Score:0

Not sure, if my Courier server is an open relay

gw flag
Mat

Nessus finds my mailserver to be an open relay:

Here is a trace of the traffic that demonstrates the issue :

  S : 220 my.mailserver.at ESMTP
  C : HELO example.edu
  S : 250 my.mailserver.at Ok.
  C : MAIL FROM: <[email protected]>
  S : 250 Ok.
  C : RCPT TO: <[email protected]>
  S : 250 Ok.
  C : DATA
  S : 354 Ok.

but I don't find the setting where I could close it. The output can be reproduced with telnet, so I presume that's a valid vulerability.

ESMTPAUTH is enabled, so I figured, according to the documentation, relaying should only be permitted for authenticated users (so mails can be sent).

On the other hand, https://mxtoolbox.com checks ›OK – Not an open relay‹, http://www.aupads.org/ tells me (according to answers like the ones shown above), the server has accepted a mail for relaying but may or may not actually do it.

I skimmed through courierd esmtpd esmtpd-ssl and imapd-ssl config files, but would not find what setting(s) I have to adjust.

What am I missing? What can I provide to help track that down?

Add: That's the entire report for that vulnerability: Nessus: MTA Open Mail Relaying Allowed

joeqwerty avatar
cv flag
Your sample trace doesn't demonstrate the issue because example.edu is an example domain, not your domain. It's impossible to know from your trace whether or not your server is an open relay. Can you, without authenticating, send an email via your server to a domain that your server is not authoritative for?
Mat avatar
gw flag
Mat
Thx! That's not my sample issue, but the log from Nessus's test. As I read it, they connect to my server with these messages and (seemingly?) succeed. When I try to send a mail without authentication to a foreign domain, I get ›512, Relaying denied‹ (which is reassuring). However, Nessus's diagnose worries me, because I don't want to run a risk of becoming blacklisted.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.