Full Version: Plesk Qmail is not secure
alexhubner
Good morning. I'm a little worried about my Qmail server (I'm using Plesk 7.5.4). We're using SMTP authentication (configured under the "Mail" option in the Plesk administrator) and everything looked closed and secure, until we found that messages containing viruses (inside zip files) were being delivered to users on our server. And worse: these messages were being sent from our own SMTP server!

I've discovered that if you're using the default Plesk Qmail install, anyone is able to send messages to local domains (listed in the rcpthosts file) using the server's SMTP server, without any kind of authentication :eek: !

Here's a quick explanation (from a command prompt anywhere):

telnet smtp.yourdomain.com 25
220 smtp.yourdomain.com ESMTP
helo
250 smtp.yourdomain.com
mail from:anybody@anywhere.com
250 ok
rcpt to:someone@yourdomain.com
250 ok
data
354 go ahead
subject=test
content
.
250 ok 1149174825 qp 6354

Where "yourdomain.com" is a domain configured in Plesk and "anywhere.com" can be whatever you want.

And the message is sent without any authentication method... Is that OK? Most SMTP servers I have used do not allow this; they require some authentication, even if the message is destined for a local address/domain.

You can also do this with your e-mail client program (i.e. Outlook). Just configure the SMTP server and test it. As long as you're sending a message to a local domain you'll not be blocked by a 553 error or anything else. The message simply goes to its destination.

This flaw can be used (as a matter of fact *is* being used) by spammers. The messages are being delivered to our domains as local messages (also bypassing SPF verification, since Plesk 7.5.4 does not offer SPF checks and the messages are delivered internally/locally). I believe it is pretty easy to build a tool or a simple script that can use this flaw to send spam or spread viruses, bypassing many security protections on the way (for example: our server uses an MX gateway that does SPF/ORBL checks/etc. before delivering the message to the server. The thing is that, without authentication, anyone can send messages directly to our domains, bypassing every security check).

Are you guys aware of this? Have anything to share? Tips to avoid it? There's got to be a way to make Plesk's Qmail server ask for authentication BEFORE sending the message, locally or remotely (it shouldn't matter).

Many thanks!
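A way to check a server for the behaviour described in this post without delivering anything, as an added example that is not part of the original thread and not Plesk or qmail code: the Python probe below speaks the same HELO / MAIL FROM / RCPT TO exchange as the telnet session above, then issues RSET instead of DATA, so no message is ever queued. The stub server included with it is a constructed stand-in for the stock rcpthosts-only behaviour (accept any recipient at a listed domain, authenticated or not; refuse everything else) so the whole thing runs offline; the host names, addresses and domain list are assumptions.

```python
"""Probe whether an SMTP server takes MAIL FROM / RCPT TO for one of its own
domains from an unauthenticated client, stopping before DATA so nothing is
delivered. The stub server is a constructed stand-in for the rcpthosts-only
behaviour the post describes; it is not Plesk or qmail code."""
import smtplib
import socketserver
import threading


def accepts_unauthenticated(host, port, mail_from, rcpt_to, timeout=10):
    """Return (accepted, rcpt_reply) for one MAIL/RCPT pair with no AUTH."""
    with smtplib.SMTP(host, port, local_hostname="probe", timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, msg = s.mail(mail_from)
        if code != 250:
            return False, f"{code} {msg.decode(errors='replace')}"
        code, msg = s.rcpt(rcpt_to)
        try:
            s.rset()  # drop the envelope: DATA is never sent, nothing is queued
        except smtplib.SMTPException:
            pass      # a strict server may already have dropped the connection
        return code == 250, f"{code} {msg.decode(errors='replace')}"


class _RcpthostsOnlyHandler(socketserver.StreamRequestHandler):
    """Stand-in for stock qmail-smtpd relay control: every destination listed
    in rcpthosts is accepted, AUTH or not; anything else gets the 553 refusal."""

    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        for raw in self.rfile:
            line = raw.strip()
            verb = line.split(None, 1)[0].upper() if line else b""
            if verb in (b"HELO", b"EHLO"):
                reply = b"250 stub"
            elif verb == b"MAIL":
                reply = b"250 ok"
            elif verb == b"RCPT":
                domain = line.rsplit(b"@", 1)[-1].strip(b"> ").lower().decode()
                reply = (b"250 ok" if domain in self.server.local_domains else
                         b"553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)")
            elif verb == b"RSET":
                reply = b"250 flushed"
            elif verb == b"QUIT":
                self.wfile.write(b"221 stub\r\n")
                return
            else:
                reply = b"502 unimplemented (#5.5.1)"
            self.wfile.write(reply + b"\r\n")


def start_stub(local_domains):
    """Start the stand-in on a free loopback port; returns the server object."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _RcpthostsOnlyHandler)
    srv.local_domains = {d.lower() for d in local_domains}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(local_domains=("yourdomain.com",)):
    """Run both checks against the stand-in: a local recipient (accepted, which
    is the thread's complaint) and a foreign one (refused: not an open relay)."""
    srv = start_stub(local_domains)
    try:
        host, port = srv.server_address
        local = accepts_unauthenticated(host, port, "anybody@anywhere.com",
                                        f"someone@{local_domains[0]}")
        foreign = accepts_unauthenticated(host, port, "anybody@anywhere.com",
                                          "someone@example.net")
    finally:
        srv.shutdown()
        srv.server_close()
    return local, foreign


if __name__ == "__main__":
    print(demo())
```

Against a real host, call accepts_unauthenticated() with its port 25 and an address at a domain it hosts (with the owner's permission); a True result with a 250 reply means the server behaves as the post describes, while a 553 at RCPT TO means it is enforcing some policy beyond rcpthosts.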
alexhubner
Found similar problem in this thread: http://forums.ev1servers.net/showthread.php?t=16111

And I must say that it definitely can be avoided with tools such as eMPF - http://www.inter7.com/?page=empf. The question is: how can we do it without breaking Plesk's Qmail version? :confused:
Gary Simat
There are also several other possibilities to take into consideration.

1) Someone is spoofing the mail server
2) Someone is using insecure PHP or PERL or other scripts to send this spam.
3) One of your clients has a virus or other spyware on their computer which uses your mail server.
alexhubner
Only option 1 is feasible, since we do not host anything except mail on this server and none of our users are infected, but it doesn't seem to be the case.

Note that we're not facing traditional spam flood problems from an open relay. We have a very specific problem: Plesk's Qmail setting will ALWAYS relay for anything (and anybody) without asking for authentication as long as the message has a rcpt to a local domain (it doesn't matter where it comes from), even if you have set "SMTP" or "POP3 lock time" as the authentication method in Plesk Mail settings.

If you use Plesk you can make a test yourself: just configure an email account (i.e. in Outlook) to send messages using your Plesk SMTP server but do not set any kind of SMTP authentication for this account (i.e. "my server requires SMTP authentication"). You won't be able to send messages to any domain, except those hosted on your Plesk machine. And that's the problem: this is done without any kind of authentication and can be performed from anywhere, as long as your server has TCP/IP port 25 open (which makes sense if you're hosting an SMTP server...).

For me this is a very serious problem, and it can easily be used to spread spam and viruses among your domains.

It's as simple as this:

telnet smtp.yourdomain.com 25
220 smtp.yourdomain.com ESMTP
helo
250 smtp.yourdomain.com
mail from:anybody@anywhere.com
250 ok
rcpt to:someone@yourdomain.com
250 ok
data
354 go ahead
subject=test
content
.
250 ok 1149174825 qp 6354

If "anybody@anywhere.com" is not a valid user on the server (valid user means that he needs to be authenticated somehow - SMTP_AUTH or POP3) he SHOULDN'T be able to send anything from your server. But Plesk's Qmail allows it.

As I stated before, this problem (imho) brings other bad implications: a malicious user can pretend to be a user from a local domain, completely bypassing any SPF protection you might have anywhere in your mail infrastructure, and also pretending to be a valid user (from the user's perspective). For example: in our case we're receiving e-mail messages from "MAILER-DAEMON@mydomain.com" with the subject "failure notice" (very common) with a virus file called "details.txt" zipped and attached to the message. Not to mention other possible exploits that can be built from this Plesk vulnerability.
Gary Simat
The only time I've seen something like that happen is when a server was exploited and smtp was replaced with a hacked-up version that would allow an open relay regardless. Other than that I would say check your relay domains.
alexhubner
Gary, sorry to tell you that this is not the case. This is an "out of the box Plesk feature". You can check for yourself if you own a Plesk machine (see my previous message).

Anybody else confirms?
Gary Simat
Just stating my experiences with the countless servers I've touched and realistic possibilities....
alexhubner
I thank you for that. Just to clarify: are you saying that Plesk's Qmail server does require authentication/credentials to relay messages addressed to local domains?

That's funny, because I've checked on three different machines (all running Plesk 7.5.4 with its default Qmail - and those machines are not compromised by hackers/crackers in any way) and I was able to send from a local domain user to another local domain user, and the server never prompted for credentials...
xiaobb
Alex, I verified that it is doing the same thing for me.
I am now wondering how to fix this.
Ben
revolution
I hate to sound like an idiot here if this seems stupid to someone more knowledgeable than myself, but if you require authentication to deliver mail to local users, how do you expect to receive mail from other servers?

Unless you are trying to lock down a mail server that is used for internal company email only and shouldn't receive mail from any other servers, I think you have no choice but to leave it accepting mail for your local domains from unauthenticated users. If anything, you'll want to be putting your energies into spam filtering and systems like SPF. (SPF support is provided with qmail in Plesk 8, by the way.)
alexhubner
Revolution, you're right and I understand that this is expected behaviour. But in Plesk this behaviour allows a malicious user to send messages to your domain as a legitimate user. It's just a matter of (1) guessing a valid e-mail address on the domain (i.e. MAILER-DAEMON@yourdomain.com) and (2) using the domain's SMTP server (i.e. smtp.yourdomain.com) to send messages (viruses, anything) to other emails/users in that same domain.

I'm not an MTA/SMTP expert, but I know that there's a way to force users to authenticate before sending messages through SMTP servers even if the message is addressed to a domain allowed in the rcpthosts file. I just don't know how, so I'll try to illustrate with real examples:

DOMAIN: iventure.com.br (hosted in a Plesk box)
DOMAIN: hubner.org.br (hosted in a Linux/Qmail box)

The SMTP servers are (hard to guess): smtp.iventure.com.br and smtp.hubner.org.br.

OK, if you try to send a message to a local domain on the "iventure.com.br" server, you'll *not* be asked for credentials; that's what the following commands show:

telnet smtp.iventure.com.br 25
220 mail7.worldispnetwork.com ESMTP
helo
250 mail7.worldispnetwork.com
mail from:test@test.com
250 ok
rcpt to:test@iventure.com.br
250 ok
data
354 go ahead
subject=test
content
.
250 ok 1149023436 qp 11545
quit
221 adt2.amazonia.org.br
Connection closed by foreign host.

Now, if you try to do the same with a secure SMTP server such as SMTP.HUBNER.ORG.BR you'll be blocked and asked for authentication. See below (and test for yourself):

telnet smtp.hubner.org.br 25
220 smtp.hubner.org.br ESMTP
helo
250 smtp.hubner.org.br
mail from:alex@test.com.br
250 ok
rcpt to:alex@hubner.org.br
553 THIS SERVER IS TO BE USED WITH AUTHENTICATION (#5.7.1)
Connection to host lost.

Of course I'm not talking about regular mail delivery from one SMTP system to another. I'm talking about sending messages (creating/originating messages) via an SMTP server hosted by Plesk. And this can be done in a multitude of ways: from the command prompt to regular e-mail clients (i.e. Outlook and Thunderbird) and (of course) worms and scripts deliberately created to exploit this kind of behaviour of the Plesk Qmail service.

Currently I'm receiving viruses from users who are not legitimate users, but can bypass protections such as SPF and MX gateways in a very easy way (with no authentication) since they are sending messages FROM our domain and WITHIN our domain. That's a serious flaw if you ask me, and I'm trying to mitigate it somehow.
revolution
QUOTE (alexhubner)
Currently I'm receiving viruses from users who are not legitimate users, but can bypass protections such as SPF and MX gateways in a very easy way (with no authentication) since they are sending messages FROM our domain and WITHIN our domain. That's a serious flaw if you ask me, and I'm trying to mitigate it somehow.

I believe if you have your own domain's SPF record set correctly, and defined as strict (~all rather than ?all), and have proper SPF settings with qmail (in Plesk, go to Server > Mail, enable SPF, choose, for example, "reject mail when SPF resolves to 'fail'/deny"), then SPF should do the job as the email will be originating from a host not allowed per your domain's SPF record.

Also note that smtp.hubner.org.br is not the publicly-advertised mail server for hubner.org.br. It may not make a difference, but you might want to try this same test on the domain's public mail server.
alexhubner
If I'm not wrong "~all" produces a soft fail, not a block response (which is achieved using the "-all" syntax). But as I said before, SPF is useless in this case because (1) Plesk 7.5.x does not provide SPF protection bundled with its Qmail service and (2) the message will always receive a "pass" response for SPF queries since the malicious user is sending the message through the domain's SMTP server, which of course must be authorized in the DNS/SPF record.

The hostnames are also not important here. You can use any A record that points to the SMTP server's IP address to send the messages. As a matter of fact, you can use just the IP address of the server to send the messages.
alexhubner
Just to add more to this thread: MailEnable Pro/Ent versions have an interesting feature: "Senders from local domains must authenticate to relay". That's exactly what I'm looking for in the Plesk/Qmail config.

It makes A LOT of sense to support this kind of thing because of the problems and security concerns I've stated before.

Also, this is a very good presentation about how email works (including relaying, MTA, SMTP, etc., etc.). Recommended as background on the subject for those (me included) not used to this wild world of email.

Still looking for a solution... :(
dominiosenlinea
QUOTE (alexhubner @ Jun 3 2006, 03:17 AM)
Just to add more to this thread: MailEnable Pro/Ent versions have an interesting feature: "Senders from local domains must authenticate to relay". That's exactly what I'm looking for in the Plesk/Qmail config.
It makes A LOT of sense to support this kind of thing because of the problems and security concerns I've stated before.
Also, this is a very good presentation about how email works (including relaying, MTA, SMTP, etc., etc.). Recommended as background on the subject for those (me included) not used to this wild world of email.
Still looking for a solution... :(


Who found the solution...

So it won't allow any user to send the email?
James Erickson
Qmail already supports SMTP authentication; the mail server by default should be accepting ALL mail for your domain, regardless of who it's from, unless you have RBLs or other 'features' enabled to reject specific mail sources. This is the default practice of almost *any* mail server out there. 'Relaying' means that the mail will be leaving your server and going to a remote host; if the mail is going to a domain hosted on the same server, then it is not relaying, therefore it will not require authentication. What should be happening, however, is that SpamAssassin (or a similar application) should be flagging these as spam due to the way they were sent, and then your application filters them to the trash.
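To make the relaying-versus-local-delivery distinction in the reply above concrete, alongside alexhubner's two telnet transcripts (250 on the Plesk host, 553 on smtp.hubner.org.br) and the MailEnable rule he quotes ("Senders from local domains must authenticate to relay"), here is an added example that is not code from the thread, from Plesk or from qmail: a small Python model of a qmail-smtpd-style relay decision (rcpthosts plus RELAYCLIENT) with two stricter policies bolted on. Feed it the command lines from the transcripts and read back the replies. The rcpthosts refusal and AUTH reply texts follow qmail's wording; AUTH_REQUIRED is the 553 quoted from smtp.hubner.org.br, and how that server actually decides is an assumption, modelled here as "submission-only". Credentials, domains and addresses are constructed.

```python
"""Model of a qmail-smtpd-style relay decision (control/rcpthosts + RELAYCLIENT)
with optional stricter rules. Pure Python, no sockets: replay the command lines
from the thread's telnet sessions and read back the replies. Added example; the
policies, credentials and domains are constructed, not taken from Plesk or qmail."""
import base64
from dataclasses import dataclass

OK = "250 ok"
RCPTHOSTS_REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"
AUTH_REQUIRED = "553 THIS SERVER IS TO BE USED WITH AUTHENTICATION (#5.7.1)"  # quoted in thread

DEFAULT = "default"                      # stock Plesk/qmail: rcpthosts decides, AUTH is irrelevant
LOCAL_SENDER_AUTH = "local-sender-auth"  # MailEnable-style: MAIL FROM at a local domain needs AUTH
SUBMISSION_ONLY = "submission-only"      # assumed rule of smtp.hubner.org.br: every RCPT needs AUTH


@dataclass
class Session:
    rcpthosts: frozenset        # domains delivered locally (qmail control/rcpthosts)
    users: dict                 # AUTH PLAIN credentials, constructed for the example
    policy: str = DEFAULT
    relay_client: bool = False  # RELAYCLIENT set by tcpserver rules / POP-before-SMTP
    authenticated: bool = False
    mail_from: str = None       # envelope sender once MAIL FROM has been accepted


def _arg(line):
    """'MAIL FROM:<a@b>' -> 'a@b'; 'mail from:a@b' -> 'a@b'."""
    return line.split(":", 1)[1].strip(" <>") if ":" in line else ""


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def auth_plain_line(user, password):
    """Client-side helper: the one-line AUTH PLAIN command for these credentials."""
    return "AUTH PLAIN " + base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def smtp_reply(s, line):
    """Reply to one client command, updating the session state."""
    words = line.strip().split(None, 1)
    verb = words[0].upper() if words else ""
    if verb in ("HELO", "EHLO"):
        return "250 stub"
    if verb == "AUTH":
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "PLAIN":
            return "504 auth type unimplemented (#5.5.1)"
        try:
            _, user, password = base64.b64decode(parts[2]).decode().split("\0")
        except ValueError:  # bad base64, bad UTF-8, or wrong number of fields
            return "501 malformed auth input (#5.5.4)"
        if s.users.get(user) == password:
            s.authenticated = True
            return "235 ok, go ahead (#2.0.0)"
        return "535 authentication failed (#5.7.1)"
    if verb == "MAIL":
        s.mail_from = _arg(line)
        return OK
    if verb == "RCPT":
        if s.mail_from is None:
            return "503 MAIL first (#5.5.1)"
        if s.authenticated or s.relay_client:
            return OK                          # relaying permitted, any destination
        if _domain(_arg(line)) not in s.rcpthosts:
            return RCPTHOSTS_REJECT            # never an open relay, under any policy
        # Destination is local. Stock qmail stops here and accepts: the thread's complaint.
        if s.policy == SUBMISSION_ONLY:
            return AUTH_REQUIRED
        if s.policy == LOCAL_SENDER_AUTH and _domain(s.mail_from) in s.rcpthosts:
            return AUTH_REQUIRED               # sender claims our own domain: make it prove it
        return OK
    if verb == "RSET":
        s.mail_from = None
        return "250 flushed"
    if verb == "QUIT":
        return "221 stub"
    return "502 unimplemented (#5.5.1)"


def run(lines, **session_args):
    """Replay client lines through a fresh session; returns the list of replies."""
    s = Session(**session_args)
    return [smtp_reply(s, line) for line in lines]
```

The point of the LOCAL_SENDER_AUTH policy is what revolution's objection calls for: a remote MTA sending test@test.com to test@iventure.com.br still gets 250 ok, so inbound mail keeps flowing, while an unauthenticated session claiming MAILER-DAEMON@iventure.com.br as the envelope sender is refused until it authenticates. Bounces use an empty MAIL FROM:<>, which this rule leaves alone.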
betepok
I checked my Plesk 8.1 and I have the exact same problem with Qmail and could not find any resolution for this problem.
I can send emails and SpamAssassin does not even react to anything.....

Anyone has any advice?
dominiosenlinea
I am able to send email out also, no checks.

And the email gets sent.

All I have to do is set the mail server and the rest as I want, send it out to gmail, and it was delivered.

I'm trying to understand what jerickson said, and it seems right, but why can I still go around authentication?

(Already sent a ticket, got the same response as here, still did not solve my mail problem.)