RE: open relay

To: <post_office@xxxxxxxxxxxxxxx>
Subject: RE: open relay
From: "Carl Chipman" <cchipman@xxxxxxxxxxxx>
Date: Wed, 29 Jan 2003 12:29:52 -0600
Actually, the version of Post.Office I have (3.1.2) can never be
secured.  If you go to http://www.dnsbl.njabl.org/ and run the relay
test, unless you have the "only allow these IP addresses" to use it, it
will succeed in a fashion like this:

--------------------------------------------------------------------------------
From MAILER-DAEMON@xxxxxxxxxxxxxxxxxxxxxxxx  Thu Aug 29 15:40:30 2002
Return-Path: <MAILER-DAEMON@xxxxxxxxxxxxxxxxxxxxxxxx>
Received: from mail.nomadics.com (pca-232-240.stwr.brightok.net [205.162.232.240])
        by rt.njabl.org (8.11.6/8.11.6) with ESMTP id g7TJeUi26630
        for <relaytest@xxxxxxxxxxxx>; Thu, 29 Aug 2002 15:40:30 -0400
Date: Thu, 29 Aug 2002 15:40:30 -0400
Received: from rt.njabl.org ([209.208.0.15]) by mail.nomadics.com
          (Post.Office MTA v3.1.2 release (PO205-101c)
          ID# 0-45962U100L2S100) with SMTP id AAA217
          for <relaytest@xxxxxxxxxxxx>; Thu, 29 Aug 2002 14:43:07 -0500
From: relaytestsend@xxxxxxxxxxxx
To: relaytest@xxxxxxxxxxxx
Message-id: <1030650023.26575.0@xxxxxxxxxxxx>
X-RT-Subject: relaytest: 205.162.232.240
X-RT-From:
relaytestsend@*************************************************2********
****20***0********0*****2**00*2**00*************2******2002*******0***0*
00
X-RT-To: relaytest@xxxxxxxxxxxx
Subject: relaytest: 205.162.232.240

This is an automated test message for the purpose of finding and
adding open relays to our dnsbl.  If you have any questions, see
http://njabl.org/



--------------------------------------------------------------------------------
From MAILER-DAEMON@xxxxxxxxxxxxxxxxxxxxxxxx  Fri Aug 23 17:30:52 2002
Return-Path: <MAILER-DAEMON@xxxxxxxxxxxxxxxxxxxxxxxx>
Received: from mail.nomadics.com (pca-232-240.stwr.brightok.net [205.162.232.240])
        by rt.njabl.org (8.11.6/8.11.6) with ESMTP id g7NLUqi17219
        for <relaytest@xxxxxxxxxxxx>; Fri, 23 Aug 2002 17:30:52 -0400
Date: Fri, 23 Aug 2002 17:30:52 -0400
Received: from rt.njabl.org ([209.208.0.15]) by mail.nomadics.com
          (Post.Office MTA v3.1.2 release (PO205-101c)
          ID# 0-45962U100L2S100) with SMTP id AAA256
          for <relaytest@xxxxxxxxxxxx>; Fri, 23 Aug 2002 16:33:32 -0500
From: relaytestsend@xxxxxxxxxxxx
To: relaytest@xxxxxxxxxxxx
Message-id: <1030138245.17118.0@xxxxxxxxxxxx>
X-RT-Subject: relaytest: 205.162.232.240
X-RT-From:
relaytestsend@*************************************************2********
****20***0********0*****2**00*2**00*************2******2002********2**0*
00
X-RT-To: relaytest@xxxxxxxxxxxx
Subject: relaytest: 205.162.232.240




Carl Chipman
Nomadics, Inc.
cchipman@xxxxxxxxxxxx
http://www.nomadics.com


-----Original Message-----
From: Charles Ying [mailto:cying@xxxxxxxxxxxx] 
Sent: Wednesday, January 29, 2003 3:52 AM
To: post_office@xxxxxxxxxxxxxxx
Subject: Re: open relay

Eric is right. It took me a while to realize the power of this unique 
feature of Post.Office to allow SMTP based on sender's Return Address 
domain. It is also a dangerous feature as Bob Minor has learned the 
hard way. Say your Post.Office's IP address is listed as MX for 
domain1.com, ... domain9.com. You should NEVER have any of these 
domain names listed in the External Relay Restriction section (or 
local domain box checked). Because obviously, any spammer spoofing 
your domain name (like sending mail posing as postmaster@xxxxxxxxxxx) 
will try to relay the spam using the MX record for domain1.com, such 
as mail.domain1.com.

HOWEVER, assume you have 2 machines running Post.Office and the other 
machine's IP is nowhere to be found in the DNS zone file for 
domain1.com ... domain9.com, and you DO enter the list domain1.com... 
domain9.com into the field in the second Post.Office machine 
(allowing these domains to relay mail). Now all of your users using 
domain1.com .... domain9.com can simply set the second Post.Office 
machine as their SMTP server in their Outlook or Eudora and voila, 
they can smtp without having to POP first or do SMTP Auth.

I have a palm cell phone on Sprint running Palm version of Eudora. 
The problem is after picking up email and writing a reply, my phone 
has terminated the link to my POP server. When I hit send, my palm 
connects to Sprint and gets a new DHCP IP address and tries to use SMTP 
to send and my Post.Office server refuses to allow me to send because 
my Palm phone had not done a POP first. Of course, I had no idea of the 
status of the connection when I hit send. My version of Eudora for 
Palm also did not do SMTP Auth (not that Post.Office does). So I had 
a receive only email setup for my palm until I figured out that 
Post.Office can allow relay based solely on the Return address. Then 
it was simply finding a friend who also runs a Post.Office so we can 
trade domain names to add to this fantastic field. (Sprint also does 
not provide an SMTP server that will allow me to send email using my 
domain name as my return address.)

I can think of several other situations where this feature is the 
only way to get mail relayed. To me, this is one of the least-used 
and most powerful features of Post.Office (when used properly).

Bottom line, find a PO buddy and achieve SMTP (relay) freedom with
Post.Office!

Please, please Eric, Sue, Andrea et al, promise me Tenon will never 
remove this "feature" no matter how many Bob Minors there are out 
there. I begged other Mail server suppliers to offer this feature and 
none of them think it is worthwhile weighed against the hassle of 
dealing with users who are not careful. I have convinced several 
folks to switch to PO for this feature alone!

Thanks for listening,

Charles



At 12:49 AM -0800 1/29/03, faQ wrote:
>Robert,
>
>on 1/28/03 10:33 PM, Bob Minor at bob@xxxxxxxxxxxxx wrote:
>
>>  right but it's not supposed to. It's supposed to see it's not for the
>>  local domain and then reject it.
>>
>This is not quite correct. You are confusing the "Local Mail Domains" in the
>"External Relay Restrictions:" section (top of the page) with the "Local
>Mail Domains" in the "Allow delivery to:"  section (bottom of the page).
>
>It is checking to see if it is FROM the local mail domain based solely on
>the Mail From mail envelope.  This is not the best way to check and should
>not be enabled.  The syntax on this form will be changed slightly in future
>versions.
>
>The one on the bottom does what you are referring to:
>ie:
>Allow delivery to:
>  Local Mail Domains
>
>TTS
>--Eric
>
>>  On Tuesday, January 28, 2003, at 11:46 PM, Bruce Sommer wrote:
>>
>>>  "When relay restrictions are set using domain names, Post.Office
>>>  checks the return address on the envelope of every message in the
>>>  system against the list of allowed or restricted domains. Because a
>>>  user can easily alter his/her return address to include any domain,
>>>  using domains to restrict or allow relaying is not as secure as
>>>  restricting by IP addresses."
>>>
>>  Robert Minor
>>
>>
>
>---------
>Tenon Intersystems' Post.Office Mailing
>List
>To unsubscribe: send mail to
>post_office-request@xxxxxxxxxxxxxxx
>with the body only containing:
>unsubscribe
>Find the searchable mailing list archives
>at:
>http://postoffice.computeroil.com/
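
The thread distinguishes three checks: delivery to local recipient domains, relay allowed by envelope sender domain, and relay allowed by client IP. The following is an added example, not part of the thread and not Post.Office code, that models those checks so the difference can be tested; the class, field and function names, domains and addresses are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RelayPolicy:
    """Hypothetical model of an MTA relay policy (field names are assumptions)."""
    local_domains: set                                        # recipient check: "Allow delivery to"
    relay_sender_domains: set = field(default_factory=set)    # sender-domain relay allow list
    relay_networks: list = field(default_factory=list)        # client-IP relay allow list

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def decide(policy, client_ip, mail_from, rcpt_to):
    """Return (accepted, reason) for one SMTP envelope."""
    if domain_of(rcpt_to) in policy.local_domains:
        return True, "local delivery"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.relay_networks):
        return True, "relay: client IP allowed"
    # MAIL FROM is whatever the client typed; nothing here verifies it.
    if domain_of(mail_from) in policy.relay_sender_domains:
        return True, "relay: sender domain allowed"
    return False, "relay denied"

# Constructed sample data (documentation domains and address ranges).
BY_DOMAIN = RelayPolicy({"domain1.example"}, relay_sender_domains={"domain1.example"})
BY_IP = RelayPolicy({"domain1.example"}, relay_networks=["192.0.2.0/24"])
OUTSIDE_CLIENT, INSIDE_CLIENT = "203.0.113.50", "192.0.2.10"

def relay_probe(policy):
    """Outside client, local-domain return address, non-local recipient."""
    return decide(policy, OUTSIDE_CLIENT, "postmaster@domain1.example",
                  "someone@elsewhere.example")

if __name__ == "__main__":
    for name, policy in (("sender-domain rule", BY_DOMAIN), ("IP rule", BY_IP)):
        print(name, "->", relay_probe(policy))
    print("inside client ->", decide(BY_IP, INSIDE_CLIENT, "user@domain1.example",
                                     "someone@elsewhere.example"))
```

Under the sender-domain rule the probe is accepted for relay on the strength of the return address alone, while the IP rule denies it and still relays for the inside client and still delivers inbound mail for the local domain.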
