
Qmail acting as an open relay for local network

ComNet

New Pleskian
Hi,
I'm seeing a strange behavior on my Plesk 10.4.4: other hosts from the public subnet I purchased from my ISP are able to use unauthenticated SMTP as an open relay, while the rest of the world can't (I followed the steps and double-checked, to be sure, the official KB article at http://kb.parallels.com/en/1394).
The whitelist has only ::1 and 127.0.0.0/8 on the allowed entries, and nothing is blacklisted.
Do you have any idea why it is open-relaying from the local subnet's hosts, and how to stop that?
Thanks,

Marco
 
Tried to restrict from 127.0.0.0/8 to 127.0.0.1/32, still seeing the same behavior from other hosts in the same subnet.
Any hint?
 
Do you have pop-before-relay enabled? If so, and someone is doing pop3 logins from a particular IP then there will be a window where no smtp auth will be required. If the window is set to, say, 5 minutes and the user logs in every 5 minutes then effectively that IP is going to be able to use smtp anytime they want.
 

Thanks for your answer; unfortunately, that's not quite the case, for two reasons:
  1. I don't relay ("SMTP relay closed"). Simple as that. :)
  2. The other hosts in the subnet are servers, so no POP3 authentication shall ever come from there.
 
Check /etc/xinetd.d/smtp_psa to make sure the settings you have configured in Plesk are actually reflected there, just in case?
 

Thanks; I've been looking for a tcp-env configuration (as seen on this qmail page for "selective relaying" http://qmail.3va.net/qdp/qmail-antirelay.html), but I found none.
This is my smtp_psa started from xinetd:
Code:
service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        env             = SHORTNAMES=1
        server          = /var/qmail/bin/tcp-env
        server_args     = -Rt0 /var/qmail/bin/relaylock /usr/sbin/rblsmtpd -r sbl.spamhaus.org -r xbl.spamhaus.org /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
 
OK, I have no ideas at all I'm afraid.

Well, I do have one, but it should not make any difference. I notice you have shortnames enabled. How about changing it to off (in the panel, not editing the file)? Yes, I know, it should have nothing to do with anything. But maybe it will kickstart something somewhere :) And if it makes no difference, put it back to how it was, obviously ;-)
 
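Added example, not part of the thread and not Plesk's or qmail's own code: a small Python model of the two mechanisms discussed above (the IP whitelist and a pop-before-relay window) that reports which one, if either, would explain unauthenticated relay from a given address. The function names, the inclusive window, the handling of IPv4-mapped addresses and the sample addresses and times are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

def whitelist_match(client_ip, whitelist):
    """Return the whitelist entry covering client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    # Assumption: treat ::ffff:a.b.c.d as the IPv4 address it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for entry in whitelist:
        net = ipaddress.ip_network(entry, strict=False)
        if ip.version == net.version and ip in net:
            return entry
    return None

def relay_windows(login_times, window):
    """Merge per-login windows [t, t + window] into continuous open intervals."""
    merged = []
    for t in sorted(login_times):
        if merged and t <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], t + window)
        else:
            merged.append([t, t + window])
    return [(start, end) for start, end in merged]

def explain_relay(client_ip, when, whitelist, pop_logins, window):
    """Say which mechanism, if any, would let client_ip relay without SMTP AUTH."""
    entry = whitelist_match(client_ip, whitelist)
    if entry:
        return "whitelist " + entry
    times = [t for ip, t in pop_logins if ip == client_ip]
    for start, end in relay_windows(times, window):
        if start <= when <= end:
            return "pop-before-relay"
    return "unexplained"

# Constructed sample data; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
WHITELIST = ["::1", "127.0.0.0/8"]      # the entries quoted in the thread
T0 = datetime(2012, 1, 1, 12, 0)        # constructed timestamp
WINDOW = timedelta(minutes=5)           # the "say, 5 minutes" from the reply
# One client that logs in over POP3 every 5 minutes, four times in a row.
POP_LOGINS = [("198.51.100.7", T0 + timedelta(minutes=5 * i)) for i in range(4)]

if __name__ == "__main__":
    probe = T0 + timedelta(minutes=12)
    for ip in ("127.0.0.1", "::ffff:127.0.0.1", "198.51.100.7", "192.0.2.10"):
        print(ip, "->", explain_relay(ip, probe, WHITELIST, POP_LOGINS, WINDOW))
```

An "unexplained" result for a host on the server's own subnet matches the situation in the thread: neither the whitelist nor a POP3 login accounts for the relay, so the effective configuration on disk is the next place to look.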