I know of two ways to prevent mail relaying: IP address and authentication.

IP Address: Most common approach. Relaying is only allowed from a predetermined list of source IP addresses.

Authentication: If the IP addresses of senders cannot be set in advance, then the server must authenticate the sender before allowing him/her to relay mail.

Both approaches do not prevent mail from being sent by anyone exclusively to local recipients of the mail server. If I am sending an email to [EMAIL PROTECTED]; using nslookup I can locate the MX & A records (and IP addresses) for the mail server(s) for domain.com, put them in my SMTP server settings (in my email client) and send emails directly to the server hosting recipients' mailboxes. If any entries in the to, cc or bcc fields are destined to other domains, the server should reject the email as this would be mail relaying, otherwise it should accept it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexander.O'[EMAIL PROTECTED]
Sent: Tuesday, April 16, 2002 10:04 am
To: [EMAIL PROTECTED]
Cc: Chris Keladis; [EMAIL PROTECTED]; [EMAIL PROTECTED]; Bill Royds; 'Paul D. Robertson'; [EMAIL PROTECTED]
Subject: RE: Restrict telnet to port 25 via firewall.

No one has mentioned restricting the commands on the server like VRFY and HELP etc... If you can't verify a name on the server then the person who is faking emails from your server will have a harder time of sending emails from your server.

One of the main problems I have seen with mail servers is that people leave them wide open to be used as a mail relay. One way to help reduce this is to use your ISP's mail servers as the entry and exit point for mail. This way you only need to set your mail server or firewall to allow SMTP connections to your mail server from their mail server, thus reducing the chance of having your mail server being used to send spam mail.

Also I strongly advise you turn relaying off on your mail server as this will get rid of a lot of the fake emails being sent from your server, but if you can do the above this should stop the problem anyway. Although no matter what you do, someone could still fake an email from another mail server but using your domain, so still making you the brunt of any backlash that may occur from someone spamming people with your email address.

The internet, isn't it wonderful :)

Rgds
Alex

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
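
The relay rules discussed in this thread (trusted source IPs, authentication, and local recipients accepted from anyone), written out as an added example that is not part of the original messages. The network range, the local domain set and the function names are assumptions chosen for illustration; the decision is made per envelope recipient, since To, Cc and Bcc entries each reach the server as a separate RCPT TO command.

```python
import ipaddress

# Constructed policy values for illustration (not taken from the thread).
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # relay allowed by source IP
LOCAL_DOMAINS = {"domain.com"}                         # mailboxes hosted on this server


def recipient_domain(rcpt):
    """Return the lower-cased domain of an RCPT TO address, or None if malformed."""
    addr = rcpt.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.rstrip(".").lower()


def may_relay(client_ip, authenticated):
    """Relaying is permitted for authenticated senders or trusted source IPs."""
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in TRUSTED_NETS)


def check_rcpt(client_ip, authenticated, rcpt):
    """Decide one RCPT TO command; returns (smtp_code, text)."""
    domain = recipient_domain(rcpt)
    if domain is None:
        return 501, "5.1.3 Bad recipient address syntax"
    if domain in LOCAL_DOMAINS:
        # Mail for local recipients is accepted from any client.
        return 250, "2.1.5 Ok"
    if may_relay(client_ip, authenticated):
        return 250, "2.1.5 Ok"
    return 550, "5.7.1 Relaying denied"


def check_envelope(client_ip, authenticated, recipients):
    """Map every envelope recipient to the SMTP code the server would return."""
    return {r: check_rcpt(client_ip, authenticated, r)[0] for r in recipients}


if __name__ == "__main__":
    rcpts = ["<user@domain.com>", "<someone@example.net>"]  # constructed sample
    print(check_envelope("203.0.113.9", False, rcpts))  # outside client, no auth
    print(check_envelope("192.0.2.15", False, rcpts))   # trusted source IP
    print(check_envelope("203.0.113.9", True, rcpts))   # authenticated sender
```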
