How to secure SMTP open relay

Clarkster

MIS
Jun 19, 2000
18
US
Would someone be good enough to explain theoretically how to prevent an SMTP server from being used as a relay? Does the SMTP protocol specify an address? When is the name@domain.ABC looked up to determine the destination address? Is this the destination address that is then placed in the TCP/UDP (or whatever) packet? etc, etc. Thanks in advance for your reply.
 
Under most SMTP servers you should have a setting that states if the server is going to be used as a relay or if it is only going to relay its own domain. I use GroupWise Internet Agent for our SMTP gateway. In the access control I can set it for relay or just to handle my own domain. Closing it down for relay prevents users from using it to send SPAM off your server. This not only makes people angry but can also get your domain black-listed as a known open relay host. When the SMTP server looks up an address, it usually goes to the DNS server that it is programmed to look for. The Host name user@domain.ABC is resolved to an IP Address. The IP Address is then placed in the packet. I don't know of any program that utilized a fully qualified domain name to send its traffic. Most of the host names are broken down to its IP Address and then the packets are reassembled at the host system. I've used other SMTP servers in the past and know that all of them had a setting to only relay their own domain and deny access to any others.

Hope this helps you out.

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
Thanks for the reply. I am using an older version of the Novell SMTP/MIME gateway. It is well documented that the /norelay switch does not work. The only sure remedy is to switch to a newer version (such as the one you are using). In the interim however, I was hoping that I could configure Linux IP chains to analyze SMTP packets and reject those that the MAIL TO: does not resolve to the same IP as the TCP/UDP destination address. I think this is the same logic that is employed in mail servers with a no-relay switch. I just need confirmation of this and some suggestions as to how IP Chains could duplicate the logic.
 
Unfortunately I am far from being an expert when it comes to Linux or Unix for that matter. Glad that my information helped you :)

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
well, if u are going to use Linux/UNIX, u shouldn't even need to block the domain at the firewall level, that is, using IPChains.... u can do that right from the Mail Transfer Agent [MTA] ...

the most popular UNIX MTA is called Sendmail... there are several others.. but sendmail is really the best, and most heavily documented....

with sendmail from version 8.8 and onward... [the most recent Linux distributions come with at least Sendmail ver 8.11.0] u can specify an ACL type record in a file called access... this file defines IP addresses and domain names that are allowed to use the SMTP server as a RELAY host... u can also use this file to define domains u know send a lot of SPAM, and block them off...using the 550 SMTP function....

in addition, u can also define which hosts can have access to your SMTP server, whether to send or be sent to.. usually, this is left open, otherwise u would block connections from all other servers trying to deliver mail...

bottom line.. u have much more flexibility, security and power with Linux or UNIX..

good luck
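
The relay check discussed in this thread, as an added example that is not from any poster and is not Sendmail's or GroupWise's own code: a simplified Python model of the decision a mail server makes for each RCPT TO command, using only the connecting client's IP address and the domain of the envelope recipient. The policy tables, function names, domains and addresses are constructed placeholders, and subdomain matching is an assumption of this model.

```python
import ipaddress

# Constructed sample policy: all names and addresses are placeholders.
LOCAL_DOMAINS = {"example.com"}                       # domains this server delivers for
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # clients allowed to relay anywhere
BLOCKED_SENDER_DOMAINS = {"spam.example"}             # sender domains refused with 550

def domain_of(address):
    """Lower-cased domain part of an envelope address such as <user@Host.>."""
    addr = address.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""

def matches(domain, table):
    """True if domain equals an entry in table or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in table)

def rcpt_decision(client_ip, mail_from, rcpt_to):
    """Return the (code, text) reply to one RCPT TO command."""
    if matches(domain_of(mail_from), BLOCKED_SENDER_DOMAINS):
        return 550, "Access denied"
    rcpt_domain = domain_of(rcpt_to)
    if rcpt_domain and matches(rcpt_domain, LOCAL_DOMAINS):
        return 250, "Recipient ok"          # inbound mail for our own domain
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETS):
        return 250, "Recipient ok"          # trusted client may relay anywhere
    # MAIL FROM is not consulted for the relay decision: the sender address
    # is supplied by the client and proves nothing about who is connecting.
    return 550, "Relaying denied"

if __name__ == "__main__":
    # Constructed sessions: (client IP, MAIL FROM, RCPT TO)
    for session in [
        ("203.0.113.9", "a@elsewhere.example", "bob@example.com"),
        ("203.0.113.9", "boss@example.com", "x@other.example"),
        ("192.0.2.10", "u@example.com", "x@other.example"),
    ]:
        print(session, "->", rcpt_decision(*session))
```

The second constructed session shows why a local-looking sender address from an outside client still gets "Relaying denied".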
 