This is all as I thought... it just threw me when I could send from a local address TO a local address...
Any reason why a person would add their OWN mail server IP addresses to the Relay For Addresses list?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Matti Haack
> Sent: Saturday, February 05, 2005 1:26 PM
> To: Marc Funaro
> Subject: Re: [IMail Forum] port-map running as a service
>
>
> Hello
>
> MF> If I telnet to port 587 or 25 on my machine, I CANNOT send from any spoofed
> MF> or real address to any address that's not hosted on my server... I get a 550
> MF> error.
> As expected. Your server does not relay for anybody.
> But anybody can send mail to an existing local user. You never need
> any auth to send mail to a local recipient. If you required
> authentication, no external mailserver would be able to send email to
> the addresses on your server.
>
> MF> Nor can I send from a valid address hosted on my server to any external
> MF> address... again, I get a 550 error for both ports.
> Yes. If you set the IP of your server in the relay mail for list, it
> will be possible. But be aware that if you use a redirector service on
> the same machine, EVERY mail to port 587 will be allowed! (Even
> spammers' email) - so DON'T DO THIS!
>
>
> MF> However, if I telnet to port 587 or port 25, and mail from: is a local
> MF> address, and rcpt to: is a local address, it accepts and delivers the
> MF> message. It does not seem to require SMTP AUTH on EITHER port.
> Yes. Local delivery is always allowed. Only relaying (sending to
> addresses which are not local and which must be forwarded to another
> smtp server) is forbidden.
>
> MF> Now, what I REALLY don't understand is, I am using "relay for addresses",
> MF> and the machine from which I am doing the TELNET'ing is NOT in the allowed
> MF> addresses list, nor is any of this server's public IPs in the allowed
> MF> addresses list either. If the FROM and TO address are both local, shouldn't
> MF> iMail still require SMTP AUTH to deliver that message?
> MF> Did I change a
> MF> setting somewhere and screw up my config?
> No. No Auth for local addresses (see above...)
>
> So everything should be OK. - so far...
> The important test is: if you telnet to the server from any machine
> and send a mail to a NON LOCAL address (e.g. this list) is it allowed?
> If YES you have an open relay and have to correct your settings.
> If NO (and this means 5xx regardless if your mail from/helo is local
> or not) then everything is OK.
>
> >The only
> >problem we're having is the one I posted a day or so ago, regarding our
> >outgoing messages on port 587 being stamped by mxGuard as spam, while
> >sending via port 25 does not cause that problem. (Still haven't received an
> >answer on that one yet...) I'm not seeing Gary's described behavior with
> >our particular setup.
> Check the mail logs! I assume that your mailserver will mark the
> mail as spam because the helo and the IP addresses won't fit on port
> 587. Your redirector changes the source IP of the mail connection if
> you go to 587. It will be either the address of the redirector machine
> or, if you use a router, the router's internal address.
> So have a look at the HELO/EHLO command and the IP address for
> connections coming in on 25 and 587. I think they will not match on
> port 587!
> If the spam check makes a DNS reverse lookup for the connection's
> IP address, it will get a different IP than it gets if it resolves the
> domain name given with the helo command. This is an indicator for spam
> (e.g. dialup users will not have the correct rDNS for the given mail
> domain...)
>
> I think it will be very difficult to fix this....
>
> Have a nice weekend
> Matti
>
>
> >> -----Original Message-----
> >> From: Don Brown [mailto:[EMAIL PROTECTED]
> >> Sent: Saturday, February 05, 2005 12:01 PM
> >> To: Marc Funaro
> >> Subject: Re: [IMail Forum] port-map running as a service
> >>
> >>
> >> Are you saying that the following is not true, in this case.
> >> IOW, you've tested and there is No Open Relay Vulnerability running this
> >> mapper the way you've configured it?
> >>
> >> "Wednesday, January 26, 2005, 10:19:14 AM, Gary Brumm
> >> <[EMAIL PROTECTED]> wrote:
> >> GB> The problem with these programs (I tried Port Tunnel) is that all of the
> >> GB> messages that come through the alternate port appear to originate from
> >> GB> the IMail machine's IP and this makes you an open relay. This happens
> >> GB> even if the machine's IPs are not in the "allow these IPs list".
> >> GB> Authenticated SMTP still works but is not needed. If someone has a
> >> GB> solution to this please let me know.
> >> GB> Thanks,
> >> GB> Gary"
> >>
> >>
> >> Wednesday, February 2, 2005, 8:13:27 PM, Marc Funaro
> >> <[EMAIL PROTECTED]> wrote:
> >> MF> In reply to my own post.
> >>
> >> MF> I have successfully configured an application to run as a service to map
> >> MF> port 587 to port 25. I provide instructions below to everyone on the list,
> >> MF> in the hopes that it will help someone else. I welcome
> >> MF> corrections/additions/etc. to make this document as accurate as possible. I
> >> MF> believe it is useful because it allows iMail to accept mail on a port other
> >> MF> than 25, so that email clients that are connecting with an ISP that is
> >> MF> blocking port 25 can still utilize your own server for outgoing mail.
> >>
> >> MF> Note this has ONLY been tested on Windows 2003 Server, with iMail 7.15.
> >> MF> You'll need to obtain the (free) Windows 2003 Resource Kit Tools and the
> >> MF> (free) port mapping software. No guarantees, use at your own risk, blah
> >> MF> blah blah...
> >>
> >> MF> ===============================================
> >> MF> Get the port mapping software and "install" it:
> >> MF> ===============================================
> >>
> >> MF> Obtain the port-mapping application from http://www.kmint21.com.
> >>
> >> MF> Unzip and put the contents of the download in C:\Program Files\port-map\
> >>
> >>
> >> MF> =====================================================
> >> MF> Run the port mapping software using a command prompt:
> >> MF> =====================================================
> >>
> >> MF> c:\progra~1\port-map\pm.exe 5587 {imail.box.ip.addy} 25 w h
> >>
> >> MF> A window with status information should open for you.
> >>
> >> MF> (Note the "5587" is not a typo for mapping port 587 -- pm.exe seems to
> >> MF> ignore the first character of the port number you are mapping to a local
> >> MF> port. Note that the authors of pm.exe may very well fix this in the future,
> >> MF> and therefore you may need to adjust your parameters in the future if you
> >> MF> obtain a newer version of pm.exe. The W lets the app write a log file in
> >> MF> the app's own directory, and the H tells the app to run "hidden". You may
> >> MF> wish to remove the W parameter after testing is complete, unless you don't
> >> MF> mind cleaning/removing the log file every now and then.)
> >>
> >>
> >> MF> ==========================================
> >> MF> Test your access to port 587 using telnet:
> >> MF> ==========================================
> >>
> >> MF> At a command prompt, type:
> >> MF> telnet yourmachine.example.com 587
> >>
> >> MF> You should get a response from your server, and be able to issue an ehlo
> >> MF> command and get a normal response from your mail server... just as you would
> >> MF> if you had connected on port 25.
> >>
> >>
> >> MF> ====================================
> >> MF> Since you're already in a telnet session, you might as well test to see if
> >> MF> you can send a message to a local email address.
> >> MF> Enter the following telnet commands one at a time:
> >> MF> ====================================
> >>
> >> MF> ehlo
> >> MF> mail from: {your email address}
> >> MF> rcpt to: {your email address}
> >> MF> data
> >> MF> test using port 587
> >> MF> .
> >>
> >>
> >> MF> (The dummy message should be queued at this point, and you should receive
> >> MF> your message almost immediately.)
> >>
> >>
> >> MF> ====================================
> >> MF> Since you're already in a telnet session, you might as well test to see if
> >> MF> implementing port 587 mapping has made you an open relay in some way.
> >> MF> Enter the following telnet commands one at a time:
> >> MF> ====================================
> >>
> >> MF> ehlo
> >> MF> mail from: [EMAIL PROTECTED]
> >> MF> rcpt to: [EMAIL PROTECTED]
> >>
> >> MF> (After submitting the "rcpt to" command you should get a 550 error. If it
> >> MF> says "ok" and awaits DATA, then you are an open relay. Check to make sure
> >> MF> your own iMail server's IP addresses are not in the "relay for addresses"
> >> MF> list.)
> >>
> >>
> >> MF> =====================
> >> MF> IF YOU GOT THIS FAR:
> >> MF> =====================
> >>
> >> MF> --You are able to run the pm.exe software and properly map port 587 to port
> >> MF> 25 using the command line.
> >>
> >> MF> --You are able to send yourself a message using telnet on port 587.
> >>
> >> MF> --You are NOT able to send a message from a non-local address to another
> >> MF> non-local address using port 587.
> >>
> >> MF> --If you specified the W command line switch, you should see a log file in
> >> MF> the same directory as pm.exe, in which you can review the telnet connections
> >> MF> you tried above.
> >>
> >> MF> You will now probably want to set up your machine so that pm.exe runs "as a
> >> MF> service" so that you don't have to remember to log in and enter the command
> >> MF> line to start the app/redirector every time you start the machine... I
> >> MF> therefore provide:
> >>
> >>
> >> MF> ====================================================
> >> MF> Instructions for running the pm.exe app as a service
> >> MF> ====================================================
> >>
> >> MF> Stop the app that you launched using the command line instructions above.
> >>
> >> MF> Go to www.microsoft.com/downloads and enter Windows 2003 Resource Kit Tools
> >> MF> in the keyword search. Download the Windows 2003 Resource Kit Tools
> >> MF> executable, and run it to install the apps... This will install a bunch of
> >> MF> little apps, including the two you need: instsrv.exe and srvany.exe.
> >>
> >>
> >> MF> ==============================
> >> MF> Install a new "blank" service:
> >> MF> ==============================
> >>
> >> MF> In a command prompt:
> >> MF> CD to C:\Program Files\Windows Resource Kits\Tools
> >>
> >> MF> Then type:
> >> MF> instsrv Port587Map "c:\Program Files\Windows Resource Kits\Tools\srvany.exe"
> >>
> >>
> >> MF> =====================================
> >> MF> RESPONSE FROM THIS COMMAND SHOULD BE:
> >> MF> =====================================
> >>
> >> MF> "The service was successfully added!
> >>
> >> MF> Make sure that you go into the Control Panel and use
> >> MF> the Services applet to change the Account Name and
> >> MF> Password that this newly installed service will use
> >> MF> for its Security Context."
> >>
> >>
> >> MF> Now you have a "blank" service installed (you can confirm this by looking at
> >> MF> the Windows 2003 SERVICES applet).
> >> MF> Now you need to configure the service
> >> MF> so that it actually does something:
> >>
> >>
> >> MF> =======================================
> >> MF> To configure the service using RegEdit:
> >> MF> =======================================
> >>
> >> MF> Click the Start button, and then click Run.
> >>
> >> MF> In the Open box, type regedit, and click OK.
> >>
> >> MF> Add a new subkey named Parameters in the following registry location:
> >> MF> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
> >>
> >> MF> Right-click the newly created service name, point to New, and then click
> >> MF> Key.
> >>
> >> MF> In the console pane, for the name of the new key, type Parameters.
> >>
> >> MF> To specify the target application, right-click the Parameters subkey, point
> >> MF> to New, and then click String Value.
> >>
> >> MF> Type the name of the new entry as Application.
> >>
> >> MF> Right-click Application and then click Modify.
> >>
> >> MF> In the Edit String window, in Value Data, type the full path to the
> >> MF> application, including the application name and extension. For the port-map
> >> MF> application, you'd type:
> >> MF> c:\progra~1\port-map\pm.exe
> >>
> >>
> >> MF> ============================================================================
> >> MF> Now tell it what parameters to use when running the pm.exe app as a service:
> >> MF> ============================================================================
> >>
> >> MF> Right-click the Parameters subkey, point to New, and then click String
> >> MF> Value.
> >>
> >> MF> Type the name of the new entry as AppParameters.
> >>
> >> MF> Right-click AppParameters and then click Modify.
> >>
> >> MF> In the Edit String window, in Value Data, type the parameters for the
> >> MF> application.
> >> MF> For our purposes, use:
> >> MF> 5587 {imail.box.ip.addy} 25 w h
> >>
> >> MF> Add a "Description" key to the root service key (folder), and enter "Maps
> >> MF> port 587 (SMTP AUTH) to port 25 for additional SMTP support" as the
> >> MF> description. (Or whatever the blazes you want. This is a nice "extra"...
> >> MF> it provides description text in the Windows 2003 SERVICES applet, so that
> >> MF> if you forget you added the service you won't think you've been hacked or
> >> MF> something.)
> >>
> >>
> >> MF> ============================
> >> MF> RUN IT, TEST IT, ANNOUNCE IT
> >> MF> ============================
> >>
> >> MF> Close the registry editor, open the services applet, find your new service,
> >> MF> and start it. It should start with no difficulties, and if you open Task
> >> MF> Manager, you should see pm.exe as a running process. At this point, you
> >> MF> should re-run the telnet tests to make sure all is well, and maybe even
> >> MF> reboot the machine to make sure that the service starts when the machine
> >> MF> boots. If so, you're all ready to start telling your email users that they
> >> MF> can configure their mail clients to send on port 587 (SMTP AUTH) to bypass
> >> MF> any ISP blocking of port 25.
> >>
> >>
> >> MF> HTH,
> >>
> >> MF> Marc
> >>
> >>
> >> MF> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> >> MF> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> >> MF> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> >>
> >>
> >>
> >> ----
> >> Don Brown - Dallas, Texas USA Internet Concepts, Inc.
> >> [EMAIL PROTECTED] http://www.inetconcepts.net
> >> (972) 788-2364 Fax: (972) 788-5049
> >> ----
> >>
> >>
>
>
> --
> Kind regards
> Matti Haack
> mailto:[EMAIL PROTECTED]
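The exchange above turns on one distinction: a message to a local recipient is inbound delivery and is accepted without AUTH no matter what MAIL FROM says, while a message to a non-local recipient is relaying and is accepted only after SMTP AUTH or from an IP in the relay-for list; a userland port redirector on the server makes every port 587 connection appear to come from the server's own IP, so listing that IP as a relay-for address turns the server into an open relay. The following is an added example, not code from the thread or from IMail, that models that decision and runs the thread's telnet probes against it. The policy rules are the ones Matti states; the domain, addresses, relay-for list, probe names and the assumption that the server treats its own IP like any other client IP are constructed for the example and are not a description of IMail's actual implementation.

```python
"""
Added example (not from the IMail thread): a model of the SMTP relay
decision the thread argues about, plus the telnet probes from the post
run against that model. Configuration values below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample configuration (assumptions, not a real deployment).
LOCAL_DOMAINS = frozenset({"example.com"})     # domains this server hosts
SERVER_IP = "203.0.113.10"                     # the mail box's own address
RELAY_FOR_IPS = frozenset({"192.0.2.0/24"})    # "relay for addresses": the LAN


@dataclass(frozen=True)
class Session:
    client_ip: str        # source address the SMTP service actually sees
    authenticated: bool   # SMTP AUTH completed on this connection?
    mail_from: str
    rcpt_to: str


def is_local(addr, local_domains=LOCAL_DOMAINS):
    """True if the mailbox domain is one the server hosts."""
    return addr.rsplit("@", 1)[-1].lower() in local_domains


def ip_in_relay_list(ip, relay_for=RELAY_FOR_IPS):
    """True if the client IP falls inside any relay-for entry (host or CIDR)."""
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(n, strict=False) for n in relay_for)


def rcpt_decision(s, local_domains=LOCAL_DOMAINS, relay_for=RELAY_FOR_IPS):
    """Reply code for RCPT TO. MAIL FROM plays no part, which is why a
    spoofed local sender to a local recipient is accepted without AUTH."""
    if is_local(s.rcpt_to, local_domains):
        return "250"                              # inbound mail: always accepted
    if s.authenticated or ip_in_relay_list(s.client_ip, relay_for):
        return "250"                              # relaying permitted
    return "550"                                  # relaying denied


def through_port_mapper(s, server_ip=SERVER_IP):
    """A userland redirector (pm.exe style) reconnects to port 25 from the
    server itself, so the SMTP service sees the server's own IP instead of
    the real client's. Authentication state is carried through unchanged."""
    return Session(server_ip, s.authenticated, s.mail_from, s.rcpt_to)


def transcript(s):
    """The probe as the thread types it into telnet, both sides shown."""
    return [
        "C: EHLO probe.example.net", "S: 250",
        f"C: MAIL FROM:<{s.mail_from}>", "S: 250",
        f"C: RCPT TO:<{s.rcpt_to}>", f"S: {rcpt_decision(s)}",
    ]


# The four sender/recipient combinations worth probing (constructed).
PROBES = (
    ("local->local",       "me@example.com", "me@example.com"),
    ("local->external",    "me@example.com", "x@example.net"),
    ("external->local",    "x@example.net",  "me@example.com"),
    ("external->external", "a@example.org",  "x@example.net"),
)


def relay_test_matrix(client_ip, relay_for=RELAY_FOR_IPS, mapped=False,
                      authenticated=False):
    """Run all probes from one client; returns probe name -> reply code."""
    out = {}
    for name, mail_from, rcpt_to in PROBES:
        sess = Session(client_ip, authenticated, mail_from, rcpt_to)
        if mapped:
            sess = through_port_mapper(sess)
        out[name] = rcpt_decision(sess, relay_for=relay_for)
    return out


def is_open_relay(matrix):
    """Matti's test, applied to an unauthenticated probe matrix:
    an external->external RCPT that gets 250 means open relay."""
    return matrix["external->external"] == "250"


if __name__ == "__main__":
    internet = "198.51.100.7"   # a client outside the LAN (constructed)
    scenarios = (
        ("direct, port 25", {}),
        ("via mapper, server IP NOT in relay-for list", {"mapped": True}),
        ("via mapper, server IP IN relay-for list",
         {"mapped": True, "relay_for": RELAY_FOR_IPS | {SERVER_IP}}),
    )
    for label, kw in scenarios:
        m = relay_test_matrix(internet, **kw)
        print(f"{label}: {m}  open relay: {is_open_relay(m)}")
    print("\n".join(transcript(Session(internet, False, "a@example.org", "x@example.net"))))
```

Under this model the local->local probe gets 250 with no AUTH from anywhere, which is the behaviour Marc found surprising; the external->external probe only flips from 550 to 250 when the mapper is in the path and the server's own IP is in the relay-for list, which is exactly the combination Matti warns against. A server that trusts its own IP by default, as Gary reports for Port Tunnel, would show the open-relay result even without the list entry; the model does not assume that.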
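Matti's explanation for the mxGuard false positives is that a spam check compares the HELO name with the connecting IP (reverse-resolving the IP, forward-resolving the HELO name), and that the redirector makes every port 587 connection arrive from the server's or router's address while the client still sends its own HELO. The following is an added example, not from the thread or from mxGuard, of that consistency check run offline against constructed PTR and A tables; whether mxGuard applies exactly this test is not stated on the page, and all names and addresses are assumptions.

```python
"""
Added example (not from the IMail thread): the HELO-name vs source-IP
consistency check Matti suspects the spam filter applies. DNS data is
constructed so the check runs offline; in production the two tables
would be PTR and A lookups.
"""

# Constructed DNS records (assumptions).
PTR_RECORDS = {"198.51.100.7": "mail.example.net"}     # reverse lookups
A_RECORDS = {"mail.example.net": "198.51.100.7",       # forward lookups
             "mail.example.com": "203.0.113.10"}


def helo_consistency(client_ip, helo, ptr=PTR_RECORDS, a=A_RECORDS):
    """Return (ok, reason). ok is True when the HELO name forward-resolves
    to the connecting IP, or when the IP's PTR name matches the HELO and
    resolves back to the IP (forward-confirmed reverse DNS)."""
    name = helo.lower()
    helo_ip = a.get(name)
    ptr_name = ptr.get(client_ip)
    if helo_ip == client_ip:
        return True, "HELO name resolves to the connecting IP"
    if ptr_name == name and a.get(ptr_name) == client_ip:
        return True, "PTR and A records agree with HELO"
    if helo_ip is None:
        return False, f"HELO {helo} has no A record"
    return False, f"HELO {helo} resolves to {helo_ip}, connection is from {client_ip}"


def compare_ports(client_ip, helo, server_ip="203.0.113.10"):
    """Same client, direct on port 25 versus through a redirector on the
    server that rewrites the source address to server_ip (assumption)."""
    return {"port25": helo_consistency(client_ip, helo),
            "port587": helo_consistency(server_ip, helo)}


if __name__ == "__main__":
    for port, (ok, why) in compare_ports("198.51.100.7", "mail.example.net").items():
        print(f"{port}: {'pass' if ok else 'FAIL'} - {why}")
```

The port 25 case passes and the port 587 case fails for the same client and HELO, which is the mismatch Matti tells Marc to look for in the logs; the fix he expects to be hard is getting the real client address in front of the SMTP service, which a userland redirector on the same box cannot do.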
