• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk SMTP Service (QMail) acts as an open relay

R

Redpitt

Guest
Hi all!

I've verified that after upgrading to Plesk 8.4 (the issue is present in Plesk 8.6 too), the SMTP server acts as an open relay.

I'm using Plesk 8.4 and Plesk 8.6 on Centos 4.x operating system.
Plesk upgrades are made via the autoinstaller command-line utility downloaded from Parallels site.

Users are able to use the mail server with any valid BASE64 login header (containing valid or invalid credentials) or WITHOUT sending these headers at all (toggling off SMTP authentication on their mail user agents).

I've tried to reconfigure the mail service via the "Server -> Mail" section in the control panel with no success.
Moreover, I've tried to correct the problem by calling "mailmng" and "mchk" command-line utilities, but that didn't solve the problem.

It seems to me that there's no way out to solve the security issue through the control panel, so I've decided to publish here a workaround to secure your mail servers waiting for Parallels to identify the problem and study a solution for it.

1. change directory to "/etc/xinetd.d"
2. create a file named "smtp_ok"

copy the following content into that file:

service smtp
{
flags = REUSE NAMEINARGS
socket_type = stream
protocol = tcp
wait = no
user = qmaild
server = /usr/sbin/tcpd
env = SMTPAUTH=1 POPAUTH=1
server_args = /var/qmail/bin/tcp-env -R /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
}

3. save and close the file
4. create a file named smtps_ok
5. copy the following content into that file:

service smtps
{
flags = REUSE NAMEINARGS
socket_type = stream
protocol = tcp
wait = no
user = qmaild
server = /usr/sbin/tcpd
env = SMTPAUTH=1 POPAUTH=1
server_args = /var/qmail/bin/tcp-env -R /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
}

6. remove the following files: "smtp_psa", "smtps_psa", "submission.psa"
7. restart xinetd by typing "/etc/init.d/xinetd restart"

This fix should let you secure your MTA. Now we have to check that it remains secure... for this purpose I've created a shell script and put a new cronjob that runs each minute (you can increase this value, but I suggest it should be less than 5 minutes).

This is needed because the plesk admin user can modify mail settings via the control panel and recreate the security hole.
With this script we continuosly check if the control panel modify the SMTP and SMTPS services configuration and restore authentication, disabling unwanted message submission.


To create this script you have to:

1. change directory to "/root"
2. create a file named "check_xinetd.sh"
3. copy the following content into that file:

#!/bin/bash

USER=root
SHELL=/bin/bash
HOME=/root

export USER SHELL HOME

RELOAD=0

cd /etc/xinetd.d

if [ -f /etc/xinetd.d/smtp_psa ]; then
rm -f /etc/xinetd.d/smtp_psa
let RELOAD=1
fi;

if [ -f /etc/xinetd.d/smtps_psa ]; then
rm -f /etc/xinetd.d/smtps_psa
let RELOAD=1
fi;

if [ "$RELOAD" == "1" ]; then
/etc/init.d/xinetd reload
fi

exit 0


4. make the script executable by typing "chmod 0700 check_xinetd.sh"
5. run "crontab -e"
6. your preferred editor opens: just put the following line at the end of the crontab file

0-59 * * * * /root/check_xinetd.sh

7. save and close the editor... you should see the message "installing new crontab"...

Good work! Your server is now fully secured...

Feedbacks welcome!
Thanks for your attention.

Redpitt.
 
[SECURITY HOLE] Plesk SMTP Service (QMail) acts as an open relay -- NOTICE

Just to be more clear... :)

I've heard that there are security issues when NOT setting "use full mail names in authentication" in the "Server -> Mail" control panel.

I would like to inform you that our ISP is having problems on all plesk server even if we are correctly using that option.

Thanks again for your attention.
Redpitt.
 
The only difference I see is the addition of "flags = REUSE NAMEINARGS" in the xined config. What does that do, and why does it stop open relaying? My server is not an open relay without that bit, so I'm wondering what is the reasoning behind the change.
 
I post in the forum the wrong (original) file for SMTP service

Hi Andy,

the following is the content of the original file for the SMTP service in /etc/xinetd.d:

service smtp
{
socket_type = stream
protocol = tcp
wait = no
disable = no
user = root
instances = UNLIMITED
env =
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/true /var/qmail/bin/smtp_auth /var/qmail/bin/cmd5checkpw
}

As you can see, in the "env" variable are missing the "SMTPAUTH=1" and "POPAUTH=1" directives...

