attroll

Member
Feb 28, 2004
Maine
I think there may be an open relay on my server. I am not an expert at this, but people are getting spammed through my server.

Is there a way to secure this open relay through WHM?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
somewhere over the rainbow
cPanel Access Level
Root Administrator
cPanel by default does not set the machine as an open relay, so it's more likely you have a user who is running a script that is sending emails out and spamming. This wouldn't indicate the machine is an open relay (open relay would mean anyone can send anything through your machine for their emails).

You can test if your machine is an open relay at this location:

Mail relay testing

They have a comprehensive check. You would need to test with a non-anonymous account there to get a valid check.
 

attroll

This is what I got. I am concerned also about the last statement "Could not reset connection, test failed.".

Mail relay testing
Connecting to 72.249.1.226 for anonymous test ...

<<< 220-at.mysite.net ESMTP Exim 4.69 #1 Thu, 28 Oct 2010 16:33:59 -0400
<<< 220-We do not authorize the use of this system to transport unsolicited,
<<< 220 and/or bulk e-mail.
>>> HELO Abuse.net: Home Page
<<< 250 at.mysite.net Hello verify.abuse.net [64.57.183.77]
Relay test 1
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<[email protected]>
<<< 250 OK
>>> RCPT TO:<[email protected]>
<<< 550-"JunkMail rejected - verify.abuse.net (Abuse.net: Home Page) [64.57.183.77] is in
<<< 550 an RBL, see http://www.spamhaus.org/query/bl?ip=64.57.183.77"
Relay test 2
>>> RSET
<<<
Relay test result
Could not reset connection, test failed.
 

cPanelTristan

First of all, I indicated an anonymous account should not be used to get an accurate test. Second, you want the connection to fail to relay, since this indicates the machine isn't an open relay.
 

attroll

That was my fault. I was in too much of a hurry. I missed filling in my email address and it went as anonymous.

I also restarted my mail server and POP3 server. So far I am no longer getting mail building up in my queue.

I will keep my fingers crossed.
 

attroll

I followed up on checking to see if I had an open relay and here are my results.

It does a check like this for 18 attempts, and then the final message that displays says this:
"All tested completed! Relays accepted by remote host."
Does this mean I have an open relay?

Here is a sample of the first attempt:

[Method 0]
<<< 220-at.mysite.net ESMTP Exim 4.69 #1 Fri, 29 Oct 2010 00:14:52 -0400
>>> HELO mailradar.com
<<< 220-We do not authorize the use of this system to transport unsolicited,
>>> MAIL FROM: <[email protected]>
<<< 220 and/or bulk e-mail.
>>> RCPT TO: <[email protected]>
<<< 250 at.mysite.net Hello node6.gecad.com [193.230.245.6]
>>> QUIT
<<< 250 OK
<<< 550-node6.gecad.com (mailradar.com) [193.230.245.6] is currently not permitted
<<< 550-to relay through this server. Perhaps you have not logged into the pop/imap
<<< 550-server in the last 30 minutes or do not have SMTP Authentication turned on
<<< 550 in your email client.
<<< 221 at.mysite.net closing connection
[TEST NOT PASSED]
 

ReiJu

Well-Known Member
Mar 14, 2008
Seems like the post above clearly shows that his cPanel server acts as an open relayer. How can we prevent this?

And is there any way to prevent PHP/script users from sending spam? Since, in my observation, cPanel servers act as an open relayer when you connect via localhost (that is what the PHP-script spammer does all the time on my server, sending spam via SMTP). Take a look at this example (example.org and yahoo.com are NOT on the server):

Code:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220-server42520x.masterweb.net ESMTP Exim 4.69 #1 Tue, 01 Feb 2011 04:35:23 +0000 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.
helo localhost
250 server42520x.masterweb.net Hello localhost.localdomain [127.0.0.1]
mail from: <[email protected]>
250 OK
rcpt to: <[email protected]>
250 Accepted
quit
221 server42520x.masterweb.net closing connection
Connection closed by foreign host.
Activating RBLs won't help with this localhost problem, and adding 127.0.0.0/8 as a blacklisted IP doesn't help either.
 

