SMTP open relay

NethServer Version: NS8
Module: mail

I tested my server for open relay and it is open to the internet. I cannot find any settings to block the server from being an open relay. Can anyone point me in the right direction?

AFAIK there are no mail relay settings. I can’t reproduce the open relay issue. Which open relay test did you use?

Is an internal/external LDAP/samba AD installed?

Did you customize the mail app?

1 Like

I ran an SMTP diag tool from an external network. Both the from and to address are not configured on my server. Message was accepted and delivered. Here is the log:

2024-04-03T21:58:30+01:00 [1:mail1:postfix/cleanup] 834531508105: message-id=<dc0e48bc5d007adb7a02723add4da4ff@iinnsite.com>
2024-04-03T21:58:30+01:00 [1:mail1:rspamd] #26(normal) ; task; rspamd_message_parse: loaded message; id: <dc0e48bc5d007adb7a02723add4da4ff@iinnsite.com>; queue-id: <834531508105>; size: 52799; checksum: <39ddd09ce1ac0149d6ebfe6a44598d9a>
2024-04-03T21:58:30+01:00 [1:mail1:rspamd] #26(normal) ; task; rspamd_spf_maybe_return: not stored SPF record for iinnsite.com (0xa4aa40bbeec59e2b) in LRU cache; flags=4; ttl=0
2024-04-03T21:58:31+01:00 [1:mail1:rspamd] #26(normal) ; task; rspamd_task_write_log: id: <dc0e48bc5d007adb7a02723add4da4ff@iinnsite.com>, qid: <834531508105>, ip: 185.69.145.254, from: <anyauthoriseduser@iinnsite.com>, (default: T (add header): [19.00/20.00] [RBL_SPAMHAUS_XBL(4.00){185.69.145.254:from;},BAYES_HAM(-3.00){100.00%;},HFILTER_HELO_5(3.00){GalaxyBook2Pro;},HFILTER_HOSTNAME_UNKNOWN(2.50){},RBL_SENDERSCORE(2.00){185.69.145.254:from;},RBL_SPAMHAUS_CSS(2.00){185.69.145.254:from;},RBL_SPAMHAUS_PBL(2.00){185.69.145.254:from;},RBL_VIRUSFREE_BOTNET(2.00){185.69.145.254:from;},HFILTER_FROMHOST_NORES_A_OR_MX(1.50){iinnsite.com;},AUTH_NA(1.00){},RDNS_NONE(1.00){},MX_INVALID(0.50){},R_MISSING_CHARSET(0.50){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ONCE_RECEIVED(0.10){},ARC_NA(0.00){},ASN(0.00){asn:25135, ipnet:185.69.144.0/22, country:GB;},DMARC_NA(0.00){iinnsite.com;},FREEMAIL_ENVRCPT(0.00){outlook.com;},FREEMAIL_TO(0.00){outlook.com;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},NEURAL_SPAM(0.00){0.945;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){no SPF record;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 52799, time: 783.715ms, dns req: 18, digest: <39ddd09ce1ac0149d6ebfe6a44598d9a>, rcpts: REDACTED@outlook.com, mime_rcpts: REDACTED@outlook.com
2024-04-03T21:58:31+01:00 [1:mail1:postfix/qmgr] 834531508105: from=<anyauthoriseduser@iinnsite.com>, size=53022, nrcpt=1 (queue active)
2024-04-03T21:58:32+01:00 [1:mail1:postfix/smtp] 834531508105: to=REDACTED@outlook.com, relay=outlook-com.olc.protection.outlook.com[52.101.68.9]:25, delay=1.8, delays=1.1/0.03/0.27/0.42, dsn=2.6.0, status=sent (250 2.6.0 <dc0e48bc5d007adb7a02723add4da4ff@iinnsite.com> [InternalId=3504693337945, Hostname=CWLP123MB3666.GBRP123.PROD.OUTLOOK.COM] 61473 bytes in 0.114, 523.491 KB/sec Queued mail for delivery → 250 2.1.5).

Which one? I’d like to reproduce the issue.

Does mxtoolbox report an open relay too?

https://mxtoolbox.com/diagnostic.aspx

2 Likes

mxtoolbox shows it may be an open relay.

May be an Open Relay

More Information About Smtp Open Relay

During our diagnostics we attempt to simulate sending a message to a fake email address; test@example.com. We do this to try to detect if your server is an open relay, which means that it accepts mail to domains for which it is not responsible and then passes it along to the proper server. Your server responded with a 200 accepted code to our RCPT TO command. THIS DOES NOT MEAN YOU ARE OPERATING AN OPEN RELAY, only that you may be an open relay.

To test externally, I use telnet on port 25:

telnet to the mailhost on port 25
Escape character is '^]'.
220 ****************************
helo mis
250
mail from:someone@somewhere.com
250 2.1.0 Ok
rcpt to:someone@somewhere.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject:test 1912
testing
.
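The same MAIL FROM / RCPT TO check as a self-test against your own host, stopping before DATA so nothing is queued. This is an added example, not code from the thread or from NethServer; the host, sender and recipient are assumptions, and the recipient domain is assumed not to be hosted on the server being tested.

```python
import smtplib


def relay_verdict(rcpt_code: int, rcpt_msg: str) -> str:
    """Classify the reply to RCPT TO for a recipient the server is not responsible for.

    250 means the recipient was accepted (what the telnet session above shows);
    554 5.7.1 "Relay access denied" is the reply a closed relay should give.
    """
    if rcpt_code == 250:
        return "ACCEPTED_RELAY"   # recipient for a foreign domain was accepted
    if rcpt_code == 554 or rcpt_msg.startswith("5.7.1"):
        return "RELAY_DENIED"     # expected for a correctly configured server
    if 400 <= rcpt_code < 500:
        return "TEMPFAIL"         # greylisting or similar; repeat the check later
    return "OTHER"


def probe_own_server(host, sender, recipient, port=25, timeout=15):
    """Send EHLO, MAIL FROM and RCPT TO to your own server, then reset and quit.

    host, sender and recipient are placeholders for the reader's own values.
    Returns (verdict, reply_code, reply_text).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo("relaycheck.invalid")
        code, msg = conn.mail(sender)
        if code != 250:
            return ("MAIL_REJECTED", code, msg.decode(errors="replace"))
        code, msg = conn.rcpt(recipient)
        text = msg.decode(errors="replace")
        conn.rset()               # abandon the transaction; no DATA is sent
        return (relay_verdict(code, text), code, text)


if __name__ == "__main__":
    # Placeholder values; replace with your own mail host.
    print(probe_own_server("mail.example.invalid",
                           "someone@somewhere.example",
                           "someone@elsewhere.example"))
```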

And what does the mailserver respond to the data command?

1 Like

Did you set up users using an account provider like LDAP or Samba?

Let’s check the mail config (assuming the mail app instance is mail1):

runagent -m mail1 env

1 Like

I am using Samba.

runagent -m mail1 env
SHELL=/usr/bin/env
PATH=/home/mail1/.config/bin:/var/lib/nethserver/node/bin:/usr/local/agent/pyenv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/local/agent/bin
HOME=/home/mail1
USER=mail1
LOGNAME=mail1
TERM=xterm-256color
XDG_RUNTIME_DIR=/run/user/1003
LC_CTYPE=C.UTF-8
REGISTRY_AUTH_FILE=/etc/nethserver/registry.json
AGENT_BASEACTIONS_DIR=/usr/local/agent/actions
REDIS_ADDRESS=cluster-leader:6379
REDIS_REPLICA_ADDRESS=127.0.0.1:6379
REDIS_USER=module/mail1
REDIS_PASSWORD=REDACTED
PYTHONPATH=/home/mail1/.config/pypkg
CLAMAV_CUS_RATING=MEDIUM
DOVECOT_DISABLED_USERS=root
DOVECOT_QUOTA_MB=0
DOVECOT_SHAREDSEEN=
DOVECOT_SPAM_FOLDER=Junk
DOVECOT_SPAM_RETENTION=15
DOVECOT_SPAM_SUBJECT_PREFIX=***SPAM***
DOVECOT_TRUSTED_NETWORKS=10.5.4.0/24
IMAGE_DIGEST=sha256:050cc86db6b5dcd527d5df9a51ed0bce93edb34010140676443c2e2fa3902dac
IMAGE_ID=48883023da10633df84969cdc8fab83ba5ac6a5e420ca4d23dcef2b4e88eb57f
IMAGE_REOPODIGEST=ghcr.io/nethserver/mail@sha256:050cc86db6b5dcd527d5df9a51ed0bce93edb34010140676443c2e2fa3902dac
IMAGE_URL=ghcr.io/nethserver/mail:1.3.6
IMPORT_IMAGE_URL=ghcr.io/nethserver/mail:1.3.4
IMPORT_TASK_ID=ab77f2ed-288c-4ab9-a7cb-faeb3505946a
MAIL_CLAMAV_IMAGE=ghcr.io/nethserver/mail-clamav:1.3.6
MAIL_DOVECOT_IMAGE=ghcr.io/nethserver/mail-dovecot:1.3.6
MAIL_HOSTNAME=stedmond.co.uk
MAIL_POSTFIX_IMAGE=ghcr.io/nethserver/mail-postfix:1.3.6
MAIL_RSPAMD_IMAGE=ghcr.io/nethserver/mail-rspamd:1.3.6
MODULE_ID=mail1
MODULE_UUID=6208fbae-a06d-415c-80e3-18349071452f
NODE_ID=1
POSTFIX_HOSTNAME=stedmond.co.uk
POSTFIX_MILTERS=inet:localhost:11332
POSTFIX_ORIGIN=local.stedmond.co.uk
POSTFIX_TRUSTED_NETWORK=10.5.4.0/24
PREV_IMAGE_DIGEST=sha256:d609f68dbf387514e3a31d160730e8ee5a0e3dca9ae2b90a937486685d6df8cd
PREV_IMAGE_ID=97e56b524be43de6d550585cb71785564dd50dbc8e0aa1b0c543039acb45804b
PREV_IMAGE_REOPODIGEST=ghcr.io/nethserver/mail@sha256:d609f68dbf387514e3a31d160730e8ee5a0e3dca9ae2b90a937486685d6df8cd
PREV_IMAGE_URL=ghcr.io/nethserver/mail:1.3.5
PREV_MAIL_CLAMAV_IMAGE=ghcr.io/nethserver/mail-clamav:1.3.5
PREV_MAIL_DOVECOT_IMAGE=ghcr.io/nethserver/mail-dovecot:1.3.5
PREV_MAIL_POSTFIX_IMAGE=ghcr.io/nethserver/mail-postfix:1.3.5
PREV_MAIL_RSPAMD_IMAGE=ghcr.io/nethserver/mail-rspamd:1.3.5
RSPAMD_antispam_checks_enabled=1
RSPAMD_greylist_enabled=
AGENT_INSTALL_DIR=/home/mail1/.config
AGENT_STATE_DIR=/home/mail1/.config/state
AGENT_ID=module/mail1

I tested your server using mxtoolbox and it does not seem to be an open relay.

I can’t reproduce the issue on my servers.

Could you please explain your setup in detail and how you tested and also answer the question from @jaywalker?

I have set up another firewall in front of the mail server to stop relay access.

To answer @jaywalker's question, the message was queued for delivery.

1 Like

Does your server have the latest updates?

Cluster is up to date.

1 Like

I can’t reproduce the issue on my test servers, all I get is:

MAIL FROM:<chris@contoso.com>
250 2.1.0 Ok
RCPT TO:<kate@fabrikam.com>
554 5.7.1 <kate@fabrikam.com>: Relay access denied

I tried different setups but no open relay.
Your configuration looks ok to me.

You could check the config files of postfix:

Enter mail instance:

runagent -m mail1

Search for relay config in postfix config files:

podman exec -ti postfix grep -r 'mynetworks =\|relayhost =' /etc/postfix

2 Likes

A post was split to a new topic: SMTP port forwarding

This is what is in my config. I did not set any of these up, the mail server was migrated from NethServer 7.

podman exec -ti postfix grep -r 'mynetworks =\|relayhost =' /etc/postfix
/etc/postfix/main.cf:mynetworks = 127.0.0.1/32 10.5.4.0/24 sqlite:$meta_directory/mynetworks.cf
/etc/postfix/main.cf.proto:#mynetworks = 168.100.3.0/28, 127.0.0.0/8
/etc/postfix/main.cf.proto:#mynetworks = $config_directory/mynetworks
/etc/postfix/main.cf.proto:#mynetworks = hash:/etc/postfix/network_table
/etc/postfix/main.cf.proto:#relayhost = $mydomain
/etc/postfix/main.cf.proto:#relayhost = [gateway.my.domain]
/etc/postfix/main.cf.proto:#relayhost = [mailserver.isp.tld]
/etc/postfix/main.cf.proto:#relayhost = uucphost
/etc/postfix/main.cf.proto:#relayhost = [an.ip.add.ress]

1 Like

Please check the mynetworks in the sqlite database:

runagent -m mail1 podman exec postfix sqlite3 /srv/pcdb.sqlite 'SELECT * FROM mynetworks;'

EDIT:

Which distro do you use for NS8?

10.65.11.12
10.65.11.46

Distro is [Rocky Linux 9.3 (Blue Onyx)]

1 Like
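To reason about what the grep output and the sqlite rows above add up to, here is an added example (not code from the thread or from NethServer) that merges the active mynetworks line from main.cf with the rows of the sqlite table and checks which client addresses Postfix would let relay through permit_mynetworks. The grep and sqlite samples are constructed from the outputs posted in this thread; note that Postfix evaluates the address it sees on the connection, so a firewall that port-forwards or NATs port 25 can present an internal source address.

```python
import ipaddress

# Constructed from the grep output posted above. Only the active
# main.cf line matters; main.cf.proto holds commented Postfix defaults.
GREP_OUTPUT = """\
/etc/postfix/main.cf:mynetworks = 127.0.0.1/32 10.5.4.0/24 sqlite:$meta_directory/mynetworks.cf
/etc/postfix/main.cf.proto:#mynetworks = 168.100.3.0/28, 127.0.0.0/8
/etc/postfix/main.cf.proto:#relayhost = $mydomain
"""

# Constructed from the sqlite query output posted above.
SQLITE_ROWS = ["10.65.11.12", "10.65.11.46"]


def parse_mynetworks(grep_output, sqlite_rows):
    """Return the networks Postfix treats as trusted for relaying."""
    nets = []
    for line in grep_output.splitlines():
        path, _, setting = line.partition(":")
        if not path.endswith("/main.cf") or setting.lstrip().startswith("#"):
            continue  # skip .proto defaults and commented-out lines
        key, _, value = setting.partition("=")
        if key.strip() != "mynetworks":
            continue
        for token in value.replace(",", " ").split():
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                # Lookup-table reference such as sqlite:... or hash:...;
                # its rows are supplied separately via sqlite_rows.
                continue
    for row in sqlite_rows:
        nets.append(ipaddress.ip_network(row.strip(), strict=False))
    return nets


def is_trusted(client_ip, nets):
    """True if the connecting address falls inside any mynetworks entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    trusted = parse_mynetworks(GREP_OUTPUT, SQLITE_ROWS)
    for addr in ("185.69.145.254", "10.65.11.12", "10.5.4.77"):
        print(addr, "trusted" if is_trusted(addr, trusted) else "untrusted")
```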

Do you know these IPs?

Yes, internal servers, but I don’t use them anymore.

1 Like