
Demo Accounts & Spam Open Relay

Discussion in 'General Discussion' started by qkslvr, Mar 22, 2004.

  1. qkslvr

    qkslvr Member

    Hello All,

    This seems like a pretty obvious problem to me, but it hasn't been corrected yet. Can someone tell me why DEMO accounts have the ability to send any email at all?! I think someone needs to add the ability to easily remove authentication for exim so that demo accounts can't be used as open relays. I believe that this has been a real problem for some time. Obviously it's not as bad as true open relays, but all one has to do is go down the list of cpanel hosts that offer demos, and bang....

    Anyways, we'd like to offer the cpanel demo again if this problem could be addressed.
     
  2. chirpy

    chirpy Well-Known Member

    If you want it fixing, you'd be better off logging a Bug Report with cPanel.
     
  3. casey

    casey Well-Known Member

    If that's the only thing you're worried about, you could try cpaneldemos.com (I'm not affiliated in any way). They will host your demo for you. I am using their service and am very satisfied.
    I have mine set up as demo.mydomain.com.
     
  4. cPDan

    cPDan cPanel Staff
    Staff Member

    Some things you can do are:
    Assuming an account name of 'demo':

    1) Set the email accounts it can create to 0 so that only the system user is able to send mail.

    2) Disable that system user from sending mail by doing this:

    In /etc/exim.pl in the checkuserpass function add this line after the $user is modified:
    Code:
       $user =~ s/\%/@/g;
       $user = 'GoAwayLuser' if $user eq 'demo';
    
    I.e., it should look like this:
    Code:
    sub checkuserpass {
       my($user,$pass,$shift) = @_;
       my($domain);
       my($owner,$homedir,$uid,$gid);
       if ($user eq "" || ($user eq $pass && length($shift)>0)) { #netscape sucks!
          $user = $pass;
          $pass = $shift;
       }
             
       $user =~ s/\%/@/g;
       $user = 'GoAwayLuser' if $user eq 'demo';
    ...
    
    This may not be 100% effective as there are still PHP scripts running as nobody that they could use, so it'd be good to tighten down your PHP install as well.
     
  5. chadi

    chadi BANNED

    I'm trying to set up this method but I can't find the right line you're referring to:

    sub checkuserpass {
       my($user,$pass,$shift) = @_;
       my($domain);
       my($owner,$homedir,$uid,$gid);
       if ($user eq "" || ($user eq $pass && length($shift)>0)) { #netscape sucks!
          $user = $pass;
          $pass = $shift;
       }

       $user =~ s/\%/\@/g;

       if ($user =~ /\@/) {
          ($user,$domain) = split(/\@/,$user);
          if ($domain eq "") {
             return "no";
          }
          $owner = getdomainowner($domain);
          if ($owner eq "") {
             return "no";
          }
          $homedir = gethomedir($owner);
          if ($homedir eq "" || $homedir eq "/") {
             return "no";
          }
          (undef,undef,$uid,$gid) = getpwnam($owner);
       } else {
          (undef,undef,$uid,$gid) = getpwnam($user);
       }
       if (checkpass($user,$pass,$homedir,$domain)) {
          return "yes";
       } else {
          return "no";
       }
    }

    --

    Which line is it?
     
  6. chadi

    chadi BANNED

    I'm sorry... realized it's the very end... question though... for the lines

    $user =~ s/\%/@/g;
    $user = 'GoAwayLuser' if $user eq 'demo';

    is "s/\%/@/g;" where I would put the actual username? Second line: "GoAwayLuser" would I replace that with something else?
     
  7. cPDan

    cPDan cPanel Staff
    Staff Member

    Right after that line. Reread the post carefully.
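
As an added example (not part of the thread and not cPanel's code), this shell function checks that a copy of exim.pl has the guard from cPDan's post inside checkuserpass, placed after the `$user` rewrite and before the call to `checkpass`. The function name, the status words and the sample file are constructed for illustration, and it assumes the guard is written on one line as in the post.

```shell
#!/bin/sh
# Added example (not cPanel code): report whether an exim.pl-style file has the
# demo guard inside checkuserpass, after the %-to-@ rewrite and before checkpass().
# Usage: demo_guard_status FILE [ACCOUNT]      (ACCOUNT defaults to "demo")
# Prints one of: guarded | missing | misplaced | no-function
demo_guard_status() {
    awk -v acct="${2:-demo}" '
    BEGIN {
        q = "[\"\047]"      # either Perl quote character
        # Rewrite line; the thread shows both the @ and the \@ spelling.
        rewrite = "\\$user[ \t]*=~[ \t]*s/.?%/.?@/g"
        # Guard line: $user = <quoted name> if $user eq <quoted acct>;
        guard = "\\$user[ \t]*=[ \t]*" q "[^\"\047]*" q
        guard = guard "[ \t]+if[ \t]+\\$user[ \t]+eq[ \t]+" q acct q "[ \t]*;"
    }
    /^[ \t]*sub[ \t]+checkuserpass[ \t]*[{]/ { in_sub = 1; found = 1; next }
    in_sub && /^[ \t]*sub[ \t]+[A-Za-z_]/    { in_sub = 0 }   # next sub ends the body
    !in_sub || /^[ \t]*#/                    { next }         # other subs, comment lines
    $0 ~ rewrite && !rw                      { rw = NR }
    $0 ~ guard && !gd                        { gd = NR }
    /checkpass[ \t]*[(]/ && !cp              { cp = NR }
    END {
        if (!found) print "no-function"
        else if (!gd) print "missing"
        else if (rw && gd > rw && (!cp || gd < cp)) print "guarded"
        else print "misplaced"
    }' "$1"
}

# Constructed sample: a shortened checkuserpass with the guard in place.
sample=$(mktemp)
cat > "$sample" <<'EOF'
sub checkuserpass {
   my($user,$pass,$shift) = @_;
   $user =~ s/\%/\@/g;
   $user = 'GoAwayLuser' if $user eq 'demo';
   if (checkpass($user,$pass,$homedir,$domain)) {
      return "yes";
   }
   return "no";
}
EOF
demo_guard_status "$sample"          # prints: guarded
demo_guard_status "$sample" trial    # prints: missing
rm -f "$sample"
```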
     