Re: FW: Mail relay question

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2008-02-22 Nick Vaernhoej wrote:
> After finding that my own mail setup at home has caught almost 5000
> spam mails in less than a month I have finally thrown my hands in the
> air and wanted to hopefully get some understanding from this list.

Actually, the purpose of this list is not to teach you how e-mail works.
Read RFC 821. Or at least the Wikipedia article on SMTP.

> The amount alone is huge I think when I am only hosting my wife and
> myself (as well as the usual abuse etc. contacts).
> I am worried that my home is an open relay in a manner I have not
> found.
>
> Then I learn that via telnet I can send email from mydomain.com to
> mydomain.com and have it delivered even when the telnet session is
> from a public IP.

Can you send mail to arbitrary domains? Or just to your own domain?

> So, I am a little fuzzy on what it is I am trying to learn here, but:
> 1. Would you think 5000 emails a month with maybe 200 valid emails is
>    normal in a home/family type setup?

That depends on how your "home/family type setup" is actually set up. If
the server does catchall I'd consider it pretty normal.

> 2. Is mail always accepted and relayed when the sender and recipient
>    domain is the same? (This is without sender authentication
>    configured or capability).

No. Usually mail servers only accept mail for their own domains. I would
suspect that not even Exchange relays by default, but it's been quite a
while since I had to deal with it, and it was Exchange 5.5. and 2000 at
that time.

>       a. If yes, what is to stop an angry neighbor on his vacation to
>          China from sending a nasty email from me to my wife? (In this
>          unsecure setup).

That has nothing at all to do with relaying (assuming your wife's
mailbox is hosted on your mail server). Addresses in the From field can
be spoofed. Period. This is how SMTP is specified.

>       b. My gateway at home (Smoothwall using DSPAM/SEMF? mod) only
>          accepts the initial HELO if followed by connecting domain name
>          (HELO domain.com) So how come I can connect from domainx.com and
>          send email from domainy.com to domainy.com?

See above.

>       c. What can I do to remove this risk?

That someone sends mail with a spoofed From address to one of your
mailboxes? Nothing at all.

> 3. Any recommendations on a free mail gateway solution?
>    SpamAssassin? ClamAV? My goal is to migrate away from Exchange
>    2003. I have been wanting to try Zimbra for mail server but would
>    like a good mail gateway in the DMZ instead of hosted by the
>    firewall.

The mail component of Zimbra is basically Postfix with SpamAssassin and
ClamAV. You can easily make that kind of setup on any Linux box without
thw whole Zimbra overhead. If all you need is a mail server then I'd
suggest to simply install Postfix. The documentation is pretty simple
and well-documented.

http://www.postfix.org/documentation.html

Particularly interesting WRT spam protection:

http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/BACKSCATTER_README.html
http://www.postfix.org/uce.html

> This electronic transmission is intended for the addressee (s) named
> above. It contains information that is privileged, confidential, or
> otherwise protected from use and disclosure. If you are not the
> intended recipient you are hereby notified that any review,
> disclosure, copy, or dissemination of this transmission or the taking
> of any action in reliance on its contents, or other use is strictly
> prohibited. If you have received this transmission in error, please
> notify the sender that this message was received in error and then
> delete this message.

You do realize that this kind of disclaimer is utterly pointless, don't
you?

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq