Hrm. Just found out my SMTP server (smail at the time, now exim) was open to relaying when I found to my unpleasant surprise a bunch of bounces from spam in my postmaster box.

This seems to be the problem. I had the MTA configured correctly to not relay, but since I have the MTA running on a separate machine in a perimeter network behind the firewall, and since I was using redir to redirect SMTP to it through the firewall from outside, the MTA was doing all its checking against the IP address of the firewall, not the outside source. I.e., it thinks the SMTP connection is coming from the firewall.

I managed to plug the hole in exim by explicitly not listing the firewall as a host allowed to relay, but this seems like a poor solution since I would imagine things like RBL filtering and even basic spoofing would be similarly undetectable by the MTA.

It also makes me wonder what other services would suffer. I do use tcpd to wrap the redir command, so at least some protection is there, but if daemons on the perimeter box (which supplies www, ftp, and smtp) always think packets are coming from the firewall then they can't perform protocol-specific validation that depends on the origin IP address.

Any thoughts on the matter from you smart folks? I have some general questions:

1) should I be using a forward-only SMTP server at the firewall, rather than port forwarding?
2) should I be using something other than redir for port forwarding?
3) are there any other holes I'm missing due to this setup?

I unlimbered the latest version of SAINT and pounded everything, and have plugged several other things while I'm at it. Fun, I suppose, but more than a little unsettling. Interestingly enough, SAINT quit complaining about SMTP relaying when I switched to exim, but the `telnet mail-abuse.org` verifier still complained until I turned off relaying for the firewall.

-- 
Paul Reavis [EMAIL PROTECTED]
Design Lead
Partner Software, Inc.
http://www.partnersoft.com
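
The behaviour described in the message above, modelled as an added example (not part of the original post and not exim's own logic): a host-based relay rule and an RBL-style lookup both key on the peer address of the SMTP socket, which behind a userspace forwarder is always the firewall. The addresses, domains and function names are constructed for illustration.

```python
import ipaddress

# Constructed layout (documentation address ranges), assumed for illustration.
FIREWALL = "192.0.2.1"           # address the redir host uses toward the MTA
LOCAL_DOMAINS = {"example.org"}  # domains the MTA accepts mail for

def seen_peer(client_ip, forwarded):
    """Address the MTA obtains for the SMTP connection."""
    # A userspace forwarder accepts the client and opens a second TCP
    # connection of its own, so the MTA's peer is the forwarder's host.
    return FIREWALL if forwarded else client_ip

def relay_decision(peer_ip, rcpt_domain, relay_nets):
    """Host-based rule: local recipients always, others only from relay_nets."""
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept"
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(net) for net in relay_nets):
        return "relay"
    return "reject"

def dnsbl_key(peer_ip):
    """Reversed-octet name an RBL-style check would look up for this peer."""
    return ".".join(reversed(peer_ip.split(".")))

def evaluate(client_ip, rcpt_domain, relay_nets, forwarded=True):
    """Return (peer seen by MTA, relay verdict, RBL lookup key)."""
    peer = seen_peer(client_ip, forwarded)
    return peer, relay_decision(peer, rcpt_domain, relay_nets), dnsbl_key(peer)

if __name__ == "__main__":
    outside = "203.0.113.50"                # constructed external client
    before = ["192.0.2.0/24"]               # relay list that covers the firewall
    after = ["192.0.2.10/32"]               # firewall no longer listed
    for label, nets, fwd in (("forwarded, firewall listed", before, True),
                             ("forwarded, firewall removed", after, True),
                             ("direct, firewall listed", before, False)):
        print(label, evaluate(outside, "elsewhere.example", nets, fwd))
```

Removing the firewall from the relay list changes the verdict to reject, but the RBL key is still derived from the firewall's address, so origin-based filtering stays blind until the MTA sees the real client address.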

