• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

SMTP server requires no authentication, huge issue!

f6n5i4qweuf

New Pleskian
Hi everybody

Today I found an incredible huge security issue with my Plesk 11.5.30 and postfix installation. I received a bunch of spam messages from my domain today and so I tested my SMTP server:

Code:
Connected to localhost.
Escape character is '^]'.
220 domain.here ESMTP Postfix (Debian/GNU)
helo domain.here
250 domain.here
mail from: [email protected]
250 2.1.0 Ok
rcpt to: ***@gmail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
oh my god why does this work?
.
250 2.0.0 Ok: queued as 2F25C18218B3
quit
221 2.0.0 Bye

A couple of seconds later, I received this message in gmail. Completely stunned I checked the settings but they seem to be okay:

mail.png

To me this means, everybody who installs plesk and postfix automatically has a server that will be sending spam as soon as it's discovered. For me it took 8 days before it started sending spam.
Please help me and everybody else with this issue to resolve it. I just can not believe that this is default setting for plesk. UNBELIEVABLE!

Thank you!
 
Just remove loopback (or just all) addresses from the "White List" tab on "Server-Wide Mail Settings" page. It wouldn't save you from spam though (because there's also sendmail), you need to find its source instead.
 
Just to amplify on what Nikolay is saying.....

For your test, you connected locally. 127.0.1 (localhost) is whitelisted by default to allow mail to be sent without authentication. This is normal, expected, and not a security issue. However, if you feel you would prefer this not to be allowed, you can remove the 127. address from the whitelist tab as Nikolay suggests. Be aware that some mail functions are likely to break if you do this.

This leads to the question of what exactly happened in your case. It isn't clear from your post what is actually happening. If could be a malicious script installed on the server or it could be absolutely anything else - can you post more details please? It seems odd that a spammer would send mail from your domain to you at some other email address that he could not possibly know about, so I'm guessing there's more to this than meets the eye.
 
Back
Top