ReiJu

Oops, my bad, attroll's server is fine and is not an open relayer, apologies. Mine is.
 

cPanelTristan

Hello,

No, the above post doesn't show it acts as an open relay:

<<< 550-node6.gecad.com (mailradar.com) [193.230.245.6] is currently not permitted
<<< 550-to relay through this server. Perhaps you have not logged into the pop/imap
<<< 550-server in the last 30 minutes or do not have SMTP Authentication turned on
<<< 550 in your email client.
<<< 221 at.mysite.net closing connection
[TEST NOT PASSED]

TEST NOT PASSED means it isn't an open relay, not to mention the part I put in bold that also indicates it isn't an open relay.

If the final test indicated otherwise, we would have to see the actual final test. Every time someone has indicated the server is an open relay, tests on that machine have shown the account was POP3 authenticating before trying to use SMTP, which then allows that user to send out emails (because of antirelayd using POP3 before SMTP authentication, which is authenticating). Any time that the account did not use POP3 to authenticate, it failed to allow SMTP to send out.

If you feel you are an open relay despite all the actual text in the messages provided in this thread that show the prior user was not passing the relay tests and the part bolded stating the account wasn't permitted to relay, please feel free to open a ticket using WHM > Support Center > Contact cPanel or via the link in my signature so we can test your machine. The only way it could be relaying openly is if the default cPanel settings were changed to allow an open relay.

Thank you.

Edit: I see that a post was made at the same time as mine about the prior user not being an open relay. Correct, and if you believe you are still, please feel free to open a ticket for us to investigate it.
 

ReiJu

I'll think about sending a support ticket. For now, I need to know where to look to, at least, turn off open relay from localhost.

Thank you.
 

ReiJu

Hmm, no comment from cPanel guys? I guess this means that cPanel makes the server open relay by default.
 

cPanelTristan

No reply is because I was unable to troubleshoot your issue via the forum and, so, had no comments I could make otherwise, since we do not have sufficient details to do so. We need to see how the commands are being run and the machine's settings, which would need to be done by logging into it. As it stands, we aren't allowed to log into machines from forum requests. They have to be ticket requests.

If you would like to submit a ticket as requested, which takes about 5 minutes and is free to do, we'd be happy to see what's happening.
 

cPanelTristan

Actually, for localhost (not remote connections), it does allow relay by default, judging by this line in the /etc/exim.conf file:

Code:
hostlist relay_hosts = lsearch;/etc/relayhosts : \
    localhost
How precisely could you get to localhost without already having authenticated to the machine? Would you be able to explain why you feel this needs to be turned off?
 

ReiJu

> No reply is because I was unable to troubleshoot your issue via the forum and, so, had no comments I could make otherwise, since we do not have sufficient details to do so. We need to see how the commands are being run and the machine's settings, which would need to be done by logging into it. As it stands, we aren't allowed to log into machines from forum requests. They have to be ticket requests.

For directing into some Exim configs, I think shell access is unneeded. I'll gladly excerpt the needed part if you ask me.

And for the bolded part, does that also apply to these questions:

https://forums.cpanel.net/f43/restrict-email-only-listed-domains-174841.html
https://forums.cpanel.net/f5/user-admin-activity-log-163053.html#post714631

> Actually, for localhost (not remote connections), it does allow relay by default, judging by this line in the /etc/exim.conf file:
>
> Code:
> hostlist relay_hosts = lsearch;/etc/relayhosts : \
>     localhost

That's very nice information. So, what I need to stop the server from being an open-relayer-from-localhost is just to remove the "localhost" line, correct?

> How precisely could you get to localhost without already having authenticated to the machine?

This is my server, I'm the administrator. I can ssh into it.

> Would you be able to explain why you feel this needs to be turned off?

Why I feel the need for this?

Some (exploited) users on the server have CGI/PHP scripts which send spam emails via the SMTP (relayer) service (as mentioned in an earlier post). Since the scripts are already inside the server, the scripts only need to do something like "telnet localhost 25" and send email from an arbitrary envelope sender to an arbitrary recipient. And they do that without SMTP authentication. That is why I want to strip this capability, to prevent Exim relay spam from this kind of source.

Thank you for the reply.
 

cPanelTristan

If you remove localhost from that relay_hosts line, it should then cease allowing relaying from localhost. This will likely break scripts that send emails (you want them to authenticate anyway, so you'll be forcing SMTP authentication methods) and possibly stop webmail from working, but if that's the step you wish to pursue, then it is your server and certainly it is your choice.

I'm uncertain if sendmail might bypass this setting, as it doesn't send using the same mechanisms as Exim. You may wish to remove sendmail as well on the machine if you want to prevent scripts from bypassing Exim settings.
 

