Why is my server a Open Relay?

[SaltyPlombir]

Hello there,

I setup the mailcow according to the docs. Everything works like supposed to except that my server is an open relay and I am getting abused by spam bots. I didn't change a thing at the config just the FQDN.
I setup the DNS like Mailcow requested. I did not check the 'Relay domain' or 'Relay all recipients' option, since I couldn't figure out what they do.

But now I am getting spamed. My CPU usage is constant at 80-100% and my Postfix log looks like this:

And this about 30 times per second.

I have no clue what the problem is.

Thank you for your help

[mkuron]

Do you have custom firewall rules on that machine or misconfigured IPv6? If any traffic flows through the Docker userland proxy, the server thinks everything is local and trustworthy, see #758.

All the messages in your log are outgoing. Can you find the place in the log where these messages were delivered to your server to be relayed?

[andryyy]

Hi, are you running mailcow behind nat?

…

Am 06.03.2018 um 21:27 schrieb Alexander Jansen ***@***.***>: Hello there, I setup the mailcow according to the docs. Everything works like supposed to except that my server is an open relay and I am getting abused by spam bots. I didn't change a thing at the config just the FQDN. I setup the DNS like Mailcow requested. I did not check the 'Relay domain' or 'Relay all recipients' option, since I couldn't figure out what they do. But now I am getting spamed. My CPU usage is constant at 80-100% and my Postfix log looks like this: And this about 30 times per second. I have no clue what the problem is. Thank you for your help — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[BenSchweikert]

I had similar problems. Was able to solve it with a postfix adaption to:

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_invalid_helo_hostname, reject_unauth_destination, permit_mynetworks, check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, reject_unknown_reverse_client_hostname

[andryyy]

This should not be a problem in any configuration. mailcow is not an open relay after installation.

[SaltyPlombir]

Do you have custom firewall rules on that machine or misconfigured IPv6? If any traffic flows through the Docker userland proxy, the server thinks everything is local and trustworthy, see #758.

@mkuron Thanks for that tip. Apparently my Docker was misconfigured. For an other project i set "iptables": false in /etc/docker/daemon.json.
I removed that entry and my Server stopped being a open relay.

Thanks for your help guys

[Keridos]

Please open up again, this should not be an issue, you cannot force users to use a certain GLOBAL docker config. A config option to blacklist certain IPs from being treated as an open relay is possible within the postfix config files and could be implemented in the mailcow UI.

Setting the docker iptables to true will most likely break my firewall I definitely need for other projects.

[andryyy]

That's not a problem at all. Just set it to false and configure it yourself manuallly.

The part where you configure it yourself is obviously up to you.

It is absolutely fine to not use iptables in docker, if you know exactly what you are doing.

If your setup is not NATing correctly due to your iptables ruleset, a mail server would be useless anyway. Everyone connects from your routers IP. That's useless. Spam filtering would be very bad.

You could add static IPs to the containers and then create a ruleset, that's valid over restarts.

[lu-zero]

Do you have a chapter in the documentation about this problem?

[bobobo1618]

Why doesn't Mailcow configure postfix with smtpd_relay_restrictions = permit_sasl_authenticated,permit_auth_destination,reject by default? That should eliminate the open relay problem, no?

I also just ran into this problem and relayed several thousand spam emails. It never occurred to me that a container meant to be simple could be configured so insecurely.

[stevenmunro]

This is serious. I just found out today that anyone could had sent email through my mailcow server without authentication. Luckily I found it first, only because I'm trying to send AlertMails from iLO4. Open relay checks online say there is no open relay, but if you know a domain name being hosted in mailcow, you could send anything to anyone using telnet.

I followed the mailcow installation process and this is on Debian 11. By default I have this huge security hole.

Fixed it with answer from @bobobo1618

smtpd_relay_restrictions = permit_sasl_authenticated,permit_auth_destination,reject

in /opt/mailcow-dockerized/data/conf/postfix/extra.cf and docker-compose restart postfix-mailcow

Contents of /etc/docker/daemon.json is
{"ipv6":true,"fixed-cidr-v6":"fd00:dead:beef:c0::/80","experimental":true,"ip6tables":true}

All the iptables rules were created by mailcow, as well of the contents above to the docker daemon file. So I think we should try and work out why mailcow default installation is insecure.

[teian]

THANKS!!! This fixed my setup holy moly. Absolutely not understandable why the mailcow team is not applying this by default...

[patschi]

I'm not aware about any need. Your comment has been the first post since Sep 2023, that it is apparently a open relay because of this. Also, the daemon.json is already adjusted like this since 1-2 years or so.

If you're concerned this issue still exists, please open a new discussion.