Re: relay possible, what can I do?
> The rlytest at
> http://maps.vix.com/tsi/ar-test.html
> says, that our mailserver is vulnerable, what can I do?
I reply with an extract from the list archive. :-)
/Matti Aarnio <mea@nic.funet.fi>
(who is in dire need for a vacation out of the office..)
Subject: SMTP anti-relay policy problems...
From: mea@nic.funet.fi
To: zmailer@nic.funet.fi
Date: Mon, 27 Jul 1998 20:53:26 +0300 (EET DST)
(while composing this I have been interrupted quite a many times..)
Hello,
When tested with the latest http://maps.vix.com/tsi/ar-test.html
relay-prober, every published version of ZMailer (at ftp.funet.fi)
is sort of vulnerable.
The thing is, earlier that system tried to do:
    MAIL FROM:<nobody@TESTINGHOST>
    RCPT TO:<nobody@TESTINGHOST>
and those have been rejected for a long time, but now they
do test with:
    MAIL FROM:<nobody@YOUR.HOST.NAME>
    RCPT TO:<nobody@TESTINGHOST>
This has been allowed thru the system up until late May/early June,
when I made two changes into the configuration scripts related to
this issue.
You may wonder why this has been an okay way to relay... well, 1) I too
am lazy, and allowing relaying to all clients who claim MAIL FROM to
be of local domain has been an easy way to handle certain wide-spread
cases... 2) this was not *quite* a centrally important variant of the
problem.
The fix to correct this problem:
Index: proto/db/smtp-policy.src
diff -u -r1.2 -r1.3
--- proto/db/smtp-policy.src 1998/05/13 14:16:40 1.2
+++ proto/db/smtp-policy.src 1998/05/19 13:58:50 1.3
@@ -266,6 +266,7 @@
#|
_our_network = _full_rights
_full_rights rejectnet - relaycustnet + relaycustomer + relaytarget +
+_localnames rejectnet - relaycustnet - localdomain + relaytarget +
#
#sztaki.hu = _full_rights
#.sztaki.hu = _full_rights
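Review bot: the added `_localnames` line carries no comment, and its difference from `_full_rights` just above is easy to miss: `relaycustnet` flips from `+` to `-`, and `relaycustomer +` is replaced by `localdomain +`. Suggest a `#` comment line above it saying what the alias is for (the hosts listed in localnames) and why it must not carry the relay rights that `_full_rights` does, so that a later edit does not merge the two again.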
Index: utils/policy-builder.sh.in
diff -u -r1.2 -r1.3
--- utils/policy-builder.sh.in 1998/05/14 15:54:49 1.2
+++ utils/policy-builder.sh.in 1998/05/19 13:58:55 1.3
@@ -59,7 +59,7 @@
# Localnames
cat localnames | \
- awk '/^#/{next;} NF >= 1 {printf "%s = _full_rights\n",$1;}'
+ awk '/^#/{next;} NF >= 1 {printf "%s = _localnames\n",$1;}'
# smtp-policy.relay
# (Lists domains and networks that are allowed to use us as relay)
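Review bot: the changed awk line now emits entries that point at `_localnames`, an alias defined only by the smtp-policy.src change in the other hunk; a site that kept its own older smtp-policy.src and took only this script would generate entries naming an alias that is not defined there. Suggest a comment in the `# Localnames` section stating that `_localnames` must exist in smtp-policy.src. Separately, `/^#/` skips only comments that start in column one, so an indented comment line in localnames would come out as `# = _localnames`; matching `/^[ \t]*#/` would cover that case.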
I have now made some aspects on this issue a bit clearer (I hope)
by providing (in my CVS) more detailed examples on what you should
do with the smtp-policy.src, and smtp-policy.relay, plus
policy-builder.sh(.in) files/programs.
I am now trying to do cross-checking of compiling in varying
environments -- other compilers than GCC (Linux/Solaris), then
(later tonight) there will be a snapshot file at ftp.funet.fi,
which I hope to be the final 2.99.50.
/Matti Aarnio <mea@nic.funet.fi>
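
The two probe variants described in the message, run against a simplified model of the relay decision before and after the fix. This is an added example, not part of the original message and not ZMailer code; the host names, networks and the `relay_decision` / `probe_results` functions are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample site data (not from the original message).
LOCAL_NAMES = {"mail.example.org"}            # stands in for YOUR.HOST.NAME
RELAY_CLIENT_NETS = [ip_network("192.0.2.0/24")]
TESTING_HOST = "prober.example.net"           # stands in for TESTINGHOST


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an SMTP path like <user@host>."""
    return address.strip("<>").rpartition("@")[2].lower()


def relay_decision(client_ip, mail_from, rcpt_to, trust_local_sender):
    """Simplified model of the relay check discussed above.

    trust_local_sender=True models the old behaviour (a MAIL FROM in a
    local domain grants relaying); False models the behaviour after the fix.
    """
    if domain_of(rcpt_to) in LOCAL_NAMES:
        return "accept"          # mail for us: delivery, not relaying
    if any(ip_address(client_ip) in net for net in RELAY_CLIENT_NETS):
        return "accept"          # client is on a network we relay for
    if trust_local_sender and domain_of(mail_from) in LOCAL_NAMES:
        return "accept"          # the loophole: MAIL FROM is unauthenticated
    return "reject"


def probe_results(trust_local_sender):
    """Run both probe variants from an outside address (constructed)."""
    outside = "203.0.113.7"
    probes = {
        "old probe": (f"<nobody@{TESTING_HOST}>", f"<nobody@{TESTING_HOST}>"),
        "new probe": ("<nobody@mail.example.org>", f"<nobody@{TESTING_HOST}>"),
    }
    return {name: relay_decision(outside, mf, rt, trust_local_sender)
            for name, (mf, rt) in probes.items()}


if __name__ == "__main__":
    print("before fix:", probe_results(True))
    print("after fix: ", probe_results(False))
```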