ReiJu

Unfortunately, even after I removed the localhost line and restarted Exim, Exim still acts as an open relayer for localhost. And when I blocked SMTP from localhost (via iptables), just like you wrote, webmail stopped working. So, even if I succeeded in forcing SMTP auth in Exim, I lost webmail capability. This is a dead end, I think. (There must be a lot of other options and methods out there, but what's the point in buying cPanel, then?)

This will excite spammers for sure.
 

mtindor

Well-Known Member
Sep 14, 2004
inside a catfish
cPanel Access Level
Root Administrator
> Unfortunately, even after I removed the localhost line and restarted Exim, Exim still acts as an open relayer for localhost. And when I blocked SMTP from localhost (via iptables), just like you wrote, webmail stopped working. So, even if I succeeded in forcing SMTP auth in Exim, I lost webmail capability. This is a dead end, I think. (There must be a lot of other options and methods out there, but what's the point in buying cPanel, then?)
>
> This will excite spammers for sure.

This isn't a cPanel issue. Exim is doing exactly what it is supposed to do on any machine that it is installed on. It is NOT an "open relay".

Your problem would be solved by getting rid of those accounts that spammers are hijacking to relay spam via scripts that they install. Your customers are your problem, not Exim or cPanel. Find the scripts / accounts being abused, and terminate them with extreme prejudice.
 

cPanelTristan

Hello,

> And when I blocked SMTP from localhost (via iptables), just like you wrote, webmail stopped working. So, even if I succeeded in forcing SMTP auth in Exim, I lost webmail capability.

I didn't indicate to block SMTP from localhost to my knowledge, since blocking SMTP (port 25, I would imagine you mean here) in iptables from localhost will prevent sending emails. SMTP is the sending mechanism for accounts locally. On the other hand, I did mention to remove sendmail (not SMTP) from being used. Also, I mentioned that removing localhost from allowing it to relay would possibly break webmail as well.

What you are probably really trying to do is to prevent spoofing, since that's the issue here rather than sending after authenticating via localhost (any script that is on an account is authenticated after all). There's a difference between spoofing and relaying (localhost has authenticated whether by logging into an account or being a script on an authorized account).

You can prevent spoofing on webmail itself by using the following type of rule:

Code:
acl_check_data:
  deny
    authenticated = *
    condition     = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
                             { !eqi{$authenticated_id} {${address:$header_From:}} }\
                            }\
                     }
    message       = Your FROM must be as the account you have authenticated with, your email is not delivered.
This would go into the box where it has "begin acl" directly above it (the second box in the Advanced Editor) and should prevent spoofing via webmail. If you want to stop scripts from sending without authenticating and force SMTP authentication for those scripts, you would need to revoke sendmail as I already stated earlier.

If you do not want to remove sendmail, you can instead try adding additional logging and preventative measures such as these options:

1. WHM > Tweak Settings:

Prevent “nobody” from sending mail [?]

Prevent the user “nobody” from sending out mail to remote addresses
(PHP and CGI scripts generally run as “nobody” if you are using mod_php or have Suexec disabled.)

If you are using DSO for the PHP handler, this option is not advised. You can see in WHM > Apache Configuration > PHP and SuExec Configuration area which PHP handler is being used on the machine.

2. WHM > Exim Configuration

Set the Sender: Header when the mail sender changes the sender (-f flag passed to sendmail).

3. WHM > Exim Configuration > Advanced Editor

Add the following in the topmost box:

Code:
log_selector = +all
This adds extra logging to /var/log/exim_mainlog file such as subject and command path.

4. WHM > EasyApache (Apache Update)

Step 6, Exhaustive Options List in the PHP section (PHP 4 and/or PHP 5) > MailHeaders

For information on this option, please see CHOON.NET : Resources : Scripts & Patches : PHP Mail Header Patch

Thanks.
 

ReiJu

@mtindor: I did try to find the offending PHP/CGI script, but it's hard, since the execution of the PHP script was done in a split second. So I wanted to know if there is any alternative way of preventing this. And since I spent some money to buy cPanel, I think it is wise enough to ask the cPanel people for information and help.

@cPanelTristan: no, of course not. I know that you never suggested that I block SMTP from localhost via iptables. I just wanted to show you that I did what you suggested (editing the Exim config), but it's still not working, and when I tried an alternative way, blocking via iptables, it only proved that what you said is true: webmail is broken. I can't do a lot of things with sendmail, because some of my scripts use it heavily.

I'll give the acl and mail headers thing a try. Thanks.
 