SMTP Server is open for everyone?

Discussion in 'Technical' started by corndoge, Mar 21, 2016.

  1. corndoge

    corndoge New Member

    I've installed ispconfig on my debian a while ago with this tutorial: howtoforge(dot)com/perfect-server-debian-wheezy-apache2-bind-dovecot-ispconfig-3-p5

    I've noticed that someone uses my USERNAME@domain(dot)com and www-data@domain(dot)com e-mails to send viruses to myself.
    I can use this tool: wormly(dot)com/test_smtp_server
    And send E-Mails through my server with any name.
    Is that supposed to be like that or did I do something wrong?

    The E-Mail headers of the guys that sends the virus look like this:
    Return-Path: <MAINUSER@MAINUSER(dot)com>
    Delivered-To: MAINUSER@MAINUSER(dot)com
    Received: from localhost (localhost.localdomain [])
    by MAILSERVERDOMAIN (Postfix) with ESMTP id E0F50E673E
    for <MAINUSER@MAINUSER(dot)com>; Fri, 18 Mar 2016 13:29:36 +0100 (CET)
    X-Virus-Scanned: Debian amavisd-new at MAILSERVERDOMAIN
    Received: from MAILSERVERDOMAIN ([])
    by localhost (MAILSERVERDOMAIN []) (amavisd-new, port 10024)
    with ESMTP id BzlzDPkdsAxE for <MAINUSER@MAINUSER(dot)com>;
    Fri, 18 Mar 2016 13:29:35 +0100 (CET)
    Received: from 88-199-20-2.tktelekom(dot)pl (88-199-20-2.tktelekom(dot)pl [])
    by MAILSERVERDOMAIN (Postfix) with ESMTP id AE339DFA4D
    for <MAINUSER@MAINUSER(dot)com>; Fri, 18 Mar 2016 13:29:35 +0100 (CET)
    From: <MAINUSER@MAINUSER(dot)com>
    To: <MAINUSER@MAINUSER(dot)com>
    Subject: ***SPAM***Document2
    Thread-Topic: Document2
    Thread-Index: AdF+sJZYKtxaTvOhSFC+rMKD/CUwyg==
    Date: Fri, 18 Mar 2016 13:29:34 +0200
    Message-ID: <[email protected]>
    Accept-Language: en-GB, en-US
    Content-Language: en-US
    X-MS-Has-Attach: yes
    x-originating-ip: []
    Content-Type: multipart/mixed;
    MIME-Version: 1.0
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    What you did with your test is this: you have sent an email TO your address and not through your server. Through would mean that you can send an email to e.g. a gmail account by using your server as a relay. Each email server has to accept an email that is for a local mailbox; if it won't accept them, then you won't be able to receive a single email, as nobody would be able to send you an email. So this behaviour is absolutely fine.

    If you want to test your server to ensure that it is not an open relay, then use a tool like this:
  3. corndoge

    corndoge New Member

    Thank you for your reply. The diagnostic site you posted said indeed everything is fine and relay is denied.

    But the email headers with the virus mail look like it has been sent locally. Or is that also just fooling me?
    Is there any way to disable anonymous smtp usage?
    helo localhost
    250 server.domain
    ehlo localhost
    250 DSN
    mail from: <[email protected]>
    250 2.1.0 Ok
    rcpt to: <[email protected]>
    250 2.1.5 Ok
    354 End data with <CR><LF>.<CR><LF>
    Subject: bla
    250 2.0.0 Ok: queued as 52495DF9E1
    Mar 22 00:08:01 ns3 postfix/smtpd[2018]: connect from client.DOMAIN[client.IP]
    Mar 22 00:09:09 ns3 postfix/smtpd[2018]: 52495DF9E1: client=client.DOMAIN[client.IP]
    Mar 22 00:09:24 ns3 postfix/cleanup[2496]: 52495DF9E1: message-id=<>
    Mar 22 00:09:24 ns3 postfix/qmgr[28075]: 52495DF9E1: from=<[email protected]>, size=239, nrcpt=1 (queue active)
    Mar 22 00:09:27 ns3 postfix/smtpd[2605]: connect from localhost.localdomain[]
    Mar 22 00:09:27 ns3 postfix/smtpd[2605]: 93007DFC34: client=localhost.localdomain[]
    Mar 22 00:09:27 ns3 postfix/cleanup[2496]: 93007DFC34: message-id=<[email protected]>
    Mar 22 00:09:27 ns3 postfix/smtpd[2605]: disconnect from localhost.localdomain[]
    Mar 22 00:09:27 ns3 postfix/qmgr[28075]: 93007DFC34: from=<[email protected]>, size=1399, nrcpt=1 (queue active)
    Mar 22 00:09:27 ns3 amavis[3921]: (03921-18) Passed SPAMMY {RelayedTaggedInbound}, [client.IP]:58913 [client.IP] <[email protected]> -> <[email protected]>, Queue-ID: 52495DF9E1, mail_id: vy_45teWlRXQ, Hits: 18.313, size: 239, queued_as: 93007DFC34, 2708 ms
    Mar 22 00:09:27 ns3 postfix/smtp[2581]: 52495DF9E1: to=<[email protected]>, relay=[]:10024, delay=34, delays=31/0.01/0/2.7, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[]:10025): 250 2.0.0 Ok: queued as 93007DFC34)
    Mar 22 00:09:27 ns3 postfix/qmgr[28075]: 52495DF9E1: removed
    Mar 22 00:09:27 ns3 dovecot: auth-worker(2608): mysql(localhost): Connected to database dbispconfig
    Mar 22 00:09:27 ns3 dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'Junk'
    Mar 22 00:09:27 ns3 postfix/pipe[2606]: 93007DFC34: to=<[email protected]>, relay=dovecot, delay=0.21, delays=0.07/0.01/0/0.14, dsn=2.0.0, status=sent (delivered via dovecot service)
    Mar 22 00:09:27 ns3 postfix/qmgr[28075]: 93007DFC34: removed
    Mar 22 00:09:40 ns3 postfix/smtpd[2018]: disconnect from client.DOMAIN[client.IP]
    Last edited: Mar 22, 2016
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    It has not been sent locally, the email is from:

    Received: from 88-199-20-2.tktelekom(dot)pl (88-199-20-2.tktelekom(dot)pl [])

    Your server is not allowing any anonymous SMTP usage, it just accepts emails for your mailbox and that's what a mail server has to do. And that's what you tested above: you just tested that the mailserver is working correctly and whether it is able to receive (not send!) emails for your local mailbox. If you don't want to receive any emails on this server, then delete all mailboxes and email domains in ISPConfig.
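    The way till reads the headers in this post (walk the Received: chain from the oldest hop upwards, the first hop stamped by your own server names the real sending host), as an added example that is not part of the thread or of ISPConfig. The sample message is the header block quoted in post 1, kept with the page's "(dot)" obfuscation and stripped IPs; the continuation lines are re-indented so a header parser accepts them, and the set of "our" host names is an assumption for the example.

```python
import email
import re

# Received: chain copied from the headers quoted earlier in the thread; the
# page obfuscates dots as "(dot)" and has stripped the IP addresses to "[]",
# and the folded continuation lines are re-indented here (RFC 5322 folding).
SAMPLE_MESSAGE = """\
Return-Path: <MAINUSER@MAINUSER(dot)com>
Delivered-To: MAINUSER@MAINUSER(dot)com
Received: from localhost (localhost.localdomain [])
 by MAILSERVERDOMAIN (Postfix) with ESMTP id E0F50E673E
 for <MAINUSER@MAINUSER(dot)com>; Fri, 18 Mar 2016 13:29:36 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at MAILSERVERDOMAIN
Received: from MAILSERVERDOMAIN ([])
 by localhost (MAILSERVERDOMAIN []) (amavisd-new, port 10024)
 with ESMTP id BzlzDPkdsAxE for <MAINUSER@MAINUSER(dot)com>;
 Fri, 18 Mar 2016 13:29:35 +0100 (CET)
Received: from 88-199-20-2.tktelekom(dot)pl (88-199-20-2.tktelekom(dot)pl [])
 by MAILSERVERDOMAIN (Postfix) with ESMTP id AE339DFA4D
 for <MAINUSER@MAINUSER(dot)com>; Fri, 18 Mar 2016 13:29:35 +0100 (CET)
From: <MAINUSER@MAINUSER(dot)com>
To: <MAINUSER@MAINUSER(dot)com>
Subject: ***SPAM***Document2

(body omitted)
"""

# Host names that belong to this mail system (assumed for the example).
OUR_HOSTS = {"localhost", "localhost.localdomain", "MAILSERVERDOMAIN"}

# "from <host> (<comment>) by <host> ... id <queue-id>"; the comment is
# optional and may itself contain parentheses, hence the lazy match up to " by".
HOP_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\((.*?)\))?\s+by\s+(\S+)")
ID_RE = re.compile(r"\bid\s+(\S+)")


def received_hops(raw_message):
    """Return the Received: hops in the order they appear (newest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue
        idm = ID_RE.search(flat)
        hops.append({"from": m.group(1), "from_info": m.group(2) or "",
                     "by": m.group(3), "id": idm.group(1) if idm else None})
    return hops


def entry_hop(raw_message, our_hosts=OUR_HOSTS):
    """Walk from the oldest hop upwards and return the first one stamped by
    one of our own hosts: that is where the message entered this system and
    its 'from' is the real sending host. Any Received: line below that one
    was written by the sender and cannot be trusted."""
    for hop in reversed(received_hops(raw_message)):
        if hop["by"] in our_hosts:
            hop["internal"] = hop["from"] in our_hosts
            return hop
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print("from %-32s by %-18s id %s" % (hop["from"], hop["by"], hop["id"]))
    origin = entry_hop(SAMPLE_MESSAGE)
    print("entered via:", origin["from"], "(internal)" if origin["internal"] else "(external)")
```

The two upper hops (localhost to MAILSERVERDOMAIN and back through amavisd-new on port 10024) are the content filter loop that every inbound message takes on an ISPConfig box, which is why the mail "looks local" at first glance; the hop that matters is the bottom one, where an outside host handed the message to Postfix on port 25.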
  5. corndoge

    corndoge New Member

    Yeah, I noticed it doesn't send them to other servers, but when I telnet to larger mail servers and type "mail from:" it says authentication required. (That's my last question, sorry for bugging you.)
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can't do the test like this, as larger providers split their infrastructure into submission servers and receiving servers, so when you connect to a submission-only server you get an auth request of course, as this server is not the one that receives any email; it is only used by customers to submit and relay outgoing emails. Your server is configured for submission and receiving of emails on the same system, as you probably don't run a datacenter with clusters of mail systems for tens of thousands of customers, so your server provides both functions on the same machine.
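    A model of the accept-versus-relay decision till describes in posts 2 and 6, added here as an example; it is not code from the thread, ISPConfig or Postfix. It uses Postfix's own restriction names (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination on port 25, and the usual permit_sasl_authenticated,reject override on the submission port) but the domain, client addresses and reply texts are constructed, and probe_open_relay() is a live check that only runs when you call it against a host.

```python
import smtplib
from ipaddress import ip_address, ip_network

# Constructed configuration for the example: domains with mailboxes on this
# box, and Postfix's default mynetworks (loopback only).
LOCAL_DOMAINS = {"domain.com"}
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

RELAY_DENIED = 554


def rcpt_decision(client_ip, sasl_authenticated, rcpt, port=25):
    """Model the RCPT TO decision of one Postfix box that both receives mail
    (port 25) and relays for authenticated users.

    Port 25 models
      smtpd_recipient_restrictions = permit_mynetworks,
          permit_sasl_authenticated, reject_unauth_destination
    Port 587 models the common submission override in master.cf
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    where even a local recipient is refused without a login, which is the
    'authentication required' a submission-only host answers with.
    Returns (smtp_code, text)."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if port == 587:
        if sasl_authenticated:
            return 250, "2.1.5 Ok"
        return RELAY_DENIED, "5.7.1 Client host rejected: Access denied"
    if any(ip_address(client_ip) in net for net in MYNETWORKS):
        return 250, "2.1.5 Ok"                  # permit_mynetworks
    if sasl_authenticated:
        return 250, "2.1.5 Ok"                  # permit_sasl_authenticated
    if rcpt_domain in LOCAL_DOMAINS:
        return 250, "2.1.5 Ok"                  # reject_unauth_destination: local mailbox, accept
    return RELAY_DENIED, "5.7.1 <%s>: Relay access denied" % rcpt


def scenarios():
    """The checks discussed in the thread, as label -> (code, text)."""
    return {
        # what the wormly test and the telnet session in post 3 exercised
        "inbound to local mailbox": rcpt_decision("203.0.113.5", False, "user@domain.com"),
        # the real open-relay test: anonymous client, foreign destination
        "relay attempt to gmail": rcpt_decision("203.0.113.5", False, "someone@gmail.com"),
        # a customer who logged in with SASL may relay
        "authenticated relay": rcpt_decision("203.0.113.5", True, "someone@gmail.com"),
        # amavisd-new re-injects from 127.0.0.1 and is covered by permit_mynetworks
        "localhost re-injection": rcpt_decision("127.0.0.1", False, "someone@gmail.com"),
        # what corndoge saw on a provider's submission host
        "submission port without login": rcpt_decision("203.0.113.5", False, "user@domain.com", port=587),
    }


def probe_open_relay(host, port=25, external_rcpt="probe@example.net"):
    """Live check against a real server: offer a foreign recipient and look at
    the RCPT reply. Nothing is delivered; the session is reset before DATA.
    Returns True if the server would relay for an anonymous client."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        s.mail("probe@example.org")
        code, _ = s.rcpt(external_rcpt)
        s.rset()
    return code == 250


if __name__ == "__main__":
    for label, (code, text) in scenarios().items():
        print("%-32s %d %s" % (label, code, text))
```

The telnet session quoted in post 3 is the first scenario: the recipient was a local mailbox, so "250 2.1.5 Ok" is the correct answer even from an unknown client. Only the second scenario tells you whether you are an open relay, and it is worth re-running probe_open_relay() after any change to mynetworks: listing a whole LAN or hosting range there turns every host in it into a trusted relay client.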
