Open relay question
Dear, I'm in Internet and testing if my mail server is an Open Relay. So I execute: telnet mail.mycompany.com 25 After that I do: mail from: us...@mycompany.com OK rcpt to: us...@mycompany.com OK data This is a test !!! . QUEUED The mail from user1 to user2 (both from my company) was sent OK !!! Is this behavior normal or is it an open relay ??? Can I sent a message from one local user to another local user, being that I come from Internet and not from LAN ??? Thanks a lot A.F.
Re: Open relay question
On 11/5/2010 2:28 PM, Alejandro Facultad wrote: Dear, I'm in Internet and testing if my mail server is an Open Relay. So I execute: telnet mail.mycompany.com 25 After that I do: mail from: us...@mycompany.com OK rcpt to: us...@mycompany.com OK data This is a test !!! . QUEUED The mail from user1 to user2 (both from my company) was sent OK !!! Is this behavior normal or is it an open relay ??? Can I sent a message from one local user to another local user, being that I come from Internet and not from LAN ??? Thanks a lot A.F. Yes, that's normal. "Open relay" means the RCPT can be an unrelated domain eg. @hotmail.com.
Re: Open relay question
Thanks but, is it right if coming from Internet I enter to your mail server and after that I send a message from your mail account to your project manager's mail account telling he's an asshole ??? I now SPF is ideal for avoid this behavior, but I think the first example is an "open relay" feature. Thanks a lot. De: Noel Jones Para: postfix-users@postfix.org Enviado: viernes, 5 de noviembre, 2010 16:32:01 Asunto: Re: Open relay question On 11/5/2010 2:28 PM, Alejandro Facultad wrote: > Dear, I'm in Internet and testing if my mail server is an Open > Relay. So I execute: > > telnet mail.mycompany.com 25 > > After that I do: > > mail from: us...@mycompany.com > OK > rcpt to: us...@mycompany.com > OK > data > This is a test !!! > . > QUEUED > > The mail from user1 to user2 (both from my company) was sent > OK !!! > > Is this behavior normal or is it an open relay ??? Can I sent > a message from one local user to another local user, being > that I come from Internet and not from LAN ??? > > Thanks a lot > > A.F. > > Yes, that's normal. "Open relay" means the RCPT can be an unrelated domain eg. @hotmail.com.
Re: Open relay question
On 11/05/2010 03:41 PM, Alejandro Facultad wrote: Thanks but, is it right if coming from Internet I enter to your mail server and after that I send a message from your mail account to your project manager's mail account telling he's an asshole ??? I now SPF is ideal for avoid this behavior, but I think the first example is an "open relay" feature. What about smtp auth? Thanks a lot. *De:* Noel Jones *Para:* postfix-users@postfix.org *Enviado:* viernes, 5 de noviembre, 2010 16:32:01 *Asunto:* Re: Open relay question On 11/5/2010 2:28 PM, Alejandro Facultad wrote: > Dear, I'm in Internet and testing if my mail server is an Open > Relay. So I execute: > > telnet mail.mycompany.com 25 > > After that I do: > > mail from: us...@mycompany.com <mailto:us...@mycompany.com> > OK > rcpt to: us...@mycompany.com <mailto:us...@mycompany.com> > OK > data > This is a test !!! > . > QUEUED > > The mail from user1 to user2 (both from my company) was sent > OK !!! > > Is this behavior normal or is it an open relay ??? Can I sent > a message from one local user to another local user, being > that I come from Internet and not from LAN ??? > > Thanks a lot > > A.F. > > Yes, that's normal. "Open relay" means the RCPT can be an unrelated domain eg. @hotmail.com.
Re: Open relay question
On Fri, 2010-11-05 at 12:41 -0700, Alejandro Facultad wrote: > Thanks but, is it right if coming from Internet I enter to your mail > server and after that I send a message from your mail account to your > project manager's mail account telling he's an asshole ??? > > I now SPF is ideal for avoid this behavior, but I think the first > example is an "open relay" feature. > > Thanks a lot. > > > > __ > De: Noel Jones > Para: postfix-users@postfix.org > Enviado: viernes, 5 de noviembre, 2010 16:32:01 > Asunto: Re: Open relay question > > On 11/5/2010 2:28 PM, Alejandro Facultad wrote: > > Dear, I'm in Internet and testing if my mail server is an Open > > Relay. So I execute: > > > > telnet mail.mycompany.com 25 > > > > After that I do: > > > > mail from: us...@mycompany.com > > OK > > rcpt to: us...@mycompany.com > > OK > > data > > This is a test !!! > > . > > QUEUED > > Hello, If you can connect into a mail server externally (e.g mycompany.com) and send mail through that server without having to provide any means of authentication to another domain entirely (e.g myothercompany.com) then that is an open relay. AFAICT your example used the same domain. If the mail server was configured to accept mail for 'mycompany.com' then it's doing its job in your example. HTH. Regards, Pete. signature.asc Description: This is a digitally signed message part
Re: Open relay question
On 11/05/2010 12:41 PM, Alejandro Facultad wrote: Thanks but, is it right if coming from Internet I enter to your mail server and after that I send a message from your mail account to your project manager's mail account telling he's an asshole ??? I now SPF is ideal for avoid this behavior, but I think the first example is an "open relay" feature. Thanks a lot. Hi Alejandro, The example you described is not relaying. Relaying is when the MTA you connected to needs to send the message to another server. Being an "open relay" means the MTA will receive messages for anyone on the Internet to anyone on the Internet. Hope that clears things up. -will
Re: Open relay question
On 11/5/2010 2:41 PM, Alejandro Facultad wrote: Thanks but, is it right if coming from Internet I enter to your mail server and after that I send a message from your mail account to your project manager's mail account telling he's an asshole ??? I now SPF is ideal for avoid this behavior, but I think the first example is an "open relay" feature. Open relay is about the recipient domain, not the sender domain. If you don't want to allow your own domain as unauthenticated sender, you can control that with a check_sender_access map. Examples are in the mail list archives.
