
Application Note: How to secure your mail system against third-party relay

Here are some pointers on how to secure your current mail system against third-party relay. Locate your mailer in the table below, and jump to the suggestions on what to do.

  • Altavista Mail for Windows-NT 2.0
  • Appleshare IP Server (ASIP)
  • Artisoft XtraMail
  • AS/400 TCP/IP Connectivity Utilities/400
  • CommuniGate
  • DataEnter SMTPBeamer
  • DIGITAL TCP/IP Services for OpenVMS
  • DMail
  • EMWAC IMS
  • Eudora Internet Mail Server (EIMS)
  • Eudora WorldMail Server
  • exim
  • FloosieTek FTGate
  • Gauntlet
  • Groupwise
  • IMail Server
  • InterMail
  • International Messaging Associates Internet Exchange
  • Isode Message Switch
  • IT House Mail Server
  • Lotus cc:Mail
  • Lotus Notes and Lotus Domino (up to R5)
  • Lotus Domino R5 and above
  • LSMTP
  • Lyris
  • MailSite
  • Mailtraq
  • MDaemon
  • Mercury
  • Message Exchange (MX)
  • Messageware MTA
  • Microsoft Exchange Server
  • MMDF
  • Multinet for OpenVMS
  • Netscape Messaging Server
  • NTMail
  • Obtuse smtpd
  • pmdf
  • Postfix
  • Post.Office
  • Qmail
  • QuickMail Pro Mac 1.1.1r1 Server
  • QuickMail Pro Windows (95/NT) 1.5 Server
  • rblsmtpd
  • Seattle Lab SLMAIL
  • Sendmail Version 5
  • Sendmail Version 8
  • Sendmail Pro
  • Smail
  • SmartMax MailMax
  • Stalker Internet Mail Server (SIMS)
  • Sun Internet Mail Server
  • Symantec Norton Anti-Virus for Gateways
  • TFS Gateway
  • TIS FireWall ToolKit (FWTK) smap/smapd
  • Vircom VOPmail
  • VM/CMS
  • VM/ESA TCP/IP
  • VM SMTP
  • ZMailer


Altavista Mail for Windows-NT 2.0

    Status:  Obsolete
    Systems: Windows/NT
    Info:    www.altavista.software.digital.com

To disable relaying you will need a software update, which used to be available from Compaq. However, now that Compaq has retired the entire AltaVista Mail product line, there may be no option left but to change to a modern product.



Appleshare IP Server (ASIP)

    Status:  Commercial
    Systems: Mac
    Info:    www.info.apple.com/kbnum/n31108

Information on how to secure the Appleshare IP Server against mail relaying can be found at the above link.



Artisoft XtraMail

    Status:  Commercial (Artisoft)
    Systems: Windows
    Info:    www.artisoft.com/

XtraMail 1.2 and above support an IPALLOW file, which lets you list which IP addresses will be allowed to relay through your server. Information on this is in Articom Technote TN4077.



AS/400 TCP/IP Connectivity Utilities/400

    Status:  Commercial (IBM)
    Systems: AS/400
    Info:    www.redbooks.ibm.com/abstracts/gg243442.html

For OS/400 V4R2 apply PTF SF 53394 (or a PTF that supersedes it). Follow the instructions in the cover letter.
For OS/400 V4R3 apply PTF SF 54553 (or a PTF that supersedes it). Follow the instructions in the cover letter.
For OS/400 V4R4 apply PTF SF 54611 (or a PTF that supersedes it). Follow the instructions in the cover letter.



CommuniGate

    Status:  Commercial (Stalker Software)
    Systems: Mac, NT, Unix, BeOS
    Info:    www.stalker.com/CommuniGate/

www.stalker.com/CommuniGatePro/AntiSpam.html#Relay



DataEnter SMTPBeamer

    Status:  Commercial (DataEnter)
    Systems: Win/NT, Win2000
    Info:    www.dataenter.co.at/#SMTPBeamer

SMTPBeamer appears to have fully sufficient relay controls, documented at www.dataenter.co.at/doc/smtpbeamer_admin_options.htm#Relay. They also support RBL and DUL queries, but not other lists.



DIGITAL TCP/IP Services for OpenVMS

    Status: Commercial
    Systems: OpenVMS

The current versions of DIGITAL TCP/IP Services for OpenVMS have relay turned off by default. If it is turned on, it can be disabled by issuing the command:

$ucx set config smtp /options=norelay



DMail

    Status:  Commercial
    Systems: Windows (NT, 95, 98), Linux (Intel, SPARC, MIPS),
             FreeBSD, BSD/OS (3 and 4), AIX, Solaris (SPARC, x86)
    Info:    netwinsite.com/

Instructions on how to disable relaying are in the online manual, netwinsite.com/dmail/manual.htm.



EMWAC IMS

    Status:  Freeware
    Systems: Windows
    Info:    www1.sica.com/IMS/

The European Microsoft Windows NT Academic Centre (EMWAC) in Scotland has produced IMS (Internet Mail Server), a free Windows/NT mailer. As of the most recent release (version 0.83), it appears that EMWAC IMS has no provisions to prevent unauthorized relay.

SICA Consulting Services (www.sica.com/) has an add-on service that is a possible solution to this problem. First, you need to install SCMSFILTER, a service that adds filtering capability to IMS. Then, install the antirelay plugin.

 


Eudora Internet Mail Server (EIMS)

    Status:  Commercial (Qualcomm)
    Systems: Mac
    Info:    www.eudora.com/eims/

EIMS version 3 includes more relay control features than previous versions of EIMS. We do not yet know the specifics.

EIMS version 2.0 and above include (possibly inadequate) relay blocking. Here is how to turn it on:

  • Connect to your server using EIMS Admin.
  • Open the preferences window by selecting Preferences under the Admin menu.
  • Click on the Relay Restrictions icon.
  • Click the button for "Only route for local domains and the following domains".
  • Enter any domains that should be allowed to relay through your mail server.
  • Click on the OK button.

The wording has changed slightly by EIMS 2.2.2; a GIF of the new dialog box is available at www.mail-abuse.org/tsi/graphics/eims_2.2.2_config.gif.

The information above also applies to version 1.2.1 and later of the freeware server; versions 1.2 and earlier do not have this capability.

Unfortunately, even with these measures in place, it appears that the server will accept mail for relay from anyone who forges a From address of a valid user at your server. That means any spammer could pretend to be postmaster@yourdomain (or any other valid user) and use your server as a spam relay. Some relay testers do not detect this vulnerability and report the server as secured when it is actually still insecure. If you're having problems trying to secure your copy of EIMS, we recommend that you contact Eudora for assistance.



Eudora WorldMail Server

    Status:  Commercial (Qualcomm)
    Systems: Win/NT
    Info:    www.eudora.com/worldmail/

As delivered, WorldMail Server version 1.0 is vulnerable to relay. There used to be a fix, but nobody can find it anymore.

Version 2.0 and above no longer have this problem, and Eudora offers free upgrades at www.eudora.com/worldmail/updaters.html.



exim

    Status:  Freely Available
    Systems: Unix
    Info:    www.exim.org/

One of the strengths of the exim mailer is its mail filtering and processing capabilities. Recent releases have relay disabled by default. There are several configuration options to control relaying on the basis of host, domain, and network. A note at www.exim.org/howto/relay.html describes how to set up these features.

Exim is also able to use the various MAPS filters to reduce spam directed at your users; more information is available in this howto document, www.exim.org/howto/rbl.html.



FloosieTek FTGate

    Status: Commercial (Floosietek)
    Systems: Windows
    Info: www.floosietek.com/ftgatehome.htm

The Security tab of the FTGate Properties dialog has a Relay Control section. Select "Deny relaying to any site not listed below". These details were taken from www.floosietek.com/webhelp/FTGateSecurity_Properties.htm; we do not know at this time whether FTGate checks the reverse DNS of the connecting machine, or merely the envelope FROM address. If it is the latter, spammers can easily continue to relay by simply forging the FROM.



Gauntlet

    Status:  Commercial (TIS)
    Systems: Unix (we do not have information on the NT version)
    Info:    www.tis.com/support/

Gauntlet 4.2 UNIX requires at least SMAP Patchlevel 1.

Amend the netperm-table, using the GUI or by hand, to include your valid domains and mail relays.

Amend netperm-table by hand to include deny-route-char entries, which stop the use of routing addresses like:

    users@victims.com@validrelayed.domain

The entries to add are:

    deny-route-char *%*
    deny-route-char *@*

Gauntlet 5.0 and above combine this in the GUI.



Groupwise

    Status:  Commercial (Novell)
    Systems: Unix
    Info:    www.novell.com/groupwise/

The GroupWise 5 Internet Agent (GWIA) may be partially secured against unauthorized relay. This is not, however, complete relay control, and third parties may still take advantage of your system.

Using NWAdmin, go to the details page of the Gateway. Click on the "Access Control" tab, and then the "SMTP Relay" button. Check the "Prevent Message Relaying" radio button, then click OK.

There is a workaround to secure the GroupWise SMTP/MIME gateway. Edit the DOMAIN/WPGATE/SMTP/GWSMTP.CFG file (with any text editor) and add the switch "/NOROUTING". Mail relay will now be disabled. If you have the option set to save problem mail, the messages instead will be saved into your problem directory, so be sure to keep an eye on it.

In version 5.5, add "/NOROUTING" to the GWIA.CFG file in the SYS:SYSTEM folder.

We've been told that these relay control features simply do not work before version 5.5.4, and that even after 5.5.4 quoting the recipient address will bypass all of Groupwise's relay controls.

Novell has released a patch which is reported to fix the "quote hack" in 5.5.4 (aka Groupwise 5.5 with Service Pack 4.) This patch will not work on earlier versions of Groupwise, or if SP4 is not installed. It is also available from Novell's website.

GroupWise 6 is now the current release. It will prevent message relaying. Using the ConsoleOne admin utility, go to the properties of the GWIA gateway. Click on "SMTP Relay Setting" from the "Access Control" tab/menu. Under the "SMTP Defaults" box, check the "Prevent Message Relaying" radio button, then click OK. The GWIA will restart on its own. The GWIA can now be tested for relay by following this Novell TID and using "rcpt to: test@nodomain.com". You should receive a "550 Relaying denied" response.



IMail Server

   Status:  Commercial (Ipswitch, Inc.)
   Systems: Windows/NT
   Info:    www.ipswitch.com/products/IMail_Server/index.asp

We're told that IMail is an open relay by default, but can be closed easily. To stop open relay, on the IMail SMTP Security panel, click "Relay options: Relay for Addresses" and enter your trusted IP addresses and/or subnets. Then, on the IMail SMTP Security panel, uncheck "Disable SMTP AUTH reporting" and tell all your mail users to use SMTP AUTH in their mail client programs.

More information is in Chapter 8 of the IMail 6.0 Manual (PDF, 2099K.), ftp://ftp.ipswitch.com/ipswitch/manuals/imail6.pdf.



InterMail

    Status:  Commercial (Software.com)
    Systems: Unix, Win/NT
    Info:    www.software.com/products/default.htm

See below for information on InterMail Post.Office Edition (formerly simply "Post.Office".)

InterMail Mx and Kx editions also appear to have relay control features, but documentation is only available with a support contract.



International Messaging Associates Internet Exchange

    Status:  Commercial (International Messaging Associates)
    Systems:  Windows 95 and Windows NT
    Info:  www.ima.com/

Version 2.12 and above:

  • In the Internet Exchange main screen click on Options.
  • Click on Advanced
  • Make sure there is a check mark next to Reject Remote Recipients
  • Click on OK
  • Click on OK

The Help file states, "SMTPD will reject remote Internet recipients for incoming mail. This is to prevent remote sites from trying to spoof messages by re-routing them back out through the gateway."

This product also supports filtering through the various MAPS lists.



Isode Message Switch

    Status:  Commercial (Isode Ltd.)
    Systems: Unix
    Info:    www.isode.com/IC-6037V1.1.html

The Isode Message Switch has a number of capabilities to prevent mail abuse, including unauthorized relay. They have published an application note, www.isode.com/support/ic-8411.html, describing how to configure these features.

In summary, you will want to set up two different SMTP channels: a local-smtp channel for hosts that should be granted relay access (e.g. those on your local network), and an external-smtp channel for all other traffic. Then, an auth.channel table entry is made to block direct relay from external-smtp to external-smtp. This will prevent unauthorized hosts from relaying mail through the server, unless it passes through some other processing operation, such as list expansion.



IT House Mail Server

    Status:  Commercial (IT House)
    Systems: Windows
    Info:    www.ithouse.com/Start.htm

Inside the Access Filtering dialog (Properties/Mail Server Properties/Server Properties/Security/Server Access Filtering), you can create or edit various filter types. It appears that at the moment, the only relay control IT House supports is "Allow relays for local domains only." This will allow anybody whose From: address matches one of the domains you're hosting to relay; spammers are known to forge that to take advantage of such relays.

The filters also let you deny specific IP addresses from making any SMTP or POP connections, but that won't help until you know where the spammers are coming from -- and they tend to move around a lot.

At the moment, our suggestion would be to either place another mail server as a firewall in front of IT House, or change to different server software entirely.



Lotus cc:Mail

    Status:  Commercial (Lotus; to be discontinued)
    Systems: Windows
    Info:    www.lotus.com/home.nsf/welcome/ccmail/

After much searching, somebody finally discovered that there is a way to secure cc:Mail. Unfortunately, it requires turning off POP and IMAP support entirely. Lotus's document describing how this works is here.

For cc:Mail SMTP v8.5, a built-in spam prevention configuration is available via the configuration applet located in the Control Panel entitled "Link to SMTP." Click on HOST INFO, ADVANCED, and FILTER to define the spam filter. The default option is to ACCEPT and RELAY all mail not matching any filters. Instead, change this to ACCEPT. This will prevent cc:Mail SMTP from being used as a mail relay by anyone (including, most likely, your own users). In addition, on this screen you can define specific filters to immediately block mail from any particular email addresses, domain names, etc.



Lotus Notes and Lotus Domino (up to R5)

    Status:  Commercial (Lotus)
    Systems: Win/NT and OS/2 Warp

To disable relaying, put the line

    SMTPMTA_REJECT_RELAYS=1

in notes.ini.

Two more notes.ini settings which may help:

SMTPMTA_DENIED_DOMAINS
The NOTES.INI variable (SMTPMTA_DENIED_DOMAINS) allows you to enter the PATHNAME of an ASCII file containing domains that your organization wants to prevent from sending mail. If it is NULL or not present, the MTA will accept mail promiscuously.

SMTPMTA_HELO_DOMAIN_VERIFY
A NOTES.INI variable (SMTPMTA_HELO_DOMAIN_VERIFY) authenticates the domain name specified in the HELO/EHLO console command. It does this by verifying that the IP address used by a remote host is actually associated with the purported Domain Name that the host has supplied. Note: the Helo Verify and Denied Domain Lists features may be used together or independently of each other.

A full list of ini file settings can be found at support.lotus.com/sims2.nsf/802ee480bdd32d0b852566fa005acf8d/31c2a8087f9e6c938525669c0053debe?OpenDocument, and some of the other anti-spam settings that Notes supports are described in www.keysolutions.com/NotesFAQ/whatlotus.html.

Unfortunately, these measures may not be entirely adequate. Even after these fixes are applied, it appears that some configurations of Lotus Notes/Domino will continue to relay for unauthorized third parties if the recipient's email address is specified in quote marks. For those of you who are SMTP savvy, that means, during the SMTP transaction, specifying the recipient address like this: rcpt to:<"recipient@example.com"> . If you're having difficulty securing this type of server, we recommend that you contact Lotus for assistance.

Update: with Lotus Notes 4.6.1 and higher Notes 4 releases (not Notes 5), you need to add the following to the notes.ini file:

SMTPMTA_REJECT_RELAYS=1
SMTP_OCH_REJECT_SMTP_ORIGINATED_MESSAGES=1
SMTPMTA_RELAY_FORWARDS=1


Lotus Domino R5 and above

   Status:  Commercial  (Lotus)
   Systems: Windows

Iris (the internal developers of Notes/Domino at Lotus) wrote a series of articles on anti-spam measures for Notes.net; the second article covers relay controls.

The example graphic they've included (as of March 2000) shows a scenario where you allow relay for the entire Internet, except for IP addresses between 205.0.0.0 and 205.255.255.255. We'd consider this backwards; a much safer way to go about it is to find out what IP addresses you specifically want to allow, put those into the "Allow messages only from the following..." field, and deny everything else. Luckily, the product does appear to support this more effective method.

Unfortunately, these measures may not be entirely adequate. Even after these fixes are applied, it appears that some configurations of Lotus Notes/Domino will continue to relay for unauthorized third parties if the recipient's email address is specified in quote marks. For those of you who are SMTP savvy, that means, during the SMTP transaction, specifying the recipient address like this: rcpt to:<"recipient@example.com"> . If you're having difficulty securing this type of server, we recommend that you contact Lotus for assistance.
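
The allow-list approach recommended above, sketched as an added Python example (not Lotus's or any other vendor's code): relay is granted by connecting IP address only, a quoted recipient is unwrapped before it is judged, and the envelope sender is ignored because it can be forged. The domain, network and function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumed policy values (constructed for this example, not from any product).
LOCAL_DOMAINS = {"example.org"}          # domains this server delivers for
# Netmask notation; strict=False clears the host bits (192.0.2.0/24).
RELAY_NETS = [ipaddress.ip_network("192.0.2.77/255.255.255.0", strict=False)]
ROUTE_CHARS = set("%@")                  # same characters as deny-route-char


def split_recipient(rcpt):
    """Return (local_part, domain) from a RCPT TO argument, or None."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1].strip()
    # Unwrap a fully quoted address such as "user@example.com" so the
    # quoted form is judged exactly like the plain one.
    while len(addr) >= 2 and addr[0] == '"' and addr[-1] == '"':
        addr = addr[1:-1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local.strip('"'), domain.lower().rstrip(".")


def relay_decision(client_ip, mail_from, rcpt):
    """Answer one RCPT TO. mail_from is accepted but deliberately unused:
    the envelope sender is supplied by the client and proves nothing."""
    parsed = split_recipient(rcpt)
    if parsed is None:
        return "501 Bad recipient address"
    local, domain = parsed
    if ROUTE_CHARS & set(local):
        return "550 Relaying denied"     # user%other@local, a@b@local
    if domain in LOCAL_DOMAINS:
        return "250 OK"                  # final delivery, not relay
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in RELAY_NETS):
        return "250 OK"                  # listed client may relay
    return "550 Relaying denied"         # everything else is refused
```
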



LSMTP

    Status:  Commercial (L-Soft International, Inc.)
    Systems: Windows NT
    Info:    www.lsoft.com/lsmtp.html

To disable relaying in v1.1a (and, presumably, later), go to Relay Control, check the "enable" box and enter the IP#/Netmask for the machines you wish to allow. Some versions may have problems with matching; LSOFT says: "the newer builds clear the bits of the IP address that are zeroed in the mask".



Lyris

    Status:  Commercial (Lyris)
    Systems: NT, Unix
    Info:    www.lyris.com/help/

If Lyris is unprotected by a firewall (which is how many people handle it), you have only two other choices for closing the relay. Choice number one is to configure Lyris to use another host for all outbound email and close relaying on that host. The other choice is to turn the server off.



MailSite

    Status:  Commercial (Rockliffe)
    Systems: Win/NT, Win/95, Win/98
    Info:    www.rockliffe.com/

  • Double-click on "security"
  • Select "Accept mail for relay from these hosts"
  • Make sure "specify mask list directly" is selected
  • Replace * with !* -- this will enable SMTP AUTH, so that only users with valid username & password can relay through your server.

