SMTP Relay stop

bainwave · September 23, 2019, 6:23pm

Hi all,
need your advise to stop SMTP relay in my production box.
Doubt it is open for SMTP relay.
Advise me the steps…

danb35 · September 18, 2019, 12:52pm

No, Neth isn’t an open SMTP relay. What makes you think it is?

bainwave · September 18, 2019, 1:12pm

Am seeing unknown mails being sent from my server GUI (queue management).
Correct me

pike · September 18, 2019, 2:19pm

Not quite “open”…
NethServer acts as a relay for some networks (green) and if something is enabled.
@bainwave can you verify from queue or log which is the ip sending messages and if any user is used for submitting?
Maybe you have a mass mailing worm inside your LAN and the relay is filtering (maybe) the messages …

danb35 · September 18, 2019, 2:30pm

It acts as a relay for green networks, but (by default) it requires authentication for any relaying.

bainwave · September 19, 2019, 2:21pm

@pike
Please bear with me… will update once i reach office…

pike · September 19, 2019, 4:13pm

I don’t have access to any SMTP relay configuration to verify.
Also: would you please describe what is your current setup?
Where is NethServer into network topology, what are it’s roles and what are services that it provides.

bainwave · September 20, 2019, 11:13am

@pike
how do i show SMTP relay configuration to verify?
My NethServer is behind Fortigate firewall and in a LAN with 10 other servers and its roles basically email
Please find the images shows about the services and spam mails being sent from my server.
Help me

pike · September 20, 2019, 12:43pm

As @danb35 wrote before

as default setting, Nethserver do not act as SMTP relay for no one, except the users of the server
Also, i am assuming that your server is acting as email and webmail server. No websites of any kind.
A little checklist for “sanitize” the situation. Do not consiter it complete.

If not already, enforce secure password policy ( Password policies, Strong password policy for Users)
Change root password and if possible any of other administrative users (by NethServer perspective)
Keep note the new password and of everything you are going to change from the next sections
Check “Trusted Network” and remove any public subnet or address who should not be here
Into “Email”, tab SMTP Access, ensure the list “Allow relay from IP addresses” is empty or only with ip addresses you choose to relay and uncheck the “advanced options” both for relay for trusted network and authentication on port 25.
Edit: Into Email, tab Mailboxes, uncheck “Allow unencrypted connections” if enable.
If not installed or enable, install or activate rSpamd

If all these settings are as described, i have to assume that someone found a password of one of your users, or one of your system into “Allow relay from IP addresses” list is compromised.
So pick one: remove entries from “Allow relay from IP addresses” or change all the users password.

Also: i am a Linux total n00b, there’s should be a way from shell to list all the ip addresses that are connected to a port or a service, but i don’t know which is.
And if the Fortigate is correctly configured and allows SMTP connections to internet only from NethServer, a computer into the lan could be coulprit for sending spam via nethserver using cached username and password into mail client or browser.

Summoning @support_team for more suggestions

pike · September 23, 2019, 1:14pm

@bainwave any news?

bainwave · September 23, 2019, 3:38pm

@pike.
Followed your suggestions, observed the situation under control.
Thanks for the suggestion.
Will observe for a couple of days and will let you know.
My server edition is 6.9 final. Planning to upgrade with the help of upgrade tool, but failed.
Now am planning to move the mailboxes from 6.9 to new server with 7.6 version installed.
Please let me know if you have any thoughts on it.
Thanks in advance

pike · September 23, 2019, 6:15pm

Version was a quite important information… And this should not be “6.9”, but 6.10, if it’s fully updated.

I don’t know if the upgrade tool (i don’t know if it was @davidep which posted about it) may receive interesting inputs from your experience…

bainwave · September 24, 2019, 2:38am

@pike
You are right it is 6.10 but not 6.9.
Any how, now I have the latest version VM, help me out to migrate the existing mail boxes in 6.10 to new server 7.6
–
Bain

pike · September 24, 2019, 1:28pm

I have no experience in migration, therefore i cannot help you for this task. IMVHO should open another support topic.

Next step: how’s going the modified setup? Blocking the possibly compromised settings can stop the flow, but don’t solve the effective problem. Which, until now, is not know for the community.

bainwave · September 25, 2019, 1:27am

@pike
This is getting interested day by day…
Although 90% of the issue fixed am still observing couple of machines in my network sending mails.
Getting checked for malware / virus infection in their machines today and will post the updates ASAP.

pike · September 25, 2019, 3:19pm

I hope that the epuration of bad software keeps proceeding, if the 90% is fixed, maybe some passwords (or crapwords) needs to be changed for safety.

Did you removed any host/subnet from Trusted networks and/or Allow relay from IP addresses?