
Regarding Qmail Relay and Spam


nullsystems

Guest
Earlier today I found that my server had been used to send over 192,000 emails in 4 days.
I couldn't believe my eyes.

So, I decided to take some action:

FIRST, STOP YOUR MAIL SERVER!
/etc/init.d/qmail stop


1. Mail > Settings > White List.
Make sure only 127.0.0.1/32 is allocated. ( revised )

2. Domain > Group Operations:
Select "Reject" to all failed mail on all domains

3. Mail > Settings:
Relay control to "Authorization Required" and select both SMTP and POP locks

4. /var/qmail/control/
Edit your rcpthosts file to include only domains you wish to allow mail for. ( I may be wrong; this is what I've done, perhaps it's incorrect or incomplete, any ideas? I will then edit this piece. )

4a. Are there any other files in /var/qmail/control which will allow mail sending and receiving for only the domains hosted on the server?

5. SSH ( or local ), /var/qmail/bin/
Perform: ./qmail-qstat and ./qmail-queue

Both these commands will confirm you have a queue of spam. You will be able to easily detect what is being used as spam; most will say (bounce) afterwards with some random addresses you don't recognise.

What you need to do now is clear the queue.

1. Download from: http://www.stuckiniowa.com/how-to-clear-clean-qmail-queue-instantly-blog-78/

2. Run this shell script, after first making sure it is valid and the directories are correctly located using your favorite editor, such as vi, nano etc.

This script should remove the mail queue from your Qmail /var/qmail/ directories.

This script finished and I ran the ./qmail-qstat command from the /var/qmail/bin directory. This was the final output:

messages in queue: 0
messages in queue but not yet preprocessed: 0

Success. All spam deleted. Now I'm waiting to see if the changes I made will make a difference; will keep you updated.

RESTART YOUR MAIL SERVER

Anyone got any notes, messages, changes or helpful hints?
Have I gone wrong somewhere, is there anything else you could do?

This was intended to help solve the constant qmail spam and relay problems.
 
I just tested the new settings as described above.

1. I sent email to domains hosted on the machine, this worked.

2. I sent an email to an outside widely used free email service ( you can guess which ones ). This failed.

3. I received the email to my admin account on the machine:

Your message did not reach some or all of the intended recipients.

Subject: 1 everything set
Sent: 1/16/2007 4:26 PM

The following recipient(s) cannot be reached:

'[email protected]' on 1/16/2007 4:26 PM
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

What do you think caused this? I have never had this domain in my rcpthosts file, and it's worked. I will go through my list as described above to rectify; will keep you updated.
 
"Make sure only 197.0.0.1/32 is allocated"

I've always set that to 127.0.0.0/32 (And not certain it works...)

Where do you get the 197.0.0.1 IP?
 
How do you mean, where do I get it?

SwSoft technical told me about it; it's also on their knowledgebase, plus it's the default IP allocation which is required for most standard setups.

And yes, it does work, as long as that's the only one set. It helps with spam control.
 
Thanks! That's what I meant. Just wanted to know where you got the idea for that IP.

Since Plesk default install has always had the open relay 127.0.0.1/8 there have been references all over the internet for years on forums suggesting to change it to 127.0.0.1/32 to close the default open relay.

I could not find any reference to 197.0.0.1 on their KnowledgeBase.

Thanks again. I'll give it a try.
 
lol I made a massive typo, you're correct... 127, NOT 197. lol oops
 
OK. That I find on the KB.

BTW, I use the following to clear the qmail queue

/etc/init.d/qmail stop
cd /var/qmail/queue
find intd todo local remote mess info bounce -type f -print |xargs rm
/etc/init.d/qmail start

You could limit that to just bounce, todo bounce, etc, but this list clears all email in the queue.
 
The email queue script is scary. It removes ALL the email from the queue. Even legit ones.
 
The Server>Mail on Plesk 8 Control Panel admin now contains a list of all emails in the queue. You can delete exactly the ones you want.
 
Yes it is scary, however the point of it IS to remove all in the queue. If you have 190000 spam emails, do you want to filter them or send a mass email afterwards explaining?
 
Originally posted by KeithD
The Server>Mail on Plesk 8 Control Panel admin now contains a list of all emails in the queue. You can delete exactly the ones you want.

Not if you have 18000. nullsystems, good point, but it would be easy to add a grep to the find command and then delete only those emails that have the spam subject in them. Just a suggestion.
 
Very nice idea. Care to give an example to go along with this thread to complete the process?
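One way to do the selective cleanup suggested above (added example, not a script from this thread or from Plesk). It assumes the stock qmail queue layout, where mess/, info/, local/ and remote/ hold one file per message under a numeric split directory, all named by the same queue id, and todo/, intd/ and bounce/ hold the same id at top level; it only deletes files whose Subject header matches the pattern you give, and qmail must be stopped first, as in the original post. QUEUE is overridable so you can try it on a copy.

```shell
#!/bin/sh
# Selective qmail queue purge (added example). Stop qmail before running it.
# Assumed layout: $QUEUE/{mess,info,local,remote}/<split>/<id> and $QUEUE/{todo,intd,bounce}/<id>.

QUEUE="${QUEUE:-/var/qmail/queue}"

# Print the queue ids of messages whose Subject header matches the (case-insensitive) pattern.
list_matching_ids() {
    pattern="$1"
    find "$QUEUE/mess" -type f | while read -r f; do
        # Headers end at the first blank line; only the header block is searched,
        # so a matching string in the body does not count.
        if sed '/^$/q' "$f" | grep -qi "^Subject:.*$pattern"; then
            basename "$f"
        fi
    done
}

# Remove every queue file carrying the given id, in whichever subdirectory it lives.
purge_id() {
    find "$QUEUE" -type f -name "$1" -exec rm -f {} +
}

# Purge all messages matching the pattern and print how many were removed.
purge_matching() {
    count=0
    for id in $(list_matching_ids "$1"); do
        purge_id "$id"
        count=$((count + 1))
    done
    echo "$count"
}

# Review first: list_matching_ids 'your spam subject'
# Then:         purge_matching 'your spam subject'
if [ $# -eq 1 ]; then
    echo "Removed $(purge_matching "$1") message(s) from $QUEUE"
fi
```

Run list_matching_ids before purge_matching so you see exactly which ids will go; legitimate queued mail with a different subject is left in place, unlike the clear-everything script.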
 
Warning on the 127.0.0.0/32 - I just did this and it prevented any webmail user from sending mail. So I reset it back to 127.0.0.0/8 - any workarounds are appreciated, or I'll post again if I find something.
 
Perhaps add both? I've not had a problem with sending mail out.
 
Warning on the 127.0.0.0/32

It's supposed to be
Warning on the 127.0.0.1/32
 
Indeed. What would adding the /8 actually do? If I try to, it comes up with a message saying invalid IP pairing/mask or something. Won't allow me to actually add it.
 
My experience has been that if the whitelist is set to anything in 127 range other than
127.0.0.1/32
the server is an open relay. I mistyped it as 127.0.0.0/32 and it opened up for relaying (maybe because 127.0.0.0 does not exist?).
 
That's exactly what I thought, which is why I put it into the original post. I guess it does exactly what it's meant to with the /32. Mine's perfect, no relay, no spam ( a little, obviously ) and allows outgoing mail.
 
127.0.0.0/8 vs. 127.0.0.1/32

127.0.0.1 is an address called the loopback; it always points to your local network card. The /32 part is called the netmask. In this case /32 is what is also known as a Host Mask, which means the 127.0.0.1 address is the only one allowed to relay unchecked, i.e. your local network card (your server) is allowed to send SMTP messages anywhere without having to authorize.

127.0.0.0/8, which for some strange reason is the Plesk default, is a broad network. The /8 netmask says that any address starting with 127. is able to relay through your server unchecked. 127.1.9.3 can relay. 127.30.100.2 can relay. etc. Because of this default, Plesk is an open relay out of the box to anyone that uses a 127.x.x.x address.

If you had a buddy and you wanted to let his SMTP server relay off yours you could put in his IP address in there as well, say 204.33.22.11/32. The /32 host masks his address to say that only that IP address can relay off your server unchecked.
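To make the netmask explanation above concrete, here is a small checker (added example, not from the thread or from Plesk) that applies plain CIDR arithmetic to a whitelist: it reports whether a given client address would be treated as trusted ("relay") or would have to authenticate ("auth"). It models the entries discussed in this thread (127.0.0.1/32, 127.0.0.0/8, the mistyped 127.0.0.0/32, and a partner's 204.33.22.11/32); how Plesk itself reacts to a malformed entry is not modelled.

```shell
#!/bin/sh
# Relay whitelist checker (added example). Strict CIDR semantics only.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed (exit 0) if client address $1 falls inside CIDR entry $2, e.g. 127.0.0.1/32.
# An entry without a /bits suffix is treated as a single host (/32).
in_cidr() {
    case "$2" in
        */*) net="${2%/*}"; bits="${2#*/}" ;;
        *)   net="$2";      bits=32 ;;
    esac
    # Build the network mask: the top $bits bits set. 4294967295 is 0xFFFFFFFF.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print "relay" if client $1 matches any entry in the space-separated whitelist $2,
# otherwise "auth" (the client would need SMTP/POP authorization).
relay_decision() {
    for entry in $2; do
        if in_cidr "$1" "$entry"; then
            echo relay
            return 0
        fi
    done
    echo auth
}

# Example run: a 127.30.100.2 client against the Plesk default vs. the host mask.
relay_decision 127.30.100.2 '127.0.0.0/8'   # relay
relay_decision 127.30.100.2 '127.0.0.1/32'  # auth
```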
 
You can easily remove from the queue with the qmqueue tool, included also in Power Toys. Then you can use filter and remove.
 