Authenticated Users - How?

Junior Member
Posts: 7
Joined: Mon Jun 01, 2015 8:19 pm

Authenticated Users - How?

Postby cboone » Tue Oct 18, 2016 9:43 pm

Against what user database are accounts authenticated? We've been having open relay problems and it's because the sessions are authenticated. I did a simple test just entering a random username and password and it allowed me to relay. How do I fix this? Thanks!

My test:
----------------------
2016-10-18 12:42:09 3842 0 ------ Requested connection from 10.33.126.48, Country: N/A, SID:1610181242090201
2016-10-18 12:42:09 3842 0 +Filter: "DNSBL Test"
2016-10-18 12:42:09 3842 0 +Filter: "Message Sniffer"
2016-10-18 12:42:09 3842 16 <-- 220 mx-1.vusd.org ESMTP
2016-10-18 12:42:15 3842 5141 --> ehlo
2016-10-18 12:42:15 3842 5156 <-- 250-Welcome 10.33.126.48, pleased to meet you
2016-10-18 12:42:15 3842 5156 <-- 250 AUTH LOGIN
2016-10-18 12:42:20 3842 10516 --> auth login
2016-10-18 12:42:20 3842 10516 <-- 334 VXNlcm5hbWU6
2016-10-18 12:42:22 3842 12703 --> user
2016-10-18 12:42:22 3842 12703 <-- 334 UGFzc3dvcmQ6
2016-10-18 12:42:25 3842 16016 --> password
2016-10-18 12:42:25 3842 16047 <-- 235 OK
2016-10-18 12:42:37 3842 27656 --> mail from:user@vusd.org
2016-10-18 12:42:37 3842 27672 +Filter: "Block bad senders"
2016-10-18 12:42:37 3842 27672 <-- 250 <user@vusd.org>, sender ok
2016-10-18 12:42:53 3842 43656 --> rcpt to:cboone@vusd.us
2016-10-18 12:42:53 3842 43656 +Filter: "Open relay prevention"
2016-10-18 12:42:53 3842 43656 +Filter: "Greylisting by country"
2016-10-18 12:42:53 3842 43656 <-- 250 <cboone@vusd.us>, recipient ok
2016-10-18 12:42:57 3842 47313 --> data
2016-10-18 12:42:57 3842 47313 +Filter: "Greylisting by country"

A 'real' session
-------------------------
2016-10-18 14:13:22 2006 0 ------ Requested connection from 134.236.248.51, Country: United States, SID:1610181413220202
2016-10-18 14:13:22 2006 16 +Filter: "DNSBL Test"
2016-10-18 14:13:22 2006 16 Checking DNSBL [51.248.236.134.zen.spamhaus.org]
2016-10-18 14:13:22 2006 235 Checking DNSBL [51.248.236.134.bl.spamcop.net]
2016-10-18 14:13:22 2006 328 Checking DNSBL [51.248.236.134.b.barracudacentral.org]
2016-10-18 14:13:22 2006 438 +Filter: "Message Sniffer"
2016-10-18 14:13:22 2006 469 <-- 220 mx-1.vusd.org ESMTP
2016-10-18 14:13:23 2006 1250 --> EHLO [134.236.248.51]
2016-10-18 14:13:23 2006 1266 <-- 250-Welcome 134.236.248.51, pleased to meet you
2016-10-18 14:13:23 2006 1266 <-- 250 AUTH LOGIN
2016-10-18 14:13:24 2006 1875 --> AUTH LOGIN
2016-10-18 14:13:24 2006 1875 <-- 334 VXNlcm5hbWU6
2016-10-18 14:13:24 2006 2485 --> amNvbnJhZEB2dXNkLm9yZw==
2016-10-18 14:13:24 2006 2485 <-- 334 UGFzc3dvcmQ6
2016-10-18 14:13:25 2006 3016 --> amlnZ3ltYW4=
2016-10-18 14:13:25 2006 3031 <-- 235 OK
2016-10-18 14:13:26 2006 4672 --> MAIL FROM:<CarlenaNavarroBriggs@vusd.org>
2016-10-18 14:13:26 2006 4672 +Filter: "Block bad senders"
2016-10-18 14:13:26 2006 4672 <-- 250 <CarlenaNavarroBriggs@vusd.org>, sender ok
2016-10-18 14:13:27 2006 5219 --> RCPT TO:<nathalie.ramioulle@cox.net>
2016-10-18 14:13:27 2006 5219 +Filter: "Greylisting by country"
2016-10-18 14:13:27 2006 5235 +Filter: "Open relay prevention"
2016-10-18 14:13:27 2006 5235 +Filter: "Open relay prevention Copy"
2016-10-18 14:13:27 2006 5235 <-- 250 <nathalie.ramioulle@cox.net>, recipient ok
2016-10-18 14:13:28 2006 5844 --> RCPT TO:<carlenedial@cox.net>
2016-10-18 14:13:28 2006 5860 +Filter: "Greylisting by country"

Junior Member
Posts: 47
Joined: Thu Apr 04, 2013 8:16 am

Re: Authenticated Users - How?

Postby alexbromo » Wed Oct 19, 2016 9:34 am

In EW there is a standard filter called "Open Relay Prevention" (Tab: Filters). Have you tried to activate it?

Alex.

Junior Member
Posts: 7
Joined: Mon Jun 01, 2015 8:19 pm

Re: Authenticated Users - How?

Postby cboone » Wed Oct 19, 2016 2:28 pm

Thanks - yes, it's on. EW won't relay until authenticated. But my question is how they are getting authenticated. Against what user database? I can put in a random username and password and it will authenticate me and allow relaying.

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: Authenticated Users - How?

Postby Alexander Telegin » Wed Oct 19, 2016 6:12 pm

In direct mode eWall forwards auth commands to the server and gets the response in real time. In relay mode it stores the auth commands and then sends them to the server. Does your proxy work in relay or direct mode? Even though the auth commands are allowed, did your server finally get the email?

Junior Member
Posts: 7
Joined: Mon Jun 01, 2015 8:19 pm

Re: Authenticated Users - How?

Postby cboone » Wed Oct 19, 2016 6:39 pm

Working in relay mode. So if I understand, EW takes the authentication credentials from the session then attempts to use those credentials on the downstream (routed) server and if it succeeds there then the session is authenticated on EW? If so then perhaps I need to look at what's going on on the downstream server, which happens to be an exchange edge transport server.

Everything seems to be working OK, except for the fact that I'm getting many thousands of junk messages to relay from invalidly 'authenticated' sources like the one shown in my first posting.

Developer
Posts: 4431
Joined: Tue Apr 20, 2004 3:43 pm

Re: Authenticated Users - How?

Postby Alexander Telegin » Wed Oct 19, 2016 9:32 pm

If the authentication credentials are invalid, the mail server should reject them. You need to check the server logs.

Junior Member
Posts: 7
Joined: Mon Jun 01, 2015 8:19 pm

Re: Authenticated Users - How?

Postby cboone » Wed Oct 19, 2016 11:50 pm

Thanks for your help. Just for my clarity, in the example below, sender was 'CarlenaNavarroBriggs@vusd.org' (our domain, but not a valid mailbox) and recipient was 'nathalie.ramioulle@cox.net' and others - credentials passed were 'jconrad@vusd.org' and password 'jiggyman' (which are bogus). What server would have authenticated this session to allow the relay? In the EW routing settings, all accepted domains are pointed to one server (exch-ets-2.vusd.org), and there are no mail servers listed in the options -> listeners. Is there a way to prevent relaying regardless of authentication? Our implementation of EW is only for inbound mail.

2016-10-18 14:13:22 2006 0 ------ Requested connection from 134.236.248.51, Country: United States, SID:1610181413220202
2016-10-18 14:13:22 2006 16 +Filter: "DNSBL Test"
2016-10-18 14:13:22 2006 16 Checking DNSBL [51.248.236.134.zen.spamhaus.org]
2016-10-18 14:13:22 2006 235 Checking DNSBL [51.248.236.134.bl.spamcop.net]
2016-10-18 14:13:22 2006 328 Checking DNSBL [51.248.236.134.b.barracudacentral.org]
2016-10-18 14:13:22 2006 438 +Filter: "Message Sniffer"
2016-10-18 14:13:22 2006 469 <-- 220 mx-1.vusd.org ESMTP
2016-10-18 14:13:23 2006 1250 --> EHLO [134.236.248.51]
2016-10-18 14:13:23 2006 1266 <-- 250-Welcome 134.236.248.51, pleased to meet you
2016-10-18 14:13:23 2006 1266 <-- 250 AUTH LOGIN
2016-10-18 14:13:24 2006 1875 --> AUTH LOGIN
2016-10-18 14:13:24 2006 1875 <-- 334 VXNlcm5hbWU6
2016-10-18 14:13:24 2006 2485 --> amNvbnJhZEB2dXNkLm9yZw==
2016-10-18 14:13:24 2006 2485 <-- 334 UGFzc3dvcmQ6
2016-10-18 14:13:25 2006 3016 --> amlnZ3ltYW4=
2016-10-18 14:13:25 2006 3031 <-- 235 OK
2016-10-18 14:13:26 2006 4672 --> MAIL FROM:<CarlenaNavarroBriggs@vusd.org>
2016-10-18 14:13:26 2006 4672 +Filter: "Block bad senders"
2016-10-18 14:13:26 2006 4672 <-- 250 <CarlenaNavarroBriggs@vusd.org>, sender ok
2016-10-18 14:13:27 2006 5219 --> RCPT TO:<nathalie.ramioulle@cox.net>
2016-10-18 14:13:27 2006 5219 +Filter: "Greylisting by country"
2016-10-18 14:13:27 2006 5235 +Filter: "Open relay prevention"
2016-10-18 14:13:27 2006 5235 <-- 250 <nathalie.ramioulle@cox.net>, recipient ok
2016-10-18 14:13:28 2006 5844 --> RCPT TO:<carlenedial@cox.net>
2016-10-18 14:13:28 2006 5860 +Filter: "Greylisting by country"
2016-10-18 14:13:28 2006 5860 +Filter: "Open relay prevention"
2016-10-18 14:13:28 2006 5860 <-- 250 <carlenedial@cox.net>, recipient ok
*** <several other recipients here, removed for brevity> ***
2016-10-18 14:13:58 2006 36094 --> DATA
2016-10-18 14:13:58 2006 36094 +Filter: "Greylisting by country"
2016-10-18 14:13:58 2006 36094 <-- 354 Ready
2016-10-18 14:13:58 2006 36547 Message size: 2.69 KB
2016-10-18 14:13:58 2006 36547 Subject: Re:
2016-10-18 14:13:58 2006 36547 +Filter: "Email counter by IP"
2016-10-18 14:13:58 2006 36547 +Filter: "SURBL Test"
2016-10-18 14:13:58 2006 36547 +Filter: "Block young websites"
2016-10-18 14:13:58 2006 36563 +Filter: "Message Sniffer"
2016-10-18 14:13:58 2006 36563 +Filter: "Attachment filter"
2016-10-18 14:13:58 2006 36563 +Filter: "Archive filter"
2016-10-18 14:13:58 2006 36578 <-- 250 Message queued
2016-10-18 14:14:58 2006 96610 Disconnect

Junior Member
Posts: 7
Joined: Mon Jun 01, 2015 8:19 pm

Re: Authenticated Users - How?

Postby cboone » Mon Oct 24, 2016 5:19 pm

Here's another. So what server is saying this is a valid authenticated connection and allowing it to relay?

----

2016-10-24 05:36:18 3956 0 ------ Requested connection from 173.201.216.72, Country: United States, SID:1610240536180200
2016-10-24 05:36:18 3956 0 +Filter: "DNSBL Test"
2016-10-24 05:36:18 3956 0 Checking DNSBL [72.216.201.173.zen.spamhaus.org]
2016-10-24 05:36:18 3956 203 Checking DNSBL [72.216.201.173.bl.spamcop.net]
2016-10-24 05:36:18 3956 297 Checking DNSBL [72.216.201.173.b.barracudacentral.org]
2016-10-24 05:36:18 3956 391 +Filter: "Message Sniffer"
2016-10-24 05:36:18 3956 438 <-- 220 mx-1.vusd.org ESMTP
2016-10-24 05:36:18 3956 469 --> EHLO decoratorrugwarehouse.com
2016-10-24 05:36:18 3956 469 <-- 250-Welcome 173.201.216.72, pleased to meet you
2016-10-24 05:36:18 3956 469 <-- 250 AUTH LOGIN
2016-10-24 05:36:18 3956 500 --> AUTH LOGIN
2016-10-24 05:36:18 3956 500 <-- 334 VXNlcm5hbWU6
2016-10-24 05:36:18 3956 531 --> eWFzc2Vyc2hhaGFhdEBteXNwYWNlaW0uY29t
2016-10-24 05:36:18 3956 531 <-- 334 UGFzc3dvcmQ6
2016-10-24 05:36:18 3956 563 --> eWFzc2Vyc2hhaGFhdA==
2016-10-24 05:36:18 3956 563 <-- 235 OK
2016-10-24 05:36:18 3956 594 --> MAIL FROM:<yassershahaat@myspaceim.com>
2016-10-24 05:36:18 3956 594 +Filter: "Block bad senders"
2016-10-24 05:36:18 3956 594 <-- 250 <yassershahaat@myspaceim.com>, sender ok
2016-10-24 05:36:18 3956 625 --> RCPT TO:<user_13@public-hosting-service.ru>
2016-10-24 05:36:18 3956 625 +Filter: "Open relay prevention"
2016-10-24 05:36:18 3956 625 +Filter: "Greylisting by country"
2016-10-24 05:36:18 3956 641 <-- 250 <user_13@public-hosting-service.ru>, recipient ok
2016-10-24 05:36:18 3956 656 --> DATA
2016-10-24 05:36:18 3956 672 +Filter: "Greylisting by country"
2016-10-24 05:36:18 3956 672 <-- 354 Ready
2016-10-24 05:36:18 3956 766 Message size: 1.07 KB
2016-10-24 05:36:18 3956 766 Subject: hey there! txt me to #%%PHONE%%
2016-10-24 05:36:19 3956 781 +Filter: "Email counter by IP"
2016-10-24 05:36:19 3956 781 +Filter: "SURBL Test"
2016-10-24 05:36:19 3956 781 +Filter: "Block young websites"
2016-10-24 05:36:19 3956 781 +Filter: "Message Sniffer"
2016-10-24 05:36:19 3956 781 +Filter: "Attachment filter"
2016-10-24 05:36:19 3956 781 +Filter: "Archive filter"
2016-10-24 05:36:19 3956 797 <-- 250 Message queued
2016-10-24 05:36:19 3956 828 --> quit
2016-10-24 05:36:19 3956 828 <-- 221 Bye
2016-10-24 05:36:19 3956 875 Disconnect
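The question that runs through this thread is which sessions the proxy is reporting as authenticated and then relaying for. One way to answer it from the log itself is to walk each session in the eWall log format quoted above and flag the ones where a `235 OK` was returned after `AUTH LOGIN` and a recipient outside the accepted domains was then accepted. The script below is an added example written for this thread; it is not part of eWall and not code from any poster. It assumes the log layout shown in the posts (date, time, session id, elapsed ms, text), treats `vusd.org` and `vusd.us` as the accepted domains (taken from the thread; substitute your own), and runs over a constructed two-session sample rather than a real capture. It decodes the base64 username the client sent so the account can be looked up on the downstream server, and deliberately never records the password.

```python
import base64
import re
from dataclasses import dataclass, field

# Assumption: domains this gateway accepts mail for, as mentioned in the thread.
LOCAL_DOMAINS = {"vusd.org", "vusd.us"}

# Log line layout as quoted in the thread: "date time session-id elapsed-ms text"
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\d+) (.*)$")
# Server-side acceptance of a recipient, as the proxy logs it
RCPT_OK_RE = re.compile(r"^<-- 250 <([^>]+)>, recipient ok$")
USERNAME_PROMPT = "VXNlcm5hbWU6"   # base64 of "Username:"
PASSWORD_PROMPT = "UGFzc3dvcmQ6"   # base64 of "Password:"

# Constructed sample (not a real capture): session 3956 authenticates and is
# allowed an external recipient; session 4100 is ordinary inbound mail.
SAMPLE_LOG = """\
2016-10-24 05:36:18 3956 0 ------ Requested connection from 192.0.2.10, Country: N/A, SID:1610240536180200
2016-10-24 05:36:18 3956 469 --> EHLO example.test
2016-10-24 05:36:18 3956 500 --> AUTH LOGIN
2016-10-24 05:36:18 3956 500 <-- 334 VXNlcm5hbWU6
2016-10-24 05:36:18 3956 531 --> amNvbnJhZEB2dXNkLm9yZw==
2016-10-24 05:36:18 3956 531 <-- 334 UGFzc3dvcmQ6
2016-10-24 05:36:18 3956 563 --> eHh4eA==
2016-10-24 05:36:18 3956 563 <-- 235 OK
2016-10-24 05:36:18 3956 594 --> MAIL FROM:<someone@vusd.org>
2016-10-24 05:36:18 3956 625 --> RCPT TO:<user_13@public-hosting-service.ru>
2016-10-24 05:36:18 3956 641 <-- 250 <user_13@public-hosting-service.ru>, recipient ok
2016-10-24 05:40:02 4100 0 ------ Requested connection from 192.0.2.20, Country: N/A, SID:1610240540020201
2016-10-24 05:40:02 4100 300 --> EHLO mail.example.test
2016-10-24 05:40:02 4100 450 --> MAIL FROM:<sender@example.test>
2016-10-24 05:40:03 4100 600 --> RCPT TO:<cboone@vusd.us>
2016-10-24 05:40:03 4100 610 <-- 250 <cboone@vusd.us>, recipient ok
"""


@dataclass
class Session:
    sid: str
    client_ip: str = ""
    auth_user: str = ""
    auth_ok: bool = False
    accepted_rcpts: list = field(default_factory=list)
    expect: str = ""   # "user" or "pass" while a 334 prompt is outstanding


def _b64_text(token: str) -> str:
    """Decode one base64 AUTH LOGIN token; never raise on garbage input."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def parse_sessions(log_text: str) -> dict:
    """Group log lines by session id and track auth state and accepted recipients."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, text = m.group(2), m.group(4)
        s = sessions.setdefault(sid, Session(sid))
        if text.startswith("------ Requested connection from "):
            s.client_ip = text.split("from ", 1)[1].split(",", 1)[0]
        elif text.startswith("<-- 334 "):
            if text.endswith(USERNAME_PROMPT):
                s.expect = "user"
            elif text.endswith(PASSWORD_PROMPT):
                s.expect = "pass"
        elif text.startswith("<-- 235"):
            s.auth_ok = True
        elif text.startswith("--> "):
            client = text[4:]
            if s.expect == "user":
                s.auth_user = _b64_text(client)
            # The password token is intentionally discarded, not decoded or stored.
            s.expect = ""
        else:
            r = RCPT_OK_RE.match(text)
            if r:
                s.accepted_rcpts.append(r.group(1).lower())
    return sessions


def find_relay_sessions(log_text: str) -> list:
    """Return (sid, client_ip, auth_user, external_recipients) for every session
    that authenticated and then had a recipient outside LOCAL_DOMAINS accepted."""
    findings = []
    for s in parse_sessions(log_text).values():
        external = [r for r in s.accepted_rcpts
                    if r.rsplit("@", 1)[-1] not in LOCAL_DOMAINS]
        if s.auth_ok and external:
            findings.append((s.sid, s.client_ip, s.auth_user, external))
    return findings


if __name__ == "__main__":
    for sid, ip, user, rcpts in find_relay_sessions(SAMPLE_LOG):
        print(f"session {sid} from {ip}: authenticated as {user!r}, relayed to {rcpts}")
```

Run against a real eWall log, the `auth_user` column is what to look up on the downstream server (the Exchange edge transport in this thread) to confirm whether that server really accepted the credentials, which is the check the developer asks for. The pairing of `auth_ok` with an accepted out-of-domain recipient is the condition that makes a session an open-relay event regardless of how the authentication was decided.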
