Security Basics mailing list archives
Re: open proxy
From: Michael Osten <mosten () bleepyou com>
Date: 31 Mar 2003 14:12:25 -0600
On Sun, 2003-03-30 at 04:31, Joost Ernest wrote:
Hello all, I have a question regarding to "open proxy". We are using Domino server as our mail server in a w2k server environment. A week ago we started to receive a-mail from a Dutch ISP dat our mailserver has been listed in an Open Proxy Database. As a result of this we can't send e-mail at all...
By default Lotus Domino is/was (I don't keep up on the newest patch levels, as I no longer have to admin that piece of crap) a open relay by default. Domino *does* fail some of the tests that most of the RBL's use to identify open proxies. This is due to Domino's completly borked SMTP and lack of caring about RFC's. Here is a tech note on how to fix the situation. from technote 180045: Problem: A customer wants to prevent their Domino R5 server from being used as a relay host by other SMTP servers. How can this be done? Solution: To do this, set the following parameters on the Server Configuration document: 1.Open the Server Configuration document for the server on which you want to restrict relaying. 2.Select the Router/SMTP tab, and the Restrictions and Controls tab. 3.Then select the SMTP Inbound Controls tab, and under the Inbound Relay Controls section, set the following values: Allow messages from external internet domains to be sent only to the following internet domains: <blank> Deny messages from external internet domains to be sent to the following internet domains: * Allow messages only from the following external internet hosts to be sent to external internet domains: <blank> Deny messages from the following external internet hosts to be sent to external internet domains: * 4. Stop and restart the SMTP task. **IMPORTANT** This may very well break other things. My suggestion, and the route that I took, is to put a Linux/BSD SMTP proxy in front of your Domino server. Not only will this give you added fine grained functionality and security that you can not get with Domino, it will spool mail for later final delivery when Domino decides to shit the bed.
I have started to block some ports explicitly (135, 139, 443, 1080, etc..) I also read some articles about this subject in which was written that i should use Authentication for every user that wants tos end E-mail. I know how to configure this in Exchange but i don't know how i can arrange this with Domino server. Any suggestions en url's would be appreciated!
Are you saying that you have no firewall, or that up to this point it was wide open? You may have more problems than just an open relay. You will have to have each individual RBL retest your mail server to get removed from the blacklists. If you are listed in SPEWS, well, good luck with that one. -- Michael Osten (620)437-2961 ------------------------------------------------------------------- SurfControl E-mail Filter puts the brakes on spam, viruses and malicious code. Safeguard your business critical communications. Download a free 30-day trial: http://www.securityfocus.com/SurfControl-security-basics
Current thread:
- Re: open proxy James P. Schmidt (Apr 01)
- <Possible follow-ups>
- Re: open proxy Mel (Apr 01)
- Re: open proxy Michael Osten (Apr 01)
- open proxy nee cee (Apr 01)
- Re: open proxy Anders Reed Mohn (Apr 01)
- Re: open proxy Devdas Bhagat (Apr 01)
- RE: open proxy J.P.A. Ernest (Apr 03)