Hey, I've installed ispconfig on my debian a while ago with this tutorial: howtoforge(dot)com/perfect-server-debian-wheezy-apache2-bind-dovecot-ispconfig-3-p5
I've noticed that someone uses my USERNAME@domain(dot)com and www-data@domain(dot)com e-mails to send viruses to myself. I can use this tool: wormly(dot)com/test_smtp_server and send E-Mails through my server with any name. Is that supposed to be like that or did I do something wrong? The E-Mail headers of the guy that sends the virus look like this:
Code:
Return-Path: <MAINUSER@MAINUSER(dot)com>
Delivered-To: MAINUSER@MAINUSER(dot)com
Received: from localhost (localhost.localdomain [127.0.0.1]) by MAILSERVERDOMAIN (Postfix) with ESMTP id E0F50E673E for <MAINUSER@MAINUSER(dot)com>; Fri, 18 Mar 2016 13:29:36 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at MAILSERVERDOMAIN
Received: from MAILSERVERDOMAIN ([127.0.0.1]) by localhost (MAILSERVERDOMAIN [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BzlzDPkdsAxE for <MAINUSER@MAINUSER(dot)com>; Fri, 18 Mar 2016 13:29:35 +0100 (CET)
Received: from 88-199-20-2.tktelekom(dot)pl (88-199-20-2.tktelekom(dot)pl [88.199.20.2]) by MAILSERVERDOMAIN (Postfix) with ESMTP id AE339DFA4D for <MAINUSER@MAINUSER(dot)com>; Fri, 18 Mar 2016 13:29:35 +0100 (CET)
From: <MAINUSER@MAINUSER(dot)com>
To: <MAINUSER@MAINUSER(dot)com>
Subject: ***SPAM***Document2
Thread-Topic: Document2
Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
Date: Fri, 18 Mar 2016 13:29:34 +0200
Message-ID: <[email protected]>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.0.28]
Content-Type: multipart/mixed; boundary="_004_300621BC94B77642BC430B054CFFEC9C4A08FF5DBOROSBSboroloca_"
MIME-Version: 1.0
What you did with your test is this: you have sent an email TO your address and not THROUGH your server. Through would mean that you can send an email to e.g. a gmail account by using your server as a relay. Each email server has to accept an email that is for a local mailbox; if it won't accept them, then you won't be able to receive a single email as nobody would be able to send you an email. So this behaviour is absolutely fine. If you want to test your server to ensure that it is not an open relay, then use a tool like this: http://mxtoolbox.com/diagnostic.aspx
Thank you for your reply. The diagnostic site you posted said indeed everything is fine and relay is denied. But the email headers with the virus mail look like it has been sent locally. Or is that also just fooling me?
edit: Is there any way to disable anonymous smtp usage?
Code:
helo localhost
250 server.domain
ehlo localhost
250-server.domain
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: <[email protected]>
250 2.1.0 Ok
rcpt to: <[email protected]>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: bla bla
.
250 2.0.0 Ok: queued as 52495DF9E1
quit
mail.info:
Code:
Mar 22 00:08:01 ns3 postfix/smtpd[2018]: connect from client.DOMAIN[client.IP]
Mar 22 00:09:09 ns3 postfix/smtpd[2018]: 52495DF9E1: client=client.DOMAIN[client.IP]
Mar 22 00:09:24 ns3 postfix/cleanup[2496]: 52495DF9E1: message-id=<>
Mar 22 00:09:24 ns3 postfix/qmgr[28075]: 52495DF9E1: from=<[email protected]>, size=239, nrcpt=1 (queue active)
Mar 22 00:09:27 ns3 postfix/smtpd[2605]: connect from localhost.localdomain[127.0.0.1]
Mar 22 00:09:27 ns3 postfix/smtpd[2605]: 93007DFC34: client=localhost.localdomain[127.0.0.1]
Mar 22 00:09:27 ns3 postfix/cleanup[2496]: 93007DFC34: message-id=<[email protected]>
Mar 22 00:09:27 ns3 postfix/smtpd[2605]: disconnect from localhost.localdomain[127.0.0.1]
Mar 22 00:09:27 ns3 postfix/qmgr[28075]: 93007DFC34: from=<[email protected]>, size=1399, nrcpt=1 (queue active)
Mar 22 00:09:27 ns3 amavis[3921]: (03921-18) Passed SPAMMY {RelayedTaggedInbound}, [client.IP]:58913 [client.IP] <[email protected]> -> <[email protected]>, Queue-ID: 52495DF9E1, mail_id: vy_45teWlRXQ, Hits: 18.313, size: 239, queued_as: 93007DFC34, 2708 ms
Mar 22 00:09:27 ns3 postfix/smtp[2581]: 52495DF9E1: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=34, delays=31/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 93007DFC34)
Mar 22 00:09:27 ns3 postfix/qmgr[28075]: 52495DF9E1: removed
Mar 22 00:09:27 ns3 dovecot: auth-worker(2608): mysql(localhost): Connected to database dbispconfig
Mar 22 00:09:27 ns3 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'Junk'
Mar 22 00:09:27 ns3 postfix/pipe[2606]: 93007DFC34: to=<[email protected]>, relay=dovecot, delay=0.21, delays=0.07/0.01/0/0.14, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar 22 00:09:27 ns3 postfix/qmgr[28075]: 93007DFC34: removed
Mar 22 00:09:40 ns3 postfix/smtpd[2018]: disconnect from client.DOMAIN[client.IP]
It has not been sent locally, the email is from:
Received: from 88-199-20-2.tktelekom(dot)pl (88-199-20-2.tktelekom(dot)pl [88.199.20.2])
Your server is not allowing any anonymous SMTP usage, it just accepts emails for your mailbox and that's what a mail server has to do. And that's what you tested above: you just tested that the mailserver is working correctly and whether it is able to receive (not send!) emails for your local mailbox. If you don't want to receive any emails on this server, then delete all mailboxes and email domains in ISPConfig.
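The reasoning in the reply above (the two loopback Received lines are your own Postfix and amavisd handing the message to each other; the first non-loopback hop is the outside client that connected to you) can be scripted. The following is an added example, not code from anyone in this thread: it feeds the header block from the first post (with the poster's "(dot)" obfuscation undone and the placeholders kept) to a small Received-chain walker. Only the Received lines written by your own server are trustworthy; anything below them was supplied by the remote client and may be forged, which is why the walk goes from the top of the message downwards and stops at the first external address.

```python
import email
import ipaddress
import re

# Constructed sample: the headers posted in the thread, placeholders kept,
# "(dot)" written as "." so the parser sees real domain names. Body left empty.
SAMPLE_MESSAGE = """\
Return-Path: <MAINUSER@MAINUSER.com>
Delivered-To: MAINUSER@MAINUSER.com
Received: from localhost (localhost.localdomain [127.0.0.1])
    by MAILSERVERDOMAIN (Postfix) with ESMTP id E0F50E673E
    for <MAINUSER@MAINUSER.com>; Fri, 18 Mar 2016 13:29:36 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at MAILSERVERDOMAIN
Received: from MAILSERVERDOMAIN ([127.0.0.1])
    by localhost (MAILSERVERDOMAIN [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id BzlzDPkdsAxE
    for <MAINUSER@MAINUSER.com>; Fri, 18 Mar 2016 13:29:35 +0100 (CET)
Received: from 88-199-20-2.tktelekom.pl (88-199-20-2.tktelekom.pl [88.199.20.2])
    by MAILSERVERDOMAIN (Postfix) with ESMTP id AE339DFA4D
    for <MAINUSER@MAINUSER.com>; Fri, 18 Mar 2016 13:29:35 +0100 (CET)
From: <MAINUSER@MAINUSER.com>
To: <MAINUSER@MAINUSER.com>
Subject: ***SPAM***Document2

"""

# Postfix writes "from HELO (rDNS [IP])"; rDNS is absent when it has none,
# as in "from MAILSERVERDOMAIN ([127.0.0.1])" above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def is_internal(ip_text):
    """True for loopback, RFC 1918 and link-local addresses, i.e. hops that
    happened inside your own box or LAN rather than on the Internet."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def received_hops(raw_message):
    """Return the parsed Received hops, newest (top of message) first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        match = RECEIVED_RE.search(text)
        if match:
            hops.append({"helo": match["helo"], "rdns": match["rdns"],
                         "ip": match["ip"], "raw": text})
    return hops


def originating_hop(raw_message):
    """Walk from the newest hop downwards and return the first one whose
    client address is not internal: that is the host that handed the
    message to your server from the outside. Hops below it are untrusted."""
    for hop in received_hops(raw_message):
        if not is_internal(hop["ip"]):
            return hop
    return None  # every hop was local: the mail really was submitted locally


if __name__ == "__main__":
    origin = originating_hop(SAMPLE_MESSAGE)
    if origin is None:
        print("submitted locally")
    else:
        print(f"came in from {origin['ip']} ({origin['rdns']}), HELO {origin['helo']}")
```

Run it without arguments and it reports the tktelekom(dot)pl address as the origin; only if every hop were loopback or private would the "sent locally" reading from the third post hold.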
Yeah, I noticed it doesn't send them to other servers, but when I telnet to larger mail servers and type "mail from:" it says authentication required. (That's my last question, sorry for bugging you.)
You can't do the test like this, as larger providers split their infrastructure into submission servers and receiving servers, so when you connect to a submission-only server then you get an auth request of course, as this server is not the one that receives any email; it is only used by customers to submit and relay outgoing emails. Your server is configured for submission and receiving of emails on the same system, as you probably don't run a datacenter with clusters of mail systems for tens of thousands of customers, so your server provides both functions on the same machine.
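The distinction drawn in the second and last replies (a receiving server must accept RCPT TO for its own domains from anyone, but must refuse RCPT TO for foreign domains unless the client is authenticated) is exactly what the mxtoolbox check exercises. The following is an added example, not code from anyone in this thread, that does the same check against a server you administer with nothing but Python's standard smtplib: it stops after RCPT TO and never sends DATA, so no message is queued. The hostnames and the probe recipient are assumptions; the stub class is a constructed stand-in for a Postfix with its default reject_unauth_destination behaviour so the logic can be exercised offline.

```python
import smtplib
import sys

# Assumption: a domain your server is NOT authoritative for. A correctly
# configured receiving server must refuse to relay to it for an unauthenticated
# client; a local-domain recipient must still be accepted (that is normal).
EXTERNAL_PROBE = "relaytest@example.net"


def relay_verdict(code):
    """Interpret the RCPT TO reply for a recipient in a foreign domain."""
    if 200 <= code < 300:
        return "OPEN RELAY: foreign recipient accepted without authentication"
    if code in (550, 554):  # Postfix: "554 5.7.1 <...>: Relay access denied"
        return "ok: relaying to foreign domains denied"
    if code == 530:  # submission-only hosts answer "530 Authentication required"
        return "ok: authentication required"
    return f"inconclusive: server answered {code}"


def probe_relay(conn, mail_from, rcpt_to=EXTERNAL_PROBE):
    """conn is an smtplib.SMTP (or compatible) object that is already
    connected. Returns a verdict string and leaves no message on the server."""
    conn.ehlo_or_helo_if_needed()
    code, _ = conn.mail(mail_from)
    if code != 250:
        return f"inconclusive: MAIL FROM rejected with {code}"
    code, _ = conn.rcpt(rcpt_to)
    conn.rset()  # abandon the envelope; DATA is never issued
    return relay_verdict(code)


class PostfixLikeStub:
    """Constructed stand-in for an MTA: accepts recipients in its own domains,
    refuses everything else unless it has been (mis)configured as an open
    relay. Not a real Postfix, only enough surface for probe_relay()."""

    def __init__(self, local_domains, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay

    def ehlo_or_helo_if_needed(self):
        pass

    def mail(self, sender):
        return 250, b"2.1.0 Ok"

    def rcpt(self, recipient):
        domain = recipient.rsplit("@", 1)[-1].lower()
        if self.open_relay or domain in self.local_domains:
            return 250, b"2.1.5 Ok"
        return 554, b"5.7.1 <" + recipient.encode() + b">: Relay access denied"

    def rset(self):
        return 250, b"2.0.0 Ok"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python relaycheck.py mail.yourdomain.example
        host = sys.argv[1]
        with smtplib.SMTP(host, 25, timeout=20) as conn:
            print(probe_relay(conn, "relaytest@" + host))
    else:
        good = PostfixLikeStub(["example.org"])
        bad = PostfixLikeStub(["example.org"], open_relay=True)
        print("hardened server:", probe_relay(good, "someone@example.org"))
        print("misconfigured server:", probe_relay(bad, "someone@example.org"))
```

With no argument the script runs the two stubs and prints one "ok" and one "OPEN RELAY" line; with your own hostname it performs the live check on port 25. A "ok: relaying ... denied" verdict together with a 250 for a recipient in one of your ISPConfig mail domains is the expected picture for the setup described in this thread.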