Misconfigured router causes open SMTP relay


2012/03/10



My customer was not happy. He had been shut down by his ISP for spamming - apparently his internal mail server was guilty of sending some tens of thousands of messages in a very short period of time.

My first suspicion in such cases is always an infected internal machine. However, the customer immediately said that the source was external - somebody was using his mail server as a relay. I therefore asked him to confirm that his relay settings were correct.

Kerio Connect relay settings

Those settings were correct, but perhaps someone had guessed passwords? I asked him if he had users with silly passwords like "mary123". He confessed that he did. I asked him to turn on "User Authentication" in the Debug Log.

Turn on extended debugging by right clicking in the Debug log and choosing "Messages" as shown here.

Kerio Connect debug settings

Kerio Connect debug authentication settings

After doing that, the Debug log shows each external authentication attempt, in entries like this one:

[08/Mar/2012 15:03:33][31012] {auth} Basic: second step, user
tony&aplawrence.com authenticated

However, no external authentication was seen. I therefore returned to my original thought of an infected internal machine, so I asked how he knew that these emails were originating from outside of his network.

"Well, I can see it in the Mail log, of course", he replied.

Indeed, the standard Mail log entry will show the sending host. For example, here's an entry from my Kerio mail server logs.

[10/Mar/2012 08:14:14] Recv: Queue-ID: 4f5b53a5-0000349a, Service: SMTP,
From: <noreply&nw.nwsltechwebresources.com>, To: <tony&aplawrence.com>,
Size: 36880, Sender-Host: 204.92.22.226

The mail server responsible for that message is at 204.92.22.226.

I asked where the spammer was coming from, and was surprised when my customer said that he didn't know. I pressed harder and was told that all he was seeing in the logs was the internal IP address of the router. So, rather than showing an address like 204.92.22.226, the logs were showing the Sender-Host as 192.168.2.1 (the internal IP of the router).
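The symptom described above is easy to spot mechanically: a router never originates mail, so any "Recv:" entry whose Sender-Host is the router's LAN address means the real client address was lost before the connection reached the mail server. The following script is an added example, not part of the original article and not Kerio's own tooling; it parses Mail log entries in the format shown above and reports how many messages arrived "from" the router. The sample log lines, the router address 192.168.2.1 and the hosted domain example.com are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Pattern for a Kerio Connect Mail log "Recv:" entry in the format shown above
# (timestamp, Queue-ID, Service, From, To, Size, Sender-Host), one entry per line.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>[^,\s]+), Service: (?P<svc>\w+), "
    r"From: <(?P<sender>[^>]*)>, To: <(?P<rcpt>[^>]*)>, "
    r"Size: (?P<size>\d+), Sender-Host: (?P<host>\S+)$"
)

# Constructed sample log (not real traffic). The router's LAN address, 192.168.2.1,
# shows up as Sender-Host on messages that are plainly outside-to-outside traffic.
SAMPLE_LOG = """\
[10/Mar/2012 09:01:02] Recv: Queue-ID: 4f5b5a00-00003500, Service: SMTP, From: <news@example.net>, To: <tony@example.com>, Size: 2048, Sender-Host: 198.51.100.7
[10/Mar/2012 09:01:05] Recv: Queue-ID: 4f5b5a03-00003501, Service: SMTP, From: <tony@example.com>, To: <news@example.net>, Size: 1500, Sender-Host: 192.168.2.55
[10/Mar/2012 09:01:06] Recv: Queue-ID: 4f5b5a04-00003502, Service: SMTP, From: <promo@example.org>, To: <victim1@example.net>, Size: 5120, Sender-Host: 192.168.2.1
[10/Mar/2012 09:01:06] Recv: Queue-ID: 4f5b5a04-00003503, Service: SMTP, From: <promo@example.org>, To: <victim2@example.net>, Size: 5120, Sender-Host: 192.168.2.1
this line is not a Recv entry and is skipped by the parser
[10/Mar/2012 09:01:07] Recv: Queue-ID: 4f5b5a05-00003504, Service: SMTP, From: <promo@example.org>, To: <victim3@example.net>, Size: 5120, Sender-Host: 192.168.2.1
"""

LOCAL_DOMAINS = {"example.com"}  # assumed: the domains this server hosts


def parse_recv(line):
    """Return a dict of fields for a Recv: entry, or None for any other line."""
    m = RECV_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    entry["host"] = ip_address(entry["host"])
    return entry


def domain_of(addr):
    """Domain part of an e-mail address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def audit_recv_log(text, gateway_ip, local_domains=LOCAL_DOMAINS):
    """Count messages per Sender-Host and flag those that arrived 'from' the router.

    Entries whose Sender-Host is the gateway mean the client's real address was
    replaced on the LAN side. Those with a non-local recipient are the ones the
    server relayed onward, i.e. the open-relay traffic.
    """
    gateway = ip_address(gateway_ip)
    per_host = Counter()
    via_gateway = []
    relayed = []
    for line in text.splitlines():
        entry = parse_recv(line)
        if entry is None:
            continue
        per_host[str(entry["host"])] += 1
        if entry["host"] == gateway:
            via_gateway.append(entry["qid"])
            if domain_of(entry["rcpt"]) not in local_domains:
                relayed.append(entry["qid"])
    return {
        "per_host": per_host,
        "via_gateway": via_gateway,
        "relayed_via_gateway": relayed,
        "nat_masking_suspected": bool(via_gateway),
    }


if __name__ == "__main__":
    report = audit_recv_log(SAMPLE_LOG, "192.168.2.1")
    print("messages per Sender-Host:", dict(report["per_host"]))
    print("queue IDs seen from the router:", report["via_gateway"])
    print("relayed to non-local recipients:", report["relayed_via_gateway"])
```

Run against a real Mail log, pass the router's LAN address as gateway_ip; a non-empty relayed_via_gateway list is the open-relay signature, while a non-empty via_gateway list on its own already shows that the router is hiding source addresses and IP-based spam controls cannot be working.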

That won't work

I have seen misconfigured and broken routers present an internal IP address instead of the external address before, but I was surprised to hear that from this particular customer, as he has been running this mail server for some time. The answer turned out to be that he had installed a new ZyXEL router the week before. It had taken the spammers only a few days to find that hole, but they certainly had found it!

I don't know whether the ZyXEL does that by default or if someone misconfigured it, but it causes all sorts of problems for a mail server. Blacklists can't work without knowing the source IP, and neither can limits based on IP addresses or DNS lookups.

Kerio Connect IP based limits

That would be bad enough, but it also means that, by default, anything coming from outside is seen as coming from the local LAN. Clients connecting from the local LAN are always allowed to relay, so effectively the router configuration turned their mail server into an open relay!

Temporary Fix

Kerio Connect IP group

As a quick stopgap, I had him change the definition of his local LAN to exclude the router's internal IP. That at least closes the open relay hole, though he will still need to correct the router configuration so that it passes through the connecting host's public IP; only then can the IP and DNS based spam controls work.

It's probably not a bad idea to leave the "Local Clients" definition as excluding the router. In fact, where possible, that definition should also exclude other machines that shouldn't be sending mail. For example, a file and print server or a domain server is probably NOT used for composing mail, so why not exclude them as well? Printer IPs might also be excluded (though some scanner/printers are configured to use a mail server). This may seem like overkill, but it will also help point out unexpected usage.
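To make the stopgap concrete, here is a small model of the relay decision described in the article: mail for a hosted domain is always accepted, and mail for anywhere else is relayed only for clients in the "Local Clients" group or for authenticated users. It is an added example, not the article's own material and not Kerio's implementation; the LAN 192.168.2.0/24 and router address 192.168.2.1 are taken from the article, while the file server and printer addresses and the hosted domain example.com are assumed. It shows the same NAT-masked outside client being allowed to relay before the router is excluded and refused afterwards, while a real workstation and an authenticated user are unaffected.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address


@dataclass
class IPGroup:
    """An address group in the style of 'Local Clients': some networks
    included, with individual hosts carved out of them."""
    include: list
    exclude: set = field(default_factory=set)

    def contains(self, ip):
        ip = ip_address(ip)
        if ip in self.exclude:
            return False
        return any(ip in net for net in self.include)


@dataclass
class RelayPolicy:
    local_clients: IPGroup
    local_domains: set

    def may_relay(self, client_ip, recipient, authenticated=False):
        """Decide whether to accept mail for `recipient` from `client_ip`.
        Returns (allowed, reason) so the reason for each decision is visible."""
        rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
        if rcpt_domain in self.local_domains:
            return True, "local recipient"
        if authenticated:
            return True, "authenticated user"
        if self.local_clients.contains(client_ip):
            return True, "client in Local Clients group"
        return False, "relay denied for external, unauthenticated client"


LAN = IPv4Network("192.168.2.0/24")
ROUTER = ip_address("192.168.2.1")        # the router's LAN address from the article
FILE_SERVER = ip_address("192.168.2.10")  # assumed address of a host that never sends mail
PRINTER = ip_address("192.168.2.20")      # assumed address of a printer
LOCAL_DOMAINS = {"example.com"}           # assumed hosted domain

# Before the fix: the whole LAN, router included, counts as local.
before = RelayPolicy(IPGroup([LAN]), LOCAL_DOMAINS)
# The stopgap: same LAN, but the router (and other non-mail hosts) excluded.
after = RelayPolicy(IPGroup([LAN], {ROUTER, FILE_SERVER, PRINTER}), LOCAL_DOMAINS)


def spammer_via_nat(policy):
    """An outside client whose source address the router rewrote to 192.168.2.1."""
    return policy.may_relay(ROUTER, "victim@example.net")


def workstation(policy):
    """A genuine LAN workstation sending to an outside address."""
    return policy.may_relay("192.168.2.55", "friend@example.net")


def authenticated_remote_user(policy):
    """A user who logged in with a password, even though the address looks like the router."""
    return policy.may_relay(ROUTER, "friend@example.net", authenticated=True)


if __name__ == "__main__":
    for name, policy in (("before", before), ("after", after)):
        print(name, "spammer via NAT:", spammer_via_nat(policy))
        print(name, "LAN workstation:", workstation(policy))
        print(name, "authenticated user:", authenticated_remote_user(policy))
```

The excluded file server and printer get the same treatment as the router: any mail that turns up from those addresses is refused relay and therefore shows up in the logs as unexpected usage, which is exactly the pointer the last paragraph is after.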



1 comment


© Anthony Lawrence







Sat Mar 10 20:31:33 2012: 10726   NickBarron



Ah interesting!

Lovely little trick that of the ZyXEL; it's not the default behaviour for the higher models that I have seen. (ZyXEL USG I think)

Strange little quirk. I will look to amend the definition of local though for some of our clients with internal mail servers.

Thanks Tony, good to see a few posts on here recently.

Nick
