id: smtp-open-relay info: name: Linux SMTP Open Relay Misconfigured author: songyaeji severity: high description: | Sendmail and Postfix were checked for proper restrictions against unauthorized relay attempts. Improper configurations allowed attackers to abuse the server for spam or denial-of-service (DoS) attacks. reference: - https://isms.kisa.or.kr tags: linux,local,kisa,audit,compliance self-contained: true code: - engine: - bash source: | if ps -ef | grep -v grep | grep -q sendmail; then if grep -q 'R\$.\* \$#error \$@ 5.7.1 \$: "550 Relaying denied"' /etc/mail/sendmail.cf 2>/dev/null \ || (test -f /etc/mail/access.db && echo "[INFO] Sendmail access.db exists (relay likely restricted)"); then echo "[SAFE] Sendmail relay restriction is configured." else echo "[VULNERABLE] Sendmail relay restriction is missing." fi else echo "[INFO] Sendmail is not active." fi - engine: - bash source: | if systemctl is-active postfix | grep -q running; then mynetworks=$(grep -E '^\s*mynetworks\s*=' /etc/postfix/main.cf 2>/dev/null) relay_restrict=$(grep -E '^\s*smtpd_relay_restrictions\s*=.*permit_mynetworks' /etc/postfix/main.cf 2>/dev/null) reject_unauth=$(grep -E '^\s*smtpd_relay_restrictions\s*=.*reject_unauth_destination' /etc/postfix/main.cf 2>/dev/null) if [[ -z "$mynetworks" || -z "$relay_restrict" || -z "$reject_unauth" ]]; then echo "[VULNERABLE] Postfix relay restrictions are missing or misconfigured." else echo "[SAFE] Postfix relay restrictions are properly configured." fi else echo "[INFO] Postfix is not active." fi matchers: - type: word name: sendmail part: code_1_response words: - "[VULNERABLE]" - type: word name: postfix part: code_2_response words: - "[VULNERABLE]" # digest: 490a00463044022007bbf2c607700ae13d4c405a692792e71588ae5ba345fdaf3607a3857d7407c6022078e9830186951fe00d87c820cb91bd2cde6a00a10675cdf22267e85a4a5ccf60:922c64590222798bb761d5b6d8e72950