Plesk SMTP Service (QMail) acts as an open relay

Discussion in 'Parallels Plesk Panel for Linux - 8.x and Older' started by Redpitt, Sep 25, 2008.

  1. Redpitt

    Redpitt New Member

    Messages:
    6
    Hi all!

    I've verified that after upgrading to Plesk 8.4 (the issue is present in Plesk 8.6 too), the SMTP server acts as an open relay.

    I'm using Plesk 8.4 and Plesk 8.6 on Centos 4.x operating system.
    Plesk upgrades are made via the autoinstaller command-line utility downloaded from Parallels site.

    Users are able to use the mail server with any valid BASE64 login header (containing valid or invalid credentials) or WITHOUT sending these headers at all (toggling off SMTP authentication on their mail user agents).

    I've tried to reconfigure the mail service via the "Server -> Mail" section in the control panel with no success.
    Moreover, I've tried to correct the problem by calling "mailmng" and "mchk" command-line utilities, but that didn't solve the problem.

    It seems to me that there's no way to solve the security issue through the control panel, so I've decided to publish here a workaround to secure your mail servers while waiting for Parallels to identify the problem and study a solution for it.

    1. change directory to "/etc/xinetd.d"
    2. create a file named "smtp_ok"

    copy the following content into that file:

    service smtp
    {
        flags = REUSE NAMEINARGS
        socket_type = stream
        protocol = tcp
        wait = no
        user = qmaild
        server = /usr/sbin/tcpd
        env = SMTPAUTH=1 POPAUTH=1
        server_args = /var/qmail/bin/tcp-env -R /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
    }


    3. save and close the file
    4. create a file named smtps_ok
    5. copy the following content into that file:

    service smtps
    {
        flags = REUSE NAMEINARGS
        socket_type = stream
        protocol = tcp
        wait = no
        user = qmaild
        server = /usr/sbin/tcpd
        env = SMTPAUTH=1 POPAUTH=1
        server_args = /var/qmail/bin/tcp-env -R /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
    }


    6. remove the following files: "smtp_psa", "smtps_psa", "submission.psa"
    7. restart xinetd by typing "/etc/init.d/xinetd restart"

    This fix should let you secure your MTA. Now we have to check that it remains secure... for this purpose I've created a shell script and added a new cronjob that runs every minute (you can increase this value, but I suggest it should be less than 5 minutes).

    This is needed because the Plesk admin user can modify mail settings via the control panel and recreate the security hole.
    With this script we continuously check whether the control panel has modified the SMTP and SMTPS service configuration, and restore authentication, disabling unwanted message submission.


    To create this script you have to:

    1. change directory to "/root"
    2. create a file named "check_xinetd.sh"
    3. copy the following content into that file:

    #!/bin/bash
    # Restore SMTP authentication if Plesk has recreated its xinetd service files.
    # Intended to run from root's crontab every minute.

    USER=root
    SHELL=/bin/bash
    HOME=/root

    export USER SHELL HOME

    RELOAD=0

    cd /etc/xinetd.d || exit 1

    # Plesk regenerates these files without SMTPAUTH=1; remove them so the
    # smtp_ok / smtps_ok definitions stay in effect.
    if [ -f /etc/xinetd.d/smtp_psa ]; then
        rm -f /etc/xinetd.d/smtp_psa
        RELOAD=1
    fi

    if [ -f /etc/xinetd.d/smtps_psa ]; then
        rm -f /etc/xinetd.d/smtps_psa
        RELOAD=1
    fi

    # Only reload xinetd when something actually changed
    if [ "$RELOAD" = "1" ]; then
        /etc/init.d/xinetd reload
    fi

    exit 0



    4. make the script executable by typing "chmod 0700 check_xinetd.sh"
    5. run "crontab -e"
    6. your preferred editor opens: just put the following line at the end of the crontab file

    0-59 * * * * /root/check_xinetd.sh

    7. save and close the editor... you should see the message "installing new crontab"...

    Good work! Your server is now fully secured...

    Feedback welcome!
    Thanks for your attention.

    Redpitt.
  2. Redpitt

    Redpitt New Member

    Messages:
    6
    [SECURITY HOLE] Plesk SMTP Service (QMail) acts as an open relay -- NOTICE

    Just to be more clear... :)

    I've heard that there are security issues when NOT setting "use full mail names in authentication" in the "Server -> Mail" control panel.

    I would like to inform you that our ISP is having problems on all Plesk servers even if we are correctly using that option.

    Thanks again for your attention.
    Redpitt.
  3. exi1ed0ne

    exi1ed0ne New Member

    Messages:
    39
    The only difference I see is the addition of "flags = REUSE NAMEINARGS" in the xinetd config. What does that do, and why does it stop open relaying? My server is not an open relay without that bit, so I'm wondering what the reasoning behind the change is.
  4. Redpitt

    Redpitt New Member

    Messages:
    6
    I posted the wrong (original) file for the SMTP service in the forum

    Hi Andy,

    the following is the content of the original file for the SMTP service in /etc/xinetd.d:

    service smtp
    {
        socket_type = stream
        protocol = tcp
        wait = no
        disable = no
        user = root
        instances = UNLIMITED
        env =
        server = /var/qmail/bin/tcp-env
        server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/true /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
    }


    As you can see, the "SMTPAUTH=1" and "POPAUTH=1" directives are missing from the "env" variable...

    Moreover, in the file I modified and posted yesterday, I run the SMTP service as user qmaild instead of root (which is more secure).

    I repeat... the issue I reported is happening on Centos 4.x with Plesk 8.4 and 8.6.

    Maybe the same versions of Plesk are working on other OSes!!!

    Thanks for your reply!

    Pietro.
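    An added audit script (not code from this thread or from Plesk) that checks what the two xinetd files above differ in: it flags any smtp/smtps service file whose "env" line lacks SMTPAUTH=1 or whose server_args does not run smtp_auth, which turns the delete-by-filename cron check from the first post into a content check that can alert instead. The sample files are constructed in a temp directory; the real ones live in /etc/xinetd.d.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: audit xinetd service
# files for the qmail SMTP auth settings compared above. A file counts as
# enforcing auth only when its "env" line carries SMTPAUTH=1 and its
# server_args runs smtp_auth. Sample files below are constructed.
# 0 = auth enforced, 1 = not enforced, 2 = file unreadable
audit_smtp_auth() {
    file="$1"
    [ -r "$file" ] || return 2
    env_val=$(sed -n 's/^[[:space:]]*env[[:space:]]*=[[:space:]]*//p' "$file")
    args_val=$(sed -n 's/^[[:space:]]*server_args[[:space:]]*=[[:space:]]*//p' "$file")
    case " $env_val " in *" SMTPAUTH=1 "*) ;; *) return 1 ;; esac
    case "$args_val" in */smtp_auth*) ;; *) return 1 ;; esac
    return 0
}

# Report every file in a directory that defines service smtp or smtps without
# auth; returns 1 if any was found, so a cron job can alert on it rather than
# deleting files by name.
find_unauthenticated_smtp() {
    dir="$1"; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*service[[:space:]]+smtps?[[:space:]]*$' "$f" || continue
        if ! audit_smtp_auth "$f"; then
            echo "open-relay risk: $f lacks SMTPAUTH=1 or smtp_auth"
            bad=1
        fi
    done
    return "$bad"
}
# Constructed samples: the "original" smtp_psa from post 4 (empty env) and
# the smtp_ok replacement from post 1, trimmed to the lines that matter.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smtp_psa" <<'EOF'
service smtp
{
env =
server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/true /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
}
EOF
cat > "$SAMPLE_DIR/smtp_ok" <<'EOF'
service smtp
{
env = SMTPAUTH=1 POPAUTH=1
server_args = /var/qmail/bin/tcp-env -R /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
}
EOF
find_unauthenticated_smtp "$SAMPLE_DIR" || echo "fix the files listed above"
```

    Pointed at /etc/xinetd.d from cron, a non-zero exit from find_unauthenticated_smtp is the signal that the control panel has rewritten a service file.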
  5. WaDavid

    WaDavid New Member

    Messages:
    51
    We run more than one Plesk server on Centos 4.x, in fact we have 5 of these left. We used to keep them on Plesk 8.2.1 but then upgraded to Plesk 8.6 and they still have the auth required:

    [root@control2 test]# cat /etc/xinetd.d/smtp_psa
    service smtp
    {
        socket_type = stream
        protocol = tcp
        wait = no
        disable = no
        user = root
        instances = UNLIMITED
        env = SMTPAUTH=1 POPLOCK_TIME=20
        server = /var/qmail/bin/tcp-env
        server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    }

    We make use of centralized mail servers via Expand however, so the qmail on each webserver is only used for sending mail out from the websites/webscripts, and it still requires auth unless the sender is from localhost.

    Are you sure it's not maybe something else that went wrong, i.e. a bad setting in the psa SQL DB somewhere?
  6. Redpitt

    Redpitt New Member

    Messages:
    6
    [SECURITY HOLE] Plesk SMTP Service (QMail) acts as an open relay

    Hello and thanks for your reply...

    When I change e-mail settings via the control panel Server -> Mail feature, the PSA DB gets updated accordingly.

    However, the xinetd config (even though the files' modification timestamps change) remains unsecured.
    We are not using Plesk Expand, but standalone mail servers!

    Thanks again.
    Redpitt.
  7. exi1ed0ne

    exi1ed0ne New Member

    Messages:
    39
    Hmmm. I'm not seeing this behavior with CentOS 4.X on Plesk 8.6.1 from my servers - SMTPAUTH is there, but POPLOCK is not - we don't allow pop-before-smtp. Could this be a permissions issue? You'd have to change a lot of stuff to get it to run as qmaild.
  8. WaDavid

    WaDavid New Member

    Messages:
    51
    Well here is something else interesting. We have another server installed since plesk 8.0 days and still 8.2.1 and it has quite a bit of a different config:

    However it still is not an open relay, for example as a test:

  9. Andy_N

    Andy_N New Member

    Messages:
    5
    Plesk 8.3.0 and qmail: SMTP auth not working

    I'm not happy to "resume" a very old post, but the problem is still here!

    I have a Plesk 8.3.0 panel with some domains and I have set "authorization is required: SMTP" in "Relay options" ("Server" tab). I have set up one mailbox and everything works, but if I try to access the server via telnet as shown in the first post I can get inside and send a mail to any of the active mail accounts with any data AND WITH NO PASSWORD.

    I've tried to rename "smtp_psa" and the other files stated to "... .XXX" and created new ones "smtp_ok" and so on... then restarted xinetd.d, but this doesn't fix anything.

    How can I force authentication for smtp?

    Thank you!
  10. Andy_N

    Andy_N New Member

    Messages:
    5
    (up) it seems to be an unrecognized bug

    I have the license bought via my hosting provider and it says it seems to be the normal behaviour! I don't think it's normal to behave as an open relay if I set authentication for SMTP... isn't there any way to solve this?

    I'd like to "lock" access to SMTP so that whenever a connection is made, a password is always required...
