Security Basics mailing list archives

Re: open proxy


From: Michael Osten <mosten () bleepyou com>
Date: 31 Mar 2003 14:12:25 -0600

On Sun, 2003-03-30 at 04:31, Joost Ernest wrote:
> Hello all,
>
> I have a question regarding "open proxy". We are using Domino server
> as our mail server in a w2k server environment. A week ago we started to
> receive e-mail from a Dutch ISP that our mailserver has been listed in an
> Open Proxy Database. As a result of this we can't send e-mail at all...

By default Lotus Domino is/was (I don't keep up on the newest patch
levels, as I no longer have to admin that piece of crap) an open relay by
default.  Domino *does* fail some of the tests that most of the RBLs
use to identify open proxies.  This is due to Domino's completely borked
SMTP and lack of caring about RFCs.  Here is a tech note on how to fix
the situation.

from technote 180045:

Problem:
A customer wants to prevent their Domino R5 server from being used as a
relay host by other SMTP servers. How can this be done?

Solution:
To do this, set the following parameters on the Server Configuration
document:

1. Open the Server Configuration document for the server on which you
   want to restrict relaying.
2. Select the Router/SMTP tab, and the Restrictions and Controls tab.
3. Then select the SMTP Inbound Controls tab, and under the Inbound Relay
   Controls section, set the following values:
   - Allow messages from external internet domains to be sent only to the
     following internet domains: <blank>
   - Deny messages from external internet domains to be sent to the
     following internet domains: *
   - Allow messages only from the following external internet hosts to be
     sent to external internet domains: <blank>
   - Deny messages from the following external internet hosts to be sent
     to external internet domains: *
4. Stop and restart the SMTP task.

**IMPORTANT**

This may very well break other things.  My suggestion, and the route
that I took, is to put a Linux/BSD SMTP proxy in front of your Domino
server.  Not only will this give you added fine-grained functionality
and security that you cannot get with Domino, it will spool mail for
later final delivery when Domino decides to shit the bed.


> I have started to block some ports explicitly (135, 139, 443, 1080,
> etc.). I also read some articles about this subject in which was written
> that I should use Authentication for every user that wants to send
> e-mail. I know how to configure this in Exchange but I don't know how I
> can arrange this with Domino server.
> Any suggestions and URLs would be appreciated!


Are you saying that you have no firewall, or that up to this point it
was wide open?

You may have more problems than just an open relay.

You will have to have each individual RBL retest your mail server to get
removed from the blacklists.  If you are listed in SPEWS, well, good
luck with that one.

-- 
Michael Osten
(620)437-2961
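
An added example, not part of the original message or the technote: one way to confirm that the inbound relay restrictions took effect before asking the RBLs to retest. It assumes Python 3, uses constructed placeholder addresses under reserved example domains, and is meant to be run against your own server from a host outside the networks it trusts.

```python
"""Relay check: does this SMTP server accept mail from one external domain
to another? The session ends after RCPT TO, so no message is ever sent."""
import smtplib
import sys


def relay_verdict(host, port=25, sender="relaytest@example.org",
                  rcpt="relaytest@example.net", helo_name=None, timeout=15):
    """Return 'open', 'closed' or 'inconclusive'.

    sender and rcpt are constructed placeholders under reserved example
    domains; neither may belong to a domain the server handles mail for.
    """
    try:
        with smtplib.SMTP(host, port, local_hostname=helo_name,
                          timeout=timeout) as smtp:
            smtp.ehlo_or_helo_if_needed()
            code, _ = smtp.mail(sender)
            if 200 <= code < 300:
                # Sender accepted; the relay decision is made at RCPT TO.
                code, _ = smtp.rcpt(rcpt)
            # Leaving the block sends QUIT; DATA is never issued.
    except (smtplib.SMTPException, OSError):
        return "inconclusive"   # connection refused, timeout, HELO rejected
    if 200 <= code < 300:
        return "open"           # 250/251: server agreed to relay
    if code >= 500:
        return "closed"         # e.g. 550/554 "relaying denied"
    return "inconclusive"       # 4xx: temporary failure, retry later


if __name__ == "__main__":
    # Usage: python relay_check.py <your-mail-server> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(target, relay_verdict(target, target_port))
```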

