[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

issues with redirecting SMTP

Hrm. Just found out my SMTP server (smail at the time, now exim) was
open to relaying when I found to my unpleasant surprise a bunch of
bounces from spam in my postmaster box.

This seems to be the problem. I had the MTA configured correctly to not
relay, but since I have the MTA running on a separate machine in a
perimeter network behind the firewall, and since I was using redir to
redirect SMTP to it through the firewall from outside, the MTA was doing
all its checking against the IP address of the firewall, not the outside
source. I.e., it thinks the SMTP connection is coming from the firewall.

I managed to plug the hole in exim by explicitly not listing the
firewall as a host allowed to relay, but this seems like a poor solution
since I would imagine things like RBL filtering and even basic spoofing
would be similarly undetectable by the MTA.

It also makes me wonder what other services would suffer. I do use tcpd
to wrap the redir command, so at least some protection is there, but if
daemons on the perimeter box (which supplies www, ftp, and smtp) always
think packets are coming from the firewall then they can't perform
protocol-specific validation that depends on the origin IP address.

Any thoughts on the matter from you smart folks? I have some general
1) should I be using a forward-only SMTP server at the firewall, rather
than port forwarding?
2) should I be using something other than redir for port forwarding?
3) are there any other holes I'm missing due to this setup?

I unlimbered the latest version of SAINT and pounded everything, and
have plugged several other things while I'm at it. Fun, I suppose, but
more than a little unsettling.

Interestingly enough, SAINT quit complaining about SMTP relaying when I
switched to exim, but the `telnet mail-abuse.org` verifier still
complained until I turned off relaying for the firewall.


Paul Reavis                                      preavis@partnersoft.com
Design Lead
Partner Software, Inc.                        http://www.partnersoft.com

Reply to: