[exim] Weird SMTP auth issue

Inizio della pagina
Delete this message
Reply to this message
Autore: Marcin Krol
Data:  
To: exim users
Oggetto: [exim] Weird SMTP auth issue
Hello everyone,

I have a situation with SMTP auth that is theoretically impossible - I
have this domain hosted that is definitely not an open relay (no tests
show that it is open), yet it seems that in a peculiar situation some
mail can be relayed without authentication, or at least logs say so:

2007-09-12 10:31:20 1IVNZQ-000ErL-4m <= info@???
H=ado91.neoplus.adsl.tpnet.pl (Piotr) [83.25.92.91]:49287
I=[83.149.103.42]:25 P=smtp S=7049993
id=52BF1DA69B364CA7B25565A71A2C251B@dystrybucjapolnoc T="Fw:
Wysylanie..." from <info@???> for mangled-1@???
mangled-2@??? mangled-3@??? mangled-4@???

Some of the users at domain in question have not turned on SMTP
authentication and yet they can send mail using "smtp" protocol (not
esmtp/esmtpa) to remote domain, even though "exim -bh their.ip.add.ress"
test shows that they should not be able to do so!

E.g. test "exim -bh 83.25.92.91" with HELO ends up with "550
authentication required". Same with ESMTP:

da3 (83.149.103.42) ~ % exim -bh 83.25.92.91

<cut>
220 da3.domeny.com ESMTP Thu, 13 Sep 2007 12:24:17 +0200
helo Piotr
250 da3.domeny.com Hello ado91.neoplus.adsl.tpnet.pl [83.25.92.91]
mail from: info@???
250 OK
rcpt to: mangled-1@???
<cut>
550 authentication required
LOG: H=ado91.neoplus.adsl.tpnet.pl (Piotr) [83.25.92.91]
F=<info@???> rejected RCPT mangled-1@???:
authentication required

Now, what is really strange is that this "quiet relay" situation ends up
when (dynamic) sending address in question for particular domain hits
some RBL. From this moment on, mail cannot be sent without
authentication, with particular config as follows:

deny dnslists = list.dsbl.org
log_message = BLOKOWANIE PRZEZ RBL list.dsbl.org $tod_log
!authenticated = *

The only other info I have is that OTHER users at that IP address
(located in private IP network connected via typical DSL/masquerade
device) have their authentication turned on as it should be and they do
authenticate while sending mail from that IP address.

If anybody sends a hint why this happens, it would be greatly appreciated.



Full test output:

da3 (83.149.103.42) ~ % exim -bh 83.25.92.91

**** SMTP testing session as if from host 83.25.92.91
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)

LOG: SMTP connection from [83.25.92.91]
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 83.25.92.91
>>> IP address lookup yielded ado91.neoplus.adsl.tpnet.pl
>>> gethostbyname looked up these IP addresses:
>>> name=ado91.neoplus.adsl.tpnet.pl address=83.25.92.91
>>> checking addresses for ado91.neoplus.adsl.tpnet.pl
>>> 83.25.92.91 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 da3.domeny.com ESMTP Thu, 13 Sep 2007 12:24:17 +0200
helo Piotr
250 da3.domeny.com Hello ado91.neoplus.adsl.tpnet.pl [83.25.92.91]
mail from: info@???
250 OK
rcpt to: syl.wia1@???
>>> using ACL "check_recipient"
>>> processing "deny"
>>> check domains = +local_domains
>>> wp.pl in "lsearch;/etc/virtual/domains"? no (end of list)
>>> wp.pl in "+local_domains"? no (end of list)
>>> deny: condition test failed
>>> processing "accept"
>>> check hosts = +auth_relay_hosts
>>> host in "*"? yes (matched "*")
>>> host in "+auth_relay_hosts"? yes (matched "+auth_relay_hosts")
>>> check condition = ${if eq {$interface_port}{587} {yes}{no}}
>>>                 = no
>>> accept: condition test failed
>>> processing "deny"
>>> check domains = !+local_domains
>>> wp.pl in "!+local_domains"? yes (end of list)
>>> check local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>>> syl.wia1 in "^[./|] : ^.*[@%!] : ^.*/\.\./"? no (end of list)
>>> deny: condition test failed
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check sender_domains = +whitelist_domains
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/whitelist_domains"?

no (end of list)
>>> dystrybucjapolnoc.com in "+whitelist_domains"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check hosts = +whitelist_hosts
>>> host in "lsearch;/etc/virtual/whitelist_hosts"? no (end of list)
>>> host in "+whitelist_hosts"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check hosts = +whitelist_hosts_ip
>>> host in "net-lsearch;/etc/virtual/whitelist_hosts"? no (end of list)
>>> host in "+whitelist_hosts_ip"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check senders = +whitelist_senders
>>> info@??? in

