Hello
MF> If I telnet to port 587 or 25 on my machine, I CANNOT send from any spoofed
MF> or real address to any address that's not hosted on my server... I get a 550
MF> error.
As expected. Your server does not relay for anybody.
But anybody can send mail to an existing local user. You never need
any auth to send mail to a local recipient. If authentication were
required, no external mail server would be able to send email to
the addresses on your server.
MF> Nor can I send from a valid address hosted on my server to any external
MF> address... again, I get a 550 error for both ports.
Yes. If you put the IP of your server in the "relay mail for" list, it
will be possible. But be aware that if you use a redirector service on
the same machine, EVERY mail to port 587 will be allowed! (Even
spammers' email) - so DON'T DO THIS!
MF> However, if I telnet to port 587 or port 25, and mail from: is a local
MF> address, and rcpt to: is a local address, it accepts and delivers the
MF> message. It does not seem to require SMTP AUTH on EITHER port.
Yes. Local delivery is always allowed. Only relaying (sending to
addresses which are not local and which must be forwarded to another
SMTP server) is forbidden.
MF> Now, what I REALLY don't understand is, I am using "relay for addresses",
MF> and the machine from which I am doing the TELNET'ing is NOT in the allowed
MF> addresses list, nor is any of this server's public IPs in the allowed
MF> addresses list either. If the FROM and TO address are both local, shouldn't
MF> iMail still require SMTP AUTH to deliver that message? Did I change a
MF> setting somewhere and screw up my config?
No. No auth for local addresses (see above...)
So everything should be OK - so far...
The important test is: if you telnet to the server from any machine
and send a mail to a NON-LOCAL address (e.g. this list), is it allowed?
If YES, you have an open relay and have to correct your settings.
If NO (and this means 5xx regardless of whether your MAIL FROM/HELO is local
or not), then everything is OK.
>The only
>problem we're having is the one I posted a day or so ago, regarding our
>outgoing messages on port 587 being stamped by mxGuard as spam, while
>sending via port 25 does not cause that problem. (Still haven't received an
>answer on that one yet...) I'm not seeing Gary's described behavior with
>our particular setup.
Check the mail logs! I assume that your mail server will mark the
mail as spam because the HELO and the IP addresses won't match on port
587. Your redirector changes the source IP of the mail connection if
you go to 587. It will be either the address of the redirector machine
or, if you use a router, the router's internal address.
So have a look at the HELO/EHLO command and the IP address for
connections coming in on 25 and 587. I think they will not match on
port 587!
If the spam check does a DNS reverse lookup for the connection's
IP address, it will get a different IP than it gets if it resolves the
domain name given with the HELO command. This is an indicator of spam
(e.g. dialup users will not have the correct rDNS for the given mail
domain...)
I think it will be very difficult to fix this....
Have a nice weekend
Matti
>> -----Original Message-----
>> From: Don Brown [mailto:[EMAIL PROTECTED]
>> Sent: Saturday, February 05, 2005 12:01 PM
>> To: Marc Funaro
>> Subject: Re: [IMail Forum] port-map running as a service
>>
>>
>> Are you saying that the following is not true, in this case. IOW,
>> you've tested and there is No Open Relay Vulnerability running this
>> mapper the way you've configured it?
>>
>> "Wednesday, January 26, 2005, 10:19:14 AM, Gary Brumm
>> <[EMAIL PROTECTED]> wrote:
>> GB> The problem with these programs (I tried Port Tunnel) is
>> that all of the
>> GB> messages that come through the alternate port appear to
>> originate from
>> GB> the IMail machine's IP and this makes you an open relay.
>> This happens
>> GB> even if the machine's IPs are not in the "allow these IPs list".
>> GB> Authenticated SMTP still works but is not needed. If
>> someone has a
>> GB> solution to this please let me know.
>> GB> Thanks,
>> GB> Gary"
>>
>>
>> Wednesday, February 2, 2005, 8:13:27 PM, Marc Funaro
>> <[EMAIL PROTECTED]> wrote:
>> MF> In reply to my own post.
>>
>> MF> I have successfully configured an application to run as a
>> service to map
>> MF> port 587 to port 25. I provide instructions below to
>> everyone on the list,
>> MF> in the hopes that it will help someone else. I welcome
>> MF> corrections/additions/etc. to make this document as accurate
>> as possible. I
>> MF> believe it is useful because it allows iMail to accept mail
>> on a port other
>> MF> than 25, so that email clients that are connecting with an
>> ISP that is
>> MF> blocking port 25 can still utilize your own server for outgoing mail.
>>
>> MF> Note this has ONLY been tested on Windows 2003 Server, with
>> iMail 7.15.
>> MF> You'll need to obtain the (free) windows 2003 resource kit
>> tools and the
>> MF> (free) port mapping software. No guarantees, use at your
>> own risk, blah
>> MF> blah blah...
>>
>> MF> ===============================================
>> MF> Get the port mapping software and "install" it:
>> MF> ===============================================
>>
>> MF> Obtain the port-mapping application from http://www.kmint21.com.
>>
>> MF> Unzip and put the contents of the download in C:\Program
>> Files\port-map\
>>
>>
>> MF> =====================================================
>> MF> Run the port mapping software using a command prompt:
>> MF> =====================================================
>>
>> MF> c:\progra~1\port-map\pm.exe 5587 {imail.box.ip.addy} 25 w h
>>
>> MF> A window with status information should open for you.
>>
>> MF> (note the "5587" is not a typo for mapping port 587 --
>> pm.exe seems to
>> MF> ignore the first character of the port number you are
>> mapping to a local
>> MF> port. Note that the authors of pm.exe may very well fix
>> this in the future,
>> MF> and therefore you may need to adjust your parameters in the
>> future if you
>> MF> obtain a newer version of pm.exe. The W lets the app write
>> a log file in
>> MF> the app's own directory, and the H tells the app to run
>> "hidden". You may
>> MF> wish to remove the W parameter after testing is complete,
>> unless you don't
>> MF> mind cleaning/removing the log file every now and then.)
>>
>>
>> MF> ==========================================
>> MF> Test your access to port 587 using telnet:
>> MF> ==========================================
>>
>> MF> At a command prompt, type:
>> MF> telnet yourmachine.example.com 587
>>
>> MF> You should get a response from your server, and be able to
>> issue an ehlo
>> MF> command and get a normal response from your mail server...
>> just as you would
>> MF> if you had connected on port 25.
>>
>>
>> MF> ====================================
>> MF> Since you're already in a telnet session, you might as well
>> test to see if
>> MF> you can send a message to a local email address.
>> MF> Enter the following telnet commands one at a time:
>> MF> ====================================
>>
>> MF> ehlo
>> MF> mail from: {your email address}
>> MF> rcpt to: {your email address}
>> MF> data
>> MF> test using port 587
>> MF> .
>>
>>
>> MF> (The dummy message should be queued at this point, and you
>> should receive
>> MF> your message fairly immediately).
>>
>>
>> MF> ====================================
>> MF> Since you're already in a telnet session, you might as well
>> test to see if
>> MF> implementing port 587 mapping has made you an open relay in some way.
>> MF> Enter the following telnet commands one at a time:
>> MF> ====================================
>>
>> MF> ehlo
>> MF> mail from: [EMAIL PROTECTED]
>> MF> rcpt to: [EMAIL PROTECTED]
>>
>> MF> (after submitting the "rcpt to" command you should get a 550
>> error. If it
>> MF> says "ok" and awaits DATA, then you are an open relay.
>> Check to make sure
>> MF> your own iMail server's IP addresses are not in the "relay
>> for addresses"
>> MF> list.)
>>
>>
>> MF> =====================
>> MF> IF YOU GOT THIS FAR:
>> MF> =====================
>>
>> MF> --You are able to run the pm.exe software and properly map
>> port 587 to port
>> MF> 25 using the command line.
>>
>> MF> --You are able to send yourself a message using telnet on port 587.
>>
>> MF> --You are NOT able to send a message from a non-local
>> address to another
>> MF> non-local address using port 587.
>>
>> MF> --If you specified the W command line switch, you should see
>> a log file in
>> MF> the same directory as pm.exe, in which you can review the
>> telnet connections
>> MF> you tried above.
>>
>> MF> You will now probably want to set up your machine so that
>> pm.exe runs "as a
>> MF> service" so that you don't have to remember to log in and
>> enter the command
>> MF> line to start the app/redirector every time you start the
>> machine... I
>> MF> therefore provide:
>>
>>
>> MF> ====================================================
>> MF> Instructions for running the pm.exe app as a service
>> MF> ====================================================
>>
>> MF> Stop the app that you launched using the command line
>> instructions above.
>>
>> MF> Go to www.microsoft.com/downloads and enter Windows 2003
>> Resource Kit Tools
>> MF> in the keyword search. Download the Windows 2003 Resource Kit Tools
>> MF> executable, and run it to install the apps... This will
>> install a bunch of
>> MF> little apps, including the two you need: instsrv.exe and srvany.exe.
>>
>>
>> MF> ==============================
>> MF> Install a new "blank" service:
>> MF> ==============================
>>
>> MF> In a command prompt:
>> MF> CD to C:\Program Files\Windows Resource Kits\Tools
>>
>> MF> Then type:
>> MF> instsrv Port587Map "c:\Program Files\Windows Resource
>> Kits\Tools\srvany.exe"
>>
>>
>> MF> =====================================
>> MF> RESPONSE FROM THIS COMMAND SHOULD BE:
>> MF> =====================================
>>
>> MF> "The service was successfully added!
>>
>> MF> Make sure that you go into the Control Panel and use
>> MF> the Services applet to change the Account Name and
>> MF> Password that this newly installed service will use
>> MF> for its Security Context."
>>
>>
>> MF> Now you have a "blank" service installed (you can confirm
>> this by looking at
>> MF> the Windows 2003 SERVICES applet). Now you need to
>> configure the service
>> MF> so that it actually does something:
>>
>>
>> MF> =======================================
>> MF> To configure the service using RegEdit:
>> MF> =======================================
>>
>> MF> Click the Start button, and then click Run.
>>
>> MF> In the Open box, type regedit, and click OK.
>>
>> MF> Add a new subkey named Parameters in the following registry location:
>> MF> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
>>
>> MF> Right-click the newly created service name, point to New,
>> and then click
>> MF> Key.
>>
>> MF> In the console pane, for the name of the new key, type Parameters.
>>
>> MF> To specify the target application, right-click the
>> Parameters subkey, point
>> MF> to New, and then click String Value.
>>
>> MF> Type the name of the new entry as Application.
>>
>> MF> Right-click Application and then click Modify.
>>
>> MF> In the Edit String window, in Value Data, type the full path to the
>> MF> application, including the application name and extension.
>> For the port-map
>> MF> application, you'd type:
>> MF> c:\progra~1\port-map\pm.exe
>>
>>
>> MF> ============================================================================
>> MF> Now tell it what parameters to use when running the pm.exe
>> app as a service:
>> MF> ============================================================================
>>
>> MF> Right-click the Parameters subkey, point to New, and then
>> click String
>> MF> Value.
>>
>> MF> Type the name of the new entry as AppParameters.
>>
>> MF> Right-click AppParameters and then click Modify.
>>
>> MF> In the Edit String window, in Value Data, type the parameters for the
>> MF> application.
>> MF> For our purposes, use:
>> MF> 5587 {imail.box.ip.addy} 25 w h
>>
>> MF> Add a "Description" key to the root service key (folder),
>> and enter "Maps
>> MF> port 587 (SMTP AUTH) to port 25 for additional SMTP support" as the
>> MF> description. (Or whatever the blazes you want. This is a
>> nice "extra"...
>> MF> it provides description text in the Windows 2003 SERVICES
>> applet, so that
>> MF> if you forget you added the service you won't think you've
>> been hacked or
>> MF> something.)
>>
>>
>> MF> ============================
>> MF> RUN IT, TEST IT, ANNOUNCE IT
>> MF> ============================
>>
>> MF> Close the registry editor, open the services applet, find
>> your new service,
>> MF> and start it. It should start with no difficulties, and if
>> you open Task
>> MF> Manager, you should see pm.exe as a running process. At
>> this point, you
>> MF> should re-run the telnet tests to make sure all is well, and
>> maybe even
>> MF> reboot the machine to make sure that the service starts
>> when the machine
>> MF> boots. If so, you're all ready to start telling your email
>> users that they
>> MF> can configure their mail clients to send on port 587 (SMTP
>> AUTH) to bypass
>> MF> any ISP blocking of port 25.
>>
>>
>> MF> HTH,
>>
>> MF> Marc
>>
>>
>> MF> To Unsubscribe:
>> http://www.ipswitch.com/support/mailing-lists.html
>> MF> List Archive:
>> MF> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>> MF> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
>>
>>
>>
>> ----
>> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
>> [EMAIL PROTECTED] http://www.inetconcepts.net
>> (972) 788-2364 Fax: (972) 788-5049
>> ----
>>
>>
--
With kind regards
Matti Haack
mailto:[EMAIL PROTECTED]
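The open-relay test that both Matti and Marc describe above (EHLO, MAIL FROM, RCPT TO a non-local address, expect 5xx), automated, together with a toy SMTP server that models the relay rule from the thread: a local recipient is always accepted without auth, a non-local recipient is relaying and is only accepted when the connecting IP is on the relay-for list or the session authenticated. The third scenario shows why Matti warns against putting the server's own IP on that list when a redirector on the same machine makes every port 587 connection look like it comes from that IP. This is an added example for this thread, not code from IMail, pm.exe or any of the posters; the domain names (example.com, elsewhere.org, toy.example.com, probe.example.net), the function names and the loopback setup are constructed assumptions.

```python
"""Automated open-relay probe plus a toy SMTP server modelling the relay rule
described in the thread (local recipient: always 250; non-local recipient:
250 only for a listed source IP or after SMTP AUTH, else 550).

Added example for this thread, not code from IMail, pm.exe or any poster.
Domain names, addresses and IPs below are constructed placeholders.
"""
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"example.com"}  # assumption: the domains the server hosts


def rcpt_decision(client_ip, rcpt_to, relay_for, local_domains, authenticated=False):
    """SMTP reply code for RCPT TO under the thread's relay rule."""
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain in local_domains:          # local delivery: never needs auth
        return 250
    if authenticated or client_ip in relay_for:
        return 250                       # relaying permitted for this source
    return 550                           # relaying denied


class ToySMTP(socketserver.StreamRequestHandler):
    """Server side of the exchange; handles just EHLO/HELO, MAIL, RCPT, QUIT."""

    def reply(self, code, text):
        self.wfile.write(f"{code} {text}\r\n".encode())

    def handle(self):
        client_ip = self.client_address[0]  # the IP the relay rule sees
        self.reply(220, "toy.example.com ESMTP")
        while True:
            line = self.rfile.readline().decode(errors="replace").strip()
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply(250, "toy.example.com")
            elif verb == "MAIL":
                self.reply(250, "sender ok")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip(" <>")
                code = rcpt_decision(client_ip, addr, self.server.relay_for, LOCAL_DOMAINS)
                self.reply(code, "recipient ok" if code == 250 else "relaying denied")
            elif verb == "QUIT":
                self.reply(221, "bye")
                break
            else:
                self.reply(500, "command not recognised")


def start_toy_server(relay_for):
    """Listen on a random loopback port; relay_for is the relay-for IP list."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ToySMTP)
    srv.relay_for = relay_for
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def relay_probe(host, port, mail_from, rcpt_to):
    """The telnet test from the thread: EHLO, MAIL FROM, RCPT TO; return the
    RCPT TO reply code. 250 for a non-local recipient from a client that is
    neither listed nor authenticated means the listener is an open relay."""
    with smtplib.SMTP(host, port, local_hostname="probe.example.net", timeout=5) as s:
        s.ehlo()
        s.mail(mail_from)
        code, _ = s.rcpt(rcpt_to)
        return code


def run_scenarios():
    """Run the three cases discussed in the thread against the toy server."""
    relay_for = set()
    srv = start_toy_server(relay_for)
    host, port = srv.server_address
    results = {}
    # 1. Unlisted client, local recipient: accepted, no auth needed.
    results["local_rcpt"] = relay_probe(host, port, "user@example.com", "user@example.com")
    # 2. Unlisted client, non-local recipient: 550, so not an open relay.
    results["remote_rcpt"] = relay_probe(host, port, "user@example.com", "someone@elsewhere.org")
    # 3. The server's own IP (here 127.0.0.1, which is what a redirector on the
    #    same box makes every forwarded connection look like) is put on the
    #    relay-for list: the same probe now gets 250, i.e. an open relay.
    relay_for.add(host)
    results["server_ip_listed"] = relay_probe(host, port, "user@example.com", "someone@elsewhere.org")
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for name, code in run_scenarios().items():
        flag = "OPEN RELAY" if name != "local_rcpt" and code == 250 else ""
        print(f"{name}: {code} {flag}")
```

To probe a real listener instead of the toy server, call relay_probe() with your host and 25 or 587 from a machine that is not on the relay-for list; anything other than 5xx for a non-local recipient is the open-relay result Matti describes.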