The FreeBSD Diary

FreeBSD Support
 smtp - qmail
Author: Aaron 
Date:   04-12-02 14:07

Hi

I run qmail with vpopmail and tcpserver. Yesterday I started to get three or more of these processes constantly: /var/qmail/bin/qmail-smtpd, and I noticed that it's eating up my incoming bandwidth. I think it was a user that was trying to use their website and my SMTP to relay files somehow. I closed their account and shut down the mail server. I deleted the queue and started it back up. All was good for a while, then the processes came back. I checked the qmail logs, which don't show any activity. It's like someone is sending packets through to my SMTP to use my bandwidth.

I did a netstat -a, which shows:

tcp4 0 56 myserver.smtp 64.94.178.15.14673 ESTABLISHED
tcp4 0 49 myserver.smtp 64.94.178.15.14574 FIN_WAIT_1
tcp4 0 49 myserver.smtp 64.94.178.15.14573 FIN_WAIT_1

I did a trace on IP 64.94.178.15 with no results. It's like it's not in use.

If anyone has any ideas, please reply.

Best Regards

Aaron

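The netstat lines quoted above are the evidence that matters: the same remote address holds several sockets to the local smtp port at once. As an added example (not from the original post), the script below parses FreeBSD-style `netstat -a` TCP rows, counts connections per remote host to a given local service, and prints the ipfw deny rule a later reply suggests. The sample rows are constructed; the first three copy the post, the rest (192.0.2.44, 198.51.100.7, the listening socket) are made up to show what must not be counted.

```python
"""Find the remote host tying up qmail-smtpd in `netstat -a` output."""
from collections import Counter

# Constructed sample in the format FreeBSD `netstat -a` prints for TCP
# (proto, recv-q, send-q, local address, foreign address, state). The first
# three rows are the ones quoted in the post; the others are made up.
SAMPLE = """\
tcp4       0     56  myserver.smtp          64.94.178.15.14673     ESTABLISHED
tcp4       0     49  myserver.smtp          64.94.178.15.14574     FIN_WAIT_1
tcp4       0     49  myserver.smtp          64.94.178.15.14573     FIN_WAIT_1
tcp4       0      0  myserver.smtp          192.0.2.44.4021        ESTABLISHED
tcp4       0      0  myserver.ssh           198.51.100.7.55123     ESTABLISHED
tcp4       0      0  *.smtp                 *.*                    LISTEN
"""


def parse_netstat(text):
    """Return (local_service, remote_host, remote_port, state) per tcp4 row.

    netstat joins host and port with a dot, so the port is whatever follows
    the last dot and the host is the rest. Listening sockets (*.*) are skipped.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp4":
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if foreign == "*.*":
            continue
        remote_host, _, remote_port = foreign.rpartition(".")
        _, _, local_service = local.rpartition(".")
        rows.append((local_service, remote_host, remote_port, state))
    return rows


def connections_by_remote(text, service="smtp"):
    """Count connections to one local service per remote host, any state.

    FIN_WAIT_1 sockets still belong to a qmail-smtpd process, so they count.
    """
    counts = Counter()
    for local_service, remote_host, _, _ in parse_netstat(text):
        if local_service == service:
            counts[remote_host] += 1
    return counts


def suspects(text, service="smtp", threshold=3):
    """Remote hosts with at least `threshold` connections, busiest first."""
    counts = connections_by_remote(text, service)
    return [host for host, n in counts.most_common() if n >= threshold]


def ipfw_deny_rule(host, number=64000):
    """The full ipfw command for the deny rule suggested in the thread.

    Rule 64000 sorts before the 65000 allow-all in the posted ruleset, and
    ipfw stops at the first match, so traffic from `host` never reaches it.
    """
    return f"ipfw add {number} deny ip from {host} to any"


if __name__ == "__main__":
    for host in suspects(SAMPLE):
        print(host, connections_by_remote(SAMPLE)[host], ipfw_deny_rule(host))
```

Run it against real output with `netstat -an | python3 this.py` after swapping SAMPLE for `sys.stdin.read()`; `-n` keeps addresses numeric so the rule it prints can be pasted as is. The threshold of 3 is an assumption matching what the post saw; pick one above what a legitimate client does.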
 Re: smtp - qmail
Author: Aaron 
Date:   04-12-02 14:24

Hi

I have just the basic firewall setup:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any

What rule command could I type in to block TCP from 64.94.178.15?

Thanks for any advice.

Aaron

 Re: smtp - qmail
Author: .daniel.schrock 
Date:   04-12-02 14:39

64000 deny ip from 64.94.178.15 to any

 Re: smtp - qmail
Author: bb 
Date:   04-12-02 15:27

Just wondering about deny-all type rules like this:

I usually place rules of this sort near the top of my ruleset. Which is better, or does it not matter much?

 Re: smtp - qmail
Author: fianna 
Date:   04-12-02 17:52

I don't use qmail, I use sendmail... but it sounds like an open relay problem. How many virtual domain names are you hosting? Are you relaying for those domains and just those users, or are you relaying for everyone and their mother? If you give me the exact domain (host.domain.com) I can test it for you. You also might want to go over your security logs. I've seen this before: what happens is they flood your mail server with all types of email, and the email addresses that don't exist are the ones that f' you up, because your mail server is constantly looking for that address for a time defaulted or set by you, which is a long a$$ time in mail land...

 Re: smtp - qmail
Author: .daniel.schrock 
Date:   04-12-02 21:28

It depends on what you are using. If I remember correctly, ipfw doesn't continue after it finds a matching rule, so a deny all at the top will match everything and you will be stuck without access.

ipf (and pf) will continue parsing the rules, looking for a more specific match, unless you give it the 'quick' option, which tells it to ignore everything else. This is the rule to follow.

But even ipf and pf differ slightly in this: in ipf, block all is at the bottom of the ruleset; in pf, block all is the first rule after the scrub and nat rules.

IMO, ipf should be replaced with pf on FreeBSD as well.

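The ordering question bb raised and the answer above (ipfw stops at the first matching rule; ipf and pf take the last match unless a rule is marked quick) are easy to get wrong in practice, so here is an added simulation, not code from the thread or from any of the firewalls, that evaluates small rulesets under both semantics. It models only the source address and the allow/deny decision (no direction, interface, protocol or state), which is enough to show why a deny-all at the top locks you out under ipfw but not under pf, and why blocking one host under last-match semantics needs quick. The second address, 198.51.100.7, is a constructed stand-in for a legitimate client.

```python
"""Simulate ipfw first-match versus ipf/pf last-match (plus quick) ordering."""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    action: str          # "allow"/"pass" or "deny"/"block"
    src: str             # source network in CIDR form, or "any"
    quick: bool = False  # ipf/pf only: a matching quick rule ends evaluation


def _matches(rule, src_ip):
    if rule.src == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)


def _norm(action):
    return "deny" if action in ("deny", "block") else "allow"


def ipfw_decide(rules, src_ip, default="deny"):
    """ipfw: the first matching allow/deny rule decides; nothing later is read.
    With no match the stock rule 65535 deny applies (the default parameter)."""
    for rule in rules:
        if _matches(rule, src_ip):
            return _norm(rule.action)
    return default


def ipf_decide(rules, src_ip, default="allow"):
    """ipf and pf: the last matching rule decides, unless a matching rule is
    marked quick, which makes it final. With no match both pass by default."""
    decision = default
    for rule in rules:
        if _matches(rule, src_ip):
            decision = _norm(rule.action)
            if rule.quick:
                break
    return decision


ABUSER = "64.94.178.15"     # the address from the thread
CUSTOMER = "198.51.100.7"   # constructed legitimate client

# Aaron's ruleset with the suggested rule 64000 inserted ahead of 65000 allow.
IPFW_WITH_BLOCK = [Rule("deny", "64.94.178.15/32"), Rule("allow", "any")]

# bb's question: a deny-all placed at the top, followed by the allow-all.
DENY_ALL_ON_TOP = [Rule("deny", "any"), Rule("allow", "any")]

# ipf convention from the reply: quick passes first, block all at the bottom.
IPF_BLOCK_ALL_LAST = [Rule("pass", "198.51.100.0/24", quick=True),
                      Rule("block", "any")]

# pf convention from the reply: block all first, then the passes.
PF_BLOCK_ALL_FIRST = [Rule("block", "any"), Rule("pass", "198.51.100.0/24")]

# Knocking out one host under last-match semantics needs quick; without it
# the later pass-all silently overrides the block.
PF_QUICK_BLOCK = [Rule("block", "64.94.178.15/32", quick=True), Rule("pass", "any")]
PF_BLOCK_NO_QUICK = [Rule("block", "64.94.178.15/32"), Rule("pass", "any")]


if __name__ == "__main__":
    cases = [("ipfw, block at 64000", ipfw_decide, IPFW_WITH_BLOCK),
             ("ipfw, deny all on top", ipfw_decide, DENY_ALL_ON_TOP),
             ("pf, deny all on top", ipf_decide, DENY_ALL_ON_TOP),
             ("ipf, block all last", ipf_decide, IPF_BLOCK_ALL_LAST),
             ("pf, block all first", ipf_decide, PF_BLOCK_ALL_FIRST),
             ("pf, quick block", ipf_decide, PF_QUICK_BLOCK),
             ("pf, block without quick", ipf_decide, PF_BLOCK_NO_QUICK)]
    for name, decide, rules in cases:
        print(f"{name:26} abuser={decide(rules, ABUSER):5} customer={decide(rules, CUSTOMER)}")
```

The practical reading for the thread: under ipfw the deny rule only has to carry a lower number than the allow it must beat (64000 before 65000); under pf or ipf the same one-host block must either carry quick or sit after every pass that would otherwise match the same traffic.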
 Re: smtp - qmail
Author: Aaron 
Date:   05-12-02 00:06

Thanks for your help daniel :)

 Re: smtp - qmail
Author: Aaron 
Date:   05-12-02 00:14

Well, it wasn't an open relay, but I'm not sure what they were trying to do. While I was waiting for replies from here I finally got a trace off the IP and found the owner of the company. I called them, and within an hour the incoming SMTP bandwidth stopped. I have 120 hosting customers on that box, so I can at least sleep tonight :)

I have to putz around with firewalls more. I could have stopped it right off the bat if I knew more about them. Well, I did know about the command Daniel showed me above, but it's been so long since I messed around with that, I forgot the rule. I will write that down for future needs.

Question.

#64000 deny ip from 64.94.178.15 to any

At the command prompt, is there anything before 64000 to start off the command? Sorry, but I'm a noob when it comes to firewalls.

Aaron

 Re: smtp - qmail
Author: fianna 
Date:   06-12-02 16:49

What's up Aaron... I don't usually do it from the command line; I have my firewall in ipfw.rules, but you can just edit rc.firewall and then use the command /etc/netstart... I have a question for Dan... when you're writing your firewalls (which I have been doing for a while, so I don't consider myself dumb in this area), why is it that the defaults for deny are put on the bottom? Wouldn't you think it better to put them on top? I don't do this but I'm wondering about the reason why... glad to hear it's not an open relay...
fianna

 Re: smtp - qmail
Author: bb 
Date:   06-12-02 21:19

I meant a deny-all-IP-packets rule for a certain IP or IP range, obviously.

And I do place those types of rules at the top.

I've been meaning to try another type of firewall besides ipfw, but I haven't yet.
