WHM/Cpanel Exim issue - how to better secure a partially open relay
Posted by MnMNmN, 02-14-2008, 10:04 PM Hi all, I have a WHM/cPanel server. I have done some tests recently which show that I may be running an open relay server. I think I have all options in WHM correct. I have tested this myself (via telnet and the required commands) and what I have found is this: If the FROM email is coming from any other domain than my own I get the normal error about not authenticated etc. etc. If I put in any user with my domain in the FROM field then the server happily accepts and sends any message. I really don't know how to close this down so that ANY user (regardless if on local domain or not) is asked to authenticate before being able to SMTP out. I hope someone can help me before the spammers find me. Thanks guys.
Posted by activelobby4u, 02-15-2008, 03:02 AM once you authenticate initially, you would be able to spoof/accept mails until you logout.... I'm not sure what is happening with you, but since you should have authenticated once for sending the mail, this should not pose a problem.
Posted by whmcsguru, 02-15-2008, 04:58 AM This isn't a relay, the user is actually authenticating to the system before mail is being sent out. How CPanel's system works: User A tries to send mail. If User A has received (or sent) mail successfully in the past 1/2 hour (not a stretch), they're considered to have successfully logged into the server, and they are allowed to pass mail through the server. If User A has NOT received (or sent) mail successfully in the past 1/2 hour, they are considered to NOT have successfully logged into the server, and they see the error message you're describing. The logins and ip addresses are stored in a file which cpanel then goes through to see who's logged in, who hasn't, and compares it when necessary. By no means is this a 'relay', as cpanel by default does not allow mail relaying. Now, if you want to turn this option off (requiring users to login every time they interact with the mail server), then you can turn off the antirelayd (WHM -> Service Configuration -> Service Manager) which SHOULD stop this beast, but it is not necessary to do so, as CPanel does not provide 'open relays'.
Posted by bitserve, 02-15-2008, 12:20 PM Linux-tech person, I don't see how specifying an SMTP envelope sender address at one's domain constitutes POP/IMAP before SMTP authentication, but maybe you're saying that mnmnmn did the relay test wrong? Perhaps you can clarify?
Posted by whmcsguru, 02-15-2008, 01:15 PM Or they did them with incorrect assumptions. cPanel, at default, DOES NOT provide an open relay, partial, full, whatever, it's not done. I've tested this god knows how many times over the past 5 years, and every time, it does not provide an 'open relay'. In fact, it does everything to stop this activity. The user made some pretty incorrect assumptions here, however: Firstly, mail sent through the server should only be sent from domains on that server. Of course, you're going to get errors if you're trying to just blindly send mail from any domain on that server, it's what's supposed to happen. Logged in, or not, it's what is supposed to happen. Secondly, if the mail sent 'through the server' is sent FROM an IP which has previously authenticated (ie: pop before auth), then this is considered safe, and the user is NOT required to authenticate again. This is pretty common here, and is not indicative in any way of a relay. Particular checks are made by Exim (not cPanel) to make sure that particular things should be done. If mail should be handled for that domain (in or out), it passes on to check #2. If not, then it dies with the error mentioned. In check #2, we verify authentication. This is where pop before auth comes in. If the user has successfully logged in in the past half hour from that ip/host (pop) then they're considered authenticated (auth), and the system will bypass SMTP requirements for authentication. This isn't 'open relay', it's how cPanel (and DirectAdmin, and others I'm sure, just those two come to mind) handle authentication. Somewhere, you've successfully authenticated in the past half hour with your domain, so the IP address is allowed to send mail without requiring authentication. Again, pop before auth, this is exactly how it works.
Posted by bitserve, 02-15-2008, 01:58 PM Interesting. I didn't know that cpanel configured ensim to check the sender domain to see if it was a domain it hosted.
Posted by Tim Greer, 02-15-2008, 02:24 PM I'm assuming you just had (within the last 30 minutes) checked POP/IMAP and it created an SMTP session, if you were able to telnet to the SMTP port and relay email as long as it was from a domain on the server. Don't check email for an hour or so and then try to relay again, you should find it will fail, unless you've modified your configuration to somehow allow relaying.
Posted by MnMNmN, 02-19-2008, 11:39 PM Sorry guys, I have been away for a few days with no internet connection. OK, what I will do (since I only got back, so I am sure nobody from my IP address authenticated in the last 5 days or so) is try again from my PC and see what happens. Thanks for your suggestions so far. I will report back the results of my latest tests.
Posted by MnMNmN, 02-21-2008, 12:23 AM Hi guys, I am back with my test results. Just as suggested, sending mail DID NOT go through. It spat out the authentication error. Thanks for your help guys.
Posted by dhigby, 09-18-2008, 07:36 AM Oh, that explains it! I ran an open relay test on the internet and it said that my server may be an open relay. But knowing what was explained in this thread now, it was open to this ip address, because my email client *had* authenticated in the past 30 minutes.
Posted by hosting_we3cares, 09-18-2008, 08:12 AM In a cPanel/Exim server, you can see a daemon "antirelayd". When you see the script /usr/sbin/antirelayd, you can understand that the POP/IMAP client IPs which are logged in /var/log/maillog are collected by the antirelayd daemon and added to the /etc/relayhosts file. Every IP's entry in /etc/relayhosts is valid for the next 30 minutes. So once your email client authenticates, the client machine IP will be logged in /var/log/maillog, which will then be added to /etc/relayhosts by antirelayd. Hence there won't be any authentication from the email client side for the next 30 minutes. Hope you understand better. Last edited by bear; 09-27-2008 at 12:18 PM.
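As an added illustration (not code from this thread and not cPanel's own antirelayd), here is a simplified model of the pop-before-smtp mechanism described by whmcsguru and hosting_we3cares: it scans constructed courier-style maillog lines for successful POP/IMAP logins, builds the equivalent of the /etc/relayhosts table with its 30-minute window, and applies the two checks (sender domain hosted locally, then SMTP AUTH or a fresh relayhosts entry) to decide whether an outbound message is accepted. The log line format, the function names and the sample addresses are assumptions.

```python
import re
from datetime import datetime, timedelta

# Validity of a relayhosts entry, as stated in the thread.
WINDOW = timedelta(minutes=30)

# Constructed sample /var/log/maillog lines (courier-style LOGIN records; the format is an assumption).
SAMPLE_MAILLOG = """\
Feb 21 00:01:10 host imapd: LOGIN, user=alice@example.com, ip=[::ffff:203.0.113.10]
Feb 21 00:05:42 host pop3d: LOGIN, user=bob@example.com, ip=[::ffff:198.51.100.7]
Feb 21 00:06:00 host imapd: LOGIN FAILED, user=mallory@example.com, ip=[::ffff:192.0.2.99]
"""

# Only successful logins ("LOGIN, user=...") qualify; failed attempts are ignored.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ (?:imapd|pop3d): LOGIN, user=\S+, "
    r"ip=\[(?:::ffff:)?(?P<ip>[\d.]+)\]"
)


def collect_relayhosts(maillog: str, year: int) -> dict:
    """Mimic antirelayd: map each client IP with a successful POP/IMAP login to its latest login time."""
    hosts = {}
    for line in maillog.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["ip"] not in hosts or ts > hosts[m["ip"]]:
            hosts[m["ip"]] = ts
    return hosts


def may_relay(sender_domain: str, client_ip: str, smtp_authenticated: bool,
              now_iso: str, relayhosts: dict, local_domains: set) -> bool:
    """Relay decision for an outbound message, in the order whmcsguru describes."""
    # Check 1: the envelope sender must belong to a domain this server hosts.
    if sender_domain.lower() not in local_domains:
        return False
    # Check 2a: an SMTP AUTH login in this session is always sufficient.
    if smtp_authenticated:
        return True
    # Check 2b: pop-before-smtp, a POP/IMAP login from this IP within the window.
    last = relayhosts.get(client_ip)
    return last is not None and datetime.fromisoformat(now_iso) - last <= WINDOW


if __name__ == "__main__":
    hosts = collect_relayhosts(SAMPLE_MAILLOG, 2008)
    print("relayhosts:", {ip: t.isoformat() for ip, t in hosts.items()})
    print("19 min after IMAP login:", may_relay("example.com", "203.0.113.10", False, "2008-02-21T00:20:00", hosts, {"example.com"}))
    print("44 min after IMAP login:", may_relay("example.com", "203.0.113.10", False, "2008-02-21T00:45:00", hosts, {"example.com"}))
```

The first relay call reproduces what the original poster saw (accepted without SMTP AUTH because the client had just checked mail), and the second reproduces the rejection seen once the window had expired.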