Re3: Solved: Help: my PO is open relay

[anita@xxxxxxxxx (Anita Holmgren)]

At 10:40 AM -0800 12/5/03, Glenn A. Bookout wrote:
> Sue:
>
>    Thanks for your update on this problem.
>
> On Thursday, Dec 4, 2003, at 17:29 US/Pacific, Sue Chester wrote:
>
> > The problem turned out to be that one of the accounts was using 
> > POP-before-SMTP and was popping continuously from a remote 
> > location.  POP-before-SMTP opens a relay window for accounts for a 
> > settable amount of time.  The relay database testers used that 
> > login account name to send relay through the system, and they were 
> > able to do so.  That's why the system got put into the open relay 
> > database.
> >
> > POP-before-SMTP is designed for peripatetic users, who need to send 
> > mail from various locations.  When used this way, there is little 
> > or no risk of some unauthorized person sending mail through your 
> > system as that account name, but for an account that needs 100% 
> > accessing, or if you have to POP that account all the time, it's 
> > better to turn POP-before-SMTP off, and use SMTP-Authentication.
>    Interesting.
>
>    I have a number of clients that have to use POP-before-SMTP ( 
> mainly due to the P.O restrictions on SMTP-Authentication needing a 
> match between ID and address, which is not very workable when 
> hosting multiple domains ),

Glenn, what are these restrictions you're talking about?  As far as I 
know, there are no restrictions on SMTP-Auth. There are, however, 
restrictions on POP-before-SMTP that have to do with the POP login 
name matching the email address.  Please explain this.

> and there are times that they will query our server for msgs. every 
> few min. for hours on end.
>
>    How can we check our logs to see if we're being exploited by this "bug"?

This isn't actually a bug.  It's just the ramification of using 
POP-before-SMTP incorrectly.  Since POP-before-SMTP creates a 
time-limited window allowing a particular account holder the freedom 
to send mail from an obscure/random location, if someone uses 
POP-before-SMTP continuously, they are obviously opening a relay 
window that lets an attacker use their account to relay thru their 
mail server.  So using POP-before-SMTP is fine, but not for 
continuous poping from well-known accounts.

>    I looked in my logs and there doesn't seem to be any difference 
> between the SMTP-Accept/SMTP-Deliver logging for an incomming or 
> outgoing msg.
>
>    Also, I thought that POP-before-SMTP was based on an ID/IP 
> address pair for successful sending, how can an "outsider" obtain 
> that information in order to exploit the system?

The current implementation is based on user account information, not 
IP address.

>    Is there any chance that Tenon is working to improve 
> SMTP-Authentication to allow more flexible ID/address pairs?

Again, please explain this.  If there's an issue, we'll definitely 
look into it.
-Anita
--
Tenon Intersystems                                       805-963-6983
232 Anacapa Street, #2A                               anita@xxxxxxxxx
Santa Barbara, CA 93101                          http://www.tenon.com
---------
Tenon Intersystems' Post.Office Mailing List
To unsubscribe: send mailto:post_office-request@xxxxxxxxxxxxxxx
with the body only containing: unsubscribe
Find the searchable mailing list archives at:
http://postoffice.computeroil.com/