
Re: relay possible, what can I do?



> The rlytest at
> http://maps.vix.com/tsi/ar-test.html
> says that our mailserver is vulnerable. What can I do?

I reply with an extract from the list archive.    :-)
	/Matti Aarnio <mea@nic.funet.fi>
		(who is in dire need of a vacation out of the office..)

Subject: SMTP anti-relay policy problems...
From:	mea@nic.funet.fi
To:	zmailer@nic.funet.fi
Date:	Mon, 27 Jul 1998 20:53:26 +0300 (EET DST)

(while composing this I have been interrupted quite a few times..)

Hello,

  When tested with the latest  http://maps.vix.com/tsi/ar-test.html
  relay-prober, every published version of ZMailer (at ftp.funet.fi)
  is sort of vulnerable.

  The thing is, earlier that system tried to do:

     MAIL FROM:<nobody@TESTINGHOST>
     RCPT TO:<nobody@TESTINGHOST>

  and those have been rejected for a long time, but now they
  do test with:

     MAIL FROM:<nobody@YOUR.HOST.NAME>
     RCPT TO:<nobody@TESTINGHOST>

  This has been allowed thru the system up until late May/early June,
  when I made two changes to the configuration scripts related to
  this issue.

  You may wonder why this has been an okay way to relay...  well, 1) I too
  am lazy, and allowing relaying to all clients who claim MAIL FROM to
  be of local domain has been an easy way to handle certain wide-spread
  cases...  2) this was not *quite* a centrally important variant of the
  problem.

  The fix to correct this problem:

Index: proto/db/smtp-policy.src
diff -u -r1.2 -r1.3
--- proto/db/smtp-policy.src     1998/05/13 14:16:40     1.2
+++ proto/db/smtp-policy.src     1998/05/19 13:58:50     1.3
@@ -266,6 +266,7 @@
 #|
 _our_network           = _full_rights
 _full_rights   rejectnet - relaycustnet + relaycustomer + relaytarget +
+_localnames    rejectnet - relaycustnet - localdomain + relaytarget +
 #
 #sztaki.hu             = _full_rights
 #.sztaki.hu            = _full_rights
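
Review bot: the added `_localnames` alias has no comment saying how it is meant to differ from `_full_rights` on the line above it: it sets `relaycustnet -` and `localdomain +`, and it leaves `relaycustomer` unset instead of setting it to `-`. If the intent is that names from localnames are valid destinations but never grant relaying, a one-line comment saying so, plus an explicit `relaycustomer -`, would keep that clear to anyone editing smtp-policy.src later and would not depend on the attribute's default.
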
Index: utils/policy-builder.sh.in
diff -u -r1.2 -r1.3
--- utils/policy-builder.sh.in        1998/05/14 15:54:49     1.2
+++ utils/policy-builder.sh.in        1998/05/19 13:58:55     1.3
@@ -59,7 +59,7 @@
 
   # Localnames
   cat localnames | \
-  awk '/^#/{next;} NF >= 1 {printf "%s = _full_rights\n",$1;}'
+  awk '/^#/{next;} NF >= 1 {printf "%s = _localnames\n",$1;}'
 
   # smtp-policy.relay
   # (Lists domains and networks that are allowed to use us as relay)
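
Review bot: in the awk line, `/^#/{next;}` only skips comments that start in column one, so an indented comment in localnames still has `NF >= 1` and is emitted as `# = _localnames`; matching `/^[ \t]*#/` would skip those as well. The `# Localnames` comment above the pipeline could also state that these entries now map to `_localnames` rather than `_full_rights`.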



  I have now made some aspects of this issue a bit clearer (I hope)
  by providing (in my CVS) more detailed examples on what you should
  do with the  smtp-policy.src,  and  smtp-policy.relay, plus
  policy-builder.sh(.in) files/programs.

  I am now trying to do cross-checking of compiling in varying
  environments -- other compilers than GCC (Linux/Solaris), then
  (later tonight) there will be a snapshot file at ftp.funet.fi,
  which I hope to be final 2.99.50.

/Matti Aarnio <mea@nic.funet.fi>
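
The two probe envelopes described in the message, run through a simplified model of the relay decision before and after the fix. This is an added example, not part of the original message and not ZMailer's policy engine; the host names, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed site data (assumptions, not taken from the message).
LOCAL_DOMAINS = {"mail.example.org"}               # names listed in localnames
RELAY_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # networks allowed to relay

def domain_of(addr):
    """Domain part of an SMTP path such as <user@host>."""
    return addr.strip("<>").rpartition("@")[2].lower()

def is_customer(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in RELAY_NETS)

def old_policy(client_ip, mail_from, rcpt_to):
    """Pre-fix behaviour: a MAIL FROM claiming a local domain grants relaying."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "accept"                            # mail for us
    if is_customer(client_ip) or domain_of(mail_from) in LOCAL_DOMAINS:
        return "accept"                            # sender claim is trusted
    return "reject"

def fixed_policy(client_ip, mail_from, rcpt_to):
    """Post-fix behaviour: only the connecting network grants relaying."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return "accept"
    return "accept" if is_customer(client_ip) else "reject"

# (label, client IP, MAIL FROM, RCPT TO) -- constructed envelopes.
PROBES = [
    ("earlier probe", "203.0.113.9",
     "<nobody@tester.example.net>", "<nobody@tester.example.net>"),
    ("current probe", "203.0.113.9",
     "<nobody@mail.example.org>", "<nobody@tester.example.net>"),
    ("inbound mail", "203.0.113.9",
     "<user@elsewhere.example.com>", "<postmaster@mail.example.org>"),
    ("customer outbound", "192.0.2.25",
     "<user@mail.example.org>", "<nobody@tester.example.net>"),
]

def compare():
    """Map each probe label to (old decision, fixed decision)."""
    return {name: (old_policy(ip, f, t), fixed_policy(ip, f, t))
            for name, ip, f, t in PROBES}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:18} old={old:7} fixed={new}")
```

Only the "current probe" row changes between the two policies: the sender address is supplied by the client, so it cannot serve as evidence that the client is entitled to relay.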