
SMTP Open Relay 101 - to turn off or leave on?


michigan

IS-IT--Management
Jul 3, 2001
281
I recently got an email stating our site was "blackballed" or "blackholed" - because our mail server was set up to support SMTP Open Relay.

Reading up on it, I found many reasons why I shouldn't have this feature turned on, but I would like to know what are the positives (if any) for having SMTP Open Relay turned on?

Also, are there any faults I (or my users) can expect to see if the SMTP Open Relay is turned off? New errors?

Thanks in advance.


 
SMTP relay means that others can use your domain for sending (or bouncing) e-mail off of. I don't know of any reason why you would want it turned on except if you had other domains sending e-mail through your server. I know we have an extranet server that is set to bounce mail from our site but have the client's e-mail address as the return address. GroupWise didn't like this so I had to come up with another solution. On some SMTP servers you can restrict by IP network address; I don't think you can with GroupWise. I would say unless you are using your server as a relay, then there is no need to turn it off.

Turning it off should have no effect on your users; they send their mail to the Postoffice and it's forwarded to the SMTP server via the MTA, so disabling relaying would not have any effect for your users.
david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
Hi david -

Thanks for the prompt reply. That was helpful information for me. For now, I think I'm gonna turn this service off.

 
That’s the safest way; you may find that leaving it open will cause you more problems in the long run. We ran into that problem when I first started; we had a sys admin that was not too worried about security and our site was used to host SPAM a number of times. That was about three years ago and I am still feeling repercussions from that. It’s always a good idea to implement good “net friendly” solutions; it keeps you and your company’s reputation in good standing.
david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
GW5 seems to act as if it's open even when it's not. Relayed messages aren't delivered though. GW6 behaves "properly" and refuses relaying requests. I think that in the past the only possible reason for keeping it open or using relay exceptions was for users who used POP/SMTP clients. GW6 supports AUTH commands so that's no longer necessary. See
 
Here is an earlier thread on this issue. Even with relay turned off, the server will relay in one instance. If you would like more detail about this, please contact me directly.
<<
JaseUK (IS/IT--Manageme) Jan 9, 2002
Dear all,

I have disabled relaying in Groupwise 5.5 and understand that the Groupwise SMTP server accepts messages for posting from anyone who connects to it without challenging them and forwards them to the postmaster as undeliverable items. It would seem to me that over time people have come to think of my SMTP server as an open gateway through which messages can be successfully relayed. Obviously they are wrong - but they will never know this as Groupwise does not tell them that they are unsuccessful.

ANYWAY - the point is: We receive now hundreds of messages a day that are nothing to do with us. Groupwise accepts the whole post (attachments and all!!) and this is consuming our bandwidth. Is there anything we can do to stop this short of putting an intermediate SMTP server in the way that challenges servers posting to domains that are not our own??

TIA,
Jason.



sobak (MIS) Jan 9, 2002
Not if you're using GroupWise 5.x alone. GroupWise 6.x is the first SMTP server from the GroupWise suite to challenge the sender. If it fails then it drops the connection. There are some third-party products that will filter but not do anything about your bandwidth problem. If you want to cure your bandwidth problem I believe you would need to install an SMTP server that challenges the sender, or upgrade to GroupWise 6.x.
david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*




dpellegrini (MIS) Jan 10, 2002
Interesting finding. I've been doing some testing on our Groupwise 5.5 box. It appears that, yes, it accepts the messages and dumps them into the problem directory, but won't forward them. There is 1 exception to this. If the spammer uses the Groupwise server's IP address or hostname in the Mail From:<sender>, then it will forward (relay) the messages. This is why ORDB.ORG and others still blacklist Groupwise servers. I hope 6x fixes this problem.

Domenick Pellegrini
dpellegrini@yahoo.com

>>

Domenick Pellegrini
dpellegrini@yahoo.com

 
Also,
I have it on good authority that there is a fix for this for GW 5.5. I haven't tested it yet myself, but I will update this board on the details as I get them.

Domenick Pellegrini
dpellegrini@yahoo.com

 
We also recently found out ORDB considers our server an "open relay". Since then at least 2 or 3 of the vendors we deal with no longer accept email from us, so I need to fix the situation ASAP.

I thought I made the proper changes in Netware admin, but ORDB retested and we're still "blacklisted".

Would someone mind going over the specific steps needed to close this hole? It would be greatly appreciated.

jgillis
 
The only fix that is recommended by Novell is to upgrade to GW6. But some have had success using sp4 and the fgwia (I don't remember the exact name of the file) 3rd party patch, although there are some that have applied it only to find nothing has changed.

Domenick Pellegrini
dpellegrini@yahoo.com

 
Jgillis,

First what you need to do is...

1. Go into Netware Administrator and click on Tools, GroupWise Views.
2. Go into the details page of the Gateway Agent.
3. Click on "Access Control".
4. On the first page click on "SMTP Relay".
5. Make sure you have "Prevent message relaying" checked.

If you have anything in the exceptions rule, make sure you follow the logic of them. That is what was killing me first off. I had "Allow From mydomain to *". What was happening was if the header came from someone@mydomain.com it would forward no matter where it came from. Modifying it to read "Allow from mydomain to mydomain" blocked the open relay for my particular situation.

After you do the above you can check it using any POP client. Attempt to send e-mail through your server; if it goes, then you are still not blocked. If all your tests show negative for relaying you can requeue your test from the ORDB web site.

Let me know if this helps you out..


david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
This is true, however, if the Mail From address is from the domain of the e-mail server (can be a valid account or not) with quotes in it, then it will relay. It would be best to test via telnet to port 25 to run the tests.

Domenick Pellegrini
dpellegrini@yahoo.com
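
The exception-rule behaviour discussed in the two posts above, as an added example that is not part of the thread and not GroupWise's own logic: a rule keyed on the envelope sender ("Allow from mydomain to *") is compared with a decision keyed on the connecting IP network or a successful AUTH, which ignores MAIL FROM entirely. All names, domains, addresses and sessions are constructed.

```python
import ipaddress

# Constructed values for illustration (hypothetical, not from the thread).
LOCAL_DOMAINS = {"mydomain.example"}                    # domains this server hosts
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/28")]   # internal app servers

def domain_of(addr):
    """Lowercased domain of an envelope address such as <user@host>."""
    return addr.strip("<>").rpartition("@")[2].lower()

def weak_policy(client_ip, authenticated, mail_from, rcpt_to):
    """Models 'Allow from mydomain to *': trusts the client-supplied MAIL FROM."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True                      # inbound mail for local users
    return domain_of(mail_from) in LOCAL_DOMAINS

def strict_policy(client_ip, authenticated, mail_from, rcpt_to):
    """Relays outward only for AUTHed clients or trusted source networks."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True                      # inbound mail for local users
    if authenticated:
        return True                      # roaming POP/SMTP user who passed AUTH
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)

# Constructed sessions: (label, client_ip, authenticated, MAIL FROM, RCPT TO)
SESSIONS = [
    ("forged local sender", "203.0.113.50", False,
     "<someone@mydomain.example>", "<a@other.example>"),
    ("quoted local part", "203.0.113.50", False,
     '<"anything"@mydomain.example>', "<a@other.example>"),
    ("inbound delivery", "203.0.113.50", False,
     "<stranger@other.example>", "<user@mydomain.example>"),
    ("internal app server", "192.0.2.5", False,
     "<statements@partner.example>", "<member@other.example>"),
    ("authenticated roaming user", "203.0.113.50", True,
     "<user@mydomain.example>", "<a@other.example>"),
    ("plain third-party relay", "203.0.113.50", False,
     "<stranger@other.example>", "<b@third.example>"),
]

def audit(policy):
    """Return {label: relay accepted?} for every constructed session."""
    return {label: policy(*rest) for label, *rest in SESSIONS}

if __name__ == "__main__":
    weak, strict = audit(weak_policy), audit(strict_policy)
    for label in weak:
        print(f"{label:28} weak={weak[label]!s:5} strict={strict[label]}")
```

Only the first two sessions separate the policies on the abuse side: the sender-based rule relays for anyone who types a local-looking MAIL FROM, while the strict rule refuses them and still serves the internal application server and the authenticated user.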

 

For testing with POP3 you can specify any domain you wish, I could be david@newdomain.com and still attempt to relay outside of mydomain. If I do it's blocked. If I type in postmaster@mydomain.com and attempt to relay I can only relay from Postmaster@mydomain.com to user@mydomain.com with my current rules in place.

I'm not worried about SPAM since my current domain is set up to filter out SPAM. It's the other domains that I'm worried about.

Either way you test it will still show you if you're set up correctly or not. Could be SMTP or POP3; it just depends on if you have all the settings in place correctly.

david e
*end users are just like computers, some you can work with...others just need a simple reBOOTing to fix their problems.*
 
Thanks for all the help, but I must be missing something. The relay allowance setting in GWIA access control is turned OFF and there are no exceptions allowed. However, I had ORDB test again and it still tagged us as "open".


Thanks,

jgillis
 
The only official fix from Novell is to upgrade to GW6. But you can try, as others have with mixed success, to patch the GW5.5 server with SP4 and the fgwia55f patch (you should be able to download it from Novell's website). I've heard the majority of people say it didn't work. Only 1 person I know has had success with it. If you need more information let me know (dpellegrini@yahoo.com). I can also give you the details on why ordb keeps you blacklisted. I've tried manually to relay off of our server. All attempts will dump the relay into the problem directory, except when the attempt is made using the gw domain as the sending domain (username doesn't matter) and the username is in quotes. That's how you got tagged by ordb.

Domenick Pellegrini
dpellegrini@yahoo.com

 
We, too, have had some messages rejected due to being blacklisted by ORBS. Novell TID (10058618) says this issue can be fixed and references a newer patch (FGWIA55G.EXE). We have not tried it yet. Has anyone else?

Jfernand
 
Well, here's the latest. We reinstalled GW SP4. The first time not all of the files updated. Then we installed the fgwia patch. After we did this, we tested the server with ordb.org and we passed. But there was 1 gotcha. The following files:
GWENN2.NLM
GWCMC.NLM
GWMTA.NLM
GWPOA.NLM
GWENN15.NLM
GWIA.NLM
GWWEB.NLM

which are found in sys:/system are all supposed to be updated by SP4. GWENN15.NLM and GWIA.NLM get updated by the fgwia patch.

Well, we found out that the GWWeb access would not work. Apparently not all of the files in sys:/system updated to the correct upgraded versions. So we had to manually copy those files from sp4 and fgia and move them to the sys:/system directory. Then we had to look at the associated groupwise/netscape web server NCF files to make sure that any calls to these files were to the sys:/system directory. Once fixed, everything worked just fine. We retested to make sure that we didn't break the relay fix. We still passed.

I hear from a number of sources that the fgwia patch has not worked in most cases. We spoke with Novell about this and they are still only officially recommending an upgrade to GW6 in order to fix the relay issue. But give it a go and hope for the best. Good luck.
 
Hi,

My situation is different. I need to relay from one of my NT servers to my groupwise mail for e-commerce. I send e-statements for several credit unions and it seems that we have been tagged as an open relay. This is how I do business. I just need to know if there is a way to make exceptions that actually work when the access control for the relay is turned off. I have domain name and IP and they still get blocked although they are set to be an exception to the closed relay. Can anyone help? I have one credit union that can't get my messages and I am afraid that more will follow.
 