yes, that means the client will not attempt to send username/password. however, IF you have one of the relay for xxx options turned on, and the user is not a member of that group, for instance address, the user will not be able to send/rcv. so, when you have relay for xx turned on, and you don't know someones IP, you tell that client to configure the mail client to send username/pass, in outlook this is done by clicking the checkbox for, " my server requires authentication, what happens then is when outlok connects to the mail server, the first thing it does is says hi mail server, my name is Don and i can prove that by giving you this password which is xxxxx can i please have my mail, imail server responds with, ok don, the password you just gave me matches the password i have on file so i will consider you a local user for the remainder of this session, here's your mail. maybe i can give a generalisation (is that right) of how my system is setup Imail Server 7.04hf1 smtp security= Relay Mail for "Addresses" which contains, my internal class 'c' block and a couple of other blocks which i know connect to my server for smtp. Client: Outlook 2k on Win2k pro: under the tools menu, then Accounts then properties then the servers tab. all the way at the bottom i checked the box beside "My Server requires Authentication"
now, while i am internal, it doesn't really matter if this option is checked or not, because my ip address is IN the address list, however since i use a laptop, when i go home my address is static but not listed in the relay for addresses list, so if i have the authentication box unchecked, the server says no sorry, you don't belong here, but when i have it checked, the sequence is the same as above where outlook is telling the server who i am and proving it by sending the associated password, so when that happens the server considers me local. this is according to the imail server logs. hope this helps out any of you doing the same Don -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of IMail Admin at BC Web Sent: Wednesday, November 14, 2001 7:48 PM To: [EMAIL PROTECTED] Subject: Re: [IMail Forum] SMTP Relay. What can we do better. Hey Todd, Very clear explanation. Now the question becomes: is SMTP AUTH really on all the time? In Outlook Express, there's an option, "server requires authentication for ourgoing (SMTP) mail," on the Server tab of the Account Properties dialog box. If this is unchecked, doesn't that mean the client will connect without SMTP AUTH? Thanks, Ben ----- Original Message ----- From: "Todd Holt" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, November 14, 2001 6:20 PM Subject: RE: [IMail Forum] SMTP Relay. What can we do better. > There are 2 solutions here that work independently, but in concert. > > 1. SMTP AUTH works all of the time. As far as I know, it cannot be turned > off. It is independent of the relay setting. It is independent of the IP > address. And the address can change anytime. All it needs is a connection > to port 25 of the IMail server. The client will send credentials to the > server for authentication on each SMTP session opened (basically, each time > a message is sent). > > 2. The relay setting: If you use "No Relay", you can still have clients send > SMTP messages by using SMTP AUTH (remember, it can't be turned off). Using > "Relay for Addresses" is essentially a whitelist of IP addresses that can > send SMTP messages throught the server (relay) without requiring > authentication. Typically, these are machines that run automated processes > that generate email (i.e. not typically your domain controller). These are > also addresses that typically reside "inside" the firewall. This keeps them > from being spoofed. If you choose, you can specify a public IP address > (like a client's server, or perhaps their firewall public address if they > are using NAT), but it may be possible to spoof this address (b/c you have > no control of what goes on out in the big, bad world). > > Summary: By using "Relay for Addresses", you allow a unknown number of > clients with unknown IPs to relay after being authenticated and you allow a > known number (keep this list as small as possible) of machines to relay > without authenticating. Be sure that you trust any machine on the address > list!!! > > Hope this helps. > > Todd > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of IMail Admin at > BC Web > Sent: Wednesday, November 14, 2001 5:04 PM > To: [EMAIL PROTECTED] > Subject: Re: [IMail Forum] SMTP Relay. What can we do better. > > > There are a couple of these messages that bring up a good point that I'm > unsure of: when you use "relay for address," how do you handle clients when > you don't know their IP address? That is, is there a way to make "relay for > address" work for clients that may come through any arbitrary ISP and have > any (unknown) IP address? > > Ben Bednarz > > ----- Original Message ----- > From: "John Tolmachoff" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, November 14, 2001 1:42 PM > Subject: RE: [IMail Forum] SMTP Relay. What can we do better. > > > Although not the best way, I am currently using Relay for local host > only, with Declude Hijack running in back ground. It has solved problems > we have had in the past. > > We are unable to use relay for address because some of our clients are > on DSL which uses DHCP. And some of these users are MAC. > > Unless someone has a better idea. > > John Tolmachoff, Network Engineer > > 211 E. Imperial Hwy., Suite 106 > Fullerton, CA 92835 > 714-578-7999, ext. 104 > [EMAIL PROTECTED] > [EMAIL PROTECTED] > www.reliancesoft.com > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of R. Scott Perry > Sent: Wednesday, November 14, 2001 10:04 AM > To: [EMAIL PROTECTED] > Subject: Re: [IMail Forum] SMTP Relay. What can we do better. > > > >Last week, a person was able to relay 300,000 emails through our Imail > >server. Our current relay is setup for USERS only. > > So you were allowing him to send spam. > > >The person was able to relay mail through our system by changing his > computer > >name to a domain name in IMail, and creating an email account on his > computer > >the same as an email account in one of our Imail domains. > > No, it's not nearly that difficult. In their spamware, when asked "What > > address do you want listed as the sender of the E-mail", they just > entered > "[EMAIL PROTECTED]". No changing of computer names, no creating > E-mail > accounts, no hacking involved. > > >Since IMail was setup for RELAY FOR USERS ONLY, everything worked > correctly. > > That's correct. "Relay for users" means that you will let anyone relay > if > they have an account on your server, or are willing to use an E-mail > address on your server. > > >Even if we had setup IMail relay for HOSTS ONLY, the same thing would > have > >occurred. > > Quite true. "Relay for hosts" means that anyone can relay mail through > your server if they have an account on your server, or are willing to > use a > made-up E-mail address on your server. > > > We tried the NO RELAY option, but unfortunately, since the accept.txt > > > file does not work for NO > >RELAY, none of our emails from WhatsUP Gold could be sent, and some of > our > >third party applications like FrontPage etc... cannot use SMTP > >Authentication. > > With "No Mail Relay", you don't use accept.txt -- it means that everyone > > has to use SMTP AUTH. > > "Relay for Addresses" does what you are looking for (although you don't > use > the accept.txt file, you use the button next to "Relay for Addresses" to > > list the "safe" IP addresses. > > >It would be nice if the ACCEPT.TXT file would worked for NO RELAY but > it > >doesn't. > > No. "No mail relay" really means "Only relay for people using SMTP > AUTH". If IMail let certain users bypass it, then it would be "Relay > for > Addresses" (which it already has). > > >I'm a little upset about this because it was pretty simple for this > person > >to do this ... > > The problem is that IMail doesn't make it clear that several of their > anti-relay options don't prevent spammers from using your mail server. > The > "Relay for Users" option isn't designed to stop spammers. > > -Scott > --- > Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for > IMail. http://www.declude.com > > > Please visit http://www.ipswitch.com/support/mailing-lists.html > to be removed from this list. > > An Archive of this list is available at: > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ > > > Please visit http://www.ipswitch.com/support/mailing-lists.html > to be removed from this list. > > An Archive of this list is available at: > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ > > > > Please visit http://www.ipswitch.com/support/mailing-lists.html > to be removed from this list. > > An Archive of this list is available at: > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ > > > Please visit http://www.ipswitch.com/support/mailing-lists.html > to be removed from this list. > > An Archive of this list is available at: > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ > Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/ Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
