How to fix error "server is open relay"

Dartem

New Member
Dec 14, 2023
Hi. Please help me.

I installed PMG with default settings and set the default relay (my mail server's IP address), the domain of my mail server, networks, and relay port. I enabled TLS. My emails work well, but an SMTP check service tells me "server is open relay". I tried sending test mail from domains different from my relay domain (in the mail proxy config) and they were accepted/delivered. How do I fix this? How can I close the open relay?
 
please share the logs of such a mail that goes through, but should not go through.

keep in mind that PMG will accept mail for all destinations when the connection comes from a trusted network
 
These emails should not have been sent. Because these are completely different domains and addresses. So why do they pass?

Thus, anyone can forward an email through my pmg. I've already been spammed with one copy. It's good that I had a bachelor's degree.
 
please share the logs - as text - either open the lines in the Tracking center - or take the logs from `journalctl` - see `man journalctl`
also share the contents of /etc/pmg/mynetworks
 
2023-12-14T17:31:55.075274+00:00 daa-proxmox-mail-gateway postfix/smtpd[1431]: connect from localhost[127.0.0.1]
2023-12-14T17:31:55.827170+00:00 daa-proxmox-mail-gateway postfix/smtpd[1431]: C9EB21E0E4C: client=localhost[127.0.0.1]
2023-12-14T17:31:56.317573+00:00 daa-proxmox-mail-gateway postfix/cleanup[1435]: C9EB21E0E4C: message-id=<20231214173155.C9EB21E0E4C@pmg.energonom.com>
2023-12-14T17:31:56.344683+00:00 daa-proxmox-mail-gateway postfix/qmgr[649]: C9EB21E0E4C: from=<dorohovy2012@gmail.com>, size=722, nrcpt=1 (queue active)
2023-12-14T17:31:56.395082+00:00 daa-proxmox-mail-gateway pmg-smtp-filter[744]: 1E0FAB657B3C0C5F800: new mail message-id=<20231214173155.C9EB21E0E4C@pmg.energonom.com>#012
2023-12-14T17:31:56.637111+00:00 daa-proxmox-mail-gateway postfix/smtpd[1431]: disconnect from localhost[127.0.0.1] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2023-12-14T17:31:56.766923+00:00 daa-proxmox-mail-gateway pmg-smtp-filter[744]: 1E0FAB657B3C0C5F800: SA score=1/5 time=0.356 bayes=undefined autolearn=disabled hits=ALL_TRUSTED(-1),DKIM_ADSP_CUSTOM_MED(0.001),FORGED_GMAIL_RCVD(1),FREEMAIL_ENVFROM_END_DIGIT(0.25),FREEMAIL_FROM(0.001),INVALID_DATE(0.432),INVALID_DATE_TZ_ABSURD(0.632),KAM_DMARC_STATUS(0.01),T_SCC_BODY_TEXT_LINE(-0.01)
2023-12-14T17:31:56.768726+00:00 daa-proxmox-mail-gateway postfix/smtpd[1463]: connect from localhost[127.0.0.1]
2023-12-14T17:31:56.769425+00:00 daa-proxmox-mail-gateway postfix/smtpd[1463]: BBCB41E0FAC: client=localhost[127.0.0.1], orig_client=localhost[127.0.0.1]
2023-12-14T17:31:56.811165+00:00 daa-proxmox-mail-gateway postfix/cleanup[1435]: BBCB41E0FAC: message-id=<20231214173155.C9EB21E0E4C@pmg.energonom.com>
2023-12-14T17:31:56.835739+00:00 daa-proxmox-mail-gateway postfix/qmgr[649]: BBCB41E0FAC: from=<dorohovy2012@gmail.com>, size=1661, nrcpt=1 (queue active)
2023-12-14T17:31:56.835961+00:00 daa-proxmox-mail-gateway postfix/smtpd[1463]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2023-12-14T17:31:56.836218+00:00 daa-proxmox-mail-gateway pmg-smtp-filter[744]: 1E0FAB657B3C0C5F800: accept mail to <doroh0v@mail.ru> (BBCB41E0FAC) (rule: default-accept)
2023-12-14T17:31:56.847292+00:00 daa-proxmox-mail-gateway pmg-smtp-filter[744]: 1E0FAB657B3C0C5F800: processing time: 0.445 seconds (0.356, 0.015, 0)
2023-12-14T17:31:56.847483+00:00 daa-proxmox-mail-gateway postfix/lmtp[1458]: C9EB21E0E4C: to=<doroh0v@mail.ru>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.76/0/0.05/0.46, dsn=2.5.0, status=sent (250 2.5.0 OK (1E0FAB657B3C0C5F800))
2023-12-14T17:31:56.847516+00:00 daa-proxmox-mail-gateway postfix/qmgr[649]: C9EB21E0E4C: removed
2023-12-14T17:31:56.967033+00:00 daa-proxmox-mail-gateway postfix/smtp[1464]: Trusted TLS connection established to mxs.mail.ru[217.69.139.150]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
2023-12-14T17:31:57.580175+00:00 daa-proxmox-mail-gateway postfix/smtp[1464]: BBCB41E0FAC: to=<doroh0v@mail.ru>, relay=mxs.mail.ru[217.69.139.150]:25, delay=0.81, delays=0.07/0/0.21/0.54, dsn=2.0.0, status=sent (250 OK id=1rDpYz-001IJK-0O)
2023-12-14T17:31:57.580383+00:00 daa-proxmox-mail-gateway postfix/qmgr[649]: BBCB41E0FAC: removed
 
these logs are lacking the initial connect from the outside - or else they originated on your PMG - how did you send this mail?
if you did not send it - check if your PMG has been compromised?
 
This email was sent through the service to check for an open relay.
I tried this - but it seems not to adhere to smtp-protocol standards:
Code:
R: 220-proxmox-new.maurer-it.com ESMTP Proxmox
S: HELO appriver.com
R: 250 pmg.test.com
S: MAIL FROM: <sender@gmail.com>
R: 250 2.1.0 Ok
S: RCPT TO: <receiver@test.domaint>
R: 550 5.5.1 Protocol error
 
Have you tried to forward the email through my server?

My pmg configuration is standard. I voiced it. I can dump the config.
 
Have you tried to forward the email through my server?
no - I don't know where your server is - I just tried to see what this testing tool does - and it seems to not work according to SMTP-standards

If possible try this test again - and post the complete logs from 5 minutes before you try to after the error is shown to you....
 
Any test shows that my server is an open relay. How can I fix this? Is there a parameter in the config that forcibly disables this? How exactly do I find out if the relay is open or not?
 
Any test shows that my server is an open relay. How can I fix this? Is there a parameter in the config that forcibly disables this? How exactly do I find out if the relay is open or not?
This is really odd - to do so in PMG you would need to modify the postfix configuration (and even there postfix will warn in most common misconfigurations) - or add 0.0.0.0/0 to the trusted networks (and then this would only work on the internal port)

one thing that could be the culprit:
* is your PMG maybe behind a firewall/NAT device, which also rewrites the source-address - so that the connections look like they're coming from your internal network?

EDIT: also please post the complete logs of this test you showed above as text in code tags
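
The trusted-network and NAT points raised in the replies above can be checked against the logs; this is an added example, not part of the original thread and not Proxmox code. The network list, relay domain, log lines and function names are constructed assumptions. It flags trusted networks as wide as 0.0.0.0/0 and lists messages that were accepted from a trusted client although neither sender nor recipient belongs to a relay domain.

```python
import ipaddress
import re

# Constructed inputs (not from the thread): trusted networks in the format of
# /etc/pmg/mynetworks, the relay domain, and postfix log lines.
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]
RELAY_DOMAINS = {"example.com"}
LOG = """\
2023-12-14T18:00:01+00:00 pmg postfix/smtpd[2001]: 4A1B21E0E4C: client=unknown[192.168.1.1]
2023-12-14T18:00:02+00:00 pmg postfix/qmgr[649]: 4A1B21E0E4C: from=<a@example.org>, size=700, nrcpt=1 (queue active)
2023-12-14T18:00:03+00:00 pmg postfix/lmtp[2003]: 4A1B21E0E4C: to=<b@example.net>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
2023-12-14T18:00:03+00:00 pmg postfix/smtpd[2004]: 5C2D31E0FAC: client=localhost[127.0.0.1], orig_client=unknown[192.168.1.1]
2023-12-14T18:05:01+00:00 pmg postfix/smtpd[2001]: 6E3F41E0AAA: client=mx.example.org[198.51.100.7]
2023-12-14T18:05:02+00:00 pmg postfix/qmgr[649]: 6E3F41E0AAA: from=<c@example.org>, size=700, nrcpt=1 (queue active)
2023-12-14T18:05:03+00:00 pmg postfix/lmtp[2003]: 6E3F41E0AAA: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
2023-12-14T18:09:01+00:00 pmg postfix/smtpd[2001]: 7A4B51E0BBB: client=unknown[192.168.1.20]
2023-12-14T18:09:02+00:00 pmg postfix/qmgr[649]: 7A4B51E0BBB: from=<user@example.com>, size=700, nrcpt=1 (queue active)
2023-12-14T18:09:03+00:00 pmg postfix/lmtp[2003]: 7A4B51E0BBB: to=<d@example.net>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
"""

CLIENT = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=[^\[\s]*\[([0-9a-fA-F.:]+)\]")
ADDR = re.compile(r"postfix/\w+\[\d+\]: (\w+): (from|to)=<[^>]*@([^>]+)>")

def broad_networks(nets, min_prefix=8):
    """Trusted networks wider than /min_prefix, such as 0.0.0.0/0."""
    return [n for n in nets
            if ipaddress.ip_network(n, strict=False).prefixlen < min_prefix]

def trusted_relays(log, nets, relay_domains):
    """Map queue ID -> client IP for mail accepted from a trusted client
    where neither the sender nor any recipient domain is a relay domain."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in nets]
    msgs = {}
    for line in log.splitlines():
        m = CLIENT.search(line)
        if m and "orig_client=" not in line:  # skip re-injection by the filter
            ip = ipaddress.ip_address(m.group(2))
            if any(ip in n for n in trusted):
                msgs[m.group(1)] = {"client": str(ip), "from": set(), "to": set()}
        m = ADDR.search(line)
        if m and m.group(1) in msgs:
            msgs[m.group(1)][m.group(2)].add(m.group(3).lower())
    # The sender domain can be forged, so this is a triage aid, not a verdict.
    return {q: v["client"] for q, v in msgs.items()
            if v["to"] and not (v["from"] | v["to"]) & relay_domains}
```

If the reported client address turns out to be the firewall or NAT device, every outside connection is arriving with a trusted source address.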
 
