I discovered my server has been used to relay a fair amount of spam over the last few days, and in doing the investigation behind it, it turns out ASSP is the hole that they got through. Version 2.0.0 15.06, in particular; however, I tested with 15.11 and it does the exact same thing.
First off: I have my listenPort2 and smtpAuthServer set, so that my users can connect and send mail through my server. I also have EnforceAuth set - however, upon investigation, anyone can connect to my mail server, and without doing SMTP Auth, in a simple plain SMTP session, pretend to be anyth...@anyofmydomains, and send mail to any valid user on my server. Thankfully, if the user attempts to send mail to a third party on a domain not hosted by me, it rejects it with "530 SMTP authentication is required", so it's not wide open. However, it is quite clearly ignoring EnforceAuth.

Which brings me to my second problem. With my v1 ASSP, it was set up thusly:

1. Anyone could connect on port 25 and send mail from any user to any user on my server, with no auth required. This is an obvious public SMTP server.
2. Users could connect on port 25 or 125 with SMTP Auth, and could send mail from themselves (MAIL FROM had to be a known user on the server) to any email address.

#1 is working, as you would expect. However, #2 is not working. The way it is currently functioning is: any user who has a valid account on my server can log in via SMTP AUTH, and send mail from ANY email address, to ANY email address, and my server will happily relay it.

This is where the spam problem comes in - one of my users had their PC compromised, and their SMTP password stolen by a trojan. This was then used to log into my server from zombie spam bots and send massive amounts of spam all over the world. This spam had "MAIL FROM" various spammy places, not my local domains. Normally, if it was working as it should, this would not have been permitted - the only way the SMTP AUTH session should be able to send mail is if the mail is from a valid user on the server.

noProcessingIPs contains a small list of IPs, primarily containing a web server that sends mail through my mail server.
noProcessingList contains one email address.
noProcessingDomains:=
acceptAllMail contains the same list of IPs as is used for noProcessingIPs.
DoLocalSenderDomain:=1
DoLocalSenderAddress:=1
nolocalDomains:=
ispip:=
contentOnlyRe:=
ispHostnames:=
LocalAddresses_Flat:=file:files/users.txt
localDomains:=file:files/domains.txt
(these are both updated regularly by my mail server)
noMsgId contains the same list of IPs as is used for noProcessingIPs.
DoNoValidLocalSender:=1
ForceNoValidLocalSender:=1
DoNoSpoofing:=1
DoLocalSender:=1

Am I missing something? Do I have something configured incorrectly? Or is there a problem here in ASSP itself? I've been over the configuration many times now, and I don't see what I could have set up incorrectly.

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
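
The relay rules the message describes as the intended behaviour, written out as an added example that is not part of the original post and is not ASSP code. The addresses, the `Envelope` record and the `reject_unauth_local_sender` switch are constructed or hypothetical; the function can be used to audit recorded envelopes for relays the intended policy would have refused.

```python
# Added example, not ASSP code: the relay rules the post describes as intended.
from dataclasses import dataclass

# Constructed stand-ins for files/domains.txt and files/users.txt.
LOCAL_DOMAINS = {"example.org"}
LOCAL_USERS = {"alice@example.org", "bob@example.org"}

@dataclass
class Envelope:
    authenticated: bool  # True if the session completed SMTP AUTH
    mail_from: str
    rcpt_to: str

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def expected_policy(env, reject_unauth_local_sender=False):
    """Return (accept, reason). reject_unauth_local_sender is a hypothetical
    switch for the first complaint: a local sender address used without AUTH."""
    sender = env.mail_from.lower()
    if env.authenticated:
        # Rule 2: authenticated users may send anywhere, but only as a known local user.
        if sender not in LOCAL_USERS:
            return False, "authenticated sender is not a local user"
        return True, "authenticated local sender"
    # Rule 1: unauthenticated sessions may only deliver to local users.
    if env.rcpt_to.lower() not in LOCAL_USERS:
        return False, "530 SMTP authentication is required"
    if reject_unauth_local_sender and domain(sender) in LOCAL_DOMAINS:
        return False, "local sender domain without SMTP AUTH"
    return True, "inbound mail to local user"

def audit(envelopes, **kw):
    """Return (envelope, reason) for every envelope the policy would refuse."""
    results = [(e, expected_policy(e, **kw)) for e in envelopes]
    return [(e, reason) for e, (ok, reason) in results if not ok]

# Constructed sample envelopes.
SAMPLE = [
    Envelope(False, "stranger@elsewhere.test", "alice@example.org"),  # normal inbound
    Envelope(False, "stranger@elsewhere.test", "victim@third.test"),  # open-relay attempt
    Envelope(True, "alice@example.org", "friend@third.test"),         # normal outbound
    Envelope(True, "promo@spammy.test", "victim@third.test"),         # stolen-password relay
    Envelope(False, "ceo@example.org", "bob@example.org"),            # local sender, no AUTH
]

if __name__ == "__main__":
    for env, reason in audit(SAMPLE, reject_unauth_local_sender=True):
        print(f"REFUSE {env.mail_from} -> {env.rcpt_to}: {reason}")
```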
