prevent telnet to port 25

I am running Postfix + MySQL + Courier IMAP + Courier maildrop + SpamAssassin + SquirrelMail on a Sun Fire V880 server with Solaris 10.

The problem is that any person can telnet to port 25 on my server and use ESMTP to spoof a message, so I want to prevent users from relaying mail using my server (by telnet 25 or any other mail client), but I want them to relay only through SquirrelMail (which is installed on the same server).

In the main.cf file I have the following 2 entries:

mynetworks_style = host

mynetworks = 127.0.0.0/8

As far as I know, any of them should prevent relaying from any host but the localhost (to allow only SquirrelMail, which is installed on the same server), but when I added them and then restarted Postfix, it seemed that nothing happened, and I was still able to connect using telnet to port 25 and spoof a message without being asked to authenticate.

Would anyone please help me with this.

Thanks.

[951 byte] By [Haythammorsy] at [2007-11-26 11:45:00]
# 1

There's no way to distinguish between a telnet connection to port 25 and a "mail" connection.

They are both just tcp connections on port 25.

So if you require people to be able to receive mail, then you need to be accepting port 25 connections.

If you only need the box to be able to send mail but not receive it then you can block port 25.

But I don't know postfix so I can't advise how.

However, if someone can make a port 25 connection and get your box to receive mail for an address that isn't local to your own machine, and your box will receive it and send it on to another mail server for them, then that's called an open relay and is very bad.

In that case your box is badly misconfigured.

If, however, they can only do this to send mail to people on your box, then that's expected behaviour. That's just the way email works. It's a protocol with no security, unfortunately.

Its a consequence of the time and environment in which the mail protocol was designed.

And it's the major reason why we have such a bad spam problem today.

There's a reason why it's called SMTP (simple mail transport protocol).

It's a reflection of the fact that it was a protocol thrown together just for the moment to get something working, with the expectation that someone would sort something better out later.

Only no one ever did :-(.

robertcohen at 2007-7-7 11:54:06
# 2

Robert, thanks for your reply,

What I meant is that I want to enable only localhost to be able to send mail. I don't want to close port 25, I just want to limit hosts that send mail to only localhost.

And no, when connecting to port 25, relaying is only limited to those domains mentioned for the relay domains variable.

Rgrds.

Message was edited by:

Haythammorsy

Haythammorsy at 2007-7-7 11:54:06
# 3

There's no effective difference between receiving mail and sending mail.

They both involve tcp connections on port 25.

But assuming you aren't an open relay, only localhost should be able to persuade mail to transmit mail to an external host.

Anyone else should get knocked back by the relaying rules.

What makes you think that other hosts can "send" mail?

Being able to make a port 25 connection from an external host is normal.

But you shouldn't be able to do anything with that connection except send mail to users on the box.

robertcohen at 2007-7-7 11:54:06
# 4
Well, if you telnet to port 25 you can still send mail to domains defined in the relay_domains in main.cf file.
Haythammorsy at 2007-7-7 11:54:06
# 5

Yes, that's expected.

There's no way you can stop that without breaking mail.

You shouldn't have any domains except the ones local to your organisation in relay_domains.

So perhaps my previous statement was imprecise.

Anyone can make port 25 connections. But only connections from localhost or other IPs local to your organisation should be able to relay mail to external hosts.

Other connections should only be able to send mail to domains local to your organisation.

robertcohen at 2007-7-7 11:54:06
# 6

Well, I can't restrict access to the mail by IP addresses of the subnets in my organisation, as it is a mail for a university and they need to be able to access it from anywhere, whether within the university domain, or from home or wherever (that's what they want).

Only if I can find a way that relay will ONLY be accepted from localhost, that's gonna solve my problem, as users connect only through webmail, so Postfix sees the connection originating from 127.0.0.1 in all cases of sending mail.

Thanks Robert for your useful posts and for your help :).

Haythammorsy at 2007-7-7 11:54:06
# 7

Well I'm not familiar with postfix configuration so I can't advise as to the specifics.

But the general principles tend to be the same across mailers.

I'm assuming that you mean that users need to be able to access the webmail from anywhere.

That's fine. That just means you can't firewall port 80. It doesn't say anything about what you can do to port 25.

I'm using sendmail terminology here, but the principles should be the same.

If you have a 1-host mail system running a webmail, then only localhost needs to be able to relay mail.

The host needs to accept mail for your domain from anywhere. But it doesn't need to relay it.

It just delivers it locally.

Unless you have other hosts also hosting mail.

In that case, in sendmail you would have nothing in relay_domains. That indicates nothing needs to be relayed. Localhost is usually relayed by default. But if it's not, you might need to add it specifically.

And put the local domain in the local_host_names file. That indicates that the machine should accept mail for that domain and deliver it locally.

robertcohen at 2007-7-7 11:54:06
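
The relay rules discussed in this thread, as an added example that is not part of any post above: a simplified Python model of how a Postfix-style `permit_mynetworks, reject_unauth_destination` check treats one recipient, run against a loose and a tightened `relay_domains`. The domain names, client addresses and both configurations are constructed, and exact-match domain comparison is a simplifying assumption.

```python
import ipaddress

def rcpt_decision(client_ip, rcpt, cfg):
    """Simplified model of one RCPT TO evaluated under
    'permit_mynetworks, reject_unauth_destination'.
    Domains are matched exactly (a simplification of real Postfix)."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    # permit_mynetworks: trusted clients may send to any destination.
    if any(ip in ipaddress.ip_network(net) for net in cfg["mynetworks"]):
        return ("permit", "client in mynetworks")
    # reject_unauth_destination: other clients may only reach domains the
    # server delivers locally or domains listed in relay_domains.
    if domain in cfg["local_domains"]:
        return ("permit", "local delivery")
    if domain in cfg["relay_domains"]:
        return ("permit", "listed in relay_domains")
    return ("reject", "relay access denied")

# Constructed configurations; every domain name is a placeholder.
LOOSE = {
    "mynetworks": ["127.0.0.0/8"],
    "local_domains": {"university.example"},
    "relay_domains": {"university.example", "partner.example"},
}
TIGHT = dict(LOOSE, relay_domains=set())  # nothing is relayed for outsiders

# Constructed connections: (client IP, recipient address).
CASES = [
    ("127.0.0.1", "someone@elsewhere.example"),     # webmail on the same host
    ("203.0.113.9", "student@university.example"),  # ordinary inbound mail
    ("203.0.113.9", "someone@partner.example"),     # outsider, relay_domains hit
    ("203.0.113.9", "someone@elsewhere.example"),   # outsider, foreign domain
]

def evaluate(cfg):
    """Return the permit/reject action for each constructed case."""
    return [rcpt_decision(ip, rcpt, cfg)[0] for ip, rcpt in CASES]

if __name__ == "__main__":
    for name, cfg in (("loose", LOOSE), ("tight", TIGHT)):
        print(name)
        for ip, rcpt in CASES:
            print(f"  {ip:12} {rcpt:28} {rcpt_decision(ip, rcpt, cfg)}")
```

In both configurations the outside client can still connect to port 25 and deliver to the local domain; only the `relay_domains` entry decides whether it can reach the third case.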