I was under the impression that if we used "Relay for local users only" that IMail would do just that and reject any request from a "From" address that was not a local user. Am I wrong? It appears so.
Push Ipswitch hard on this. Complain to them that mail isn't being delivered because they don't have bold warnings explaining that all options except "Relay for Addresses" and "No Mail Relay" will allow spammers to send mail through your servers.

My belief was that anyone trying to send e-mail allegedly from a user account on the server would have to provide a password to send a message. So it shouldn't be possible to hack in with a bogus address and send email, right?
And that's exactly why you need to complain to Ipswitch. That's not the case (you're thinking of SMTP AUTH, which is used with the "No Mail Relay" and sometimes with "Relay for Addresses").

But, even if it was a forged local account, how can someone send a message through the server without providing the valid user password? Or more properly, why does IMail pass it on?
That's because SMTP doesn't normally use a username/password. You just tell it who you want to be, and send the E-mail. Only with SMTP AUTH will the password be required.

Regarding requiring SMTP AUTH, this is a place I don't really want to go.
Hmmm.

How did you think the password was getting sent to IMail? What do you think that SMTP AUTH does differently than the sending of the username/password that you thought was happening? It sounds like SMTP AUTH is exactly what you thought was happening.

SMTP AUTH is just a standard SMTP connection, with one additional step -- a username/password is sent, and outgoing E-mail is rejected if the username/password is not valid.

Many of our users barely know how to get their e-mail. I can just imagine the nightmare we would have trying to get them to set up the authentication for Netscape, Outlook, Outlook Express, Eudora and who knows what else. Listing their IP addresses is out of the question as there are several hundred users, some of whom have dial-up lines through ISPs where the same IP address may never come up twice.
Then preventing spammers from abusing your mailserver is either going to be a nightmare or out of the question; it's your choice. That's just the way mailservers need to be run now.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches both viruses and vulnerabilities in E-mail, with no annual licensing fees.
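
The relay decision discussed in the message above, as an added example that is not part of the original e-mail and is not IMail's code. It is a simplified model: the policy keys `local_users`, `addresses` and `no_relay` stand in for "Relay for local users", "Relay for Addresses" and "No Mail Relay", and the domains, IP ranges and credentials are constructed sample values.

```python
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample configuration (not taken from any real server).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ip_network("192.0.2.0/24")]   # static office range
PASSWORDS = {"alice": "s3cret-sample"}        # real servers store hashes

@dataclass
class Session:
    client_ip: str
    mail_from: str                   # envelope sender: whatever the client typed
    rcpt_to: str
    auth_user: Optional[str] = None  # set only if the client performed SMTP AUTH
    auth_pass: Optional[str] = None

def is_local(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

def authenticated(s: Session) -> bool:
    expected = PASSWORDS.get(s.auth_user or "")
    if expected is None or s.auth_pass is None:
        return False
    return hmac.compare_digest(expected.encode(), s.auth_pass.encode())

def may_relay(policy: str, s: Session) -> bool:
    if is_local(s.rcpt_to):
        return True                       # inbound delivery, not a relay
    if policy == "local_users":           # trusts an unverified MAIL FROM
        return is_local(s.mail_from)
    if policy == "addresses":             # allow-listed IP, or SMTP AUTH
        in_net = any(ip_address(s.client_ip) in n for n in TRUSTED_NETS)
        return in_net or authenticated(s)
    if policy == "no_relay":              # SMTP AUTH only
        return authenticated(s)
    raise ValueError(f"unknown policy: {policy}")

# Constructed sessions: an outside host claiming a local sender with no
# password, and a roaming dial-up user who authenticates.
FORGED = Session("203.0.113.9", "alice@example.com", "someone@example.net")
ROAMING = Session("198.51.100.7", "alice@example.com", "someone@example.net",
                  auth_user="alice", auth_pass="s3cret-sample")

if __name__ == "__main__":
    for policy in ("local_users", "addresses", "no_relay"):
        print(policy, may_relay(policy, FORGED), may_relay(policy, ROAMING))
```

Only the sender-based policy accepts the forged session; the roaming user is accepted under the other two policies because the password, not the IP address or the claimed sender, is what gets checked.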
