After my near fail with a potential phone malware infection, the only thing that could top my week was an actual fail! I managed it in style by managing to publicly expose an open mail relay – talk about basics 101! I’ve been traveling pretty extensively over the last 6 months and frequently find myself on connections where port 25 outbound (SMTP) is blocked.
So I’m sitting in an internet cafe in south Peru, on a connection sporting something like 64kbit down and 5kbit up. I’ve just beaten my worst latency record with a ping time of about 5 seconds to 18.104.22.168. I have 4 items sitting in my outbox and I’m wondering if they’re not going because the port is blocked, there’s an issue with my mail server, or whether they’re about to go at any minute but just can’t make it past the huge connection latency. (In case you were wondering, I’m just setting up my excuses!)
Eventually some debugging with netcat and tcpdump lead me to confirm that port 25 is blocked. No problem, it’s my personal mail server after all, I’ll just set up a proxy listener on port 2525. With a one liner to execute simpleproxy, my mails start leaving and all is good. I daemonize simpleproxy for later and go and do something else.
A week later, an email I send out through my personal SMTP server gets bounced back to me as having failed the recipient’s spam policy. What? I start doing some digging and I find that most messages I send out through this server are being bounced back with similar messages. I check my IP against mxtoolbox.com’s block list checker and find out that I’m blacklisted on a number of realtime block lists as a source of spam.
I start reviewing mail server logs and trying to work out how this could have happened – after all I have strict ACLs on outbound mail from that machine, and obviously I’m not running an open relay right? Wrong! Spammers had found my proxy running on port 2525 through automated bulk scanning I assume. As I was running a proxy from port 2525 to 25, any senders that connected in to port 2525 would appear to the mail server software (exim) as having a source address of my own mailserver which was whitelisted to send out unauthenticated as a local server. I was running a wide open relay on port 2525! This should have been obvious but a quick and badly thought out change, and this was the result.
Of course, exim supports listening on multiple ports as one would expect and a quick change in killing simpleproxy and adding the following to my exim configuration:
daemon_smtp_ports = 25 : 2525
And my intended functionality is now active. Lessons to learn:
- No policy or verification on changes – change should not have been implemented
- Innocent changes, unintended consequences – change should not have been implemented
- Testing – change should not have remained past initial security testing
Quick, badly thought out, on-the-fly changes can lead to vulnerabilities. Fortunately, this was a personal mail server and a few RBL removal requests later and all was good. Epic Fail!