Dear All, I have just implemented ProxyARP with my Mail server behind shorewall. It appears to be working OK as I can both send and receive mails, and this server is available to both the NET and my LAN using the same public IP. The only port open to the net from shorewall is https (443) I have attempted to reach both the Mailserver and the firewall with nmap and failed. But I have been seeing this in my Mail server logs for the past 24 hours since I did this ProxyARP thing. "Connection attempt to service SMTP from IP address 127.0.0.1 rejected." My question is this; Is someone attempting some form of exploit via https on my mail server? How did this person go past shorewall? Has anyone any idea what is going on? Are there other ways of testing that ProxyARP and shorewall are working as designed? Thanks for your assistance. Ama _______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
127.0.0.1 is your localhost... -----Original Message----- From: Ama Kalu [mailto:ama.kalu@cwlgroup.net] Sent: Thursday, December 04, 2003 8:29 AM To: shorewall-users@lists.shorewall.net Subject: [Shorewall-users] ProxyArp Implementation check Dear All, I have just implemented ProxyARP with my Mail server behind shorewall. It appears to be working OK as I can both send and receive mails, and this server is available to both the NET and my LAN using the same public IP. The only port open to the net from shorewall is https (443) I have attempted to reach both the Mailserver and the firewall with nmap and failed. But I have been seeing this in my Mail server logs for the past 24 hours since I did this ProxyARP thing. "Connection attempt to service SMTP from IP address 127.0.0.1 rejected." My question is this; Is someone attempting some form of exploit via https on my mail server? How did this person go past shorewall? Has anyone any idea what is going on? Are there other ways of testing that ProxyARP and shorewall are working as designed? Thanks for your assistance. Ama _______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm _______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
Sounds like a sendmail configuration setting on your mail server. The default sendmail configuration is to listen to the localhost. Check your sendmail.cf file for this: # SMTP daemon options O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA And change the "Addr" to the correct IP address or remove this option completely. Graeme> -----Original Message----- > From: shorewall-users-bounces@lists.shorewall.net > [mailto:shorewall-users-bounces@lists.shorewall.net] On > Behalf Of Ama Kalu > Sent: Thursday, December 04, 2003 9:29 AM > To: shorewall-users@lists.shorewall.net > Subject: [Shorewall-users] ProxyArp Implementation check > > Dear All, > > I have just implemented ProxyARP with my Mail server behind > shorewall. > > It appears to be working OK as I can both send and receive mails, and > this server is available to both the NET and my LAN using the same > public IP. > > The only port open to the net from shorewall is https (443) > > I have attempted to reach both the Mailserver and the > firewall with nmap > and failed. > > But I have been seeing this in my Mail server logs for the > past 24 hours > since I did this ProxyARP thing. > > "Connection attempt to service SMTP from IP address 127.0.0.1 > rejected." > > My question is this; > > Is someone attempting some form of exploit via https on my > mail server? > How did this person go past shorewall? Has anyone any idea > what is going > on? > > Are there other ways of testing that ProxyARP and shorewall > are working > as designed? > > Thanks for your assistance. > > Ama > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: > https://lists.shorewall.net/mailman/listinfo/shorewall-users > Support: http://www.shorewall.net/support.htm > FAQ: http://www.shorewall.net/FAQ.htm >_______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
Hi, I know 127.0.0.1 is local host. But why would the mail server would will deny itself smtp service? Ama>-----Original Message----- >From: shorewall-users-bounces@lists.shorewall.net[mailto:shorewall-users->bounces@lists.shorewall.net] On Behalf Of Troy Arnold >Sent: Thursday, December 04, 2003 3:39 PM >To: ''Mailing List for Experienced Shorewall Users'' >Subject: RE: [Shorewall-users] ProxyArp Implementation check > >127.0.0.1 is your localhost... > >-----Original Message----- >From: Ama Kalu [mailto:ama.kalu@cwlgroup.net] >Sent: Thursday, December 04, 2003 8:29 AM >To: shorewall-users@lists.shorewall.net >Subject: [Shorewall-users] ProxyArp Implementation check > >Dear All, > >I have just implemented ProxyARP with my Mail server behind shorewall. > >It appears to be working OK as I can both send and receive mails, and >this server is available to both the NET and my LAN using the same >public IP. > >The only port open to the net from shorewall is https (443) > >I have attempted to reach both the Mailserver and the firewall withnmap>and failed. > >But I have been seeing this in my Mail server logs for the past 24hours>since I did this ProxyARP thing. > >"Connection attempt to service SMTP from IP address 127.0.0.1rejected."