QMail: Prevent relaying with a percent or exclamation mark

After setting up a QMail SMTP server, it seems some spammers found a way to relay through our host. Of course, I installed the rcpthosts file with a list of allowed domains, but somehow they got through.

This website helped a lot in locating the problem. The following sessions allowed relaying:

    >>> RSET
    <<< 250 flushed
    >>> MAIL FROM: <rlychk@example.com>
    <<< 250 ok
    >>> RCPT TO: <"rlytest%h.rbl.jp">
    <<< 250 ok

and

    >>> RSET
    <<< 250 flushed
    >>> MAIL FROM: <rlychk@example.com>
    <<< 250 ok
    >>> RCPT TO: <h.rbl.jp!rlytest>
    <<< 250 ok

Luckily, there is a patch available for QMail that fixes this. These are the instructions for a FreeBSD machine using the Ports system:

  1. Grab the patch from the qmail.org site.
  2. Rename it to patch-qmail-smtpd.c
  3. Put the file in /usr/ports/mail/qmail/files
  4. The usual:
    make && make deinstall && make reinstall && make clean
  5. Restart QMail and the relay holes should be closed now. You can use the website mentioned above to confirm this.
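To check a saved test session yourself, the following added example (not part of the original post or of the QMail patch) reads a transcript in the `>>>` / `<<<` format shown above and lists every RCPT TO with a `%` or `!` in its local part that the server accepted. It also covers the `user%host@domain` form, which goes beyond the two sessions on this page; the function names and the 553 reply of the patched case are assumptions.

```python
import re

# Recipient forms that ask the server to forward the mail elsewhere:
# the percent hack (user%host) and UUCP-style bang paths (host!user).
ROUTING_CHARS = ("%", "!")
RCPT_RE = re.compile(r"^RCPT TO:\s*<(.*)>\s*$", re.IGNORECASE)


def local_part(address):
    """Return the local part of an address, without surrounding quotes."""
    addr = address.strip()
    if addr.startswith('"'):
        # Quoted local part: "local"@domain or just "local".
        end = addr.find('"', 1)
        return addr[1:end] if end > 0 else addr[1:]
    return addr.rsplit("@", 1)[0] if "@" in addr else addr


def accepted_routed_recipients(transcript):
    """List (address, reply) pairs for routed RCPT TOs that got a 2xx reply."""
    findings = []
    pending = None  # address of the last RCPT TO still waiting for its reply
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith(">>>"):
            m = RCPT_RE.match(line[3:].strip())
            pending = m.group(1) if m else None
        elif line.startswith("<<<") and pending is not None:
            reply = line[3:].strip()
            routed = any(c in local_part(pending) for c in ROUTING_CHARS)
            if routed and reply.startswith("2"):
                findings.append((pending, reply))
            pending = None
    return findings


# RCPT exchanges taken from the two sessions shown on this page.
VULNERABLE = """\
>>> RCPT TO: <"rlytest%h.rbl.jp">
<<< 250 ok
>>> RCPT TO: <h.rbl.jp!rlytest>
<<< 250 ok
"""
# Constructed sample: the reply text of a patched server is an assumption.
PATCHED = VULNERABLE.replace("250 ok", "553 rejected")

if __name__ == "__main__":
    for addr, reply in accepted_routed_recipients(VULNERABLE):
        print("relay hole: <%s> accepted with '%s'" % (addr, reply))
    print("patched findings:", accepted_routed_recipients(PATCHED))
```

An empty result for a transcript recorded after the rebuild means none of the tested routed recipients were accepted.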

Update 2 October 2007:

Very important: don't enable the SMTP AUTH patch and then leave it unconfigured. This can and will be abused by spammers to relay through your server. Either disable the patch altogether or configure the authentication properly.