| Groups | Blog | Home |
iis smtp nntp : Question Re Securing SMTP Server
We would like to enable our commercially distributed application to send
e-mails via SMTP. There are a number of applications for this. A couple quick examples are to enable customers to submit e-mail feedback to us, or to send in details of a run-time exception via e-mail. Because of the complexities of dealing with each customer's particular internal e-mail infrastructure, we are going to establish our own SMTP server at a known domain location, for example SMTP.mycompany.com. This simplifies our deployment logistics since we'll know ahead of time that we'll always be using SMTP.mycompany.com as the SMTP server. The SMTP server will be open to anonymous access since the e-mail clients will be running on our customer workstations, completely outside of our domain. Can I secure the SMTP server to only accept messages for a few particular addresses? For example: Feedback@mycompany.com AppError@mycompany.com or anyone @mycompany.com Since this is a public SMTP site, I don't want to allow users to route any e-mail through this SMTP server, except to the very narrow list of recipients which I specify. Can this be done? Thanks for your suggestions. - Joseph Geretz -
Hi PL, thanks for your reply.
[quoted text, click to view] > Assuming you mean the default smtp service with 'smtp' there is no way > that I know of to configure only certain email boxes to receive or relay > email and this would be insecure anyway since anyone can manipulate the > sender (or reply-to) email address. Actually, I don't care at all about the Sender or Reply To information. What I want to filter on is the Recipient. In this way I'll prevent spammers from using my SMTP server as a relay for their nefarious purposes. [quoted text, click to view] > You can however easily configure it to only relay email from certain ip > addresses which is what you normally do when you want to only allow > certain computers or group of computers to relay email. I'm trying to avoid having to do this, since this will be an extra step during the software deployment stage; to collect this information from the client and enter this into our SMTP server security configuration. Also, what if this changes? We'll constantly incur additional maintenance overhead to ensure that our SMTP access permissions remain valid with our clients' actual IP configurations. (We have many hundreds of clients.) [quoted text, click to view] > What happens when someone sends an email to an account that doesnt exist > ... Sure, this is not a problem. What I'm trying to prevent is SPAMMERS from using my SMTP server as a relay. [quoted text, click to view] > If you need more avanced features I'm afraid it is Exchange server or > another commercial email solution you need. We do have an Exchange Server in-house, but this is used for internal purposes. I was hoping to be able to use a simple SMTP server as a brdge between the remote clients and our internal Exchange Server. Thanks, - Joe Geretz - [quoted text, click to view] "PL" <pblse2@yahoo.se> wrote in message news:uhZpaw8ZGHA.1560@TK2MSFTNGP03.phx.gbl... > > Assuming you mean the default smtp service with 'smtp' there is no way > that I know of to configure only certain email boxes to receive or relay > email and this would be insecure anyway since anyone can manipulate the > sender (or reply-to) email address. > > You can however easily configure it to only relay email from certain ip > addresses which is what you normally do when you want to only allow > certain computers or group of computers to relay email. > > There is no way to configure a catch-all email box either, there are > scripts that you can install that hook into the smtp service to offer this > but this solution usually encounters performance issues and other wird > side effects. > > What happens when someone sends an email to an account that doesnt exist > is simply that the smtp service will send out a non delivery report and > put the mail in the badmail directory, this directory should be cleaned > with a scheduled batch file with regular intervals. > > If you need more avanced features I'm afraid it is Exchange server or > another commercial email solution you need. > > PL. > > "Joseph Geretz" <jgeretz@nospam.com> skrev i meddelandet > news:%23M9GMl8ZGHA.3652@TK2MSFTNGP03.phx.gbl... >> We would like to enable our commercially distributed application to send >> e-mails via SMTP. .... > >
Assuming you mean the default smtp service with 'smtp' there is no way that I know of to configure only certain email boxes to receive or relay email and this would be insecure anyway since anyone can manipulate the sender (or reply-to) email address. You can however easily configure it to only relay email from certain ip addresses which is what you normally do when you want to only allow certain computers or group of computers to relay email. There is no way to configure a catch-all email box either, there are scripts that you can install that hook into the smtp service to offer this but this solution usually encounters performance issues and other wird side effects. What happens when someone sends an email to an account that doesnt exist is simply that the smtp service will send out a non delivery report and put the mail in the badmail directory, this directory should be cleaned with a scheduled batch file with regular intervals. If you need more avanced features I'm afraid it is Exchange server or another commercial email solution you need. PL. "Joseph Geretz" <jgeretz@nospam.com> skrev i meddelandet news:%23M9GMl8ZGHA.3652@TK2MSFTNGP03.phx.gbl... [quoted text, click to view] > We would like to enable our commercially distributed application to send > e-mails via SMTP. ....
Relaying and receiving is two different things. If all the server is supposed to do is to receive emails, then there is no problem, just because it's open for anynonymous access doesn't mean anyone can relay through it. If you only want to receive emails then set the "Relay restrictions" to only accept from a list of ip's and then don't add any ip's at all in the list, keep the anonymous access under "Access restrictions" and voila you have a server that receives from any address but don't realy for anyone. PL.
Hi PL,
It sounds like this is the solution I'm looking for. Can you just explain to me what is the difference between Receiving and Relaying? (I guess this is elementary, but I'm new at this.) As far as I understand, the purpose of the SMTP server is to receive incoming mail and 'relay' it to a specific mailbox. Are you saying that this latter action is not called relaying? That the term Relay means to route the mail on to another SMTP server? Thanks for your help! - Joseph Geretz - [quoted text, click to view] "PL" <pblse2@yahoo.se> wrote in message news:eOlcYpDaGHA.4784@TK2MSFTNGP02.phx.gbl... > > Relaying and receiving is two different things. If all the server is > supposed to do is to receive emails, then there is no problem, just > because it's open for anynonymous access doesn't mean anyone can relay > through it. > > If you only want to receive emails then set the "Relay restrictions" to > only accept from a list of ip's and then don't add any ip's at all in the > list, keep the anonymous access under "Access restrictions" and voila you > have a server that receives from any address but don't realy for anyone. > > PL. >
OK, I got it.
I'm finding though that with Relay disabled, I'm not able to use smart host forwarding for delivery. For example, I have the following two machines on my network: exchange.domain.com smtp.domain.com With Relaying disabled, all clients can do is send mail to 'Joseph' which ultimately ends up as Joseph@smtp.domain.com. This being the case, the mail just sits on smtp.domain.com in the Drop folder without being routed to Joseph@domain.com via our Exchange server. Sending mail to Joseph@domain.com would trigger a forwarding to the Exchange smart host, but this can't be done since Relaying is disabled. I can see a patth forward for this, but this would involve writing a service to monitor the drop folder and process incoming mail to either delete it or forward it on to our Exchange server. Not a huge deal, pretty much simple file processing and string substitution, but I can't help but think that there must be a better way of accomplishing what I am trying to do. Thanks for your advice! - Joseph Geretz - [quoted text, click to view] "PL" <pblse2@yahoo.se> wrote in message news:es6NoqHaGHA.3832@TK2MSFTNGP04.phx.gbl... >> Are you saying that this latter action is not called relaying? That the >> term Relay means to route the mail on to another SMTP server? > > I think the term 'relay' is sometimes used for other things but the core > meaning is to relay to other servers. > > PL. >
I have been able to get this to work using two SMTP virtual servers running
on the same server. The first server which is publicly accessible (port 25 punched through the firewall) is restricted - No Relay. It's domain is set to domain.com. This means that mail can be dropped off for Joseph or Joseph@domain.com. Any other domain address will be rejected because Relay is OFF. This server drops all delivered mail to the Pickup folder for the second server. The second server is not publicly accessible. It monitors an arbitrary port which is blocked by the firewall. But it doesn't get any of its mail from an outside connection. It receives its mail into its Pickup folder from the first server as described above. The second server's domain is set to foobar.com. It is set to Relay and also to use our Exchange Server as its Smart Host. Therefore, it routes all mail in its Pickup folder (for domain.com) directly to our internal Exchange server for delivery. With this simple(?) configuration, we acheive our three objectives: 1. Anonymous access 2. Restrict SMTP to mail intended for the domain.com domain 3. Forward all mail submitted for domain.com onwards to the Exchange Server for delivery. Simple! Is there a better way of doing this? Thanks! - Joe Geretz - [quoted text, click to view] "Joseph Geretz" <jgeretz@nospam.com> wrote in message news:e2W0WoIaGHA.3612@TK2MSFTNGP03.phx.gbl... > OK, I got it. > > I'm finding though that with Relay disabled, I'm not able to use smart > host forwarding for delivery. For example, I have the following two > machines on my network: > > exchange.domain.com > smtp.domain.com > > With Relaying disabled, all clients can do is send mail