> >My question is this; > >Is someone attempting some form of exploit via https on my mail server? >How did this person go past shorewall? Has anyone any idea what isgoing>on? > >Are there other ways of testing that ProxyARP and shorewall are working >as designed? > >Thanks for your assistance. > >Ama >_______________________________________________ >Shorewall-users mailing list >Post: Shorewall-users@lists.shorewall.net >Subscribe/Unsubscribe: >https://lists.shorewall.net/mailman/listinfo/shorewall-users >Support: http://www.shorewall.net/support.htm >FAQ: http://www.shorewall.net/FAQ.htm > > >_______________________________________________ >Shorewall-users mailing list >Post: Shorewall-users@lists.shorewall.net >Subscribe/Unsubscribe: >https://lists.shorewall.net/mailman/listinfo/shorewall-users >Support: http://www.shorewall.net/support.htm >FAQ: http://www.shorewall.net/FAQ.htm_______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
Graeme, This is not sendmail. This is Kerio Mail server 5 running on Windows XP Ama>-----Original Message----- >From: shorewall-users-bounces@lists.shorewall.net[mailto:shorewall-users->bounces@lists.shorewall.net] On Behalf Of Graeme Boyle >Sent: Thursday, December 04, 2003 3:50 PM >To: ''Mailing List for Experienced Shorewall Users'' >Subject: RE: [Shorewall-users] ProxyArp Implementation check > >Sounds like a sendmail configuration setting on your mail server. The >default sendmail configuration is to listen to the localhost. Checkyour>sendmail.cf file for this: > ># SMTP daemon options > >O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA > >And change the "Addr" to the correct IP address or remove this option >completely. > >Graeme > >> -----Original Message----- >> From: shorewall-users-bounces@lists.shorewall.net >> [mailto:shorewall-users-bounces@lists.shorewall.net] On >> Behalf Of Ama Kalu >> Sent: Thursday, December 04, 2003 9:29 AM >> To: shorewall-users@lists.shorewall.net >> Subject: [Shorewall-users] ProxyArp Implementation check >> >> Dear All, >> >> I have just implemented ProxyARP with my Mail server behind >> shorewall. >> >> It appears to be working OK as I can both send and receive mails, and >> this server is available to both the NET and my LAN using the same >> public IP. >> >> The only port open to the net from shorewall is https (443) >> >> I have attempted to reach both the Mailserver and the >> firewall with nmap >> and failed. >> >> But I have been seeing this in my Mail server logs for the >> past 24 hours >> since I did this ProxyARP thing. >> >> "Connection attempt to service SMTP from IP address 127.0.0.1 >> rejected." >> >> My question is this; >> >> Is someone attempting some form of exploit via https on my >> mail server? >> How did this person go past shorewall? Has anyone any idea >> what is going >> on? >> >> Are there other ways of testing that ProxyARP and shorewall >> are working >> as designed? >> >> Thanks for your assistance. >> >> Ama >> _______________________________________________ >> Shorewall-users mailing list >> Post: Shorewall-users@lists.shorewall.net >> Subscribe/Unsubscribe: >> https://lists.shorewall.net/mailman/listinfo/shorewall-users >> Support: http://www.shorewall.net/support.htm >> FAQ: http://www.shorewall.net/FAQ.htm >> > >_______________________________________________ >Shorewall-users mailing list >Post: Shorewall-users@lists.shorewall.net >Subscribe/Unsubscribe: >https://lists.shorewall.net/mailman/listinfo/shorewall-users >Support: http://www.shorewall.net/support.htm >FAQ: http://www.shorewall.net/FAQ.htm_______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
Ama, Unfortunately, I do not know the Kerio Mail software. Perhaps someone else could assist or you could contact them for assistance. Graeme> -----Original Message----- > From: Ama Kalu [mailto:ama.kalu@cwlgroup.net] > Sent: Thursday, December 04, 2003 11:21 AM > To: g.boyle3@verizon.net; ''Mailing List for Experienced > Shorewall Users'' > Subject: RE: [Shorewall-users] ProxyArp Implementation check > > Graeme, > > This is not sendmail. This is Kerio Mail server 5 running on > Windows XP > > Ama > > >-----Original Message----- > >From: shorewall-users-bounces@lists.shorewall.net > [mailto:shorewall-users- > >bounces@lists.shorewall.net] On Behalf Of Graeme Boyle > >Sent: Thursday, December 04, 2003 3:50 PM > >To: ''Mailing List for Experienced Shorewall Users'' > >Subject: RE: [Shorewall-users] ProxyArp Implementation check > > > >Sounds like a sendmail configuration setting on your mail server. The > >default sendmail configuration is to listen to the localhost. Check > your > >sendmail.cf file for this: > > > ># SMTP daemon options > > > >O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA > > > >And change the "Addr" to the correct IP address or remove this option > >completely. > > > >Graeme > > > >> -----Original Message----- > >> From: shorewall-users-bounces@lists.shorewall.net > >> [mailto:shorewall-users-bounces@lists.shorewall.net] On > >> Behalf Of Ama Kalu > >> Sent: Thursday, December 04, 2003 9:29 AM > >> To: shorewall-users@lists.shorewall.net > >> Subject: [Shorewall-users] ProxyArp Implementation check > >> > >> Dear All, > >> > >> I have just implemented ProxyARP with my Mail server behind > >> shorewall. > >> > >> It appears to be working OK as I can both send and receive > mails, and > >> this server is available to both the NET and my LAN using the same > >> public IP. > >> > >> The only port open to the net from shorewall is https (443) > >> > >> I have attempted to reach both the Mailserver and the > >> firewall with nmap > >> and failed. > >> > >> But I have been seeing this in my Mail server logs for the > >> past 24 hours > >> since I did this ProxyARP thing. > >> > >> "Connection attempt to service SMTP from IP address 127.0.0.1 > >> rejected." > >> > >> My question is this; > >> > >> Is someone attempting some form of exploit via https on my > >> mail server? > >> How did this person go past shorewall? Has anyone any idea > >> what is going > >> on? > >> > >> Are there other ways of testing that ProxyARP and shorewall > >> are working > >> as designed? > >> > >> Thanks for your assistance. > >> > >> Ama > >> _______________________________________________ > >> Shorewall-users mailing list > >> Post: Shorewall-users@lists.shorewall.net > >> Subscribe/Unsubscribe: > >> https://lists.shorewall.net/mailman/listinfo/shorewall-users > >> Support: http://www.shorewall.net/support.htm > >> FAQ: http://www.shorewall.net/FAQ.htm > >> > > > >_______________________________________________ > >Shorewall-users mailing list > >Post: Shorewall-users@lists.shorewall.net > >Subscribe/Unsubscribe: > >https://lists.shorewall.net/mailman/listinfo/shorewall-users > >Support: http://www.shorewall.net/support.htm > >FAQ: http://www.shorewall.net/FAQ.htm > >_______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
Hiya, At 11:31 AM 12/4/2003, you wrote:>Hi, > >I know 127.0.0.1 is local host. > >But why would the mail server would will deny itself smtp service? > >AmaYou don''t have the default firewall turned on that XP machine .. Do You ??? Francesca "No Problems Only Solutions" Francesca C. Smith Lady Linux Internet Services fsmith@ladylinux.com _______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
On Thu, 2003-12-04 at 08:18, Ama Kalu wrote:> Hi, > > I know 127.0.0.1 is local host. > > But why would the mail server would will deny itself smtp service?Don''t know about your MTA but Postfix can certainly be (mis)configured to do that. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net _______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm
Hi, The XP firewall is not turned on. The point of my post is not that I cant send mails. The mail server is working flawlessly. I can send and receive mails. What process is attempting to send mails through the smtp service it hopes is on 127.0.0.1. I do no suppose the mail server will block itself. I am wondering if there is some form of smtp exploit that can be done over https. I dont know how this works but I figure If you can exchange a secure certificate with a https site, and one way or another that certificate is forged to be executable, you may well end up installing a back door to send mails from via 127.0.0.1 which most mail servers will treat as localhost and part of the localdomain, thereby bypassing the entire firewall system. Ama> Hiya, > > At 11:31 AM 12/4/2003, you wrote: > >Hi, > > > >I know 127.0.0.1 is local host. > > > >But why would the mail server would will deny itself smtp service? > > > >Ama > > > You don''t have the default firewall turned on that XP machine .. Do You ??? > > Francesca > > > "No Problems Only Solutions" > Francesca C. Smith > Lady Linux Internet Services > fsmith@ladylinux.com > > > _______________________________________________ > Shorewall-users mailing list > Post: Shorewall-users@lists.shorewall.net > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users > Support: http://www.shorewall.net/support.htm > FAQ: http://www.shorewall.net/FAQ.htm_______________________________________________ Shorewall-users mailing list Post: Shorewall-users@lists.shorewall.net Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users Support: http://www.shorewall.net/support.htm FAQ: http://www.shorewall.net/FAQ.htm