Hi all,
I want to check if my qmail installation is relaying mails for other hosts. I do a simple check like
telnet localhost 25
MAIL FROM:someone@nonlocal.com
RCPT TO:someother@nonlocal.com
{output is relaying allowed; this is ok since it is a local telnet and I have 127.0.0.1:allow,RELAYCLIENT="" in /etc/tcp.smtp}
Next I do a
telnet 10.10.12.21 25 (my private IP)
MAIL FROM:someone@nonlocal.com
RCPT TO:someother@nonlocal.com
{output is 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)}
So can I conclude that the external mails are not being relayed?
But now the problem starts. qmailctl stat gives:
/service/qmail-pop3d: up (pid 22067) 9174 seconds
/service/qmail-pop3d/log: up (pid 22066) 9174 seconds
/service/qmail-send: up (pid 22062) 9174 seconds
/service/qmail-send/log: up (pid 22063) 9174 seconds
/service/qmail-smtpd: up (pid 22064) 9174 seconds
/service/qmail-smtpd/log: up (pid 22065) 9174 seconds
messages in queue: 32
messages in queue but not yet preprocessed: 0
And the messages are for external hosts,
20 Dec 2002 03:09:33 GMT #58808 4955 <>
remote bounce.1194.39868523@bounce.bnb4.com
19 Dec 2002 17:21:14 GMT #58786 3714 <>
remote adp501@friendly984send.com
20 Dec 2002 03:13:21 GMT #58809 5443 <>
remote pro@speedsoffrslistings873009118273.com
19 Dec 2002 11:04:45 GMT #58787 23375 <>
remote gbw135@isp3845mailer45.com
20 Dec 2002 04:11:52 GMT #58810 3563 <>
remote adp124@friend284mail.com
So my server is probably relaying mails, most seem to be bouncing mails.
My /var/log/qmail/current is having entries like
@400000003e02aa63234a85e4 delivery 98: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/
@400000003e02aa63234aa13c status: local 0/10 remote 0/20
Thanks in advance.
Bye.
Hello amish, good morning.
Just to make sure why qmail is relaying and what domains it isn't allowing to relay, perform this check.
Check the config files for qmail and see what the local domain has been configured for. Besides that, to allow smtp relaying put in the ip addresses for all those local ip addresses that you would wanna relay for.
Telnet again to the machine once you have added the appropriate entries into /etc/tcp.smtp and resend the mail again. Be sure to reload the CDB file after you update /etc/tcp.smtp because qmail won't change the routing preferences until the reload of the cdb file has been done.
Check that out and let us know.
Bye for now and have a great day.
Trevor
On Fri, 20 Dec 2002 09:59:56 +0530 Amish Munshi amish_munshi@sify.com wrote:
- LUG meet on 12 Jan. 2003 @ VJTI
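The advice above (add the LAN addresses to /etc/tcp.smtp, rebuild the cdb, test again) turns on how tcpserver picks a rule for a connecting client. The script below is an added example written for this thread, not the poster's configuration and not ucspi-tcp code: it emulates the lookup order tcprules databases use (the exact IP, then each shorter dotted prefix such as 10.10.12., then the rule with an empty address) against a constructed rules file, and reports whether RELAYCLIENT would end up in qmail-smtpd's environment for a given client. The rebuild command in the comment is the stock tcprules invocation; the rules file content is made up for the demo.

```sh
#!/bin/sh
# Added example for this thread, not the poster's files or ucspi-tcp code.
# Emulates how tcpserver consults the cdb built from /etc/tcp.smtp:
# the client IP is tried as written, then each shorter dotted prefix
# (10.10.12., 10.10., 10.), then the default rule whose address is empty.
# The first rule found decides, and RELAYCLIENT is set only when that
# rule carries it. The rules file is a constructed temp file standing in
# for /etc/tcp.smtp.
#
# On the real box the cdb is rebuilt with (ucspi-tcp):
#   tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
# until that runs, qmail-smtpd keeps using the old rules.

make_demo_rules() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
127.0.0.1:allow,RELAYCLIENT=""
10.10.12.:allow,RELAYCLIENT=""
:allow
EOF
  echo "$f"
}

# rule_for RULES_FILE IP -> prints the first matching rule line (or nothing)
rule_for() {
  rules=$1
  ip=$2
  cands=$ip
  p=$ip
  # build "10.10.12.21 10.10.12. 10.10. 10." in that order
  while [ "$p" != "${p%.*}" ]; do
    p=${p%.*}
    cands="$cands $p."
  done
  # the trailing "" is the default rule (empty address before the colon)
  for c in $cands ""; do
    line=$(awk -F: -v a="$c" '$1 == a { print; exit }' "$rules")
    if [ -n "$line" ]; then
      printf '%s\n' "$line"
      return 0
    fi
  done
  return 0
}

# relay_allowed RULES_FILE IP -> 0 when RELAYCLIENT would be set, else 1
relay_allowed() {
  case "$(rule_for "$1" "$2")" in
    *:deny*) return 1 ;;
    *RELAYCLIENT=*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone run: show the decision for the three cases from the thread.
R=$(make_demo_rules)
for ip in 127.0.0.1 10.10.12.21 192.168.1.5; do
  if relay_allowed "$R" "$ip"; then
    echo "$ip: relay allowed (rule: $(rule_for "$R" "$ip"))"
  else
    echo "$ip: relay refused (rule: $(rule_for "$R" "$ip"))"
  fi
done
```

With the constructed rules, 127.0.0.1 and 10.10.12.21 get RELAYCLIENT while 192.168.1.5 falls through to the bare ":allow" rule and gets the "553 ... rcpthosts" refusal the original post saw. Remember the poster's test from 10.10.12.21 was against a rules file without the 10.10.12. line, which is exactly why it was refused.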
Greetings to all...
Need to know, how to identify and block Kazaa Ver 2.x traffic using IPTables on RedHat 8.0. (default server install)
thanks
Ripunjay Bararia
(e) ripunjay@bararia.com
On 24/12/02 18:20 +0530, Ripunjay Bararia wrote:
Need to know, how to identify and block Kazaa Ver 2.x traffic using IPTables on RedHat 8.0. (default server install)
Kazaa 2 uses dynamic high ports. Use proxy based firewalls to block it, no firewall rules. Oh, and have a policy banning Kazaa on your network, and then fire anyone who violates it.
Devdas Bhagat
Greetings, Merry Christmas to all...
By Proxy based firewalls do you mean that the internal users on my NATted LAN do not have a default route to the internet and they need to connect to the net using only a proxy (squid etc...)? Well, that is a bit of a problem as the squid is there for http only; everyone else on the LAN needs to be able to connect to the external FTP servers, the upload and MySQL servers for updating things etc, thus not a very easy thing to implement.
I have blocked kazaa.com from both the proxy and using BIND (made a new zone kazaa.com and put a * A 127.0.0.1 record in there; internally everyone uses the internal DNSes only.) Still users and myself are able to use kazaa without the users seeing the kazaa.com's homepage, which no one ever saw, too busy to download *.* from the WEB...
I have heard on other lists that there is a way to block Kazaa from network using some sort of Signature filter with IPTables/Chains etc...
Any ideas will be really appreciated....
Thanks
Ripunjay Bararia
-----Original Message-----
From: linuxers-admin@mm.ilug-bom.org.in [mailto:linuxers-admin@mm.ilug-bom.org.in] On Behalf Of Devdas Bhagat
Sent: Tuesday, December 24, 2002 10:35 PM
To: linuxers@mm.ilug-bom.org.in
Subject: Re: [ILUG-BOM] How to Stop Kazaa traffic using IPTables
Kazaa 2 uses dynamic high ports. Use proxy based firewalls to block it, no firewall rules. Oh, and have a policy banning Kazaa on your network, and then fire anyone who violates it.
Devdas Bhagat
On 25/12/02 11:52 +0530, Ripunjay Bararia (ILUG-MUM) wrote:
By Proxy based firewalls do you mean that the internal users on my NATted LAN do not have a default route to the internet and they need to connect to the net using only a proxy (squid etc...), well that is a bit of a problem
Yes. Use a proxy per protocol you need.
<snip>
I have heard on other lists that there is a way to block Kazaa from network using some sort of Signature filter with IPTables/Chains etc...
Not really workable. Kazaa v1 used 1214/tcp, 2 uses dynamic port allocation.
Use a policy, fire violators. Educate your users.
Devdas Bhagat
Hi all,
Warning to readers: Long message...
On Wed, 25 Dec 2002, Ripunjay Bararia (ILUG-MUM) wrote:
Greetings, Merry Christmas to all... By Proxy based firewalls do you mean that the internal users on my NATted LAN do not have a default route to the internet and they need to connect to the net using only a proxy (squid etc...), well that is a bit of a problem as the squid is there for http only rest every one on the LAN need to be able to connect to the external FTP servers the upload and MySQL servers for updating things etc thus not a very easy thing to implement.
The default route will always point to the machine that acts as gateway for your LAN. As for blocking KaZaa, I found some interesting info here,
http://www.checkpoint.com/techsupport/documentation/smartdefense/cpai-2002-13.htm
The information presented there is specific to Checkpoint firewall but can be used to implement similar things using iptables + <a proxy>.
Some info from the site: KaZaA is usually communicating through port 1214/TCP. Make sure that your security policy blocks this port (On the Perimeter Firewall). For traveling users, connecting to the corporate networks via VPN, this step usually has no effect. Therefore, it is highly recommended to block KaZaA at the Desktop Policy.
Since the KaZaA service was designed to traverse firewalls and use port 80 (http) it is necessary to use NG Feature Pack 3 P2P catcher. (this is Checkpoint Specific) This would verify that KaZaA is blocked, even if it is using port 80.
Outgoing KaZaa connections should have some HTTP headers in them distinguishing them from the rest. You can probably implement a simple rule using Squid (I am guessing). I don't know about TIS FW toolkit and Socks, may be somebody on list can throw some light on how these might be useful here.
Else use Snort to check for KaZaa packet patterns and then block those on the internal interface of your FW using Snort Addon scripts. For more info see www.snort.org.
Here are ready-made ("bane banaye") snort rules from their distribution :)
---------------------------
policy.rules: alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flags:A+; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1383; rev:3;)
policy.rules: alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) traffic"; flags:A+; content:"X-Kazaa-Username"; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1699; rev:2;)
sid-msg.map: 1383 || P2P Fastrack (kazaa/morpheus) GET request || url,www.kazaa.com || url,www.musiccity.com/technology.htm
sid-msg.map: 1699 || P2P Fastrack (kazaa/morpheus) traffic || url,www.kazaa.com
---------------------------
A much simpler hassle-free setup might be following:
* Block 1214/TCP inbound on perimeter FW
* Block 1214/TCP _both_ inbound and outbound for Desktop clients. This is easier if you use Linux on desktops, simple iptables rules. If you use XP use built in firewall / Set Security Policies tighter. If you use Win98 use ZoneAlarm or something similar to disable KaZaa from connecting. Apply secure policies using poledit.exe on Win9x.
And if all this doesn't suffice, make sure you have stricter policies for use of resources on your corporate LAN, and report offenders to higher management. ;)
I have blocked kazaa.com from both the proxy and using BIND (made a new zone kazaa.com and put * A 127.0.0.1, record in there, internally every one uses the internal DNSes only.) Still users and myself are able to use kazaa without the users seeing the kazaa.com's homepage, which no one every saw, too busy to download *.* from the WEB...
Now you know why...
have fun, Rajesh
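Putting the two halves of Rajesh's suggestion together (the 1214/TCP perimeter block and the Snort content match), here is an added example written for this thread; it is not code from any of the posters, from Snort or from Checkpoint. kazaa_rules prints, without applying, the iptables rules behind "block 1214/TCP inbound and outbound": a dedicated chain that logs with a rate limit and then rejects. is_fasttrack_request applies the content check from Snort sid 1699 ("X-Kazaa-Username") to captured HTTP request text, which is the part that still matters once the client moves off 1214 as Devdas points out for v2. summarize_kazaa_log counts hits per internal source from kernel log lines. The interface name eth1, the log prefix and every sample line are constructed for the demo.

```sh
#!/bin/sh
# Added example for this thread, not from the list posters or from Snort.
# kazaa_rules prints (does not apply) the iptables rules behind the
# "block 1214/TCP in and out" advice: a KAZAA chain that logs, then rejects.
# is_fasttrack_request applies the content check from Snort sid 1699
# ("X-Kazaa-Username") to captured HTTP request text.
# summarize_kazaa_log counts log hits per internal source.
# The interface name eth1 and all sample data are constructed for the demo.

kazaa_rules() {
  lan_if=${1:-eth1}     # assumed LAN-side interface of the gateway
  cat <<EOF
iptables -N KAZAA
iptables -A KAZAA -m limit --limit 5/min -j LOG --log-prefix "KAZAA-1214: "
iptables -A KAZAA -j REJECT --reject-with tcp-reset
iptables -A FORWARD -i $lan_if -p tcp --dport 1214 -j KAZAA
iptables -A FORWARD -o $lan_if -p tcp --dport 1214 -j KAZAA
iptables -A INPUT -i $lan_if -p tcp --dport 1214 -j KAZAA
EOF
}

# is_fasttrack_request "<request text>" -> 0 if the FastTrack header is present
# (the same content match as Snort sid 1699, applied to a reassembled request)
is_fasttrack_request() {
  printf '%s\n' "$1" | grep -qi '^X-Kazaa-Username:'
}

# Constructed kernel log lines in the LOG target's format (not real captures).
demo_kazaa_log() {
  cat <<'EOF'
Dec 25 12:00:01 gw kernel: KAZAA-1214: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=3456 DPT=1214 SYN
Dec 25 12:00:03 gw kernel: KAZAA-1214: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=3457 DPT=1214 SYN
Dec 25 12:00:09 gw kernel: KAZAA-1214: IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=1099 DPT=1214 SYN
Dec 25 12:01:00 gw kernel: martian source 10.0.0.1 from 192.168.1.99
EOF
}

# summarize_kazaa_log < syslog -> "count src" lines, busiest source first
summarize_kazaa_log() {
  grep 'KAZAA-1214:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Stand-alone run: show the rule set and the per-host summary.
kazaa_rules eth1
echo "--- blocked attempts per internal host ---"
demo_kazaa_log | summarize_kazaa_log
```

The port rule only catches v1 clients and v2 clients still using the default port; the header check needs something that sees request content (Snort on a span port, or a proxy), which is why the thread keeps coming back to proxies and policy rather than port filters.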
On 25/12/02 11:50 -0500, Rajesh Deo wrote:
Some info from the site: KaZaA is usually communicating through port 1214/TCP.
This is KaZaA v1, not v2. <snip>
And if all this doesn't suffice, make sure you have stricter policies for use of resources on your corporate LAN, and report offenders to higher management. ;)
This is the correct method.
Devdas Bhagat
Hi Ripunjay,
You need to block incoming/outgoing port 1214 tcp/udp
- Mayank
----- Original Message -----
From: "Ripunjay Bararia (ILUG-MUM)" ilug-mum@ddcpl.com
To: linuxers@mm.ilug-bom.org.in
Sent: Wednesday, December 25, 2002 11:52 AM
Subject: RE: [ILUG-BOM] How to Stop Kazaa traffic using IPTables
http://mm.ilug-bom.org.in/mailman/listinfo/linuxers
Hi Amish,
telnet 10.10.12.21 25 (my private IP) {output is 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)} So can I conclude that the external mails are not being relayed?
No. This means that your 10. series of IPs does not have relaying access. You need to have 10.1.12.:allow,RELAYCLIENT="" in your tcp rules too to allow the 10.1.12.* subnet to relay mail.
And the messages are for external hosts, 20 Dec 2002 03:09:33 GMT #58808 4955 <> remote bounce.1194.39868523@bounce.bnb4.com 19 Dec 2002 17:21:14 GMT #58786 3714 <> remote adp501@friendly984send.com So my server is probably relaying mails, most seem to be bouncing mails.
These are not relayed mails. These mails have come to the system from remote hosts for local recipients and are now bouncing. These messages are from spammers with invalid MX pointers. These mails will remain in queue and eventually bounce to postmaster.
- Mayank
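The distinction Mayank draws (queued bounces versus relayed mail) can be read straight off the qmail-qread listing: a message whose envelope sender prints as "<>" is itself a bounce that this server generated, and its "remote" line is the forged sender it is trying to deliver the bounce to. The script below is an added example written for this thread, not the poster's data or qmail code: it parses a listing modelled on the original post (the first two entries are the poster's, the rest are invented with .invalid domains) and counts bounces, outbound deliveries and local deliveries separately.

```sh
#!/bin/sh
# Added example for this thread, not from the posters or from qmail.
# Classifies a qmail-qread listing so that queued bounces (null envelope
# sender, shown as "<>") are told apart from messages the server accepted
# for onward delivery. The listing is constructed in the shape of the
# poster's output; the non-bounce entries are invented (.invalid domains).

demo_qread() {
  cat <<'EOF'
20 Dec 2002 03:09:33 GMT #58808 4955 <>
  remote bounce.1194.39868523@bounce.bnb4.com
19 Dec 2002 17:21:14 GMT #58786 3714 <>
  remote adp501@friendly984send.com
20 Dec 2002 04:15:00 GMT #58811 2100 <amish@example.invalid>
  remote friend@example.invalid
20 Dec 2002 04:16:00 GMT #58812 900 <amish@example.invalid>
  local postmaster@example.invalid
EOF
}

# classify_queue < qread-output -> one line per recipient:
#   "<kind> <msg#> <recipient>", kind = bounce | outbound | local
# A header line is "date #msgnum size <sender>"; recipient lines follow it
# and start with remote, local, or "done remote"/"done local".
classify_queue() {
  awk '
    /^[0-9][0-9]* [A-Z][a-z][a-z] [0-9][0-9][0-9][0-9] / {
      msg = $6; sender = $8
      next
    }
    $1 == "remote" || $1 == "local" || $1 == "done" {
      who = ($1 == "done") ? $2 : $1
      rcpt = $NF
      if (sender == "<>")      kind = "bounce"
      else if (who == "local") kind = "local"
      else                     kind = "outbound"
      print kind, msg, rcpt
    }'
}

# queue_summary < qread-output -> "bounce=N outbound=N local=N"
queue_summary() {
  classify_queue | awk '
    { n[$1]++ }
    END { printf "bounce=%d outbound=%d local=%d\n",
                 n["bounce"], n["outbound"], n["local"] }'
}

# Stand-alone run against the constructed listing.
demo_qread | classify_queue
demo_qread | queue_summary
```

On a live system feed it with /var/qmail/bin/qmail-qread instead of demo_qread. A queue where every "remote" entry sits under a "<>" sender, as in the original post, is a server generating bounces for mail it accepted, not a server relaying for strangers; those bounces sit in the queue until delivery succeeds or the message outlives /var/qmail/control/queuelifetime.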
On Thu, Dec 26, 2002 at 09:49:04AM +0530, Mayank Sarup wrote:
- LUG meet on 12 Jan. 2003 @ VJTI
Hi Amish,
telnet 10.10.12.21 25 (my private IP) {output is 553 sorry, that domain isn't in my list of allowed
hosts for local recipients and are now bouncing. These messages are from spammers with invalid MX pointers. These mails will remain in queue and eventually bounce to postmaster.
Thanks, OK, so now how do I reject mails for users who do not exist on my machine? Like if I telnet mx1.mail.yahoo.com and use RCPT TO:linuxers.mm.ilug-bom.org.in@yahoo.com (I assume this email address does not exist on yahoo.com) then it will tell me that user does not exist and not accept mail. How do I configure my qmail to do this. For present I have setup a .qmail-default in /var/qmail/aliases to collect all mails.
- Mayank
Amish,
The default behaviour of qmail is to accept all mail and then bounce if the user is not found. You need the following patch to verify rcpt to's
http://www.xpto.org/~japc/soft/patches/qmail-verifyrcpt.patch. I haven't tried it yet so tell me how it goes :-)
- Mayank
Thanks, OK, so now how do I reject mails for users who do not exist on my machine? Like if I telnet mx1.mail.yahoo.com and use RCPT TO:linuxers.mm.ilug-bom.org.in@yahoo.com (I assume this email address does not exist on yahoo.com) then it will tell me that user does not exist and not accept mail. How do I configure my qmail to do this. For present I have setup a .qmail-default in /var/qmail/aliases to collect all mails.
- Mayank
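Whatever patch is used, rejecting at RCPT TO means qmail-smtpd has to answer the question qmail-local normally answers only at delivery time: is there a .qmail file that would handle this address? The script below is an added example for this thread, not code from qmail or from the verifyrcpt patch linked above; it follows the .qmail resolution order documented for qmail-local (exact extension, then each trailing hyphenated component replaced by "default", then .qmail-default) over a constructed alias directory, and shows why the poster's .qmail-default catch-all makes every address look deliverable. The 550 text reuses qmail-local's own "no mailbox here by that name" wording; the directory contents are made up for the demo.

```sh
#!/bin/sh
# Added example for this thread, not code from qmail or the verifyrcpt patch.
# Shows the lookup a recipient check must perform before qmail-smtpd answers
# RCPT TO: it follows qmail-local's .qmail resolution order for an alias
# directory, which is why a .qmail-default catch-all makes every address
# look valid. The alias directory is a constructed temp dir, not the
# poster's /var/qmail/alias.

setup_demo_aliases() {
  d=$(mktemp -d)
  : > "$d/.qmail-postmaster"
  : > "$d/.qmail-sales-default"     # handles sales-<anything>
  echo "$d"
}

# rcpt_known DIR LOCALPART -> 0 if some .qmail file would handle it, else 1
rcpt_known() {
  dir=$1
  # qmail-local lowercases the extension and writes '.' as ':' in file names
  ext=$(printf '%s' "$2" | tr 'A-Z.' 'a-z:')
  [ -f "$dir/.qmail-$ext" ] && return 0
  # sales-eu-bob -> .qmail-sales-eu-default, then .qmail-sales-default
  rest=$ext
  while [ "$rest" != "${rest%-*}" ]; do
    rest=${rest%-*}
    [ -f "$dir/.qmail-$rest-default" ] && return 0
  done
  [ -f "$dir/.qmail-default" ] && return 0
  return 1
}

# smtp_rcpt_reply DIR ADDRESS -> the reply a verifying qmail-smtpd would give
# (illustrative wording; the 550 text is qmail-local's bounce message)
smtp_rcpt_reply() {
  local_part=${2%@*}
  if rcpt_known "$1" "$local_part"; then
    echo "250 ok"
  else
    echo "550 sorry, no mailbox here by that name (#5.1.1)"
  fi
}

# Stand-alone run: first without, then with a catch-all .qmail-default.
D=$(setup_demo_aliases)
for a in postmaster@example.invalid sales-eu-bob@example.invalid nobody@example.invalid; do
  echo "RCPT TO:<$a> -> $(smtp_rcpt_reply "$D" "$a")"
done
: > "$D/.qmail-default"
echo "with .qmail-default: RCPT TO:<nobody@example.invalid> -> $(smtp_rcpt_reply "$D" nobody@example.invalid)"
rm -rf "$D"
```

The last line of output is the poster's current situation: with a catch-all in place every RCPT TO gets 250, so the check has nothing to reject on, and spam for non-existent users is accepted and later bounced. Removing the catch-all (or keeping it only for the extensions that really should be collected) is what gives a recipient-verification patch something to say no to.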