Re: [SM-USERS] Squirrelmail + postfix + spam

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Sun, 30 Aug 2009 00:18:09 -0700 (PDT), Ivan S
<whi...@ya...> wrote:

>Hi all, 
>
>In my office we are using SM for external user to connect to our 
>exchange server. we're using squirrelmail 1.4.9a and postfix-2.3.4. we 
>are having issue these few days where spammer can send email through 
>this webmail using other domain to send to internet. below is the log 
>from maillog: 
>

1.4.9a is nearly 3 years old, and has known security issues.  You
should upgrade.

>Aug 30 05:05:06 webmail postfix/smtpd[1470]: connect from localhost.localdomain[127.0.0.1]
>Aug 30 05:05:06 webmail postfix/smtpd[1470]: 5621323FA7: client=localhost.localdomain[127.0.0.1]
>Aug 30 05:05:06 webmail postfix/cleanup[1473]: 5621323FA7:
>message-id=<7a2d144cd865d8824ecac6ef0cc92afb.squirrel@mydomain>
>Aug 30 05:05:06 webmail postfix/qmgr[1155]: 5621323FA7: from=<in...@em...>, size=1501, nrcpt=201 (queue active)
>Aug 30 05:05:07 webmail postfix/smtpd[1470]: disconnect from localhost.localdomain[127.0.0.1]
>Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7:
>to=<chr...@ho...>,
>relay=192.168.0.10[192.168.0.
>10]:25, delay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)
>Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7:
>to=<ch...@ho...>, relay=192.168.0.10[192.168.0.10]:25,
>del
>ay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)
>Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7:
>to=<chr...@ho...>,
>relay=192.168.0.10[192.168.0.10]:25
>, delay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)
>Aug 30 05:05:07 webmail postfix/smtp[1475]: 5621323FA7:
>to=<chr...@ho...>,
>relay=192.168.0.10[192.168.0.10]:
>25, delay=1.2, delays=0.77/0.21/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9FC34C8065)
>

>and so on (there were around 200 email).I dont know whether this is 
>squirrelmail or postfix issue. my question is, how come someone use this 
>webmail without authenticate their self and sending email to internet? 
>(users authenticate with active directory) 
>

SquirrelMail doesn't allow relaying without authentication.  Can you
see any IMAP logins around the same time?
-- 
Jonathan Angliss
<jo...@sq...>