[wplug] figuring out where mail sent from your box came from

Bill Moran wmoran at potentialtech.com
Fri Nov 18 11:14:57 EST 2005


Russ Schneider <russ at sugapablo.com> wrote:

> On Fri, 18 Nov 2005 smk at fyi.net wrote:
> 
> > Do you have a web server running? It sounds like it could be a formmail or
> > like script that somebody is using as an open relay.  In that case, I
> > would check with your web servers access logs.  The postfix logs should
> > help you pin down a time.
> 
> I thought about this, and this is what I'm trying to figure out.
> 
> I do have this as a webserver (apache) and have postfix running on it.  
> Mainly so web applications can send mail (so I do need to be able to send 
> mail from the box to the outside world).
> 
> I had port 25 open incoming, but just blocked that until I can clamp this 
> down more.
> 
> As for an open relay, I thought I had prevented this with the following 
> line in the main.cf file:
> 
> relay_domains = sugapablo.net, www.sugapablo.net, sony.sugapablo.net
>
> and out of these three, I didn't have any uncommented, so I'm not sure 
> what it was defaulting to:
> 
> #mynetworks_style = class
> #mynetworks_style = subnet
> #mynetworks_style = host

Host makes the most sense, and I believe it's the default.

However, none of these will be used unless your restrictions are set up
to use them.  What do config options of the form *_restrictions = say
in your configuration?

It's fairly easy to accidentally set up your restrictions so it doesn't
do what you think.  Once you've got it set up, you should always use
some sort of external test to ensure that it's actually working as you
want.

You'll need to check the logs to ensure that there aren't any web forms
being abused.  It's fairly easy to misprogram a web form and allow people
to relay mail via your web server.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
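One way to do the log check suggested above, as an added example that is not part of the original thread: match postfix pickup entries submitted under the web server's uid against POST requests in the Apache access log, and total the recipients per client and script. It assumes combined-format Apache logs, syslog-format postfix logs, uid 33 for the web server user (www-data on Debian), and the constructed sample lines embedded below.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample lines for illustration; not taken from the thread.
APACHE_LOG = """\
203.0.113.5 - - [18/Nov/2005:10:02:11 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Nov/2005:10:02:20 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Nov/2005:10:02:31 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""
POSTFIX_LOG = """\
Nov 18 10:02:12 www postfix/pickup[1201]: 4F2A1B3C9D: uid=33 from=<www-data>
Nov 18 10:02:12 www postfix/qmgr[1202]: 4F2A1B3C9D: from=<www-data@mail.example.net>, size=1432, nrcpt=38 (queue active)
Nov 18 10:02:32 www postfix/pickup[1201]: 7A8B9C0D1E: uid=33 from=<www-data>
Nov 18 10:02:32 www postfix/qmgr[1202]: 7A8B9C0D1E: from=<www-data@mail.example.net>, size=1420, nrcpt=41 (queue active)
Nov 18 10:05:00 www postfix/pickup[1201]: 2C3D4E5F6A: uid=0 from=<root>
"""
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PICKUP_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: (\w+): uid=(\d+)')
QMGR_RE = re.compile(r'postfix/qmgr\[\d+\]: (\w+): from=<[^>]*>, size=\d+, nrcpt=(\d+)')

def parse_apache_posts(text):
    """(timestamp, client_ip, path) for every POST in a combined-format access log."""
    posts = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m and m.group(3) == "POST":
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            posts.append((ts, m.group(1), m.group(4)))
    return posts

def parse_web_submissions(text, web_uid="33", year=2005):
    """(timestamp, queue_id, nrcpt) for mail the web server uid handed to postfix's sendmail.
    Assumes uid 33 (www-data); syslog lines carry no year, so one is supplied."""
    pickups, nrcpt = {}, {}
    for line in text.splitlines():
        m = PICKUP_RE.match(line)
        if m and m.group(3) == web_uid:
            pickups[m.group(2)] = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        m = QMGR_RE.search(line)
        if m:
            nrcpt[m.group(1)] = int(m.group(2))
    return [(ts, qid, nrcpt.get(qid, 0)) for qid, ts in pickups.items()]

def correlate(posts, submissions, window=timedelta(seconds=5)):
    """Credit each web-originated message's recipients to POSTs made up to `window` before pickup."""
    hits = Counter()
    for ts, _qid, n in submissions:
        for pts, ip, path in posts:
            if timedelta(0) <= ts - pts <= window:
                hits[(ip, path)] += n
    return hits  # {(client_ip, script_path): recipients_sent}
```

A script that keeps showing up next to pickups with large nrcpt values, from a client that never loads the page the form lives on, is the one to look at first.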