
Re: SASL auth and (local) relaying through telnet

  • Titanus Eramius
    Message 1 of 7, Dec 7, 2012
      On Thu, 6 Dec 2012 20:32:17 -0600
      /dev/rob0 <rob0@...> wrote:

      > On Fri, Dec 07, 2012 at 01:23:21AM +0100, Titanus Eramius wrote:
      > > My highest concern is to setup an open relay by accident, so
      > > in the process I've used an online anti-spam tester several
      > > times: http://www.antispam-ufrj.pads.ufrj.br/test-relay.html
      >
      > That need not be your highest concern.

      Thanks for the reply. I am not sure I follow here, could you please
      elaborate a bit?

      ...
      > Your munging makes it hard to say for sure, but I'm going to go out
      > on a limb and venture a guess that you host "my_domain.tld" on this
      > Postfix.
      >
      > That's not what "relaying" means. That's "accepting for delivery."
      > "Relaying" means taking mail for some OTHER site and sending it on
      > for the client.
      >
      > What exactly are you trying to prevent here?
      ...
      > So? Your telnet was to port 25.

      Yes, sorry about the munging and the inconsistency, I'm not sure why I
      did that. I see your point about submission and port 25, and I
      guess I still have some learning to do. Thanks for the pointer.

      In that light I realize my question is wrong, and I hope instead the
      following example might help to show what I mean.

      The example is without munging, and Postfix accepts a mail
      through telnet, and locally hands it over to Dovecot, which in turn
      delivers the mail.

      The delivery address exists on the server, and if it doesn't, then
      Postfix says "Recipient address rejected: User unknown in virtual
      mailbox table" just as it says "Relay access denied" if I try to relay
      mail through Postfix.

      $ dig nt-data.dk mx
      ;; ANSWER SECTION:
      nt-data.dk. 5860 IN MX 10 mx01.nt-data.dk.
      ...

      mx01.nt-data.dk. 5860 IN A 94.247.168.138
      ...

      titanus@asrock:~$ telnet 94.247.168.138 25
      Trying 94.247.168.138...
      Connected to 94.247.168.138.
      Escape character is '^]'.
      220 ntdata.nt-data.dk ESMTP Postfix
      EHLO fake
      250-ntdata.nt-data.dk
      250-PIPELINING
      250-SIZE 10240000
      250-ETRN
      250-STARTTLS
      250-AUTH PLAIN LOGIN
      250-AUTH=PLAIN LOGIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      MAIL FROM:spam@...
      250 2.1.0 Ok
      RCPT TO:main@...
      250 2.1.5 Ok
      DATA
      354 End data with <CR><LF>.<CR><LF>
      content here
      .
      250 2.0.0 Ok: queued as EDB151746A80
      quit
      221 2.0.0 Bye
      Connection closed by foreign host.

      The maillog on the server looks like this:

      titanus@ntdata:~$ sudo cat /var/log/mail.log | grep "EDB151746A80"

      Dec 7 17:51:38 ntdata postfix/smtpd[26112]: EDB151746A80:
      client=unknown[92.243.255.38]

      Dec 7 17:51:51 ntdata postfix/cleanup[26118]: EDB151746A80:
      message-id=<>

      Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80:
      from=<SRS0=QfAL=KB=veryfakeaddress548562.tld=spam@...>,
      size=396, nrcpt=1 (queue active)

      Dec 7 17:51:51 ntdata postfix/pipe[26119]: EDB151746A80:
      to=<main@...>, relay=dovecot, delay=36, delays=36/0.01/0/0.17,
      dsn=2.0.0, status=sent (delivered via dovecot service)

      Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80: removed


      If at all possible, I would like the system not to accept the mail.

      Cheers
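The exchange above, as an added example that is not part of the original post: a small Python probe that runs the same EHLO / MAIL FROM / RCPT TO conversation the telnet session did, stops before DATA so nothing is queued, and classifies the RCPT TO reply the way /dev/rob0 distinguishes "accepting for delivery" from "relaying". Everything in it is constructed: the domain example.test, the mailbox main, the sender and recipient addresses, and the FakePostfix class, which stands in for the real server so the script runs offline. Only the reply codes and texts mirror what Postfix sends in the three cases the post mentions (250 for a known local recipient, 550 "User unknown in virtual mailbox table", 554 "Relay access denied").

```python
import re
import socket
import threading

# Constructed stand-in for the setup in the thread (an assumption, not the
# real nt-data.dk server): the MX hosts LOCAL_DOMAIN and knows these mailboxes.
LOCAL_DOMAIN = "example.test"
LOCAL_MAILBOXES = {"main"}


def read_reply(rfile):
    """Read one SMTP reply, multi-line ("250-...") included -> (code, [lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":      # "250 " (space) ends the reply
            return int(line[:3]), lines


def probe_recipient(host, port, sender, recipient):
    """Same conversation as the telnet session, but stop after RCPT TO so the
    server never queues anything.  Returns the RCPT reply as (code, text)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("rb")

        def cmd(line):
            sock.sendall((line + "\r\n").encode())
            return read_reply(rfile)

        read_reply(rfile)                        # 220 banner
        cmd("EHLO probe.invalid")
        cmd(f"MAIL FROM:<{sender}>")
        code, text = cmd(f"RCPT TO:<{recipient}>")
        cmd("QUIT")
    return code, " ".join(text)


def classify(recipient, code, text):
    """Accepting mail for a hosted domain is delivery; accepting it for any
    other domain is relaying.  Name which one the reply shows."""
    local = recipient.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN
    if code == 250:
        return ("accepted for local delivery" if local
                else "relayed (open relay unless the domain is in relay_domains)")
    if "Relay access denied" in text:
        return "relay refused (correct)"
    if "User unknown" in text:
        return "local address, no such mailbox"
    return f"rejected ({code})"


class FakePostfix(threading.Thread):
    """Offline stand-in that answers like the Postfix in the thread."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.serve, args=(conn,), daemon=True).start()

    def serve(self, conn):
        rfile = conn.makefile("rb")
        send = lambda s: conn.sendall((s + "\r\n").encode())
        send("220 mx.example.test ESMTP Postfix")
        while True:
            raw = rfile.readline()
            if not raw:
                break
            line = raw.decode("utf-8", "replace").strip()
            verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb == "EHLO":
                send("250-mx.example.test"); send("250-STARTTLS"); send("250 DSN")
            elif verb == "MAIL":
                send("250 2.1.0 Ok")
            elif verb == "RCPT":
                m = re.search(r"<([^>]*)>", line)
                addr = m.group(1) if m else ""
                user, _, domain = addr.rpartition("@")
                if domain.lower() != LOCAL_DOMAIN:        # reject_unauth_destination
                    send(f"554 5.7.1 <{addr}>: Relay access denied")
                elif user.lower() not in LOCAL_MAILBOXES:  # virtual_mailbox_maps miss
                    send(f"550 5.1.1 <{addr}>: Recipient address rejected: "
                         "User unknown in virtual mailbox table")
                else:
                    send("250 2.1.5 Ok")
            elif verb == "QUIT":
                send("221 2.0.0 Bye")
                break
            else:
                send("250 2.0.0 Ok")
        conn.close()


def run_demo():
    """Probe the three cases the post describes against the fake server."""
    server = FakePostfix()
    server.start()
    results = {}
    for rcpt in ("main@example.test", "nobody@example.test", "victim@other.invalid"):
        code, text = probe_recipient("127.0.0.1", server.port, "spam@sender.invalid", rcpt)
        results[rcpt] = (code, classify(rcpt, code, text))
    return results


if __name__ == "__main__":
    for rcpt, (code, verdict) in run_demo().items():
        print(f"{rcpt:24} {code}  {verdict}")
```

Pointed at a real MX instead of FakePostfix, the only result that indicates a problem is a 250 for a recipient outside the domains the server hosts; a 250 for main@ on the hosted domain is the server doing its job, exactly as in the post.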
    • mouss
      Message 2 of 7, Dec 9, 2012
        On 07/12/2012 18:22, Titanus Eramius wrote:
        > [snip]
        > titanus@asrock:~$ telnet 94.247.168.138 25
        > Trying 94.247.168.138...
        > Connected to 94.247.168.138.
        > Escape character is '^]'.
        > 220 ntdata.nt-data.dk ESMTP Postfix
        > EHLO fake
        > 250-ntdata.nt-data.dk
        > 250-PIPELINING
        > 250-SIZE 10240000
        > 250-ETRN
        > 250-STARTTLS
        > 250-AUTH PLAIN LOGIN
        > 250-AUTH=PLAIN LOGIN
        > 250-ENHANCEDSTATUSCODES
        > 250-8BITMIME
        > 250 DSN
        > MAIL FROM:spam@...
        > 250 2.1.0 Ok
        > RCPT TO:main@...
        > 250 2.1.5 Ok
        > DATA
        > 354 End data with <CR><LF>.<CR><LF>
        > content here
        > .
        > 250 2.0.0 Ok: queued as EDB151746A80
        > quit
        > 221 2.0.0 Bye
        > Connection closed by foreign host.
        >
        > The maillog on the server looks like this:
        >
        > titanus@ntdata:~$ sudo cat /var/log/mail.log | grep "EDB151746A80"

        <humour>
        mew :) you like cats too? or is it the pipe that you like?

        $ sudo grep "...." /var/log/mail.log

        saves a few keystrokes ....
        </humour>

        keep reading. answer below.

        >
        > Dec 7 17:51:38 ntdata postfix/smtpd[26112]: EDB151746A80:
        > client=unknown[92.243.255.38]
        >
        > Dec 7 17:51:51 ntdata postfix/cleanup[26118]: EDB151746A80:
        > message-id=<>
        >
        > Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80:
        > from=<SRS0=QfAL=KB=veryfakeaddress548562.tld=spam@...>,
        > size=396, nrcpt=1 (queue active)
        >
        > Dec 7 17:51:51 ntdata postfix/pipe[26119]: EDB151746A80:
        > to=<main@...>, relay=dovecot, delay=36, delays=36/0.01/0/0.17,
        > dsn=2.0.0, status=sent (delivered via dovecot service)
        >
        > Dec 7 17:51:51 ntdata postfix/qmgr[3981]: EDB151746A80: removed
        >
        >
        > If at all possible, I would like the system not to accept the mail.
        >

        why not? because you sent it using the telnet client program? there is
        no fundamental difference between mail sent using a "standard" MUA
        (thunderbird, outlook, ...) or a program such as telnet, netcat, ... or
        a script using perl, python, php, ...

        and no, spammers do not use the telnet program. that would be too slow!
        they (generally) use spam bots, which can send mass mails in a short
        time. trying to detect such bots is the subject of anti-spam measures
        such as postscreen, greylisting, spam filters (that look for specific
        headers or other).
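The greylisting mouss lists among the anti-spam measures, as an added example that is not part of the thread and is not Postfix or postgrey code: a triplet greylist of the kind a Postfix policy daemon implements. A first attempt from a (client network, sender, recipient) triplet gets a temporary 450; a retry after the delay is let through, and the triplet is then remembered. The point it shows is the one mouss makes: the client program makes no difference, but a bot that fires once and never retries never gets past the 450, while a real MTA does. The addresses, timestamps, delay and expiry values, and the DEFER / PASS strings are all constructed for the example.

```python
import ipaddress
import time


class Greylist:
    """Triplet greylisting, postgrey-style (added example, not postgrey code)."""

    # Reply strings are the actions from Postfix's policy delegation protocol.
    DEFER = "DEFER_IF_PERMIT 450 4.2.0 Greylisted, try again later"
    PASS = "DUNNO"            # no opinion; later restrictions decide

    def __init__(self, delay=300, retry_window=2 * 86400, ttl=35 * 86400):
        self.delay = delay                 # seconds a triplet must wait before a retry counts
        self.retry_window = retry_window   # how long a first attempt stays pending
        self.ttl = ttl                     # how long a passed triplet stays known
        self.pending = {}                  # triplet -> time of first attempt
        self.passed = {}                   # triplet -> time of last accepted mail

    @staticmethod
    def triplet(client_ip, sender, recipient):
        """Key on the client's /24 (or /64) so a sending pool whose retry
        comes from a sibling host still matches the first attempt."""
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        key = self.triplet(client_ip, sender, recipient)

        last = self.passed.get(key)
        if last is not None and now - last < self.ttl:
            self.passed[key] = now           # refresh the auto-whitelist entry
            return self.PASS

        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now          # new (or stale) triplet: start the clock
            return self.DEFER
        if now - first < self.delay:
            return self.DEFER                # retried too soon: keep deferring
        del self.pending[key]
        self.passed[key] = now               # patient retry: let it through
        return self.PASS


def simulate():
    """Constructed traffic: a fire-and-forget bot, a well-behaved MTA that
    retries after a minute and again after ten, and a sibling host in the
    MTA's /24 sending the same triplet later."""
    gl = Greylist()
    t0 = 1_700_000_000.0
    bot = gl.check("203.0.113.7", "spam@bot.invalid", "main@example.test", t0)
    mta = [
        gl.check("198.51.100.9", "friend@other.test", "main@example.test", t0),
        gl.check("198.51.100.9", "friend@other.test", "main@example.test", t0 + 60),
        gl.check("198.51.100.9", "friend@other.test", "main@example.test", t0 + 600),
    ]
    sibling = gl.check("198.51.100.20", "friend@other.test", "main@example.test", t0 + 900)
    return bot, mta, sibling


if __name__ == "__main__":
    bot, mta, sibling = simulate()
    print("bot:", bot)
    for i, verdict in enumerate(mta):
        print(f"mta attempt {i + 1}:", verdict)
    print("sibling host:", sibling)
```

In a real deployment this logic runs as a policy daemon that Postfix consults through check_policy_service in smtpd_recipient_restrictions; the cost is a delay on first contact from each new sender, which is why greylisting is usually paired with a whitelist of known-good MTAs.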
      • Titanus Eramius
        Message 3 of 7, Dec 13, 2012
          On Sun, 09 Dec 2012 16:37:12 +0100
          mouss <mouss@...> wrote:

          > <humour>
          > mew :) you like cats too? or is it the pipe that you like?
          >
          > $ sudo grep "...." /var/log/mail.log
          >
          > saves a few keystrokes ....

          For some odd reason I kinda do. Maybe it's the concept of a data-pipe
          itself, but I imagine from now on I am too lazy to use it together
          with grep :)

          > </humour>

          > > If at all possible, I would like the system not to accept the mail.
          > >
          >
          > why not? because you sent it using the telnet client program? there is
          > no fundamental difference between mail sent using a "standard" MUA
          > (thunderbird, outlook, ...) or a program such as telnet, netcat, ...
          > or a script using perl, python, php, ...
          >
          > and no, spammers do not use the telnet program. that would be too
          > slow! they (generally) use spam bots, which can send mass mails in a
          > short time. trying to detect such bots is the subject of anti-spam
          > measures such as postscreen, greylisting, spam filters (that look for
          > specific headers or other).

          I see.
          It makes plenty of sense, and yes, of course this could be scripted as
          well; I just thought the example with telnet was easy to illustrate.

          It might just be me and my wicked way of thinking that made me ask this
          question, but I'm glad I did even though the premise was wrong, since
          I learned some new things.

          Thanks for all the replies.

          Cheers