[Sussex] Securing Mail Servers

Jamie L. Penman-Smithson lists at silverdream.org
Sun Apr 16 17:34:04 UTC 2006


On 16 Apr 2006, at 17:01, paul.morriss at tokenbay.co.uk wrote:
> I have been testing a new mail server setup (atm it's on a private
> network, but will be public when configuration finished),

Which mail server are you trying to use?

> I have noticed that anyone can telnet into the mail server and issue:
> helo, from, to, data and then send.... I see this as a large  
> security hole
> as it means hacker X could send a malicious email from
> webmaster at whatever.com without any authorisation.

You should make sure that your mail server is not an open relay: authorised users should use SMTP AUTH when sending mail through the mail server, and any other mail which is addressed to non-local recipients should be rejected. If you run an open relay, your server will be blacklisted.

There's more info on open relays and how to prevent becoming one here:
<http://spamlinks.net/prevent-secure-relay.htm>

> We have added security so that it will be bounced if the from address is not
> valid, but is there a way so that only authorised users can send mail?

Make sure that any rejections are done in-protocol to avoid backscatter. The sender address is very easily forged; the only way to ensure that any bounce goes to the actual sender is to reject during the SMTP transaction, not after. This way the remote MTA will be responsible for delivering the DSN.

There's further information here:
<http://spamlinks.net/prevent-secure-backscatter.htm>

> Apologies if this has been asked many times but I am new to mail  
> systems.

Setting up and running a mail server is an infinitely complex subject; you should at least ensure that you have a sound understanding of the SMTP protocol. The slightest error in configuration can have great consequences, not just for yourself but for your 'neighbours', so please don't become part of the problem.

-j
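The relay and backscatter points above, as an added illustration that is not part of the original thread or of any particular MTA: a minimal envelope policy that accepts mail for local domains from anyone, relays to other domains only after SMTP AUTH, and refuses anything else at RCPT TO, inside the transaction, so a forged MAIL FROM never receives a bounce from this server. The domain `example.com`, the host names and the command sequence are constructed for the example.

```python
# Added example: SMTP relay policy decided in-protocol (not from the thread).
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAINS = {"example.com"}  # constructed: domains this MTA delivers locally


@dataclass
class Session:
    authenticated: bool = False          # set only after a successful SMTP AUTH
    mail_from: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)


def rcpt_policy(session: Session, rcpt: str) -> str:
    """Decide at RCPT TO time; return the SMTP reply line."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        # Inbound mail for our own users: any remote MTA may deliver it.
        session.rcpts.append(rcpt)
        return "250 2.1.5 Ok"
    if session.authenticated:
        # Submission by an authenticated user: relaying outward is allowed.
        session.rcpts.append(rcpt)
        return "250 2.1.5 Ok"
    # Unauthenticated client addressing a non-local recipient: a relay attempt.
    # Refuse now, not after acceptance, so no DSN is ever generated by us.
    return "554 5.7.1 Relay access denied"


def run_session(commands: List[str], authenticated: bool = False) -> List[str]:
    """Feed constructed SMTP commands through the policy and collect replies."""
    s = Session(authenticated=authenticated)
    replies = []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.com")
        elif verb == "MAIL":
            s.mail_from = arg.split(":", 1)[-1].strip("<> ")
            replies.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            replies.append(rcpt_policy(s, arg.split(":", 1)[-1].strip("<> ")))
        elif verb == "DATA":
            # With every recipient refused, the message body is never accepted.
            replies.append("354 End data with <CR><LF>.<CR><LF>" if s.rcpts
                           else "554 5.5.1 No valid recipients")
        else:
            replies.append("500 5.5.2 Command not recognised")
    return replies
```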

