Hmmm..... here's what I've discovered. If the gurus here would like to chime in at this point, that would be great. My concerns:

If I telnet to port 587 or 25 on my machine, I CANNOT send from any spoofed or real address to any address that's not hosted on my server... I get a 550 error. Nor can I send from a valid address hosted on my server to any external address... again, I get a 550 error for both ports.

However, if I telnet to port 587 or port 25, and mail from: is a local address, and rcpt to: is a local address, it accepts and delivers the message. It does not seem to require SMTP AUTH on EITHER port.

Now, what I REALLY don't understand is, I am using "relay for addresses", and the machine from which I am doing the TELNET'ing is NOT in the allowed addresses list, nor is any of this server's public IPs in the allowed addresses list either. If the FROM and TO address are both local, shouldn't iMail still require SMTP AUTH to deliver that message? Did I change a setting somewhere and screw up my config?

As far as the solution I provided for port forwarding, I don't see how it would make any difference if the above behavior is expected. The only problem we're having is the one I posted a day or so ago, regarding our outgoing messages on port 587 being stamped by mxGuard as spam, while sending via port 25 does not cause that problem. (Still haven't received an answer on that one yet...)

I'm not seeing Gary's described behavior with our particular setup.

marc

> -----Original Message-----
> From: Don Brown [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 05, 2005 12:01 PM
> To: Marc Funaro
> Subject: Re: [IMail Forum] port-map running as a service
>
> Are you saying that the following is not true, in this case. IOW,
> you've tested and there is No Open Relay Vulnerability running this
> mapper the way you've configured it?
>
> "Wednesday, January 26, 2005, 10:19:14 AM, Gary Brumm <[EMAIL PROTECTED]> wrote:
> GB> The problem with these programs (I tried Port Tunnel) is that all of the
> GB> messages that come through the alternate port appear to originate from
> GB> the IMail machine's IP and this makes you an open relay. This happens
> GB> even if the machine's IPs are not in the "allow these IPs list".
> GB> Authenticated SMTP still works but is not needed. If someone has a
> GB> solution to this please let me know.
> GB> Thanks,
> GB> Gary"
>
> Wednesday, February 2, 2005, 8:13:27 PM, Marc Funaro <[EMAIL PROTECTED]> wrote:
> MF> In reply to my own post.
>
> MF> I have successfully configured an application to run as a service to map
> MF> port 587 to port 25. I provide instructions below to everyone on the list,
> MF> in the hopes that it will help someone else. I welcome
> MF> corrections/additions/etc. to make this document as accurate as possible. I
> MF> believe it is useful because it allows iMail to accept mail on a port other
> MF> than 25, so that email clients that are connecting with an ISP that is
> MF> blocking port 25 can still utilize your own server for outgoing mail.
>
> MF> Note this has ONLY been tested on Windows 2003 Server, with iMail 7.15.
> MF> You'll need to obtain the (free) Windows 2003 Resource Kit Tools and the
> MF> (free) port mapping software. No guarantees, use at your own risk, blah
> MF> blah blah...
>
> MF> ===============================================
> MF> Get the port mapping software and "install" it:
> MF> ===============================================
>
> MF> Obtain the port-mapping application from http://www.kmint21.com.
>
> MF> Unzip and put the contents of the download in C:\Program Files\port-map\
>
> MF> =====================================================
> MF> Run the port mapping software using a command prompt:
> MF> =====================================================
>
> MF> c:\progra~1\port-map\pm.exe 5587 {imail.box.ip.addy} 25 w h
>
> MF> A window with status information should open for you.
>
> MF> (note the "5587" is not a typo for mapping port 587 -- pm.exe seems to
> MF> ignore the first character of the port number you are mapping to a local
> MF> port. Note that the authors of pm.exe may very well fix this in the future,
> MF> and therefore you may need to adjust your parameters in the future if you
> MF> obtain a newer version of pm.exe. The W lets the app write a log file in
> MF> the app's own directory, and the H tells the app to run "hidden". You may
> MF> wish to remove the W parameter after testing is complete, unless you don't
> MF> mind cleaning/removing the log file every now and then.)
>
> MF> ==========================================
> MF> Test your access to port 587 using telnet:
> MF> ==========================================
>
> MF> At a command prompt, type:
> MF> telnet yourmachine.example.com 587
>
> MF> You should get a response from your server, and be able to issue an ehlo
> MF> command and get a normal response from your mail server... just as you would
> MF> if you had connected on port 25.
>
> MF> ====================================
> MF> Since you're already in a telnet session, you might as well test to see if
> MF> you can send a message to a local email address.
> MF> Enter the following telnet commands one at a time:
> MF> ====================================
>
> MF> ehlo
> MF> mail from: {your email address}
> MF> rcpt to: {your email address}
> MF> data
> MF> test using port 587
> MF> .
>
> MF> (The dummy message should be queued at this point, and you should receive
> MF> your message fairly immediately).
>
> MF> ====================================
> MF> Since you're already in a telnet session, you might as well test to see if
> MF> implementing port 587 mapping has made you an open relay in some way.
> MF> Enter the following telnet commands one at a time:
> MF> ====================================
>
> MF> ehlo
> MF> mail from: [EMAIL PROTECTED]
> MF> rcpt to: [EMAIL PROTECTED]
>
> MF> (after submitting the "rcpt to" command you should get a 550 error. If it
> MF> says "ok" and awaits DATA, then you are an open relay. Check to make sure
> MF> your own iMail server's IP addresses are not in the "relay for addresses"
> MF> list.)
>
> MF> =====================
> MF> IF YOU GOT THIS FAR:
> MF> =====================
>
> MF> --You are able to run the pm.exe software and properly map port 587 to port
> MF> 25 using the command line.
>
> MF> --You are able to send yourself a message using telnet on port 587.
>
> MF> --You are NOT able to send a message from a non-local address to another
> MF> non-local address using port 587.
>
> MF> --If you specified the W command line switch, you should see a log file in
> MF> the same directory as pm.exe, in which you can review the telnet connections
> MF> you tried above.
>
> MF> You will now probably want to set up your machine so that pm.exe runs "as a
> MF> service" so that you don't have to remember to log in and enter the command
> MF> line to start the app/redirector every time you start the machine... I
> MF> therefore provide:
>
> MF> ====================================================
> MF> Instructions for running the pm.exe app as a service
> MF> ====================================================
>
> MF> Stop the app that you launched using the command line instructions above.
>
> MF> Go to www.microsoft.com/downloads and enter Windows 2003 Resource Kit Tools
> MF> in the keyword search. Download the Windows 2003 Resource Kit Tools
> MF> executable, and run it to install the apps... This will install a bunch of
> MF> little apps, including the two you need: instsrv.exe and srvany.exe.
>
> MF> ==============================
> MF> Install a new "blank" service:
> MF> ==============================
>
> MF> In a command prompt:
> MF> CD to C:\Program Files\Windows Resource Kits\Tools
>
> MF> Then type:
> MF> instsrv Port587Map "c:\Program Files\Windows Resource Kits\Tools\srvany.exe"
>
> MF> =====================================
> MF> RESPONSE FROM THIS COMMAND SHOULD BE:
> MF> =====================================
>
> MF> "The service was successfuly added!
>
> MF> Make sure that you go into the Control Panel and use
> MF> the Services applet to change the Account Name and
> MF> Password that this newly installed service will use
> MF> for its Security Context."
>
> MF> Now you have a "blank" service installed (you can confirm this by looking at
> MF> the Windows 2003 SERVICES applet). Now you need to configure the service
> MF> so that it actually does something:
>
> MF> =======================================
> MF> To configure the service using RegEdit:
> MF> =======================================
>
> MF> Click the Start button, and then click Run.
>
> MF> In the Open box, type regedit, and click OK.
>
> MF> Add a new subkey named Parameters in the following registry location:
> MF> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
>
> MF> Right-click the newly created service name, point to New, and then click
> MF> Key.
>
> MF> In the console pane, for the name of the new key, type Parameters.
>
> MF> To specify the target application, right-click the Parameters subkey, point
> MF> to New, and then click String Value.
>
> MF> Type the name of the new entry as Application.
>
> MF> Right-click Application and then click Modify.
>
> MF> In the Edit String window, in Value Data, type the full path to the
> MF> application, including the application name and extension. For the port-map
> MF> application, you'd type:
> MF> c:\progra~1\port-map\pm.exe
>
> MF> ============================================================================
> MF> Now tell it what parameters to use when running the pm.exe app as a service:
> MF> ============================================================================
>
> MF> Right-click the Parameters subkey, point to New, and then click String
> MF> Value.
>
> MF> Type the name of the new entry as AppParameters.
>
> MF> Right-click AppParameters and then click Modify.
>
> MF> In the Edit String window, in Value Data, type the parameters for the
> MF> application.
> MF> For our purposes, use:
> MF> 5587 {imail.box.ip.addy} 25 w h
>
> MF> Add a "Description" key to the root service key (folder), and enter "Maps
> MF> port 587 (SMTP AUTH) to port 25 for additional SMTP support" as the
> MF> description. (Or whatever the blazes you want. This is a nice "extra"...
> MF> it provides description text in the Windows 2003 SERVICES applet, so that
> MF> if you forget you added the service you won't think you've been hacked or
> MF> something.)
>
> MF> ============================
> MF> RUN IT, TEST IT, ANNOUNCE IT
> MF> ============================
>
> MF> Close the registry editor, open the services applet, find your new service,
> MF> and start it. It should start with no difficulties, and if you open Task
> MF> Manager, you should see pm.exe as a running process. At this point, you
> MF> should re-run the telnet tests to make sure all is well, and maybe even
> MF> reboot the machine to make sure that the service starts when the machine
> MF> boots. If so, you're all ready to start telling your email users that they
> MF> can configure their mail clients to send on port 587 (SMTP AUTH) to bypass
> MF> any ISP blocking of port 25.
>
> MF> HTH,
>
> MF> Marc
>
> MF> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> MF> List Archive:
> MF> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> MF> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
>
> ----
> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
> [EMAIL PROTECTED] http://www.inetconcepts.net
> (972) 788-2364 Fax: (972) 788-5049
> ----
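The thread turns on two points: a local recipient is accepted without SMTP AUTH because that is inbound delivery, not relaying, and a userland port forwarder makes every connection look like it came from the server's own IP, so an IP-based "relay for addresses" list is what decides whether port 587 becomes an open relay. The model below is an added illustration, not code from the thread, IMail or pm.exe; the domains, IPs and the exact policy order are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed values for the model; nothing here comes from the original thread.
LOCAL_DOMAINS = {"example.com"}            # domains this IMail box hosts
SERVER_IP = "198.51.100.5"                 # the IMail box's own public IP
OUTSIDE_IP = "203.0.113.77"                # a roaming client / telnet tester


@dataclass(frozen=True)
class Session:
    peer_ip: str        # the address the MTA sees on the accepted TCP connection
    mail_from: str
    rcpt_to: str
    authenticated: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def rcpt_decision(s: Session, relay_for_addresses: set) -> tuple:
    """Simplified RCPT TO policy (assumed to mirror the thread's description):
    a local recipient is plain inbound mail and is always accepted; anything
    else is relaying and needs SMTP AUTH or a peer IP on the allow list."""
    if domain_of(s.rcpt_to) in LOCAL_DOMAINS:
        return 250, "local recipient, no relay involved"
    if s.authenticated or s.peer_ip in relay_for_addresses:
        return 250, "relay permitted"
    return 550, "relaying denied"


def via_port_mapper(s: Session) -> Session:
    """A forwarder like pm.exe opens a fresh connection to port 25 from the
    server itself, so the MTA sees SERVER_IP instead of the real client."""
    return replace(s, peer_ip=SERVER_IP)


def thread_scenarios() -> dict:
    """Reproduce the four situations discussed in the thread as status codes."""
    inbound = Session(OUTSIDE_IP, "user@example.com", "user@example.com")
    relay = Session(OUTSIDE_IP, "a@outside.test", "b@elsewhere.test")
    strict = set()                 # server's own IPs NOT on the list (Marc)
    loose = {SERVER_IP}            # server's own IP on the list (Gary's case)
    return {
        "local_to_local_no_auth": rcpt_decision(inbound, strict)[0],
        "relay_direct_no_auth": rcpt_decision(relay, strict)[0],
        "relay_via_mapper_ip_not_listed": rcpt_decision(via_port_mapper(relay), strict)[0],
        "relay_via_mapper_ip_listed": rcpt_decision(via_port_mapper(relay), loose)[0],
        "relay_via_mapper_with_auth": rcpt_decision(
            via_port_mapper(replace(relay, authenticated=True)), strict)[0],
    }
```

The last key shows why SMTP AUTH keeps working through the mapper, and the two "via_mapper" keys show that the only thing separating Marc's 550 from Gary's open relay is whether the server's own IP appears in "relay for addresses".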