Moreover, in the file I've modified and posted yesterday, I run the SMTP service as user qmaild, instead of root (that is more secure).

I repeat... the issue I reported is happening on Centos 4.x with Plesk 8.4 and 8.6.

Maybe the same versions of Plesk are working on other OSes!!!

Thanks for your reply!

Pietro.
 
We run more than on Plesk server on Centos 4.x, in fact we have 5 of these left. We used to keep them on Plesk 8.2.1 but then upgraded to plesk 8.6 and they still have the auth required:

[root@control2 test]# cat /etc/xinetd.d/smtp_psa
service smtp
{
socket_type = stream
protocol = tcp
wait = no
disable = no
user = root
instances = UNLIMITED
env = SMTPAUTH=1 POPLOCK_TIME=20
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}

We make use of Centralized mail servers via expand however, so the qmail on each webserver is only used for sending mail out from the websites/webscripts and it still requires auth unless if the sender is from localhost.

You sure its not maybe something else that went wrong, ie a bad setting in the psa sql db somewhere?
 
[SECURITY HOLE] Plesk SMTP Service (QMail) acts as an open relay

Hello and thanks for your reply...

When I change e-mail settings via the control panel Server -> Mail feature, the PSA DB gets updated accordingly.

However xinetd config (even if files modification timestamp changes) remains unsecured.
We are not using Plesk Expand, but standalone mail servers!

Thanks again.
Redpitt.
 
Hmmm. I'm not seeing this behavior with CentOS 4.X on Plesk 8.6.1 from my servers - SMTPAUTH is there, but POPLOCK is not - we don't allow pop-before-smtp. Could this be a permissions issue? You'd have to change a lot of stuff to get it to run as qmaild.
 
Well here is something else interesting. We have another server installed since plesk 8.0 days and still 8.2.1 and it has quite a bit of a different config:

[root@plesk1 ~]# cat /etc/xinetd.d/smtp_psa

service smtp
{
socket_type = stream
protocol = tcp
wait = no
disable = no
user = root
instances = UNLIMITED
server = /var/qmail/bin/tcp-env
server_args = -Rt0 /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
per_source = 40
}
Click to expand...

However it still is not an open relay, for example as a test:

david@wadavid ~ $ telnet pleskserver 25
Trying 196...
Connected to pleskserver
Escape character is '^]'.
220 pleskerver ESMTP
helo mytest.com
250 pleskerver
mail from: <[email protected]>
250 ok
rcpt to: <[email protected]>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
quit
221 pleskerver
Connection closed by foreign host.
Click to expand...
 
Plesk 8.3.0 and qmail: SMTP auth not working

I'm not happy to "resume" a very old post, but the problem is still here!

I have a Plesk 8.3.0 panel with some domains and I have set "authorization is required: SMTP" in "Relay options" ("Server" tab). I have set one mailbox and everything works, but if I try to access to the server via telnet as shown on first post I can get inside and send a mail to any of the active mail account with any data AND WITH NO PASSWORD.

I've tried to rename "smtp_psa" and the other files stated to "... .XXX" and created new ones "smtp_ok" and so on... then restarted xinetd.d, but this doesn't fix anything.

How can I force authentication for smtp?

Thank you!
 
(up) it seems a not recognized bug

I have the license bought via my hosting provider and it says it seems the normal behaviour! I don't think it's normal to behave as an open rely if I set authentication for SMTP... isn't there any way to solve this?

I'd like to "lock" access of SMTP so if a connection is set password is always required...
 
You must log in or register to reply here.

Similar threads

T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
2K
Tessxr
T
Ehud
Question Is Plesk Email SRS fully configured, or it requires an extension?
Replies
0
Views
2K
Ehud
Ehud
U
Resolved Bind9 works on debian 10 server and shows as not installed in plesk. And issue with Postfix/Dovecot
Replies
3
Views
1K
Maarten
M
L
Resolved Problem receiving mails and with Roundcube since Debian and Plesk upgrade
Replies
5
Views
2K
LaurentR2D2
L
duy13
[AntiDDoS] for Plesk Panel with vDDoS Proxy Protection
Replies
0
Views
3K
duy13
duy13
Back
Top