 OK
<<< 550-node6.gecad.com (mailradar.com) [193.230.245.6] is currently not permitted
<<< 550-to relay through this server. Perhaps you have not logged into the pop/imap
<<< 550-server in the last 30 minutes or do not have SMTP Authentication turned on
<<< 550 in your email client.
<<< 221 at.mysite.net closing connection
[TEST NOT PASSED]
Seems like the post above clearly shows that his cPanel server acts as an open relayer. How can we prevent this?
And is there any way to prevent PHP/script users from sending spam? Since, in my observation, cPanel servers act as an open relayer when you connect via localhost (that is what the PHP script spammer does all the time on my server, sending spam via SMTP). Take a look at this example (example.org and yahoo.com are NOT on the server):
Activating RBL won't help in this localhost problem, and adding 127.0.0.0/8 as a blacklisted IP doesn't help.
Code:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220-server42520x.masterweb.net ESMTP Exim 4.69 #1 Tue, 01 Feb 2011 04:35:23 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
helo localhost
250 server42520x.masterweb.net Hello localhost.localdomain [127.0.0.1]
mail from: <relay@example.org>
250 OK
rcpt to: <testes@yahoo.com>
250 Accepted
quit
221 server42520x.masterweb.net closing connection
Connection closed by foreign host.
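The relay checks quoted in this thread (abuse.net, mailradar, and the telnet-to-localhost transcript above) all do the same thing: send a MAIL FROM and a RCPT TO whose domains the server is not responsible for, and read the reply code to RCPT TO. A 250 there means the server agreed to relay; a 550 means it refused. The script below is an added example, not code from this thread or from cPanel. It drives that exchange over a pluggable transport, handles multi-line replies and the "server went away on RSET" case seen in the first abuse.net run, and ships with a constructed FakeExim that replays the responses quoted in the posts so it can be exercised offline. The host names, addresses (probe.example, example.org/example.net, 192.0.2.10) and class names are assumptions chosen for the example.

```python
"""SMTP open-relay probe in the style of the abuse.net / mailradar tests.

Added example for this thread, not cPanel code. FakeExim and every
address in it are constructed; TcpTransport is only used when you run
the script against a real host.
"""
import socket
from typing import List, Protocol, Tuple


class Transport(Protocol):
    def sendline(self, line: str) -> None: ...
    def readline(self) -> str: ...  # must return "" once the peer has closed


class TcpTransport:
    """Line-oriented wrapper around a real port-25 connection (network only)."""

    def __init__(self, host: str, port: int = 25, timeout: float = 15.0) -> None:
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="latin-1", newline="\r\n")

    def sendline(self, line: str) -> None:
        self.sock.sendall((line + "\r\n").encode("latin-1"))

    def readline(self) -> str:
        return self.rfile.readline()

    def close(self) -> None:
        self.sock.close()


class FakeExim:
    """Constructed stand-in for the Exim 4.69 servers quoted in the thread.

    allow_relay=True  -> RCPT TO gets "250 Accepted" (the telnet-to-localhost case)
    allow_relay=False -> RCPT TO gets the 550 "not permitted to relay" text
    drop_on_rset=True -> the server goes away after the first test, as in the
                         abuse.net run that ended "Could not reset connection"
    """

    def __init__(self, allow_relay: bool, drop_on_rset: bool = False) -> None:
        self.allow_relay = allow_relay
        self.drop_on_rset = drop_on_rset
        self.sent: List[str] = []
        self.out: List[str] = [
            "220-at.mysite.net ESMTP Exim 4.69",
            "220-We do not authorize the use of this system to transport unsolicited,",
            "220 and/or bulk e-mail.",
        ]

    def sendline(self, line: str) -> None:
        self.sent.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.out.append("250 at.mysite.net Hello " + arg)
        elif verb == "MAIL":
            self.out.append("250 OK")
        elif verb == "RCPT" and self.allow_relay:
            self.out.append("250 Accepted")
        elif verb == "RCPT":
            self.out += [
                "550-probe.example [192.0.2.10] is currently not permitted",
                "550-to relay through this server. Perhaps you have not logged into the pop/imap",
                "550 server in the last 30 minutes or do not have SMTP Authentication turned on",
            ]
        elif verb == "RSET" and not self.drop_on_rset:
            self.out.append("250 Reset OK")
        elif verb == "QUIT":
            self.out.append("221 at.mysite.net closing connection")
        # RSET with drop_on_rset queues nothing, so readline() then reports EOF

    def readline(self) -> str:
        return self.out.pop(0) + "\r\n" if self.out else ""


def read_reply(t: Transport) -> Tuple[int, List[str]]:
    """Collect one SMTP reply, following "NNN-" continuation lines.
    Returns code 0 if the peer hung up before a terminating "NNN " line."""
    lines: List[str] = []
    while True:
        raw = t.readline()
        if raw == "":
            return 0, lines
        line = raw.rstrip("\r\n")
        lines.append(line)
        if len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] == " "):
            return int(line[:3]), lines


def relay_probe(t: Transport, helo: str = "probe.example",
                sender: str = "spamtest@example.org",
                rcpt: str = "securitytest@example.net") -> str:
    """Sender and recipient are both foreign to the target, so a 250 to RCPT TO
    means the server is relaying for us. Verdicts: RELAYED, REJECTED, UNDECIDED."""
    code, _ = read_reply(t)
    if code != 220:
        return "error: no banner (code %d)" % code
    for cmd in ("HELO " + helo, "MAIL FROM:<%s>" % sender):
        t.sendline(cmd)
        code, _ = read_reply(t)
        if code != 250:
            return "error: %s got %d" % (cmd.split()[0], code)
    t.sendline("RCPT TO:<%s>" % rcpt)
    code, _ = read_reply(t)
    if code == 0:
        return "error: connection closed during RCPT"
    verdict = "RELAYED" if code == 250 else "REJECTED" if 500 <= code <= 599 else "UNDECIDED(%d)" % code
    t.sendline("RSET")
    if read_reply(t)[0] == 0:          # the abuse.net "test failed" situation
        return verdict + " (connection dropped on RSET)"
    t.sendline("QUIT")
    read_reply(t)
    return verdict


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    tcp = TcpTransport(host)
    try:
        print(host, "->", relay_probe(tcp))
    finally:
        tcp.close()
```

Run it with no argument from a shell on the box and it reproduces the telnet test against 127.0.0.1; run it from an outside host against the public IP and it reproduces the abuse.net/mailradar check. Two caveats the thread itself raises: a probe from an address that recently authenticated to POP3/IMAP will show RELAYED because antirelayd has whitelisted it, so probe from a clean IP; and a script that calls the local sendmail binary or PHP's mail() never touches port 25 at all, so a REJECTED here says nothing about that path.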
Oops, my bad. attroll's server is fine and is not an open relayer, apologies. Mine is.
Hello,
No, the above post doesn't show it acts as an open relay:
TEST NOT PASSED means it isn't an open relay, not to mention the part I put in bold that also indicates it isn't an open relay.
<<< 550-node6.gecad.com (mailradar.com) [193.230.245.6] is currently not permitted
<<< 550-to relay through this server. Perhaps you have not logged into the pop/imap
<<< 550-server in the last 30 minutes or do not have SMTP Authentication turned on
<<< 550 in your email client.
<<< 221 at.mysite.net closing connection
[TEST NOT PASSED]
If the final test indicated otherwise, we would have to see the actual final test. Every time someone has indicated the server is an open relay, tests on that machine have shown the account was POP3 authenticating before trying to use SMTP, which then allows that user to send out emails (because of antirelayd using POP3 before SMTP authentication, which is authenticating). Any time that the account did not use POP3 to authenticate, it failed to allow SMTP to send out.
If you feel you are an open relay despite all the actual text in the messages provided in this thread that show the prior user was not passing the relay tests and the part bolded stating the account wasn't permitted to relay, please feel free to open a ticket using WHM > Support Center > Contact cPanel or via the link in my signature so we can test your machine. The only way it could be relaying openly is if the default cPanel settings were changed to allow an open relay.
Thank you.
Edit: I see that a post was made at the same time as mine about the prior user not being an open relay. Correct, and if you believe you are still, please feel free to open a ticket for us to investigate it.
-- Tristan, Forums Technical Analyst, cPanel Tech Support
I'll think about sending a support ticket. For now, I need to know where to look for, at least, turn off open relay from localhost.
Thank you.
Hmm, no comment from cPanel guys? I guess this means that cPanel makes the server open relay by default.
No reply is because I was unable to troubleshoot your issue via the forum and, so, had no comments I could make otherwise, since we do not have sufficient details to do so. We need to see how the commands are being run and the machine's settings, which would need to be done by logging into it. As it stands, we aren't allowed to log into machines from forum requests. They have to be ticket requests.
If you would like to submit a ticket as requested, which takes about 5 minutes and is free to do, we'd be happy to see what's happening.
-- Tristan, Forums Technical Analyst, cPanel Tech Support
Actually, for localhost (not remote connections), it does default allow relay upon looking at this line in the /etc/exim.conf file:
Code:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
                       localhost
How precisely could you get to localhost without already having authenticated to the machine? Would you be able to explain why you feel this needs to be turned off?
-- Tristan, Forums Technical Analyst, cPanel Tech Support
Quote:
No reply is because I was unable to troubleshoot your issue via the forum and, so, had no comments I could make otherwise, since we do not have sufficient details to do so. We need to see how the commands are being run and the machine's settings, which would need to be done by logging into it. As it stands, we aren't allowed to log into machines from forum requests. They have to be ticket requests.
For directing into some Exim configs, I think shell access is unneeded. I'll gladly excerpt the needed part, if you ask me.
And for the bolded part, does that also apply to these questions:
https://forums.cpanel.net/f43/restri...ns-174841.html
https://forums.cpanel.net/f5/user-ad...tml#post714631
Quote:
Actually, for localhost (not remote connections), it does default allow relay upon looking at this line in the /etc/exim.conf file:
Code:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
                       localhost
That's very nice information. So, what I need to stop the server from being an open relayer from localhost is just to remove the "localhost" line, correct?
Quote:
How precisely could you get to localhost without already having authenticated to the machine?
This is my server, I'm the administrator. I can SSH into it.
Quote:
Would you be able to explain why you feel this needs to be turned off?
Why I feel the need for this? Some (exploited) users on the server have CGI/PHP scripts which send spam emails via the SMTP (relay) service (as mentioned in an earlier post). Since the scripts are already inside the server, the scripts only need to do something like "telnet localhost 25" and send email from an arbitrary envelope sender to an arbitrary recipient. And they do that without SMTP authentication. That is why I want to strip this capability, to prevent Exim relay spam from this kind of source.
Thank you for the reply.
If you remove localhost from that relay_hosts line, it should then cease allowing relaying from localhost. This will likely break scripts that send emails (you want them to authenticate anyway, so you'll be forcing SMTP authentication methods) and possibly impact webmail from working, but if that's the step you wish to pursue, then it is your server and certainly it is your choice.
I'm uncertain if sendmail might bypass this setting, as it doesn't send using the same mechanisms as Exim. You may wish to remove sendmail as well on the machine if you want to prevent scripts from bypassing Exim settings.
-- Tristan, Forums Technical Analyst, cPanel Tech Support