Source: SCID
Software environment: Red Hat Linux 6.2, qmail 1.03
Hardware environment: HP NetServer E60, 128 MB memory, single NIC
1. What is mail relay and why should it be prevented from being abused?
Once a qmail server has been configured it is responsible for one or more domain names (they appear in control/locals or control/virtualdomains). qmail-smtpd then listens on port 25 and waits for remote delivery requests. Other mail servers on the network, or an MUA (Mail User Agent, such as Outlook Express or Foxmail) sending mail, connect to port 25 of the qmail server and hand over their messages. An SMTP session normally begins with the remote side identifying itself; the exchange looks like this:
HELO remote.system.domainname
250 qmailserver.domain
MAIL FROM:<user@somewhere.net>
250 ok
RCPT TO:<user1@elsewhere.net>
The domain in the recipient address user1@elsewhere.net is not necessarily one of the server's own domains, and at this point the server can answer in one of two ways. In the first case the qmail server permits relaying: it accepts the recipient even though the destination is not local and undertakes to forward the message. In the second case it refuses every recipient whose domain is not local.
qmail has a control file named rcpthosts (the name comes from the RCPT TO command) that decides which recipients are accepted. The recipient given in a RCPT TO command is accepted only if the domain part of the address is listed in rcpthosts; otherwise qmail-smtpd rejects that recipient with a 553 reply. If the file does not exist at all, every recipient is accepted. A mail server that forwards (relays) mail regardless of who the sender and the recipient are is called an open relay, so a qmail server without a rcpthosts file is an open relay.
If the administrator leaves the server as an open relay, spammers will use it as a relay station for their bulk mail. The recipients of that spam will see your server as its origin, which can bring retaliatory mail bombs; the spam itself consumes your disk, CPU and bandwidth; and worse, your server's name may end up on blacklists shared among other mail receivers, after which legitimate mail from your own users is rejected as well.
2. Method 1 to prevent mail relay from being abused
This method only applies when the users' IP addresses are fixed, for example an organization with its own class C network and LAN whose mail server only sends and receives mail for LAN users.
The simplest way to make your server a non-open relay is to list every domain name the server is responsible for in rcpthosts. If a DNS MX record points at this machine, the domain of that MX record must be included as well: for example, if the machine carries the names mail.a.com.cn and mail1.a.com.cn, and the MX of a.com.cn points to mail.a.com.cn, then rcpthosts must contain mail.a.com.cn, mail1.a.com.cn and a.com.cn. With only these entries the server accepts mail addressed to its own domains, but it also refuses to forward mail that your own users submit through an MUA to any other domain, so you have to allow your own clients, and nobody else, to relay. qmail-smtpd provides a way to ignore rcpthosts selectively: if the environment variable RELAYCLIENT is set when qmail-smtpd starts, rcpthosts is not consulted and relaying is permitted (qmail-smtpd also appends the value of RELAYCLIENT to every recipient address, which is why the rules below set it to the empty string). How do we tell whether a connecting sender is one of our own clients? By the source IP address of the connection: if it belongs to the local network, the sender is treated as a client.
For this we use the tcpserver program from the ucspi-tcp package. Like inetd, tcpserver listens for connection requests and starts the specified service, but before doing so it sets environment variables for the service according to a rules file. The rules file used here is /etc/tcp.smtp, which defines for each network whether RELAYCLIENT is set. For example, if the local network is the class C network 192.168.10.0/24, tcp.smtp should read as follows:
127.0.0.1:allow,RELAYCLIENT=""
192.168.10.:allow,RELAYCLIENT=""
:allow
These rules mean: a connection from 127.0.0.1 or from any address beginning with 192.168.10. is allowed and gets RELAYCLIENT set (to the empty string); every other connection matches the last rule, whose empty address is the default, and is allowed but without RELAYCLIENT. So connections to port 25 from elsewhere are still accepted, which is needed to receive mail for the local domains, but when such a client names a recipient outside the local domains qmail-smtpd rejects that RCPT TO, because RELAYCLIENT is absent and the domain is not in rcpthosts.
tcpserver does not read /etc/tcp.smtp directly; the file must first be compiled into a cdb database with tcprules (tcp.smtp.temp is the temporary file tcprules writes before renaming it into place; repeat this step every time tcp.smtp changes):
[root@aidmail /etc]# tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
Then the run file in the /service/qmail-smtpd directory must pass the database to tcpserver with the -x option (-v logs each connection, -p makes tcpserver verify that the remote host name resolves back to the connecting address):
/usr/local/bin/tcpserver -v -p -x /etc/tcp.smtp.cdb
As you can see, tcpserver now consults /etc/tcp.smtp.cdb. If there are several local networks, all of them must appear in /etc/tcp.smtp. In this way local clients are allowed to relay mail while relaying from anywhere else is refused.
3. Method 2 to prevent mail relay from being abused
Method 1 is adequate for a LAN, but not for a mail system such as 263 or 163, whose users are spread all over the world and may submit mail from any IP address. Such a system needs another way of limiting abuse of its relay function.
If the qmail system uses vpopmail, vpopmail's support for roaming users can be used to keep the relay function from being abused.
To let roaming users relay through the mail server, vpopmail must be built with the following configure option:
[root@aidmail vpopmail-4.9.4]# ./configure --enable-roaming-users=y
The principle of roaming-user support is that when a user collects mail over POP3, the client's IP address is allowed to relay through the mail server for a limited time (POP-before-SMTP). Because collecting mail over POP3 requires authentication, this proves the connection belongs to a valid user. After vpopmail is installed, run the following program regularly from cron:
40 * * * * /home/vpopmail/bin/clearopensmtp >/dev/null 2>&1
This five-field crontab entry runs clearopensmtp at minute 40 of every hour (not every 40 minutes); clearopensmtp removes from the relay list every address whose last POP3 login is older than the clear interval compiled into vpopmail (40 minutes by default). So once a user has authenticated over POP3, that address can relay for about the next 40 minutes and loses the right after that; because the cron job only runs hourly, an entry may actually survive up to an hour longer, so run it more often if you want a tighter window. Note also that the permission is tied to an IP address, not to the user: anyone sharing that address, for instance behind the same NAT gateway or proxy, can relay during the window.
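The two decisions described above, tcpserver's rule matching with RELAYCLIENT for the LAN (method 1) and the time-limited POP-before-SMTP entries of vpopmail (method 2), modelled together as an added example. This is not code from the page, from qmail, ucspi-tcp or vpopmail; it reimplements their documented matching logic so the cases can be checked offline. The tcp.smtp text and rcpthosts list are the page's own, the client addresses 192.168.10.15 and 203.0.113.7 are constructed, and the 40-minute window is an assumption standing in for vpopmail's compiled-in clear interval.

```python
"""Model of qmail's relay decision: tcpserver matches the client IP against the tcp.smtp
rules and sets RELAYCLIENT for local clients (method 1); qmail-smtpd then either relays
or checks control/rcpthosts; a vpopmail-style POP-before-SMTP table grants roaming
clients a time-limited RELAYCLIENT (method 2). Added example, not the projects' code."""

# Constructed: the page's /etc/tcp.smtp for a 192.168.10.0/24 LAN.
TCP_SMTP = '''\
127.0.0.1:allow,RELAYCLIENT=""
192.168.10.:allow,RELAYCLIENT=""
:allow
'''

# Constructed: control/rcpthosts for the page's example domains.
RCPTHOSTS = ["mail.a.com.cn", "mail1.a.com.cn", "a.com.cn"]

RELAY_WINDOW_SECS = 40 * 60  # assumption: vpopmail's relay-clear interval, 40 minutes


def parse_rules(text):
    """Parse tcprules input 'addr:allow|deny,VAR="value",...' into {addr: (allowed, env)}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        parts = rest.split(",")
        env = {}
        for assignment in parts[1:]:
            name, _, value = assignment.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (parts[0] == "allow", env)
    return rules


def lookup(rules, ip):
    """tcpserver's lookup order: exact IP, then prefixes 192.168.10., 192.168., 192., then the default ''."""
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in range(len(octets) - 1, 0, -1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    return (True, {})  # no matching rule at all: tcpserver allows, nothing is set


def rcpt_allowed(rcpt, rcpthosts):
    """qmail-smtpd's rcpthosts test: domain equals an entry, or a '.suffix' entry matches a subdomain."""
    if "@" not in rcpt:
        return True  # no domain part: local address
    domain = rcpt.rsplit("@", 1)[1].lower()
    entries = {e.lower() for e in rcpthosts}
    if domain in entries:
        return True
    return any(domain[i:] in entries for i, ch in enumerate(domain) if ch == ".")


class RelayGate:
    def __init__(self, rules_text, rcpthosts):
        self.rules = parse_rules(rules_text)
        self.rcpthosts = list(rcpthosts)
        self.open_smtp = {}  # ip -> time of last authenticated POP3 login (vpopmail's open-smtp)

    def pop3_login(self, ip, now):
        """After a successful POP3 authentication vpopmail records the client address."""
        self.open_smtp[ip] = now

    def clearopensmtp(self, now):
        """What the cron job does: drop addresses whose last login is older than the window."""
        self.open_smtp = {ip: t for ip, t in self.open_smtp.items() if now - t < RELAY_WINDOW_SECS}

    def smtp_rcpt(self, ip, rcpt):
        """Reply qmail-smtpd gives to 'RCPT TO:<rcpt>' from client ip, and the address as delivered."""
        allowed, env = lookup(self.rules, ip)
        if not allowed:
            return ("connection refused by tcpserver", None)
        relayclient = env.get("RELAYCLIENT")
        if relayclient is None and ip in self.open_smtp:
            relayclient = ""  # vpopmail merges open-smtp entries into tcp.smtp.cdb as RELAYCLIENT=""
        if relayclient is not None:
            # rcpthosts is skipped; qmail-smtpd appends RELAYCLIENT's value to the recipient,
            # which is why the rules set it to "" rather than to some other string.
            return ("250 ok", rcpt + relayclient)
        if rcpt_allowed(rcpt, self.rcpthosts):
            return ("250 ok", rcpt)
        return ("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)", None)


def demo():
    """Walk the cases discussed in the text; returns {case: (reply, delivered_rcpt)}."""
    gate = RelayGate(TCP_SMTP, RCPTHOSTS)
    t0 = 1_000_000  # constructed clock
    out = {}
    out["lan_relay"] = gate.smtp_rcpt("192.168.10.15", "user1@elsewhere.net")   # LAN client may relay
    out["outside_relay"] = gate.smtp_rcpt("203.0.113.7", "user1@elsewhere.net")  # stranger: 553
    out["outside_local"] = gate.smtp_rcpt("203.0.113.7", "user@a.com.cn")        # inbound mail accepted
    gate.pop3_login("203.0.113.7", t0)                                           # roaming user collects mail
    out["roaming_in_window"] = gate.smtp_rcpt("203.0.113.7", "user1@elsewhere.net")
    gate.clearopensmtp(t0 + 39 * 60)
    out["roaming_39min"] = gate.smtp_rcpt("203.0.113.7", "user1@elsewhere.net")
    gate.clearopensmtp(t0 + 41 * 60)
    out["roaming_expired"] = gate.smtp_rcpt("203.0.113.7", "user1@elsewhere.net")
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-18s %s" % (case, result))
```

Running it shows the LAN client and the freshly authenticated roaming client getting 250 for a foreign recipient, the stranger getting 553 for the same recipient but 250 for a local domain, and the roaming entry disappearing once clearopensmtp runs after the window has passed.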
4. Method 3 to prevent mail relay from being abused
For a mail system with roaming users, another way to keep the relay function from being abused is to require the user to authenticate when sending mail, just as they must when collecting it (SMTP AUTH). Note that with the LOGIN and PLAIN mechanisms the password crosses the network only base64-encoded, that is effectively in cleartext, unless the session is otherwise protected; CRAM-MD5 avoids sending the password but requires the server to keep a cleartext copy of it, so that password file must be readable by root only. It is assumed below that qmail-1.03 and vpopmail have been installed successfully and the system is working normally.
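Both sides of the two authentication exchanges just mentioned, as an added example to show what the patched qmail-smtpd and its checkpassword program actually do on the wire. This is not code from the page, from the qmail-smtpd-auth patch or from cmd5checkpw; the user name and password, the challenge values and the table are constructed, the 'user:password' table format and the /etc/poppasswd path are assumed to match what cmd5checkpw reads, and the 235/535 reply texts are modelled on the qmail-smtpd-auth patch.

```python
"""Both sides of AUTH LOGIN and AUTH CRAM-MD5 as an AUTH-patched qmail-smtpd runs them.
Added example: LOGIN only base64-encodes the password, CRAM-MD5 sends HMAC-MD5 over a
server challenge, which the checkpassword program recomputes from a stored cleartext
password (as cmd5checkpw does). Not code from the page, the patch or cmd5checkpw."""
import base64
import hashlib
import hmac

# Constructed password table in the 'user:password' form assumed for cmd5checkpw's /etc/poppasswd.
POPPASSWD = {"ideal": "s3cret-pass"}


def b64(s):
    return base64.b64encode(s.encode()).decode()


def unb64(s):
    return base64.b64decode(s.encode()).decode()


def cram_md5_response(user, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): 'user hex(HMAC-MD5(password, challenge))', base64-encoded."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return b64("%s %s" % (user, digest))


def verify_cram_md5(wire_response, challenge, table):
    """Server side, as a checkpassword program does: recompute the digest from the stored
    cleartext password and compare in constant time. Returns the user name or None."""
    try:
        user, digest = unb64(wire_response).split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed response
    password = table.get(user)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def login_exchange(user, password, table):
    """Both sides of AUTH LOGIN. Returns (transcript, authenticated user or None)."""
    transcript = [("C", "AUTH LOGIN"), ("S", "334 " + b64("Username:")), ("C", b64(user)),
                  ("S", "334 " + b64("Password:")), ("C", b64(password))]
    stored = table.get(unb64(transcript[2][1]))  # the server simply decodes what it received
    sent = unb64(transcript[4][1])
    who = user if stored is not None and hmac.compare_digest(stored.encode(), sent.encode()) else None
    transcript.append(("S", "235 ok, go ahead (#2.0.0)" if who else "535 authorization failed (#5.7.0)"))
    return transcript, who


def cram_md5_exchange(user, password, table, pid=1234, timestamp=1000000000, hostname="aidmail"):
    """Both sides of AUTH CRAM-MD5; the '<pid.timestamp@host>' challenge uses constructed values."""
    challenge = "<%d.%d@%s>" % (pid, timestamp, hostname)
    response = cram_md5_response(user, password, challenge)
    who = verify_cram_md5(response, challenge, table)
    transcript = [("C", "AUTH CRAM-MD5"), ("S", "334 " + b64(challenge)), ("C", response),
                  ("S", "235 ok, go ahead (#2.0.0)" if who else "535 authorization failed (#5.7.0)")]
    return transcript, who


def password_on_wire(transcript, password):
    """Does any client line after the AUTH command decode to the cleartext password?"""
    for side, line in transcript[1:]:
        if side != "C":
            continue
        try:
            if unb64(line) == password:
                return True
        except (ValueError, UnicodeDecodeError):
            pass
    return False


if __name__ == "__main__":
    for exchange in (login_exchange, cram_md5_exchange):
        transcript, who = exchange("ideal", "s3cret-pass", POPPASSWD)
        for side, line in transcript:
            print(side, line)
        print("authenticated:", who, "| password visible on wire:",
              password_on_wire(transcript, "s3cret-pass"))
```

The transcript printed for LOGIN shows the password recoverable by anyone who can read the session, while for CRAM-MD5 only a digest bound to that one challenge appears; the price, visible in verify_cram_md5, is that the server must hold the password in cleartext.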
4.1. Download the programs:
qmail-smtpd AUTH patch: http://members.elysium.pl/brush/Qmail-smtpd-auth/
Password verification program (CRAM-MD5 checkpassword): http://members.elysium.pl/brush/cmd5checkpw/
Download qmail-smtpd-auth-0.26.tar.gz and cmd5checkpw-0.22.tar.gz from these two addresses.
4.2. Compile and install qmail-smtpd
Unpack qmail-smtpd-auth-0.26.tar.gz:
[root@www src]# tar xvfz qmail-smtpd-auth-0.26.tar.gz
[root@www src]# cd qmail-smtpd-auth-0.26
[root@www qmail-smtpd-auth-0.26]# ls
CHANGES  Makefile  README  TODO  inetd.conf  qmail-smtpd.c  qmail-smtpd.patch
Copy qmail-smtpd.c from the successfully installed qmail source directory into the qmail-smtpd-auth-0.26 directory:
[root@www qmail-smtpd-auth-0.26]# cp ../qmail-1.03/qmail-smtpd.c ./
Then apply the patch to it:
[root@www qmail-smtpd-auth-0.26]# patch -p1 < qmail-smtpd.patch
Copy the patched qmail-smtpd.c back into the qmail source directory (back up the original file first):
[root@www qmail-smtpd-auth-0.26]# cp qmail-smtpd.c ../qmail-1.03
Compile qmail-smtpd on its own:
[root@aidmail qmail-1.03]# make qmail-smtpd
./load qmail-smtpd rcpthosts.o commands.o timeoutread.o timeoutwrite.o ip.o ipme.o ipalloc.o control.o constmap.o received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a datetime.a getln.a open.a sig.a case.a env.a stralloc.a alloc.a substdio.a error.a str.a fs.a auto_qmail.o `cat socket.lib`
Copy the newly built qmail-smtpd into /var/qmail/bin, moving the original executable aside as a backup first.
4.3. Compile and install cmd5checkpw-0.22.tar.gz
Unpack, compile and install:
[root@www src]# tar xvfz cmd5checkpw-0.22.tar.gz
[root@www src]# cd cmd5checkpw-0.22