Re: Open relay question
On Fri, Nov 05, 2010 at 12:41:06PM -0700, Alejandro Facultad wrote: > Thanks but, is it right if coming from Internet I enter to your mail > server and after that I send a message from your mail account to your > project manager's mail account telling he's an asshole ??? Don't confuse the envelope sender (which most recipients neither see nor understand) with the "From:" header which most recipients do see and don't understand. The "From:" header is easily (and often legitimately) forged. For example, the Postfix-users list sends your own posts to you, from the Internet. The "From:" header still bears your address. Sure, the envelope sender is not, but the risk you pose applies to the "From:" header not the envelope. Applying policy restrictions to the "From:" header, is fraught with complexity and peril. I don't want to get into the politics of SIDF, DKIM, ... the bottom line is that people largely have unrealistic expectations of what email authentication technologies can do for them. -- Viktor.
Re: Open relay question
Le 05/11/2010 20:41, Alejandro Facultad a écrit : Thanks but, is it right if coming from Internet I enter to your mail server and after that I send a message from your mail account to your project manager's mail account telling he's an asshole ??? that's the same as if someone sends you a letter claiming tobe your father and saying the same. it's a lie, not an open relay. an open relay is when someone causes you to annoy someone else. said otherwise: I don't care if joe tells your boss he is an asshole, whomever joe might be. but I wouldn't be happy if _joe_ makes _you_ send _me_ a message (whatever the message is). I now SPF is ideal for avoid this behavior, but I think the first example is an "open relay" feature. Please don't talk about spf again on this list. spf devots are not welcome here.
RE: Open relay question
But that would be spoofing not relay right? Relay is when you let other users send emails to any other domain claiming be someone in your organization. Spoofing is when you pretend to be someone you are not, right now I cant remember how to prevent this kind of attacks but you may search google (that’s how I fixed it). You may consider any type of authentication. As far as I know (from the list) SPF is not the solution if you don’t know exactly what you are doing. Have a great day. Saludos. Ing. Alfonso Alejandro Reyes Jiménez Analista del sector Gobierno E-mail: aare...@scitum.com.mx <mailto:aare...@scitum.com.mx> Telefono: 91 50 74 00 ext. 7489 Movil: (044) 55 52 98 34 82 La información contenida en el presente correo es confidencial y para uso exclusivo de la persona o institución a que se refiere. Si usted no es el receptor deliberado es ilegal cualquier distribución, divulgación, reproducción, completa o parcial, aprovechamiento, uso o cualquier otra acción relativa a ella. Por favor notifique al emisor e inmediatamente bórrela de forma permanente de cualquier computadora en la que resida y en caso de existir, destruya cualquier copia impresa. De: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] En nombre de mouss Enviado el: viernes, 05 de noviembre de 2010 03:12 p.m. Para: postfix users Asunto: Re: Open relay question Le 05/11/2010 20:41, Alejandro Facultad a écrit : Thanks but, is it right if coming from Internet I enter to your mail server and after that I send a message from your mail account to your project manager's mail account telling he's an asshole ??? that's the same as if someone sends you a letter claiming tobe your father and saying the same. it's a lie, not an open relay. an open relay is when someone causes you to annoy someone else. said otherwise: I don't care if joe tells your boss he is an asshole, whomever joe might be. but I wouldn't be happy if _joe_ makes _you_ send _me_ a message (whatever the message is). I now SPF is ideal for avoid this behavior, but I think the first example is an "open relay" feature. Please don't talk about spf again on this list. spf devots are not welcome here. <>
Re: Open relay question
Le 05/11/2010 22:26, Alfonso Alejandro Reyes Jimenez a écrit : But that would be spoofing not relay right? Relay is when you let other users send emails to any other domain claiming be someone in your organization. no there's no claim. open relay is when someone uses your server to send mail to people outside of your organisation. it doesn't matter who they claim to be. they can tell the truth. the thing is: it is unauthorized relay. a long time ago, "open relay" was a natural thing ("collaboration"). unfortunately, spammers/abusers have killed this collaboration. Spoofing is when you pretend to be someone you are not, right now I cant remember how to prevent this kind of attacks but you may search google (that’s how I fixed it). the first question to ask yourself is: why would you care? in most cases, the recipient can take care of that.