
Mailing List Archive: exim: users

Mail relay testing

 

 



buildy at gmail

Nov 14, 2007, 5:05 AM

Post #1 of 6 (3154 views)
Permalink
Mail relay testing

G'day All,
I ran a relay test at "http://www.abuse.net/relay.html" but do not
fully understand the results. Would some kind soul please pass an eye
over them and point out any problems please?

(I have edited names and IPs to be on the safe side; I'm not sure the
server is secure yet)
Mail relay testing
Connecting to domain1.net.au for registered user test ...
--- <START TEST> ---
<<< 220 mail.internaldomain ESMTP Exim 4.63 Wed, 14 Nov 2007 23:35:16 +1100
>>> HELO www.abuse.net
<<< 250 mail.internaldomain Hello www.abuse.net [208.31.42.77]
Relay test 1
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] abuse>
<<< 250 OK
>>> RCPT TO:<me [at] domain2>
<<< 550 Unrouteable address
Relay test 2
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest>
<<< 501 <spamtest>: sender address must contain a domain
Relay test 3
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<>
<<< 250 OK
>>> RCPT TO:<me [at] domain2>
<<< 550 Unrouteable address
Relay test 4
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<me [at] domain2>
<<< 550 Unrouteable address
Relay test 5
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@[210.x.xxx.x]>
<<< 501 <spamtest@[210.x.xxx.x]>: domain literals not allowed
Relay test 6
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<me%domain2.com.au [at] domain1>
<<< 550 restricted characters in address
Relay test 7
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<me%domain2.com.au@[210.x.xxx.x]>
<<< 501 <me%domain2.com.au@[210.x.xxx.x]>: domain literals not allowed
Relay test 8
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<"me [at] domain2">
<<< 501 <"me [at] domain2">: recipient address must contain a domain
Relay test 9
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<"me%domain2.com.au">
<<< 501 <"me%domain2.com.au">: recipient address must contain a domain
Relay test 10
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<me [at] domain2@domain1.net.au>
<<< 501 <me [at] domain2@domain1.net.au>: malformed address:
@domain1.net.au> may not follow <me [at] domain2
Relay test 11
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<"me [at] domain2"@domain1.net.au>
<<< 550 restricted characters in address
Relay test 12
>>> RSET
<<< 554 Too many nonmail commands
Relay test result
Could not reset connection, test failed.
--- <END TEST> ---

Thanking you in anticipation,
build

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users-20070913 at djce

Nov 14, 2007, 5:23 AM

Post #2 of 6 (3057 views)
Permalink
Re: Mail relay testing [In reply to]

On Thu, Nov 15, 2007 at 12:05:17AM +1100, build wrote:
> G'day All,
> I ran a relay test at "http://www.abuse.net/relay.html" but do not
> fully understand the results. Would some kind soul please pass an eye
> over them and point out any problems please?
>
> >>> RSET
> <<< 554 Too many nonmail commands
> Relay test result
> Could not reset connection, test failed.

It might be useful to add

smtp_accept_max_nonmail_hosts = !www.abuse.net

to your config, then re-test. This should allow the test to complete, and
will probably show more meaningful results.

--
Dave Evans
http://djce.org.uk/
http://djce.org.uk/pgpkey
Attachments: signature.asc (0.18 KB)


renaud at llorien

Nov 14, 2007, 5:28 AM

Post #3 of 6 (3061 views)
Permalink
Re: Mail relay testing [In reply to]

build wrote:
> G'day All,
> I ran a relay test at "http://www.abuse.net/relay.html" but do not
> fully understand the results. Would some kind soul please pass an eye
> over them and point out any problems please?
>
> (I have edited names and IP's to be on the safe side, I'm not sure the
> server is secure yet)
> Mail relay testing
> Connecting to domain1.net.au for registered user test ...
> --- <START TEST> ---
> <<< 220 mail.internaldomain ESMTP Exim 4.63 Wed, 14 Nov 2007 23:35:16 +1100
>>>> HELO www.abuse.net
> <<< 250 mail.internaldomain Hello www.abuse.net [208.31.42.77]
> Relay test 1
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] abuse>
> <<< 250 OK
>>>> RCPT TO:<me [at] domain2>
> <<< 550 Unrouteable address
> Relay test 2
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest>
> <<< 501 <spamtest>: sender address must contain a domain
> Relay test 3
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<>
> <<< 250 OK
>>>> RCPT TO:<me [at] domain2>
> <<< 550 Unrouteable address
> Relay test 4
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] domain1>
> <<< 250 OK
>>>> RCPT TO:<me [at] domain2>
> <<< 550 Unrouteable address
> Relay test 5
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest@[210.x.xxx.x]>
> <<< 501 <spamtest@[210.x.xxx.x]>: domain literals not allowed
> Relay test 6
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] domain1>
> <<< 250 OK
>>>> RCPT TO:<me%domain2.com.au [at] domain1>
> <<< 550 restricted characters in address
> Relay test 7
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] domain1>
> <<< 250 OK
>>>> RCPT TO:<me%domain2.com.au@[210.x.xxx.x]>
> <<< 501 <me%domain2.com.au@[210.x.xxx.x]>: domain literals not allowed
> Relay test 8
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] domain1>
> <<< 250 OK
>>>> RCPT TO:<"me [at] domain2">
> <<< 501 <"me [at] domain2">: recipient address must contain a domain
> Relay test 9
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] domain1>
> <<< 250 OK
>>>> RCPT TO:<"me%domain2.com.au">
> <<< 501 <"me%domain2.com.au">: recipient address must contain a domain
> Relay test 10
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] domain1>
> <<< 250 OK
>>>> RCPT TO:<me [at] domain2@domain1.net.au>
> <<< 501 <me [at] domain2@domain1.net.au>: malformed address:
> @domain1.net.au> may not follow <me [at] domain2
> Relay test 11
>>>> RSET
> <<< 250 Reset OK
>>>> MAIL FROM:<spamtest [at] domain1>
> <<< 250 OK
>>>> RCPT TO:<"me [at] domain2"@domain1.net.au>
> <<< 550 restricted characters in address
> Relay test 12
>>>> RSET
> <<< 554 Too many nonmail commands
> Relay test result
> Could not reset connection, test failed.
> --- <END TEST> ---
>

This means your server is not an open relay for the first 11 tests. And it rejected
any further attempts because too many nonmail commands (==RSET) were sent.
Attachments: smime.p7s (3.21 KB)
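
An added example, not part of the original thread: a small Python classifier for transcripts in the format quoted above, separating tests the server refused from tests that never ran because the session was cut off (the `554 Too many nonmail commands` case). The `classify` function and the sample addresses are constructed for illustration.

```python
import re

# Constructed sample in the format of the tester output quoted in this thread
# (placeholder addresses; only three tests shown).
SAMPLE = """\
Relay test 1
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest@tester.example>
<<< 250 OK
>>> RCPT TO:<me@elsewhere.example>
<<< 550 Unrouteable address
Relay test 2
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest>
<<< 501 <spamtest>: sender address must contain a domain
Relay test 3
>>> RSET
<<< 554 Too many nonmail commands
Relay test result
Could not reset connection, test failed.
"""

def classify(transcript):
    """Map each 'Relay test N' block to a verdict string."""
    results, test, cmd = {}, None, None
    for line in transcript.splitlines():
        m = re.match(r"Relay test (\d+)\s*$", line)
        if m:
            test, cmd = int(m.group(1)), None
            results[test] = "inconclusive: no reply"
        elif test is not None and line.startswith(">>> "):
            cmd = line[4:8].upper()          # RSET, MAIL or RCPT
        elif test is not None and cmd:
            # Final reply line only: "NNN-" continuation lines are skipped.
            r = re.match(r"<<< (\d{3})( |$)", line)
            if not r:
                continue
            code, ok = r.group(1), r.group(1).startswith("2")
            if cmd == "RSET" and not ok:
                results[test] = f"inconclusive: session aborted ({code})"
            elif cmd == "MAIL" and not ok:
                results[test] = f"refused at MAIL FROM ({code})"
            elif cmd == "RCPT":
                results[test] = (f"recipient accepted ({code}): possible relay"
                                 if ok else f"refused at RCPT TO ({code})")
    return results
```

A 2xx reply to RCPT TO only shows that the recipient was accepted at SMTP time, so that verdict marks a test to investigate rather than proof that mail was relayed.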


buildy at gmail

Nov 14, 2007, 2:49 PM

Post #4 of 6 (3066 views)
Permalink
Re: Mail relay testing [In reply to]

> On Thu, Nov 15, 2007 at 12:05:17AM +1100, build wrote:
> > G'day All,
> > I ran a relay test at "http://www.abuse.net/relay.html" but do not
> > fully understand the results. Would some kind soul please pass an eye
> > over them and point out any problems please?
> >
> > >>> RSET
> > <<< 554 Too many nonmail commands
> > Relay test result
> > Could not reset connection, test failed.
> On 15/11/2007, Dave Evans <exim-users-20070913 [at] djce> wrote:
> It might be useful to add
>
> smtp_accept_max_nonmail_hosts = !www.abuse.net
>
> to your config, then re-test. This should allow the test to complete, and
> will probably show more meaningful results.
>
> --
> Dave Evans

G'day Renaud and Dave,
Thank you for your replies.

I wasn't sure where in the conf to add "smtp_accept_max_nonmail_hosts
= !www.abuse.net", so I put it at the beginning. I have a monolithic
conf file.

The test was the same with the difference below:
--- <START TEST> ---
Relay test 12
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM:<spamtest [at] domain1>
<<< 250 OK
>>> RCPT TO:<me [at] domain2@[210.x.xxx.x]>
<<< 501-<me [at] domain2@[210.x.xxx.x]>: malformed address:
@[210.x.xxx.x]> may not follow <me [at] domain2
<<< 501 Too many syntax or protocol errors
Relay test 13
>>> RSET
<<<
Relay test result
Could not reset connection, test failed.
--- <END TEST> ---

Where should I put the config line?
Thanks again in anticipation,
build



wbh at conducive

Nov 14, 2007, 3:27 PM

Post #5 of 6 (3069 views)
Permalink
Re: Mail relay testing [In reply to]

build wrote:

*trimmed*

>>>> RCPT TO:<me [at] domain2@[210.x.xxx.x]>
> <<< 501-<me [at] domain2@[210.x.xxx.x]>: malformed address:
> @[210.x.xxx.x]> may not follow <me [at] domain2
>
> Where should I put the config line?
> Thanks again in anticipation,
> build
>

It is probably in the right place - anywhere that precedes the first of the acl_
clauses.

But if you wish to traffic in IP vs DNS-locatable <domain>.<tld>
you may also need to add:

allow_domain_literals = true

CAVEAT: Though required by RFC, this is quite commonly NOT enabled, due to
historical abuse.

In our case, we use ACLs to further limit receipt of such literals sent TO our
IPs to messages addressed ONLY to postmaster@, hostmaster@, and abuse@
.. which are also limited to singleton arrivals only - no 'piggyback' broadcasts.

..and have had nary a problem with it the past many years.

JFWIW, I'd not be too concerned with making the test 'easier'.

That your server is kicking the test suite out where, why, and how it is now
doing is a fairly decent indicator that it would do the same with a 'real'
attempt to do unauthorized relaying.

QED.

Limiting errors and (our choice) NOT offering pipelining, are helpful measures
in themselves, as are limiting the simultaneous connections per remote host.

CAVEAT - that last would want an exception for a bespoke / in-house relay
network. But you can do that, too, w/o opening it up to 'the world'.

For ANY new installation though, it pays to have plenty of log file space,
'log_selector = +all', and 'tail -f ' (at least) the exim mainlog frequently so
as to spot anomalies.

IF/as/when you have surprises that are in need of debugging, you can add
log_message and logwrite to your acl clauses with coded ID's so you can tell
which ones are actively involved and more easily scrutinize / edit the right ones.

Much easier to start verbose and back-down the logging, comment OFF the extra
log writing later than to wander about in the dark.

And don't forget the *extensive* debug capability Exim has w/o need to even have
a cable plugged in. There's no other MTA even close to the ease of use or
comprehensiveness of that suite.

HTH,

Bill




wbh at conducive

Nov 14, 2007, 4:44 PM

Post #6 of 6 (3060 views)
Permalink
Re: Mail relay testing [In reply to]

build wrote:
> On 15/11/2007, W B Hacker <wbh [at] conducive> wrote:
>> build wrote:
>>
>> *trimmed*
>>
*trimmed*

>>
> Thanks Bill,
> "All tests performed, no relays accepted."
> Added comments to entries in conf so I know what they are in the
> future then I commented out those lines.
>
> Should I run this test on a regular basis?
> If so:
> How often? Daily? Weekly? Monthly?
> Can I somehow run it from the mail server itself using cron?
>
> Again, thanking you regards,
> build
>

Ordinarily no need to even run it a second time *unless* you
have made the 'dangerous' sort of changes to the configuration.

Until/ unless you are comfortable with what 'dangerous' might be, I'd suggest
running it after ANY change to your configuration.

Further - no matter how good the lockdown of Exim itself, if you support the
traditional system /etc/aliases router, and/or do a silent accept then
'blackhole' on, for example 'catch-all' traffic, some of the open-relay testers
out there may at least 'brand' your server as an open-relay due to *appearing*
to accept traffic and onpass it willy-nilly.

A way around that used here is to put ALL addressees - including 'postmaster@' -
into a single DB/file, use that (and no other) for verifying recipient instead
of a router-walk in verify mode, and/or set routers to 'no_verify' even if they
are good for delivery.

CAVEAT: that is arguably less efficient, and certainly less flexible than
letting Exim do the built-in 'require verify = recipient' router-query walk.

But it gives us a *single* known, predictable, place to manage ALL users,
regardless of virtual/local, *and web'ish* - whatever. Senders AND recipients.

Bill