"lsearch;/etc/virtual/whitelist_senders"? no (end of list)
>>> info@??? in "+whitelist_senders"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check local_parts = postmaster
>>> syl.wia1 in "postmaster"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check local_parts = abuse
>>> syl.wia1 in "abuse"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check local_parts = hostmaster
>>> syl.wia1 in "hostmaster"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check authenticated = *
>>> accept: condition test failed
>>> processing "deny"
>>> check domains = +use_rbl_domains
>>> wp.pl in "lsearch;/etc/virtual/use_rbl_domains"? no (end of list)
>>> wp.pl in "+use_rbl_domains"? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check domains = +use_rbl_domains
>>> wp.pl in "+use_rbl_domains"? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check domains = +use_rbl_domains
>>> wp.pl in "+use_rbl_domains"? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check domains = use_rbl_domains
>>> wp.pl in "use_rbl_domains"? no (end of list)
>>> deny: condition test failed
>>> processing "deny"
>>> check senders = +blacklist_senders
>>> info@??? in

"lsearch;/etc/domeny/blacklist_senders"? no (end of list)
>>> info@??? in "+blacklist_senders"? no (end of list)
>>> deny: condition test failed
>>> processing "require"
>>> check verify = sender
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing info@???
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domains"? yes

(matched "lsearch;/etc/virtual/domains")
>>> dystrybucjapolnoc.com in "! +local_domains"? no (matched "!

+local_domains")
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domainowners"? yes

(matched "lsearch;/etc/virtual/domainowners")
>>> calling majordomo_aliases router
>>> majordomo_aliases router declined for info@???
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domainowners"? yes

(matched "lsearch;/etc/virtual/domainowners")
>>> calling virtual_aliases_nostar router
>>> virtual_aliases_nostar router declined for info@???
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domainowners"? yes

(matched "lsearch;/etc/virtual/domainowners")
>>> calling virtual_user router
>>> routed by virtual_user router
>>> ----------- end verify ------------
>>> check acl = acl_nsvdom
>>> using ACL "acl_nsvdom"
>>> processing "accept"
>>> check condition = ${lookup {${lc:$sender_address_domain}}

partial1-lsearch {/etc/domeny/wildcard_whitelist_domains} {yes}{no}}
>>>                 = no
>>> accept: condition test failed
>>> processing "require"
>>> check verify = sender/callout=120s,defer_ok

>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing info@???
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domains"? yes

(matched "lsearch;/etc/virtual/domains")
>>> dystrybucjapolnoc.com in "! +local_domains"? no (matched "!

+local_domains")
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domainowners"? yes

(matched "lsearch;/etc/virtual/domainowners")
>>> calling majordomo_aliases router
>>> majordomo_aliases router declined for info@???
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domainowners"? yes

(matched "lsearch;/etc/virtual/domainowners")
>>> calling virtual_aliases_nostar router
>>> virtual_aliases_nostar router declined for info@???
>>> dystrybucjapolnoc.com in "lsearch;/etc/virtual/domainowners"? yes

(matched "lsearch;/etc/virtual/domainowners")
>>> calling virtual_user router
>>> routed by virtual_user router
>>> Cannot do callout: neither router nor transport provided a host list
>>> ----------- end verify ------------
>>> require: condition test succeeded
>>> processing "accept"
>>> accept: condition test succeeded
>>> require: condition test succeeded
>>> processing "deny"
>>> check dnslists = list.dsbl.org
>>> DNS list check: list.dsbl.org
>>> new DNS lookup for 91.92.25.83.list.dsbl.org
>>> DNS lookup for 91.92.25.83.list.dsbl.org failed
>>> => that means 83.25.92.91 is not listed at list.dsbl.org
>>> deny: condition test failed
>>> processing "deny"
>>> check dnslists = sbl.spamhaus.org
>>> DNS list check: sbl.spamhaus.org
>>> new DNS lookup for 91.92.25.83.sbl.spamhaus.org
>>> DNS lookup for 91.92.25.83.sbl.spamhaus.org failed
>>> => that means 83.25.92.91 is not listed at sbl.spamhaus.org
>>> deny: condition test failed
>>> processing "deny"
>>> check dnslists = dnsbl.njabl.org
>>> DNS list check: dnsbl.njabl.org
>>> new DNS lookup for 91.92.25.83.dnsbl.njabl.org
>>> DNS lookup for 91.92.25.83.dnsbl.njabl.org failed
>>> => that means 83.25.92.91 is not listed at dnsbl.njabl.org
>>> deny: condition test failed
>>> processing "accept"
>>> check domains = +local_domains
>>> wp.pl in "+local_domains"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check domains = +relay_domains
>>> wp.pl in "lsearch;/etc/virtual/domains : localhost"? no (end of list)
>>> wp.pl in "+relay_domains"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check hosts = +relay_hosts
>>> host in "net-lsearch;/etc/virtual/pophosts : 127.0.0.1"? no (end of

list)
>>> host in "+relay_hosts"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check hosts = +auth_relay_hosts
>>> host in "+auth_relay_hosts"? yes (matched "+auth_relay_hosts" - cached)
>>> check authenticated = *
>>> accept: condition test failed
>>> accept: endpass encountered - denying access

550 authentication required
LOG: H=ado91.neoplus.adsl.tpnet.pl (Piotr) [83.25.92.91]
F=<info@???> rejected RCPT mangled-1@???:
authentication required



--
Marcin Król