SMTP relay problem.

erostew (Verified User, joined Apr 16, 2006, 24 messages, Montreal, Canada)
Things were working perfectly on this server but my host upgraded exim a couple of weeks back. I started receiving bounce emails from exim for mail that it should never have been sending in the first place.

In effect ANY email that has a "From" with a local email address is not authenticated at all. This includes [email protected] and [email protected]. The bad part is that it also includes [email protected]. So stick any characters you want in front of @mydomain.com and the server will accept the email and send it.

At the moment my ip is banned on a few servers in korea, including yahoo.co.kr.

I would really like to get this fixed before someone starts spamming yahoo.com or something.

The latest 2.1.1 exim.conf and the latest exim.pl are in place.

Any help with this will be GREATLY appreciated.

Stew
 
Here's a little more info if it helps.

Code:
Test using bogus local sender address.
Connected.
< 220 mail.myserver.com ESMTP Exim 4.67 Tue, 19 Jun 2007 15:02:34 -0400
> EHLO otherserver.com
< 250-mail.myserver.com Hello xxx.xxx.xxxxx.com [xx.xx.xx.xx]
250-SIZE 20971520
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
> RSET
< 250 Reset OK
> MAIL FROM:<[email protected]>
< 250 OK
> RCPT TO:<[email protected]>
< 250 Accepted
> DATA
< 354 Enter message, ending with "." on a line by itself
> From: [email protected]
> Subject: RelayCheck (ref no: 170) - Test using bogus local sender address.
> To: [email protected]
> Date: Tue, 19 Jun 2007 13:54:25 -0400
> X-Mailer: mail.myserver.com
> 
Encoding text
> message here
> <CR>
Tested SMTP host: mail.myserver.com
Test using bogus local sender address.
This test has been perfomed by RelayTest Pro 2.1.3 (Build 27).
More information:  http://www.digiarch.org/relaytest/
-----------------------------------------------------
Originator local MAC address: 
Originator local IP address:  *******
Originator local host name:   *******
Originator remote IP address: *******
Originator remote host name:  *******
> .
< 250 OK id=1I0iyJ-0006Ya-45
> QUIT
Disconnecting.
Disconnected.
 
log entry from one of the spam emails sent

Code:
2007-06-17 13:22:30 1HzySL-0007d7-PG <= [email protected] H=(eiftqwarl.net) [125.191.77.93] P=smtp S=1371 T="½Å7¼Ó ´ë7Ãâ 54" from <[email protected]> for [email protected] [email protected]

2007-06-17 13:22:33 1HzySL-0007d7-PG => [email protected] F=<postmaster@myserver> R=lookuphost T=remote_smtp S=1403 H=mx5.hanmail.net [222.231.35.25] C="250 2.0.0 b5I1F8huk274687190 Message accepted for delivery"

2007-06-17 13:22:33 1HzySL-0007d7-PG -> [email protected] F=<[email protected]> R=lookuphost T=remote_smtp S=1403 H=mx5.hanmail.net [222.231.35.25] C="250 2.0.0 b5I1F8huk274687190 Message accepted for delivery"

2007-06-17 13:22:33 1HzySL-0007d7-PG Completed
 
Anybody even have an idea of where to start looking for a solution to this?

I am pretty much exim ignorant and my host's tech support can't figure it out. He isn't an exim guru either.
 
Is 125.191.77.93 your server?

I seriously doubt that myserver.com is your domain, so it makes it that much harder to diagnose the problem.

I can't answer questions unless people use their real domains and ip addresses.

Start over again and give us real domains, real ip addresses and real log entries.
 
> Is 125.191.77.93 your server?
>
> I seriously doubt that myserver.com is your domain, so it makes it that much harder to diagnose the problem.
>
> I can't answer questions unless people use their real domains and ip addresses.
>
> Start over again and give us real domains, real ip addresses and real log entries.

No, 125.191.77.93 is the address of the spammer. For obvious reasons I don't want to post real IPs and domain names for a server with an open relay in public. I might as well slit my own throat. However, I will send you a PM with that info.

Stew
 
Check your
/etc/virtual/whitelist_senders
/etc/virtual/whitelist_domains

I know mine are empty. Your hosted domains should not be in there.
 
> Check your
> /etc/virtual/whitelist_senders
> /etc/virtual/whitelist_domains
>
> I know mine are empty. Your hosted domains should not be in there.

THANKS!

Apparently when exim was updated the installer just made a copy of /etc/virtual/domains and renamed it to /etc/virtual/whitelist_domains when they were creating the files needed by the new config. So every domain on the server is on the whitelist.

I was looking at exim.conf and never thought to check those new files.

Really appreciate the help.
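The root cause found here (a copy of /etc/virtual/domains renamed to /etc/virtual/whitelist_domains, so every hosted domain bypassed the checks) is easy to catch with a quick comparison of the three files named in the thread. The following is an added example, not DirectAdmin's or the poster's code: it reads the hosted-domain list and both whitelists, normalises entries (case, blank lines, `#` comments, which are assumed conventions rather than documented file syntax), and reports any hosted domain present in whitelist_domains and, on the same reasoning, any whitelist_senders entry at a hosted domain. The sample file contents are constructed; `check_server()` reads the real files under /etc/virtual.

```python
"""Report hosted domains that also appear in exim's DirectAdmin whitelist files."""
from pathlib import Path

# Constructed sample contents standing in for /etc/virtual/domains,
# /etc/virtual/whitelist_domains and /etc/virtual/whitelist_senders.
# whitelist_domains here reproduces the thread's mistake: hosted domains in it.
SAMPLE_FILES = {
    "domains": "myserver.com\nmydomain.com\nclient-site.example\n",
    "whitelist_domains": "# partner we trust\npartner.example\nMyDomain.com\n\nmyserver.com\n",
    "whitelist_senders": "billing@partner.example\nstew@mydomain.com\n",
}


def parse_list(text):
    """One entry per line; blank lines and '#' comments dropped; lower-cased."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def whitelisted_local_domains(domains_text, wl_domains_text, wl_senders_text):
    """Hosted domains found in whitelist_domains, and whitelist_senders
    entries whose domain is hosted here; both lists sorted for stable output."""
    hosted = parse_list(domains_text)
    wl_domains = parse_list(wl_domains_text)
    wl_senders = parse_list(wl_senders_text)
    bad_domains = sorted(hosted & wl_domains)
    bad_senders = sorted(
        s for s in wl_senders if "@" in s and s.rsplit("@", 1)[1] in hosted
    )
    return {"whitelist_domains": bad_domains, "whitelist_senders": bad_senders}


def check_server(virtual_dir="/etc/virtual"):
    """Run the comparison against the live files; missing files count as empty."""
    base = Path(virtual_dir)

    def read(name):
        path = base / name
        return path.read_text() if path.exists() else ""

    return whitelisted_local_domains(
        read("domains"), read("whitelist_domains"), read("whitelist_senders")
    )


def report(result):
    """Human-readable summary; returns True when nothing suspicious was found."""
    clean = True
    for filename, entries in result.items():
        for entry in entries:
            clean = False
            print(f"{filename}: hosted-domain entry {entry!r} should be removed")
    if clean:
        print("no hosted domains in the whitelist files")
    return clean


if __name__ == "__main__":
    import sys
    sample = whitelisted_local_domains(
        SAMPLE_FILES["domains"],
        SAMPLE_FILES["whitelist_domains"],
        SAMPLE_FILES["whitelist_senders"],
    )
    sys.exit(0 if report(sample) else 1)
```

Swap the sample call for `report(check_server())` to audit a real box; a non-zero exit makes it usable from a post-upgrade checklist so the next exim update cannot silently reintroduce the same whitelist.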
 
They may have simply made a mistake; we've documented that if you want SpamBlocker to work for all your domains you should copy it to /etc/virtual/use_rbl_domains.

Jeff
 
> They may have simply made a mistake; we've documented that if you want SpamBlocker to work for all your domains you should copy it to /etc/virtual/use_rbl_domains.
>
> Jeff

Yes it was just a simple mistake. The tech wasn't really familiar with exim and was just trying to follow instructions and create the new files needed. It can be a bit of a challenge with things changing between versions, etc.
 