
I'm ashamed, but I have to ask for help. My server is being used for sending spam, I've found out I can simply connect with telnet (edit: from any server in office, home and even directly from CMD/Putty Telnet), add mail from/rcpt to/data without any login/authorization and send mail from my domain to any external mailbox (for example gmail accounts). I'm using Exim/SMTP/CSF on Debian, and have basic knowledge about them.

root@vps:~# telnet example.com 25
Trying 19x.10x.8x.1xx...
Connected to example.com.
Escape character is '^]'.
220 serwer.example.com.pl ESMTP Exim 4.91 Wed, 19 Sep 2018 10:48:05 +0200
mail from: xyz@example.com
250 OK
rcpt to: outerbox@gmail.com
250 Accepted
data
354 Enter message, ending with "." on a line by itself
test data.
.
250 OK id=1g2Y9t-0003yu-Of

I want to prevent this and force any form of authentication to prevent sending spam from my server to external mailboxes. My second server, when I try the same thing, returns "550 authentication required" after the "rcpt to" command. I think that's the proper behaviour, so you can't send spam.

In my exim.conf I've got empty relay parameters (I've tried putting my server's IP or localhost address, without luck):

addresslist whitelist_senders = lsearch;/etc/virtual/whitelist_senders
addresslist blacklist_senders = lsearch;/etc/virtual/blacklist_senders
domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains
domainlist whitelist_domains = lsearch;/etc/virtual/whitelist_domains
domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = 
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
hostlist auth_relay_hosts = 
hostlist bad_sender_hosts = lsearch;/etc/virtual/bad_sender_hosts
hostlist bad_sender_hosts_ip = net-lsearch;/etc/virtual/bad_sender_hosts
hostlist relay_hosts = 
hostlist whitelist_hosts = lsearch;/etc/virtual/whitelist_hosts
hostlist whitelist_hosts_ip = net-lsearch;/etc/virtual/whitelist_hosts

Authentication section

begin authenticators

plain:
    driver = plaintext
    public_name = PLAIN
    server_prompts = :
    server_condition = "${perl{smtpauth}}"
    server_set_id = $2

login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = "${perl{smtpauth}}"
    server_set_id = $1

How can I protect my SMTP socket? How can I force the "authentication required" process? I tried to compare .conf files with my second server, but despite 2 days of trying I'm out of luck.

Mateusz
    When you do this telnet attempt, are you doing it from the mailserver itself or from a separate server? – Jenny D Sep 19 '18 at 09:13
  • From a separate server. I can do this even from Windows CMD / Putty from any computer in home or work. – Mateusz Sep 19 '18 at 09:21
  • Since it's working right on one server and not on the other, there must be some difference in the configuration, and it's easy to miss when you just look at them. You should download the full set of config files for each host to its own directory on a unix server. Then run `cd /path/to/oneserversconfig/; for file in *; do echo "Diffing file $file"; diff $file /path/to/secondserversconfig/$file; done`. This will show the actual difference for each file. – Jenny D Sep 19 '18 at 11:55
  • Great script, thank you :) I've used it, and there's only a logs options difference and `keep_environment=PWD`. I've even copied the working .conf to the first server, of course with exim being restarted, and nothing happened. I've also noticed that the properly working conf uses `hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts`. IPs from this file don't need auth; those which aren't there get `550 authentication required`. Before I started anything, this line looked the same, then I tried putting its content directly into .conf and as you can see the parameter is now blank. – Mateusz Sep 19 '18 at 12:30
  • The sections from exim4.conf that you posted aren't decisive in blocking an attempt to send email; the logic that decides whether someone is allowed to send something or not is found in the `acl` section. Please run `/usr/sbin/exim4 -bV 2>/dev/null|grep 'Configuration file'`. That shows you which file is the active configuration file. From there, look at everything from the line that starts with `begin acl` up to the next line that starts with the `begin` keyword. This is what decides who is allowed to post. If you can't figure it out, please edit your answer and post the `acl` section. – Wouter Verhelst Sep 26 '18 at 15:08
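
Wouter's comment above points at the `acl` section as the place where relaying is actually decided. The following is an added illustration, not configuration from the question or from Exim's shipped defaults: a minimal RCPT ACL that reuses the named lists already present in the posted config (`local_domains`, `relay_domains`, `relay_hosts`) and produces the "550 authentication required" behaviour the second server shows. The `acl_smtp_rcpt` setting belongs in the main section before `begin acl`; the IP address in the test command is a constructed example.

```exim
# Main section: tell Exim which ACL runs for every RCPT TO command
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail submitted locally over a pipe (exim -bs), not over TCP
  accept  hosts = :

  # Mail addressed to our own domains is delivery, not relay
  accept  domains = +local_domains

  # Domains we have agreed to relay for (empty in the posted config)
  accept  domains = +relay_domains

  # A client that passed the PLAIN or LOGIN authenticator may send anywhere
  accept  authenticated = *

  # Hosts trusted without auth, e.g. net-lsearch;/etc/virtual/pophosts
  # on the OP's working server (empty list = nobody)
  accept  hosts = +relay_hosts

  # Anything left is an unauthenticated relay attempt: refuse it at RCPT.
  # "deny" in the RCPT ACL answers with a 550 by default, which is the
  # "550 authentication required" the second server returns.
  deny    message = authentication required

# Check the result without sending anything: Exim simulates an SMTP session
# from the given peer address and prints which ACL statements fired.
#   exim -bh 203.0.113.10
# Type the same MAIL FROM / RCPT TO lines as in the telnet session; an
# external RCPT TO must now be rejected with 550 unless the peer is listed
# in relay_hosts or has authenticated.
```

The order matters: every `accept` that matches ends the ACL, so keep the unconditional `deny` last and the `authenticated = *` check before it.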

1 Answer


Remove the * from dc_relay. This allows anyone to send mails.
In file /etc/exim4/exim4.conf.localmacros add the following

MAIN_TLS_ENABLE = true

Please add server_mail_auth_condition check here

For more SMTP authentication info

sanjayparmar
  • I've got `MAIN_TLS_ENABLE = yes` in my `exim.conf` file, and as you see there's no `*` on relay params so it shouldn't allow anyone to send mails.. about server_mail_auth_condition - I'll check it, but I'm not sure yet how to use it.. – Mateusz Sep 19 '18 at 10:25
  • You can use `server_mail_auth_condition = false or true` under the `login` section; please check http://www.pl.exim.org/exim-html-current/doc/html/spec_html/ch33.html – sanjayparmar Sep 19 '18 at 11:20
  • I've done this and still nothing. I don't get it, the second server has almost the same config and everything there is fine. The corrected section looks like this: `plain: driver = plaintext public_name = PLAIN server_prompts = : server_condition = "${perl{smtpauth}}" server_set_id = $2 server_mail_auth_condition = true login: driver = plaintext public_name = LOGIN server_prompts = "Username:: : Password::" server_condition = "${perl{smtpauth}}" server_set_id = $1 server_mail_auth_condition = true` – Mateusz Sep 19 '18 at 11:27