Relay is Allowing messages from me to me.

Discussions on webmail and the Professional version.
imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Relay is Allowing messages from me to me.

Post by imagin » Mon Nov 10, 2003 8:27 pm

We use Relay settings... "Authenticated" and "Priveledged IP's".

Yet.. still messages are coming through to me from myself.
Should they not be stopped because they are not valid messages from me?

Thanks for any help.

I'm using Version 1.113.

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Additional Log Info

Post by imagin » Mon Nov 10, 2003 9:58 pm

You will see that according to the logs... IP "67.39.205.142" is sending me mail to myself from myself. I do not allow that IP. Why are they still getting to me?

03-11-10 11:25:27 67.39.205.142 SMTP-IN 10.4.3.19 596 EHLO EHLO+rexburg.com 250-imaginpro.com+[67.39.205.142],+this+server+offers+4+extensions MERTLE3200 128 18
03-11-10 11:25:27 67.39.205.142 SMTP-IN 10.4.3.19 596 MAIL MAIL+FROM:<lynn@rexburg.com> 250+Requested+mail+action+okay,+completed MERTLE3200 43 30
03-11-10 11:25:27 67.39.205.142 SMTP-IN 10.4.3.19 596 RCPT RCPT+TO:<lynn@rexburg.com> 250+Requested+mail+action+okay,+completed MERTLE3200 43 28
03-11-10 11:25:28 67.39.205.142 SMTP-IN 10.4.3.19 596 DATA DATA 354+Start+mail+input;+end+with+<CRLF>.<CRLF> MERTLE3200 46 6
03-11-10 11:25:28 67.39.205.142 SMTP-IN 10.4.3.19 596 DATA DATA 354+Start+mail+input;+end+with+<CRLF>.<CRLF> MERTLE3200 43 2342
03-11-10 11:25:28 67.39.205.142 SMTP-IN 10.4.3.19 596 QUIT QUIT 221+Service+closing+transmission+channel MERTLE3200 42 6

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Wed Nov 12, 2003 12:37 pm

i think relaying only applies to messages outside of your domain. Anyone should be able to connect to your smtp server and send you a message. They should not be able to connect to your smtp server to send a message to someone else on another server.

if you want to totally block access, i think in the smtp server properties there is a tab to allow access to the service. The default setting is allow all. Change it to allow none except for the ones you specify.

i think thats what you want ... assuming you dont want outside users to be able to email you.

MDColson
Posts: 109
Joined: Sat Aug 23, 2003 8:29 pm

Post by MDColson » Thu Nov 13, 2003 3:11 pm

I know this sounds stupid... But it has fixed problems of others...

In your relay settings by ip tab, make sure you have the correct box checked off - there are two.

[x] by default all computers will be denied except

AND

[ ] by default all computers will be allowed except

be sure that the first one (or the one that corresponds to the text i typed) is checked off...


MDColson

David Payer

be sure to block all mail to yourself

Post by David Payer » Thu Nov 13, 2003 3:43 pm

Yes, you can deny yourself all incoming mail. That is a 100% effective way to deal with spam and other problems.

Also, don't tell yourself the address of the server and this way you will never be able to see the spam either.

As a matter of fact, just give the license to someone else and you will never be bothered with email again!

(note: sarcasm)

OF COURSE YOU CAN RECEIVE MAIL TO YOU!@!!! THAT IS THE PURPOSE OF AN EMAIL SERVER.

David Payer

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Okay... I've done the test. This is Serious.

Post by imagin » Thu Nov 13, 2003 4:54 pm

Thanks Guys, It's nice to get some humer once in a while....

But I have done the test myself.
I can sent mail To me From me from any outside connection.

Note: I cannot send it To someone else because it says "This mail server requires authentication" exactly and a good relay block should work.

But THERE IS A MAJOR RELAY BREACH in sending mail to a person from themselves.

I it's not just my account either, I have 20 companies using my services who all are getting mail sent to them from themselves.

Please advise.
Quickly I hope.

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Re: be sure to block all mail to yourself

Post by merk » Thu Nov 13, 2003 11:28 pm

David Payer wrote:Yes, you can deny yourself all incoming mail. That is a 100% effective way to deal with spam and other problems.

Also, don't tell yourself the address of the server and this way you will never be able to see the spam either.

As a matter of fact, just give the license to someone else and you will never be bothered with email again!

(note: sarcasm)

OF COURSE YOU CAN RECEIVE MAIL TO YOU!@!!! THAT IS THE PURPOSE OF AN EMAIL SERVER.

David Payer
hey david ... maybe he's using the mailserver as an internal server only.

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Re: Okay... I've done the test. This is Serious.

Post by merk » Thu Nov 13, 2003 11:32 pm

imagin wrote: But I have done the test myself.
I can sent mail To me From me from any outside connection.

Note: I cannot send it To someone else because it says "This mail server requires authentication" exactly and a good relay block should work.

But THERE IS A MAJOR RELAY BREACH in sending mail to a person from themselves.

I it's not just my account either, I have 20 companies using my services who all are getting mail sent to them from themselves.
can you send an email to yourself if you send FROM another user on the machine? There's a setting somewhere in there that allows email FROM someone if its a valid address on your server.

Just to be clear ... do you want to block ALL outside email? or you just want to prevent outside people from using your mail server to send spam out to other people on the net?

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Clarify....

Post by imagin » Fri Nov 14, 2003 1:11 am

We use the mail server with "user authentication" so we can send mail from anywhere, but block spammers from using our server.

This has effectively stopped spammers from sending mail through our server to other people, BUT.... Now they have resulted in just sending Spam mail to us from our own address. So WE still get plenty of junk mail.

They CANNOT RELAY, but the CAN send mail To us as long as the email address is from us. (without needing authentication).

Does this help?

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Note:

Post by imagin » Fri Nov 14, 2003 1:15 am

"Allow Relay for Local Sender Addresses" is Not checked.

But I'm wondering if it is allowing anyway. Possibly the setting in the registry is still thinking it's active - even though it shows it's not.

Just a thought.

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Fri Nov 14, 2003 3:17 am

it shouldnt matter if they are sending email to you using your address or not. as long as they are sending email TO a valid address on your server, it should go through. Relaying isnt meant to stop that. Its only meant to stop your server from 'relaying' email to other outside mailservers.

requireing authentication only stops email being sent to the outside world from unknown users. it does not stop email being sent to you.

So assuming you want to use this mail server as a public mail server ... meaning people on the net can email you, and you can email them back, then you have to allow people to send you email. You cant require everyone on the internet to authenticate to send you email.

The only way you can stop the spam you are getting (possibly) is by using one of the spam filters. Relaying will not stop it.

With your current settings:

TO: you
FROM: you

TO: you
FROM: anyone

both of those emails should go through.

TO: anyone
FROM: you (authenticated)

that also should go through

TO: anyone
FROM: you (not authenticated)

TO: anyone
FROM: anyone

neither of those two should go through.

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Thoughts...

Post by imagin » Fri Nov 14, 2003 2:35 pm

Merk,
Thank you for your responses.

I see how it is working... However, I come from a long background a mail servers.

All of them that I have used "Require authentication to send to anyone".

Even if I am sending to myself, it should require authentication (unless IP overide).

I have very powerful spam filters in place developed by myself, but I can't stop message coming to myself from myself because I have to assume (filter wise) that they are valid if they come from me.

This is why the mail server should require the authentication of anything sent to anyone.

Example...

TO: you
FROM: you (authenticated - because I should be the sender)

TO: anyone
FROM: you (authenticated - because I should be the sender)

TO: you
FROM: anyone (not authenticated)

all of those emails should go through.


TO: you
FROM: you (non authenticated)

TO: anyone
FROM: you (not authenticated)

TO: anyone
FROM: anyone (non authenticated)

none of those should go through.

David Payer

Re: Thoughts...

Post by David Payer » Fri Nov 14, 2003 3:34 pm

imagin wrote:Merk,
Thank you for your responses.

I see how it is working... However, I come from a long background a mail servers.

All of them that I have used "Require authentication to send to anyone".

Even if I am sending to myself, it should require authentication (unless IP overide).
.
This is not an accurate description of the "require authentication" system for publicly accessible mail servers. That is, if you want someone to send mail to you from the internet. You may or may not want that. If someone sends you mail from the internet, and it is not authenticated, it will be delivered to you.

The standard usage of the term "require authentication" is for the transmission of mail, not the receipt of mail. On standard internet based servers, it is expected that you will get mail from anywhere and it will not be authenticated. You can set it up that to SEND mail it must be authenticated. That is the generaly accepted meaning of "require authentication". I too have been running smtp/pop servers since 1995.

If you want to ONLY get mail from people INSIDE your organization, I suggest running your mail server on a non standard port (not port 25) and this way others will not be able to spoof you.

BTW, there is an RFC proposal out that will determine what IPs are authorized to send for a certain domain. (RMX records). Once this was in place and your domain used RMX records, you could determine what IPs were authorized to send mail on behalf of that domain being used.

Until such a system is accepted, you have to choose: do I want a publicly available server that will receive from any SMTP server in the world OR do I want a private mail system that cannot be spoofed. If you want the latter, either turn off the SMTP service and simply use webmail OR us a non standard port for your server OR use a non standard domain name for mail (set up a post office without the real domain name: no .com, .net, org etc). This way, no internet based server will be able to send to you but you can set up your server in the client properties and use your bogus domain for your intranet based mail. ie me@company not me@company.com etc.

It appears you want an intranet server, not an internet based server.

David Payer

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Simply Asking

Post by imagin » Fri Nov 14, 2003 4:11 pm

We are simply asking for the feature....

"Do Not allow Relay for Local Sender Addresses unless they have Authenticated before they send."

Simply...
"me@mymail.com" should not send to "me@mymail.com" unless I have "Authenticated".

Already it works like this...
"me@mymail.com" cannot send to "john@hismail.com" unless I have "Authenticated".

Why are we allowing me to send to me without Authenticating?

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Fri Nov 14, 2003 10:47 pm

they are allowing you to send without authenticating because thats the whole point of a mail server. as david said, you want an intranet server. You dont want (from what you describe) a server where anyone on the internet can send you email. You want a private server where only you and the other people in your domain can send you email.

The only way i can think of doing that would be to authorize only certain IP's to connect to the server. Or as david said, change the port to something else besides 25. In any of your email clients you should be able to specify what port to use. That should pretty effectively stop anyone from the outside sending you email.

I suppose a 3rd option would be to only use the webmail interface.

Post Reply