Re: IIS SMTP - is open relay prevented?

> Under Access Control, the relay restrictions are configured such
> that only the local host 127.0.0.1 is granted access to relay
> through this server, and I have unchecked 'Allow all computers which
> authenticate to relay, regardless of the list above.'

That's fine. You are not an open relay. But while on the one hand you
have guarded against remote-initiated sessions, whether authenticated
or anonymous, you have in fact allowed _any_ loopback connections (for
example, from trojans, code injected through your web pages, etc.) to
relay.

I usually advise the opposite tactic. Don't relay by IP. Use SMTP AUTH
in your web code if available, and only relay for authenticated
sessions. This allows for much more granular control + auditing,
for example by creating different accounts for different web apps.

Note that if you are not allowing remote connections to your box on
port 25 _at all_, then you cannot be an open relay in any traditional
sense. You can be an open _proxy_, however, if there are holes in your
web app or commercial web components that allow people to do an HTTP
form post that results in mail getting sent through the local SMTP
server. Such mail is loopback-initiated and would thus be relayed to
the outside world. An additional layer of protection via passwords can
mitigate some of those risks (though not all, since you usually end up
embedding the SMTP AUTH password in your code). Depends on your app
and how it interacts with users.

> Authentication is set to anonymous.

Under authentication, "Anonymous" should be interpreted as "Anonymous
sessions allowed." Technically speaking, as there is no SMTP-level
AUTH mechanism used at all in an anonymous session, it's not
"anonymous auth."

--Sandy


------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
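The two relay policies Sandy contrasts, modelled as a small decision function so the difference is concrete. This is an added example and is not code from the post, from IIS, or from any Microsoft API: the `RelayPolicy` fields, the `LOCAL_DOMAINS` set and the sample sessions are assumptions constructed for illustration and only loosely mirror the options in the IIS SMTP "Relay Restrictions" dialog.

```python
"""Model of SMTP relay restrictions: relay-by-IP versus relay-by-SMTP-AUTH.

Added example; not code from the original post or from IIS. The policy
fields below are an assumption that mirrors the dialog options loosely.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample data: domains this server accepts mail for (delivery,
# not relay) and the recipient we use to probe relay behaviour.
LOCAL_DOMAINS = {"example.com"}
OUTSIDE_RCPT = "someone@external.example.net"


@dataclass
class RelayPolicy:
    # "Only the list below": source networks allowed to relay anonymously
    allowed_networks: List[str] = field(default_factory=list)
    # The checkbox "Allow all computers which successfully authenticate
    # to relay, regardless of the list above"
    allow_authenticated: bool = False


@dataclass
class Session:
    peer_ip: str                         # address the TCP session came from
    authenticated_as: Optional[str] = None  # SMTP AUTH account, if any


def may_relay(policy: RelayPolicy, session: Session, rcpt: str) -> bool:
    """Return True if RCPT TO:<rcpt> would be accepted in this session.

    Mail for a local domain is always accepted (that is delivery, not
    relay). Relay to a foreign domain needs either a listed source
    network or, when the checkbox is set, an authenticated session.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True
    peer = ip_address(session.peer_ip)
    if any(peer in ip_network(net) for net in policy.allowed_networks):
        return True
    if policy.allow_authenticated and session.authenticated_as:
        return True
    return False


def audit_line(policy: RelayPolicy, session: Session, rcpt: str) -> str:
    """Log line a defender would want: who (IP and account) relayed what.

    With relay-by-IP every loopback sender logs as 127.0.0.1/anonymous, so
    a trojan and a legitimate web app are indistinguishable. With SMTP AUTH
    and one account per web app, the account name identifies the source.
    """
    verdict = "RELAY" if may_relay(policy, session, rcpt) else "REJECT"
    who = session.authenticated_as or "anonymous"
    return f"{verdict} from={session.peer_ip} auth={who} rcpt={rcpt}"


# The original poster's configuration: loopback relays, nothing else does.
IP_BASED = RelayPolicy(allowed_networks=["127.0.0.1/32"],
                       allow_authenticated=False)

# The configuration Sandy recommends: no IP exemptions, only SMTP AUTH.
AUTH_BASED = RelayPolicy(allowed_networks=[], allow_authenticated=True)

# Constructed sessions: an unauthenticated local process (e.g. injected
# code on the web server), an authenticated local web app, and a remote
# host that happens to know a password.
LOCAL_ANON = Session("127.0.0.1")
LOCAL_WEBAPP = Session("127.0.0.1", authenticated_as="webapp-orders")
REMOTE_AUTH = Session("203.0.113.5", authenticated_as="webapp-orders")


def compare_policies(rcpt: str = OUTSIDE_RCPT) -> dict:
    """Relay verdicts for each (policy, session) pair against an outside rcpt."""
    return {
        name: {
            "local_anon": may_relay(pol, LOCAL_ANON, rcpt),
            "local_webapp": may_relay(pol, LOCAL_WEBAPP, rcpt),
            "remote_auth": may_relay(pol, REMOTE_AUTH, rcpt),
        }
        for name, pol in (("ip_based", IP_BASED), ("auth_based", AUTH_BASED))
    }


if __name__ == "__main__":
    for name, verdicts in compare_policies().items():
        print(name, verdicts)
    print(audit_line(IP_BASED, LOCAL_ANON, OUTSIDE_RCPT))
    print(audit_line(AUTH_BASED, LOCAL_WEBAPP, OUTSIDE_RCPT))
```

The point the model makes visible: under `IP_BASED`, any process on the box relays to the outside world and the audit line cannot tell a web app from injected code, while under `AUTH_BASED` the anonymous loopback session is rejected and the relayed mail carries the account name. The remaining risk Sandy notes (an AUTH password embedded in web code) is not something the policy itself can remove; it shows up here as the `REMOTE_AUTH` session, which relays under `AUTH_BASED` if the credential leaks.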