Relay is Allowing messages from me to me.

imagin
Posts: 20
Joined: Thu Jan 09, 2003 6:36 pm

Clarify Once More.

Post by imagin » Sat Nov 15, 2003 12:12 am

Okay...

I want an "internet" server. I have an "internet" server.

I do not want an "Intranet" server.


My Relay settings are...
Allow Relay
To Authenticated Users Only.

This means....
When someone sends a message (anywhere) they must Authenticate first.
Am I not correct in assuming this?

Now....
One would expect that even if someone was sending a message to themselves it should require the Authentication first. (This seems like the simple law of "Relay only to Authenticated Users.")

Am I not correct in assuming this?

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Sat Nov 15, 2003 12:34 am

no you are wrong. How can anyone send you email if they have to login first? You would have to give every person on the internet a username and password in order to send you email.

What relay rules mean is for someone to send a message to the INTERNET, they have to authenticate first. the relay rules are designed to prevent your server from being used to send spam to the outside world. They are not meant to stop you from receiving spam from the outside world. For that you would need to employ some sort of spam filtering.

If you wanted me or anyone else to send you email, how would we do that if we had to authenticate first?

If you are looking for a way to just cut down on the amount of spam you get, then you look at the reverse dns blacklisting tab in the smtp server properties. Or there are plugins you can use to cut down on the spam. I've seen several people mention SMNITA (i think thats it) as a very useful tool. I havent used it yet though.

Guest

Re: Simply Asking

Post by Guest » Sat Nov 15, 2003 1:10 am

imagin wrote: We are simply asking for the feature....

Why are we allowing me to send to me without Authenticating?

Since you want only specific people to send to this server, it is clear you do not want an internet server so take it off the internet. Otherwise, an internet mail server will receive mail for any valid account it serves. If you only want a limited number of people to use this, I think the easiest way is to create a non standard domain in the server, not a fully qualified domain name.

This way, no other mail server can do a look up of your domain. You can preset your limited number of clients to point to that mail server and authenticate with username@companyname or whatever. Since no other SMTP server will find your server with such a "domain" you will not get any mail directed to you.

You will be able to send internet based mail with this but no one will be able to reply to it but you don't want anyone to reply to you anyway because you only want authenticated replies. You will get this if they are logging on with username@companyname (not a domain name.com, etc).

This will give the results you request. Otherwise, if you run this as an Internet based server, you will not get the results you want. So I suggest you run it as an Intranet server instead.

David Payer

David Payer

Re: Clarify Once More.

Post by David Payer » Sat Nov 15, 2003 4:51 am

imagin wrote: Okay...
I want an "internet" server. I have an "internet" server.

I do not want an "Intranet" server.

My Relay settings are...
Allow Relay
To Authenticated Users Only.

This means....
When someone sends a message (anywhere) they must Authenticate first.
Am I not correct in assuming this?

No, you are not. "Relay" means to send OUT through your server. To allow ONLY AUTHENTICATED USERS to relay means you allow only those with credentials to send out through your server.

It means anyone can send to a valid user. ANYONE on the internet can send to that user, anyone. Why? Because you put them on an SMTP server that is accessible to the Internet. If you don't want them to be accessible, run an Intranet server.

Now....
One would expect that even if someone was sending a message to themselves it should require the Authentication first. (This seems like the simple law of "Relay only to Authenticated Users.")

Am I not correct in assuming this?

No, again you are wrong. The purpose of setting up an SMTP server is to send and receive mail. You receive mail for established domains and if you aren't using catchall boxes, you receive mail for specific users. That is the basic function of an SMTP server. If you want people to receive mail from the internet, you put them on a server that is accessible to the internet. Of course, you don't want just anyone to be able to use your smtp server for spam so you put restrictions on it. You can make the restrictions by IP or by authentication. This in NO WAY affects the basic purpose of receiving mail for designated domains and users.

You have misunderstood the purpose of an SMTP server and misinterpreted the meaning of "allow relay for authenticated users".

Neither this program (mailenable) nor any other I am aware of acts in the manner you are suggesting by default. I am sure you can have a custom programmer help you if you want.

I have given you several examples of how you can make the server meet your needs. The key one is to use a non-standard domain.

If you only want authenticated users to send mail to you, then you need to find a way so only your users can use the server. You need to take away some of the Internet functionality for that to happen.

David Payer

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Mon Nov 17, 2003 12:40 am

Okay...this thread has become almost comical...

It's very interesting at how badly a couple of otherwise intelligent individuals can overlook one key element of a poor soul's post.

Now that it appears you guys are trying to make the individual feel bad for asking (what you believe to be) ignorant questions...I'll point out the error in your rather arrogant commentary...

You see...the guy isn't asking for a PRIVATE email server. He's not wanting an INTRANET server. He's not even wanting to block email received. You guys have overlooked one key element...and that is...

ON A SERVER THAT REQUIRES AUTHENTICATION FOR OUTBOUND EMAIL, SOMEONE EXTERNAL (UNAUTHORIZED) SHOULD NOT BE ALLOWED TO "LOG ON" TO HIS SMTP SERVER AND SEND AS THOUGH THEY ARE AUTHORIZED USERS!

What is happening here...obviously...is that someone is somehow "spoofing" the real (authenticated) user...and is using his SMTP server to send email to itself. I am also experiencing this behavior from ME Pro 1.13.

As a brief explanation in bullet form (to make it easy for those easily confused)

- All users on my mailserver MUST authenticate to send mail. Without going through the process, suffice it to say any authorized user within my domains' servers MUST log in to use SMTP outbound email. Period.

- I have an AUTHORIZED user on one of my domains, let's call him "admin@mail.com" for our purposes here.

- This user (admin@mail.com) continues to receive mail that appears to be from HIMSELF (admin@mail.com). This is not so. The user is NOT sending these emails.

- There is no header information in these "bogus" emails...thus...I cannot find a way to disable them, or block them...as it's a legitimate email address in a legitimate domain I serve.

- These emails also contain attachments...it's rather obvious they are carrying harmful payload. As they are deleted once received, they cause no one any real harm.

Ok...perhaps you "all-knowing" guys understand the issue now. I hope so...I don't know how much more it needs to be broken down.

Thus...........as everything in my situation (and I assume the original thread starter's) is set to PREVENT this type of server use...something is allowing this to CONTINUE....even using AUTHENTICATION...even using spam filters...and having a closed relay (to the public).

The bottom line is...there is still a way to exploit ME...even taking all the above-mentioned security steps.

THAT IS THE ISSUE that needs to be solved. It has NOTHING to do with the guy wanting a private server...and I'm fully aware of the basic functionality of a SMTP server. The critical point is the ME EXPLOIT that still exists.

Honestly folks...before insinuating someone is an idiot...read his post...through some sort of objective eyes. Focus on the issue...and don't assume the user is stupid. Geez.

<waiting for a solution for this exploit from someone who KNOWS>

Thanks

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Mon Nov 17, 2003 12:52 am

So for you the exploit is not in that you are getting spam, but that you are getting email with a false ID on it?

technically speaking this isnt an exploit i think, since the server is working the way its supposed to. You are asking basically for the server to provide a level of ID verification. Sounds like a good idea ... and seems like if you use authentication it shouldnt be too hard for the server to require authentication if you are claiming to be a valid user on the server.

I havent looked at some of the filtering plugins that are available for ME yet, but maybe one of them can help filter this out for you.

Another option would be to use something like PGP to sign your emails which would be a very secure method of providing an ID to the emails.

You should have header info in the emails though ... you should at least be able to see the IP address its coming from. If you are lucky enough that it's always coming from the same IP (or a limited range of IP's) you can just block access from those IP's.

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Mon Nov 17, 2003 12:59 am

No...

The email being sent in this scenario is NOT from an authorized user. The exploit exists because the "anonymous" originator of these emails is able to use the SMTP server as an AUTHORIZED user...which shouldn't be possible...given the security measures we have in place.

The only way this would NOT be an exploit is if this anonymous user happened to have stolen passwords for the accounts affected. If this were the case, we'd catch the activity in our logs (as it would log the authenticated access/transmissions) and adjust passwords accordingly (by changing them). This is not the case. It's an exploit...as best I can tell.

I'm glad we're now focusing on the actual issue the thread starter had to begin with.

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Mon Nov 17, 2003 1:07 am

i might be wrong, but i dont think its an exploit only because the person is not sending out to the net, they are sending to your server. Authenticating as far as i know is designed just to prevent unauthorized users from sending out email to other servers, its not meant to stop email from coming in. Thats my understanding of how it works.

authenticating applies only to outgoing email, not incoming.

Adding the feature in so that it requires authentication if you are claiming to be a local user might be a nice feature to have though. Although it would only work if you are using your server as your smtp server. It wouldnt work if you were using say earthlink's mail server as your outbound smtp server (in your local email client).

I'd suggest you post that in the suggestion forums ... and might also want to post it in the 3rd party forum since maybe there's an application out there that'll do what you want. But i wouldnt expect ME to 'fix' this anytime soon since i dont think its a bug technically.

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Mon Nov 17, 2003 1:19 am

merk wrote: i might be wrong, but i dont think its an exploit only because the person is not sending out to the net, they are sending to your server. Authenticating as far as i know is designed just to prevent unauthorized users from sending out email to other servers, its not meant to stop email from coming in. Thats my understanding of how it works.

authenticating applies only to outgoing email, not incoming.

Adding the feature in so that it requires authentication if you are claiming to be a local user might be a nice feature to have though. Although it would only work if you are using your server as your smtp server. It wouldnt work if you were using say earthlink's mail server as your outbound smtp server (in your local email client).

I'd suggest you post that in the suggestion forums ... and might also want to post it in the 3rd party forum since maybe there's an application out there that'll do what you want. But i wouldnt expect ME to 'fix' this anytime soon since i dont think its a bug technically.

Dude...honestly...what's so hard about this? OF COURSE AUTHENTICATING APPLIES TO OUTGOING EMAIL...

The user is AUTHENTICATING (or exploiting) to send email OUT from the server...........TO THE SERVER........as the same account is sending email (an action that REQUIRES AUTHENTICATION) to itself.....(an action that DOES NOT require authentication).

I do not have local address relaying activated...nor have I ever used it. The email is being sent from the server...to the server via a valid account...

There is nothing 3rd party about this...all actions occur within ME itself...again.....someone is using an exploit...or they have stolen passwords (not likely)....and there is NO header information in these bogus emails...period.

Next suggestion?

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Mon Nov 17, 2003 1:26 am

Not a bug? Give me a break.

Consider this scenario....

Once upon a time...a dude named Merk set up a mail server to require SMTP authentication for outbound email. He then set up an account called "merk@clueless.com"...under the domain name "clueless.com".

One day...as merk was checking his email...he noticed he was receiving mail from himself. He opened his inbox...and guess what? He had mail from "merk@clueless.com". WOW. As Merk knew he didn't send this email to himself...he became puzzled. Off he went to ME's forum in search of assistance.

Merk checked his logs, checked his security settings, checked his relay settings. All appeared as tight as can be. Local relaying was turned off. Merk checked his server against 3rd party relay testing tools...they also confirmed his SMTP servers were CLOSED RELAYS to the public. He knew his settings were correct. Still puzzled...our friend Merk checked his Windows server settings and logs...in hopes of finding something unusual that would explain these strange emails. Nothing was found. There were no security breaches to be found...in his operating system, or in his ME logs.

Still puzzled about how this could happen...Merk ended up here...in these forums...waiting for some type of help that might provide a solution for eliminating these ME exploits.

Ok...............got it now? This isn't 3rd party stuff dude...and it shouldn't require additional feature requests...it's simply asking for existing features to FUNCTION PROPERLY. Either that...or perhaps we've found a new exploit...as these emails are not coming from local users...and they do not contain tracking info...........period.

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Mon Nov 17, 2003 2:22 am

Like i said ... i dont think authentication applies to incoming email. You might wish it did ... and i agree that might be useful. Email being sent TO a local user is not outgoing email ... its not going out anywhere. Thats incoming.

from ME knowledgebase regarding authenticated relaying:

This means that people who try to send mail out through your server need to enter a username and password

==

i suppose if out means in, then yes its a bug. But out means out :)

authentication just isnt meant to work the way you are expecting it to work. I dont think it works that way on any mail server.

The only way you are going to get the functionality you want is by looking at a 3rd party app since authentication isnt meant to work this way.

You can email ME support and ask them how authentication is supposed to work.

Oh, as for not seeing the header info in the spam emails: in the security tab of the smtp server properties there's a checkbox to hide the IP address from the email headers. maybe you have that checked.
Last edited by merk on Mon Nov 17, 2003 1:31 pm, edited 1 time in total.

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Mon Nov 17, 2003 2:36 am

for the love of god............the email is being sent from a REMOTE location................where? I have no idea.

That would be like me using your account, merk@clueless.com, from a remote location...........authenticating (or exploiting) against your SMTP server........and delivering that mail to your inbox.

The origin of the email is NOT local to the smtp server...but is being auth'ed against...............

It is OUTGOING......as the remote user needs to auth to send it OUT from his LOCATION.......otherwise...it would never be sent or received. His using the OUTBOUND auth process is the EXPLOIT.

And.......no.....I don't have "hide IP's" checked.

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Mon Nov 17, 2003 3:19 am

RBogan wrote: That would be like me using your account, merk@clueless.com, from a remote location...........authenticating (or exploiting) against your SMTP server........and delivering that mail to your inbox.

The origin of the email is NOT local to the smtp server...but is being auth'ed against...............

It is OUTGOING......as the remote user needs to auth to send it OUT from his LOCATION.......otherwise...it would never be sent or received. His using the OUTBOUND auth process is the EXPLOIT.

its not outgoing as far as your mail server is concerned. Its incoming for the mailserver. again, i'm not saying what you are describing isnt a problem. Authentication isnt meant to work that way. Its not meant to ensure the identity of the sender (in real-world human terms), its only meant to prevent someone from sending mail out from your server to another server by making sure they have an account on the server.

Since the email is incoming as far as your mail server is concerned, then its not requiring authentication at all, which is why this isnt an exploit or bug of authentication.

If in the scenario you describe the email is outgoing, when is email ever incoming? it would all be outgoing.

RBogan
Posts: 73
Joined: Mon Jul 07, 2003 5:26 am

Post by RBogan » Mon Nov 17, 2003 4:27 am

merk wrote: Its not meant to ensure the identity of the sender (in real-world human terms), its only meant to prevent someone from sending mail out from your server to another server by making sure they have an account on the server.

Do you see that word I highlighted for you? OUT...

What I've been trying to tell you is...someone is using my server to SEND MAIL OUT to various users...making it look like it's coming FROM various users...

Got it now? If all mail were INCOMING...no one could use the server to SEND OUT...period.

merk
Posts: 412
Joined: Sun Oct 12, 2003 2:50 pm

Post by merk » Mon Nov 17, 2003 7:37 am

you never said they were sending mail out (out = outside of your server) you said they were sending email as:

TO: validuser@yourdomain
FROM: validuser@yourdomain

If the above is true, then again, they are not required to authenticate because the server is only looking at where the email is destined to go. if its final destination is your server, then no authentication is required.

if however:

TO: validuser@anotherdomain
FROM: validuser@yourdomain

if they are doing that, and using your email server to actually send it, then yes something is wrong with your authentication, or someone snagged a valid login.

but if you look at your original post, you were only complaining about people getting email from, themselves. And that does not fall under authentication.
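
The two cases distinguished in the post above, written as a small decision function (an added example, not part of the original thread and not MailEnable's code). The domain `yourdomain.example` and the names `rcpt_decision` and `require_auth_for_local_sender` are assumptions; the optional flag models the "require authentication if you are claiming to be a local user" idea raised earlier in the thread.

```python
# Added illustration: how "relay for authenticated users only" treats a
# recipient, and what the stricter policy discussed in the thread would change.
# All names and domains here are hypothetical / constructed.
from dataclasses import dataclass

LOCAL_DOMAINS = {"yourdomain.example"}  # constructed: domains this server hosts


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an SMTP envelope address."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


@dataclass
class Decision:
    accept: bool
    reason: str


def rcpt_decision(mail_from: str, rcpt_to: str, authenticated: bool,
                  require_auth_for_local_sender: bool = False) -> Decision:
    """Decide on one RCPT TO given the envelope sender and session auth state.

    The check uses the envelope sender (MAIL FROM); the From: header shown
    in a mail client is separate message content and can differ from it.
    """
    sender_local = domain_of(mail_from) in LOCAL_DOMAINS
    rcpt_local = domain_of(rcpt_to) in LOCAL_DOMAINS

    if not rcpt_local:
        # Recipient lives elsewhere: this is relaying, so the relay rule applies.
        if authenticated:
            return Decision(True, "relay: authenticated")
        return Decision(False, "relay denied: authentication required")

    # Recipient is one of ours: inbound delivery, the relay rule is not consulted.
    if require_auth_for_local_sender and sender_local and not authenticated:
        return Decision(False, "sender claims a local domain without authenticating")
    return Decision(True, "local delivery")


if __name__ == "__main__":
    cases = [  # constructed sample envelopes: (MAIL FROM, RCPT TO, authenticated)
        ("validuser@yourdomain.example", "validuser@yourdomain.example", False),
        ("validuser@yourdomain.example", "validuser@anotherdomain.example", False),
        ("validuser@yourdomain.example", "validuser@anotherdomain.example", True),
        ("someone@anotherdomain.example", "validuser@yourdomain.example", False),
    ]
    for strict in (False, True):
        print(f"require_auth_for_local_sender={strict}")
        for mail_from, rcpt_to, auth in cases:
            d = rcpt_decision(mail_from, rcpt_to, auth, strict)
            print(f"  {mail_from} -> {rcpt_to} auth={auth}: "
                  f"{'ACCEPT' if d.accept else 'REJECT'} ({d.reason})")
```

As noted earlier in the thread, the stricter option also rejects legitimate users who send with their own address through another provider's SMTP server.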
