Off the cuff, I'd probably stand something else up and have it relay mail to the VAX (I suspect you've already got machines available for this purpose, ping me off-list if not). Have the VAX only accept connections from whatever's doing the relaying. If you can't get VMS or the smtpd to restrict incoming connections, add a transparent hardware firewall in between. This is what I typically do when something old and probably insecure has to be connected to the Internet -- proxy, relay, or otherwise hide the actual server behind something modern.
Thanks,
Jonathan

On Thu, Nov 30, 2017 at 6:28 PM, Peter Coghlan via cctalk <cctalk@classiccmp.org> wrote:

> >
> > I have a microvax set up with VMS 5, running MULTINET (and decnet
> > locally). The server has a FQDN and after a while being exposed to the
> > WWW someone out there started using the server as an SMTP relay. I can
> > disable and clear the queue, but I'd like to block this entirely from
> > happening in the first place. I'd like to learn more about how this
> > happens in VMS.
> >
> > Has anyone had this same problem before? I realize back when VMS 5 was
> > current it was not so much of an issue, but today it is. I am working on a
> > solution. I can envision a few ways including blocking the smtp relay port
> > from the firewall, but if possible I'd like to set up a VMS Multinet
> > solution as a learning exercise.
> >
>
> I had this problem about 25 years ago. I suspect lots of people did.
>
> In the VMS world, networking stacks are separately packaged from the base
> operating system and it is possible to install one or more of DECnet, TCP/IP,
> X25 and various other networking products and have them all running
> simultaneously.
>
> VMS doesn't know or care about SMTP, the issue here is with Multinet which
> seems to be what was installed to provide TCP/IP networking on your machine.
> Multinet includes a basic SMTP server which can be used to move mail between
> VMS MAIL and the internet. Very old versions of Multinet came with SMTP
> relaying enabled because this is what the standards required at the time.
> Later versions came with easy ways to disable SMTP relaying. Later still
> versions shipped with SMTP relaying disabled out of the box when spammers
> targeting open relays became a serious problem. More recently still,
> Multinet comes with pretty much all of the TCP/IP servers it provides disabled
> and requires the installer to enable the services they want, leaving less
> opportunity for surprises when servers are running that nobody knew existed,
> except the bad guys targeting them.
>
> The Multinet SMTP server is pretty basic and people who are serious about
> doing SMTP on VMS typically disable it and install a proper mailserver like
> PMDF. That's my excuse for not knowing how to disable SMTP relaying in
> Multinet. That and because it probably varies for different versions of
> Multinet and you haven't said what version of Multinet you have. I used to
> be one of the people supporting Multinet in this part of the world and I
> seem to have inherited a stack of Multinet documentation for different old
> versions so if I knew what version, I could probably look it up. I think the
> documentation for the most recent couple of Multinet versions is on the
> Multinet website:
>
> http://www.process.com/psc/service-support/multinet-support/
>
> Try the Administrator's guide or Administrator's reference.
>
> I do however know how to disable the SMTP server in Multinet completely:
>
> $ MULTINET CONFIGURE /SERVERS
> SERVER-CONFIG> DISABLE SMTP
> SERVER-CONFIG> RESTART
> Configuration modified, do you want to save it first ? [YES]
>
> Regards,
> Peter Coghlan
>
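
A way to confirm that relaying is actually closed after any of the changes discussed in this thread, as an added example that is not part of the original messages: the check issues MAIL FROM and RCPT TO for a foreign domain, reads the reply code, and resets the session before DATA, so no message is queued. The host names, addresses and the `FakeSMTP` stand-in server are constructed assumptions so the example runs offline; point `is_open_relay` at your own server's address to use it for real.

```python
import smtplib
import socketserver
import threading

def accepts_recipient(host, port, rcpt):
    """True if the server answers 2xx to RCPT TO. Stops before DATA and
    sends RSET, so nothing is ever queued."""
    with smtplib.SMTP(host, port, local_hostname="relaycheck.invalid", timeout=5) as s:
        s.helo()
        s.mail("probe@sender.invalid")
        code, _ = s.rcpt(rcpt)
        s.rset()
    return 200 <= code < 300

def is_open_relay(host, port):
    # Recipient in a domain the server has no business handling (assumed name).
    return accepts_recipient(host, port, "probe@external.invalid")

class FakeSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for the mail server so the example runs offline."""
    local_domain = "vax.example.org"   # hypothetical local mail domain
    open_relay = False

    def handle(self):
        self.wfile.write(b"220 fake SMTP ready\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip().lower()
            if line.startswith("quit"):
                self.wfile.write(b"221 bye\r\n")
                return
            reply = b"250 OK\r\n"
            if line.startswith("rcpt"):
                local = line.rstrip(">").endswith("@" + self.local_domain)
                if not (local or self.open_relay):
                    reply = b"550 relaying denied\r\n"
            self.wfile.write(reply)

def start_fake(open_relay):
    handler = type("Handler", (FakeSMTP,), {"open_relay": open_relay})
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for mode in (True, False):
        srv = start_fake(mode)
        print("relaying enabled:", mode, "-> open relay:",
              is_open_relay("127.0.0.1", srv.server_address[1]))
        srv.shutdown(); srv.server_close()
```

A server that still accepts mail for its own domain but answers 5xx to the foreign recipient is behaving as intended.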