I was under the impression that if we used "Relay for local users only" that iMail would do just that and reject any request from a "From" address that was not a local user.ok, here we go for the 10,000th time....
That's correct, but the MAIL FROM: is forgeable, so relay for local users or local hosts is an open relay, as we're repeated 1000's of times on this list for years.
One of our domains somehow got on an "Open Relay" black list at njabl.org and certain destination servers have been blocking messages sent from the domain.
no surprise
My belief was that anyone trying to send e-mail allegedly from a user account on the server would have to provide a password to send a message.
no, they only have say the MAIL FROM: is local user or host.
So it shouldn't be possible to hack in with a bogus address and send email, right?
wrong
When I started checking into it and running some of my own tests I discovered I could set up a bogus "personality" on my Eudora ([EMAIL PROTECTED]) and send a message to myself at another e-mail address in another domain on the same iMail server.
that's not "relay" (to non-local domains), that's delivery to local domains
However, that was before I discovered we had it set to "Relay for local hosts only". I reset it to "relay for local users only" but forgot to restart the SMTP so it looks like it didn't care about remote destinations at that point. But now I can STILL relay from a bogus "local" address to a local user. Maybe I don't care about that really as I don't think I have ever seen spam sent that way. The question I have is the next time they (njabl) test will they fail to get their message through?
yes. set SMTP security to "no relay" or "relay for addresses"
But, even if it was a forged local account how can someone send a message through the server without providing the valid user password? Or more properly, why does iMail pass it on?
if the mail from is a local user/host, Imail needs no authentication.
This list has been through your situation 1000's of times. Please check the archives.Regarding requiring SMTP AUTH, this is a place I don't really want to go.
Len
To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
