RCPT sending by telnet?

killmasta93

Aug 13, 2017
Hi,
I was wondering if this has happened to someone else before. I recently got an odd email which was spam; I was curious how it got by, and when I looked at the headers it seemed that it did not go through the filter. After doing these steps, it seems that the attacker was using telnet on port 25 to send the email. Is there a way to block that?
This is the PMG gateway
Code:
Return-Path: <test@mydomain.com>
X-Original-To: realusername@mydomain.com
Delivered-To: realusername@mydomain.com
Received: from mail.mylocaldomain.com.co (unknown [192.168.3.214])
    (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.mydomain.com (Postfix) with ESMTPS id AC836880403
    for <realusername@mydomain.com>; Wed,  1 Jan 2020 17:23:19 -0500 (COT)
Received: from mail.mylocaldomain.com.co (localhost.localdomain [127.0.0.1])
    by mail.mylocaldomain.com.co (Proxmox) with ESMTP id 3BF1641408
    for <realusername@mydomain.com>; Wed,  1 Jan 2020 17:24:43 -0500 (-05)
Received: from mail (mail.myotheremailserver.com [190.145.xx.xxx])
    by mail.mylocaldomain.com.co (Proxmox) with ESMTP id BEBF54119B
    for <realusername@mydomain.com>; Wed,  1 Jan 2020 17:24:22 -0500 (-05)
Message-Id: <20200101222443.3BF1641408@mail.mylocaldomain.com.co>
Date: Wed,  1 Jan 2020 17:24:43 -0500 (-05)
From: test@mydomain.com

tblashdfasdf


Code:
220-mail.mydomain.com.co mail.mydomain.com
ehlo mail
220 mail.mydomain.com.co mail.mydomain.com
250-mail.mydomain.com.co
250-PIPELINING
250-SIZE 50485760
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 SMTPUTF8
mail from:test@mydomain.com
250 2.1.0 Ok
rcpt to:realusername@mydomain.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
tblashdfasdf
.
250 2.0.0 Ok: queued as BEBF54119B
 
Hi,

"was curious how it went by when i saw the headers it seemed that did not go thought filter"
Why do you think that? (Proxmox) is in the headers.

"after doing these steps it seems that the attacker was using telnet 25 to send the email is there a way to block that?"
You cannot block telnet access to the SMTP port. All that telnet does is open a TCP stream and send/receive data (it doesn't matter which port).

You can limit access to the internal port to your trusted network.
 
Thanks for the reply. Correct, I know that port 25 has to be open and telnet can connect to it, but through RCPT I can fake an email and send it to any user without any bypass. On PMG I put the trusted network 192.168.3.0/24. I was reading about reject_sender_login_mismatch; I tried it on my Postfix server, and when I tried the RCPT I got: 553 5.7.1 <admin@myemailserver.net> Sender address rejected: not logged in

I tried adding it in the main.cf of PMG but it doesn't seem to work. I then tested adding
disable_vrfy_command = yes
just to see if it was picking up the changes, and it does disable VRFY.

Code:
smtpd_sender_restrictions =
        permit_mynetworks
        reject_sender_login_mismatch
        reject_non_fqdn_sender
        check_client_access     cidr:/etc/postfix/clientaccess
        check_sender_access     regexp:/etc/postfix/senderaccess
        check_recipient_access  regexp:/etc/postfix/rcptaccess
 
reject_sender_login_mismatch
This ACL is used only for authenticated clients (using SMTP-AUTH), something which PMG does not have by default.

In the whole thread I still don't see where the problem is: 'stopping telnet as client' is not possible, because if someone speaks correct SMTP with the Postfix installation, the mail will get treated as delivered.

Which mail got through but should not have gotten through? How do the logs for this mail look?
 
For SMTP-AUTH: I do not have an answer (never used it yet).

Stopping telnet on port 25 is not possible. This is based on TCP port basics: TCP uses "ports" and assigns one port per service. SMTP servers like Sendmail and Procmail open port 25 in "listening mode" to accept queries from "clients" like MS Outlook, Outlook Express and more.

Tip: Telnet software is for use with the Telnet protocol (TCP port 23), but can also be used to access a server on port 110 (POP3), 80 (HTTP), 21 (FTP) and others. This type of access is not illegal or suspicious. It is only a client communicating with a server.
 
@Stoiko Ivanov Thanks for the reply. As for telnet, I know that I cannot block it, but if you try the example from above, the mail goes through. This is the log:

Code:
Feb 25 08:35:08 mail postfix/qmgr[737]: 6484B1C14BE: removed
Feb 25 08:36:13 mail postfix/smtpd[13389]: lost connection after UNKNOWN from unknown[200.xx.xx.xxx]
Feb 25 08:36:13 mail postfix/smtpd[13389]: disconnect from unknown[200.xx.xx.xxx] ehlo=1 mail=1 rcpt=1 data=1 unknown=0/2 commands=4/6
Feb 25 08:36:22 mail postfix/postscreen[13304]: CONNECT from [200.xx.xx.xxx]:51613 to [192.168.3.101]:25
Feb 25 08:36:24 mail postfix/postscreen[13304]: PASS OLD [200.xx.xx.xxx]:51613
Feb 25 08:36:24 mail postfix/smtpd[13389]: warning: hostname xxxxxxx does not resolve to address 200.xx.xxx.xxx
Feb 25 08:36:24 mail postfix/smtpd[13389]: connect from unknown[200.xx.xx.xxx]
Feb 25 08:36:32 mail postfix/postscreen[13304]: COMMAND TIME LIMIT from [200.xx.xx.xxx]:9869 after HELO
Feb 25 08:36:32 mail postfix/postscreen[13304]: DISCONNECT [200.xx.xx.xxx]:9869
Feb 25 08:36:40 mail pmgpolicy[938]: starting policy database maintainance (greylist, rbl)
Feb 25 08:36:40 mail pmgpolicy[938]: end policy database maintainance (11 ms, 4 ms)
Feb 25 08:36:57 mail postfix/smtpd[13389]: C2FDD1C1496: client=unknown[200.xx.xx.xxx]
Feb 25 08:36:58 mail pmg-smtp-filter[9957]: starting database maintainance
Feb 25 08:36:58 mail pmg-smtp-filter[9957]: end database maintainance (198 ms)
Feb 25 08:37:05 mail postfix/cleanup[13427]: C2FDD1C1496: message-id=<>
Feb 25 08:37:05 mail postfix/qmgr[737]: C2FDD1C1496: from=<fakemail@mydomain.com>, size=204, nrcpt=1 (queue active)
Feb 25 08:37:05 mail pmg-smtp-filter[9963]: 2020/02/25-08:37:05 CONNECT TCP Peer: "[127.0.0.1]:42984" Local: "[127.0.0.1]:10024"
Feb 25 08:37:05 mail pmg-smtp-filter[9963]: 1E08AB5E552301AEAF6: new mail message-id=
Feb 25 08:37:06 mail pmg-smtp-filter[9963]: 1E08AB5E552301AEAF6: SA score=7/5 time=0.910 bayes=undefined autolearn=no autolearn_force=no hits=BODY_EMPTY(0.721),MISSING_DATE(1.396),MISSING_FROM(1),MISSING_HEADERS(1.207),MISSING_MID(0.14),MISSING_SUBJECT(1.767),RDNS_NONE(1.274),RELAYCOUNTRY_GOOD(-0.5),SPF_HELO_NONE(0.001),SPF_NEUTRAL(0.652)
Feb 25 08:37:06 mail pmg-smtp-filter[9963]: 1E08AB5E552301AEAF6: moved mail for <sistemas@mydomain.com> to spam quarantine - 1E08B35E552302A05F0 (rule: Quarantine/Mark Spam (Level 5))
Feb 25 08:37:06 mail pmg-smtp-filter[9963]: 1E08AB5E552301AEAF6: processing time: 1.124 seconds (0.91, 0.021, 0)
Feb 25 08:37:06 mail postfix/lmtp[13429]: C2FDD1C1496: to=<sistemas@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=16, delays=15/0.01/0/1.2, dsn=2.5.0, status=sent (250 2.5.0 OK (1E08AB5E552301AEAF6))
Feb 25 08:37:06 mail postfix/qmgr[737]: C2FDD1C1496: removed

I know that this time it got a 7, which went to spam, but it should have been blocked.

Thank you
 
This log uses different IPs than the one from the example above?!

In any case, the only thing that looks problematic about this mail is that it is sent from a host without a reverse pointer. Use the 'Reject unknown Clients' and 'Reject unknown Senders' features of the mail proxy configuration;
see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration

Additionally, consider publishing an SPF record for your domain with a hard fail policy (if this is possible); this should raise the SA score.
 
Thanks for the reply. Correct, I did another example, and yes, I grabbed another IP which does not have the correct PTR, which I guess is why the spam score was higher than the previous one. Adding 'reject unknown clients' and 'reject unknown senders' caused issues in the past, as sometimes other people's email servers don't even have the correct configuration to send mail, which is pretty sad.

As for the SPF hard fail policy: would it give a much higher score?

This is my SPF record currently

v=spf1 mx a ip4:200.116.xx.xxx
 
That's sadly the state of e-mail: you cannot prevent someone from trying to send you e-mail with a forged sender.

A very hard measure would be to create a rule where all inbound mail from your domain is blocked; however, in 99.9% of environments this will not work (because external sources send mail from your domain as well ...).

The SPF record would have a hard fail if it ends with -all.

However, SA for example also does not give too much weight to mails which come from a wrong IP for a domain with a hard SPF policy, because it's not a very good indicator of spam. Also note that certain legitimate mails from your domain (e.g. when you send to a mailing list which does not resend mail but bounces it to all subscribers) might get rejected.

I hope this helps!
 
PMG does not use SASL authentication; it is not meant for end-users to use it as an outbound mail server.

If you only send mail from your domain from a few servers/IPs, you can create a rule where all mail from your domain and those IPs is accepted and all other mail from your domain is blocked; however, this only works in very few environments (see the point about mailing lists).
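As an added illustration (not code from the thread or from PMG) of the two points above: the SPF record quoted earlier has no trailing -all, so a connection from a foreign IP evaluates to neutral (the SPF_NEUTRAL hit in the quoted log), while the same record with -all evaluates to fail; the second function encodes the "own domain only from trusted IPs" rule and shows the mailing-list false positive. The IP addresses, the trusted-host set and the mx/a resolutions are assumed placeholders, since the thread's values are redacted.

```python
import ipaddress

# Constructed stand-in data (not from the thread): this address replaces the redacted
# ip4:200.116.xx.xxx, and the "mx" and "a" mechanisms are assumed to resolve to it.
OWN_MX_IP = "203.0.113.25"
SPF_WITHOUT_ALL = "v=spf1 mx a ip4:203.0.113.25"      # shape of the record in the thread
SPF_HARD_FAIL = "v=spf1 mx a ip4:203.0.113.25 -all"   # same record with a hard fail
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Assumed: the few hosts allowed to use sender addresses in our own domain.
TRUSTED_SENDER_IPS = {OWN_MX_IP}


def evaluate_spf(record, client_ip, mx_ips=(OWN_MX_IP,), a_ips=(OWN_MX_IP,)):
    """Evaluate the mx/a/ip4/all mechanisms of an SPF record for one client IP.

    Simplified: no include/redirect/exists, and mx/a results are passed in rather
    than resolved. The first matching mechanism decides; with no match and no
    explicit 'all' the result is neutral, which is what a record without -all gives
    a forged sender connecting from an unrelated IP."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        matched = (
            mechanism == "all"
            or (mechanism == "ip4" and ip in ipaddress.ip_network(argument, strict=False))
            or (mechanism == "mx" and client_ip in mx_ips)
            or (mechanism == "a" and client_ip in a_ips)
        )
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def own_domain_policy(sender, client_ip, own_domain="mydomain.com"):
    """The rule described above: mail claiming our own domain is accepted only from
    the trusted IPs and rejected from anywhere else; other domains pass through."""
    if sender.lower().endswith("@" + own_domain):
        return "accept" if client_ip in TRUSTED_SENDER_IPS else "reject"
    return "accept"


if __name__ == "__main__":
    forged = "198.51.100.7"  # constructed: a telnet client forging test@mydomain.com
    print(evaluate_spf(SPF_WITHOUT_ALL, forged), evaluate_spf(SPF_HARD_FAIL, forged))
    # Mailing-list case: a legitimate post from our domain relayed by the list server's
    # IP is rejected by the rule, which is the false positive the thread warns about.
    print(own_domain_policy("test@mydomain.com", forged), own_domain_policy("user@mydomain.com", "192.0.2.50"))
```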
 
Thanks for the reply. So if I understood correctly, I would add the IP of my email server so that mail from my domain is allowed in only from it?
Or block all mail from mydomain.com, because everything that we send internally does not go through PMG?
 
You can try that; however, this really only works in very few setups (e.g. if one of your e-mail addresses is subscribed to a mailing list and posts to this list).
I think this will lead to many false positives.
 