to 'Joseph' which > ultimately ends up as Joseph@smtp.domain.com. This being the case, the > mail just sits on smtp.domain.com in the Drop folder without being routed > to Joseph@domain.com via our Exchange server. Sending mail to > Joseph@domain.com would trigger a forwarding to the Exchange smart host, > but this can't be done since Relaying is disabled. > > I can see a patth forward for this, but this would involve writing a > service to monitor the drop folder and process incoming mail to either > delete it or forward it on to our Exchange server. Not a huge deal, pretty > much simple file processing and string substitution, but I can't help but > think that there must be a better way of accomplishing what I am trying to > do. > > Thanks for your advice! > > - Joseph Geretz - > > "PL" <pblse2@yahoo.se> wrote in message > news:es6NoqHaGHA.3832@TK2MSFTNGP04.phx.gbl... >>> Are you saying that this latter action is not called relaying? That the >>> term Relay means to route the mail on to another SMTP server? >> >> I think the term 'relay' is sometimes used for other things but the core >> meaning is to relay to other servers. >> >> PL. >> > >
[quoted text, click to view]
> Are you saying that this latter action is not called relaying? That the > term Relay means to route the mail on to another SMTP server? I think the term 'relay' is sometimes used for other things but the core meaning is to relay to other servers. PL.
Sounds like a workable solution to me, I havent had a reason to use the smarthost feature yet so I couldn't tell you if there is a better solution. PL. "Joseph Geretz" <jgeretz@nospam.com> skrev i meddelandet news:O0i3%234JaGHA.1228@TK2MSFTNGP02.phx.gbl... [quoted text, click to view] >I have been able to get this to work using two SMTP virtual servers running >on the same server. > > ...... > > Simple! Is there a better way of doing this? > > Thanks! > > - Joe Geretz -
Yes, is simple to set up this way. what was complicated was figuring this
out in the first place. Make me wonder why MS didn't just provide another dialog box: Accept mail for the following domain(s) with the fmailiar two options: Accept mail for only those domains on the list Accept mail for all domains except those on the list This would probably go a long way toward tightening up all those unsecured SMTP servers which are sending SPAM out all over the world. Typical Microsoft approach though. Allow everything by default and then leave it up to the customer to figure out how to close all the loopholes. - Joe Geretz - [quoted text, click to view] "PL" <pblse2@yahoo.se> wrote in message news:OEzoIsQaGHA.5004@TK2MSFTNGP02.phx.gbl... > > Sounds like a workable solution to me, I havent had a reason to use the > smarthost feature yet so I couldn't tell you if there is a better > solution. > > PL. > > "Joseph Geretz" <jgeretz@nospam.com> skrev i meddelandet > news:O0i3%234JaGHA.1228@TK2MSFTNGP02.phx.gbl... >>I have been able to get this to work using two SMTP virtual servers >>running on the same server. >> >> ...... >> >> Simple! Is there a better way of doing this? >> >> Thanks! >> >> - Joe Geretz - > >
[quoted text, click to view]
> The problem is that you can easily claim to be from any domain when > sending an email, it's better to limit by ip. That wans't the thrust of my suggestion. You are quite correct, when filtering by *sender*, it's practically irrelevant to filter on domain, which is easily spoofed. My suggestion is a completely different filter altogether (in addition to the sender filter by IP). To filter by *destination*. That is to allow me to set up an SMTP server which will accept only e-mail whose *destination* is domainA.com or domainB.com. Or, alternatively, to specify that I will accept mail destined for all domains except domainA.com and domainB.com. This would allow Anonymous SMTP while at the same time easily cut down on huge volumes of SPAM, since what can a spammer do with my Anonymous SMTP server if it only accepts mail for anyone at MyDomain.com? Most of the mail sent by a spammer for a relay attempt would be immediately rejected based on the target recipient address(es). Such a simple thought - why hasn't Microsoft implemented this? - Joe Geretz - [quoted text, click to view] "PL" <pblse2@yahoo.se> wrote in message news:uLuswSTaGHA.4972@TK2MSFTNGP03.phx.gbl... > > The problem is that you can easily claim to be from any domain when > sending an email, it's better to limit by ip. > > You can test if it's an open relay here: http://www.abuse.net/relay.html > > Just to make sure it's correctly configured. > > There are other sites where you can do this as well, do a google search > for it. > > PL. > > > "Joseph Geretz" <jgeretz@nospam.com> skrev i meddelandet > news:OJn%23p3SaGHA.3612@TK2MSFTNGP03.phx.gbl... >> Yes, is simple to set up this way. what was complicated was figuring this >> out in the first place. Make me wonder why MS didn't just provide another >> dialog box: >> >> Accept mail for the following domain(s) >> >> with the fmailiar two options: >> >> Accept mail for only those domains on the list >> Accept mail for all domains except those on the list >> >> This would probably go a long way toward tightening up all those >> unsecured SMTP servers which are sending SPAM out all over the world. >> Typical Microsoft approach though. Allow everything by default and then >> leave it up to the customer to figure out how to close all the loopholes. >> >> - Joe Geretz - >> > >
The problem is that you can easily claim to be from any domain when sending an email, it's better to limit by ip. You can test if it's an open relay here: http://www.abuse.net/relay.html Just to make sure it's correctly configured. There are other sites where you can do this as well, do a google search for it. PL. "Joseph Geretz" <jgeretz@nospam.com> skrev i meddelandet news:OJn%23p3SaGHA.3612@TK2MSFTNGP03.phx.gbl... [quoted text, click to view] > Yes, is simple to set up this way. what was complicated was figuring this > out in the first place. Make me wonder why MS didn't just provide another > dialog box: > > Accept mail for the following domain(s) > > with the fmailiar two options: > > Accept mail for only those domains on the list > Accept mail for all domains except those on the list > > This would probably go a long way toward tightening up all those unsecured > SMTP servers which are sending SPAM out all over the world. Typical > Microsoft approach though. Allow everything by default and then leave it > up to the customer to figure out how to close all the loopholes. > > - Joe Geretz - >
[quoted text, click to view]
Joseph Geretz wrote: >> The problem is that you can easily claim to be from any domain when >> sending an email, it's better to limit by ip. > > That wans't the thrust of my suggestion. You are quite correct, when > filtering by *sender*, it's practically irrelevant to filter on > domain, which is easily spoofed. > > My suggestion is a completely different filter altogether (in > addition to the sender filter by IP). To filter by *destination*. > That is to allow me to set up an SMTP server which will accept only > e-mail whose *destination* is domainA.com or domainB.com. Or, > alternatively, to specify that I will accept mail destined for all > domains except domainA.com and domainB.com. > This would allow Anonymous SMTP while at the same time easily cut > down on huge volumes of SPAM, since what can a spammer do with my > Anonymous SMTP server if it only accepts mail for anyone at > MyDomain.com? Most of the mail sent by a spammer for a relay attempt > would be immediately rejected based on the target recipient > address(es). Such a simple thought - why hasn't Microsoft implemented > this? > - Joe Geretz - > > "PL" <pblse2@yahoo.se> wrote in message > news:uLuswSTaGHA.4972@TK2MSFTNGP03.phx.gbl... >> >> The problem is that you can easily claim to be from any domain when >> sending an email, it's better to limit by ip. >> >> You can test if it's an open relay here: >> http://www.abuse.net/relay.html Just to make sure it's correctly >> configured. >> >> There are other sites where you can do this as well, do a google >> search for it. >> >> PL. >> >> >> "Joseph Geretz" <jgeretz@nospam.com> skrev i meddelandet >> news:OJn%23p3SaGHA.3612@TK2MSFTNGP03.phx.gbl... >>> Yes, is simple to set up this way. what was complicated was >>> figuring this out in the first place. Make me wonder why MS didn't >>> just provide another dialog box: >>> >>> Accept mail for the following domain(s) >>> >>> with the fmailiar two options: >>> >>> Accept mail for only those domains on the list >>> Accept mail for all domains except those on the list >>> >>> This would probably go a long way toward tightening up all those >>> unsecured SMTP servers which are sending SPAM out all over the >>> world. Typical Microsoft approach though. Allow everything by >>> default and then leave it up to the customer to figure out how to >>> close all the loopholes. - Joe Geretz - My 2 cents: Rename the default domaine (by creting a new one) by an obvious name (like ytriuvplo or something) This way no one can send mail to the local smtp. Dont forget to change the default banner returned by smtp ;-) Create a remote domaine said exchange.domain.com In the property of this domain configure a smart host as this [ipadressofexchange] Click on the allow to relay Repeat for every domains you need to forward to one of your domain That's it
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |