At 02:09 PM 2/12/2002 -0500, R. Scott Perry wrote:
If you need to close your open relay (which you do), and you can't force users to use SMTP AUTH, then you will have to identify them based on their IP address range(s), using the "Relay for Addresses" option.

I was under the impression that if we used "Relay for local users only" that iMail would do just that and reject any request from a "From" address that was not a local user. Am I wrong? It appears so.
One of our domains somehow got on an "Open Relay" black list at njabl.org and certain destination servers have been blocking messages sent from the domain.
My belief was that anyone trying to send e-mail allegedly from a user account on the server would have to provide a password to send a message. So it shouldn't be possible to hack in with a bogus address and send email, right?
When I started checking into it and running some of my own tests I discovered I could set up a bogus "personality" on my Eudora ([EMAIL PROTECTED]) and send a message to myself at another e-mail address in another domain on the same iMail server. The bloody thing was passed right on through although oscarmeyer is NOT a user on the domain and, in fact, fails authentication. I did this because I could see in the log that this sort of thing is apparently what njabl did in testing us. They sent a message that looked like this (non-essentials removed):
From: [EMAIL PROTECTED] ......
To: [EMAIL PROTECTED]
It got right through.
However, that was before I discovered we had it set to "Relay for local hosts only". I reset it to "Relay for local users only" but forgot to restart the SMTP so it looks like it didn't care about remote destinations at that point. But now I can STILL relay from a bogus "local" address to a local user. Maybe I don't care about that really as I don't think I have ever seen spam sent that way. The question I have is: the next time they (njabl) test, will they fail to get their message through?
Why didn't iMail reject it if this sender was not a local account and failed authentication? It appears that iMail takes a little misstep after determining that the user, although allegedly from a local host, has not provided the right password (or the account is missing), and treats it as a foreign sender and the message as a received message from any old source. It DOES appear it will not relay to an outside address, as it flags the destination as an invalid local user, indicating to me it will only ACCEPT mail and not relay if the sender is not local. What I have not tried is forging a valid local user name (and I can see in the log where some folks have been trying to sniff out user names on several domains), sending a message to a foreign server and checking to see if it gets through even though user authentication will fail.
But, even if it was a forged local account, how can someone send a message through the server without providing the valid user password? Or more properly, why does iMail pass it on?
Regarding requiring SMTP AUTH, this is a place I don't really want to go. Many of our users barely know how to get their e-mail. I can just imagine the nightmare we would have trying to get them to set up the authentication for Netscape, Outlook, Outlook Express, Eudora and who knows what else. Listing their IP addresses is out of the question as there are several hundred users, some of whom have dial-up lines through ISPs where the same IP address may never come up twice.
Orin R. Wells
AWASCO, Inc.
P. O. Box 5427
Kent, WA 98064-5427
(253) 630-5296
email: [EMAIL PROTECTED]
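
A generic model of the relay decision this thread is about, added here as an example; it is not part of the original message and not iMail's code. The domain, network range, function names and the `trust_from` switch are constructed assumptions, and the model does not check whether a local recipient actually exists.

```python
import ipaddress

# Constructed sample configuration (assumptions, not values from the thread).
LOCAL_DOMAINS = {"example.com"}
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def domain_of(address):
    """Domain part of an envelope address; '' for the null sender."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def relay_decision(client_ip, authenticated, mail_from, rcpt_to,
                   trust_from=False):
    """Return 'deliver', 'relay' or 'reject' for one envelope recipient.

    trust_from=True models the weak policy of treating a local-looking
    MAIL FROM as proof of a local user. The sender address is whatever
    the client typed; SMTP itself never verifies it.
    """
    # Mail addressed to a local domain is inbound delivery, not relaying,
    # so the claimed sender does not matter here.
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "deliver"
    # Remote recipient: relay only for a session that proved who it is,
    # either with SMTP AUTH or by connecting from a listed address range.
    if authenticated:
        return "relay"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETWORKS):
        return "relay"
    if trust_from and domain_of(mail_from) in LOCAL_DOMAINS:
        return "relay"  # weak: the forged local sender is believed
    return "reject"


def audit(trust_from):
    """Run constructed probes from an outside, unauthenticated client."""
    outside = "203.0.113.9"
    forged = "oscarmeyer@example.com"  # constructed, not a real account
    return {
        "forged local -> local": relay_decision(
            outside, False, forged, "user@example.com", trust_from),
        "forged local -> remote": relay_decision(
            outside, False, forged, "someone@elsewhere.test", trust_from),
    }
```
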
