Security Incidents mailing list archives
Re: E-Mail relay or break in?
From: graeme () LBORO AC UK (Graeme)
Date: Wed, 9 Feb 2000 17:25:17 -0000
On 09-Feb-2000 JJ Gray wrote:

> AFAIK Exchange cannot be configured to prevent open relay

Oh yes it can...

Graeme

*** START OF EXCERPT FROM MICROSOFT.COM ***

XFOR: Preventing the IMS from Relaying UCE messages

Last reviewed: December 10, 1998
Article ID: Q193922

The information in this article applies to:
- Microsoft Exchange Server, version 5.5

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

Administrators of Microsoft Exchange Server version 5.5 have the ability to prevent their server from acting as a relay host for Unsolicited Commercial E-mail (UCE) messages.

MORE INFORMATION

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

When the Internet Mail Service is installed, it is configured by default to allow rerouting for POP3 and IMAP4 clients. This rerouting is found on the Routing tab of the Internet Mail Service object. The Internet Mail Service accepts and relays mail to non-local recipients. Message relaying occurs when a client or remote SMTP server connects to the Internet Mail Service and submits messages for non-local recipients. If the Internet Mail Service does not restrict relay messaging, it can be used to relay UCE messages.

If your configuration prevents the client from relaying mail, SMTP RCPT (receipt) commands specifying a non-local recipient are refused with a "550 relaying prohibited" response.

Relay restrictions are configured within the registry using values in the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service\MSExchangeIMC\Parameters

The following examples outline the value, the data type, and the function it performs. After the changes have been made, the Internet Mail Service should be stopped and restarted.

- RelayFlags, REG_DWORD: Defines which relay control rules are in effect.
- RelayDenyList, REG_MULTI_SZ: Specifies hosts that cannot relay messages through your server.
- RelayAllowList, REG_MULTI_SZ: Specifies hosts that can relay messages through your server.
- RelayLocalIPList, REG_MULTI_SZ: Specifies the local IP addresses of the server to which an SMTP client can connect and relay mail. This is useful for multi-homed servers that have internal and external interfaces. Enabling IP-forwarding disables this feature.

NOTE: RelayDenyList, RelayAllowList, and RelayLocalIPList consist of a net address and optional mask per line. Order is not important in these lists. Each line consists of two parts, the net address and the mask, separated by a semicolon. For example:

Net[;mask]

If the mask is omitted, the default used is 255.255.255.255. A net address matches a rule if the bitwise-AND of the IP address and the mask equals the net. That is:

(IP Address AND mask) = net

Examples:

To add net 192.168.0.0 to a list, add the following line to the list:

192.168.0.0;255.255.0.0

To add the host 192.168.1.17 to a list, add either of the following lines to the list:

192.168.1.17;255.255.255.255
- or -
192.168.1.17

What follows is the logic used to determine if the client can relay mail. If none of these apply, the client will not be allowed to relay.

- If bit 1 of RelayFlags is set (decimal value 1) and the client's IP address is matched by a pattern in RelayDenyList, the client will not be allowed to relay.
- If bit 2 of RelayFlags is set (decimal value 2) and the client's IP address is matched by a pattern in RelayAllowList, the client will be allowed to relay.
- If bit 3 of RelayFlags is set (decimal value 4) and the client is connected to a local IP address that matches a pattern in RelayLocalIPList, the client will be allowed to relay.
- If bit 4 of RelayFlags is set (decimal value 8) and the client is authenticated, the client will be allowed to relay.
- If only bit 1 is set, the client will be allowed to relay.

Examples:

All clients not explicitly denied can relay. Set bit 1 of RelayFlags (by setting its decimal value to 1), and add a rule to RelayDenyList for each host or group of hosts to be denied. To prevent all hosts on the subnet 192.168.17.0 from relaying mail, add the following line to RelayDenyList:

192.168.17.0;255.255.255.0

All clients not explicitly allowed are denied. Set bit 2 of RelayFlags (by setting its decimal value to 2), and add a rule to RelayAllowList for each host or group of hosts to be allowed. To allow all hosts on subnet 192.168.1.0 to relay mail, add the following line to RelayAllowList:

192.168.1.0;255.255.255.0

Allow all hosts on a subnet except for a subset. To allow all hosts on a subnet, set bit 2 of RelayFlags (by setting its decimal value to 2), and add a rule to RelayAllowList to match the subnet. For the subnet 192.168.1.0, the following rule works:

192.168.1.0;255.255.255.0

To prevent a subset of the hosts on subnet 192.168.1.0 from relaying mail, also set bit 1 in RelayFlags in addition to bit 2 (which was set above); the net result is to set its decimal value to 3. Add the IP address of each host to RelayDenyList. If the subset of hosts is grouped together, you can add a single rule to match all of them. For example, if 192.168.1.1 through 192.168.1.7 are not allowed to relay, the following rule is adequate. Listing each address explicitly in RelayDenyList also works.

192.168.1.0;255.255.255.248

Allow clients connecting to the selected network interfaces to relay. This method is useful if the host has multiple network interfaces, and IP-forwarding is not enabled. Set bit 3 of RelayFlags (by setting its decimal value to 4), and add the IP addresses of the network interfaces that will relay mail to RelayLocalIPList.

Allow authenticated clients to relay. Set bit 4 of RelayFlags (by setting its decimal value to 8) to allow clients that have authenticated (by using the AUTH command) to relay mail.

The Internet Mail Service must be stopped and restarted in Control Panel, Services for these registry settings to take effect after they are created or modified.

When a message is denied for relay through the Internet Mail Service, an event is logged to the Application Event Log if the SMTP Interface Events diagnostics logging category is set to minimum or a higher logging level using the Internet Mail Service Diagnostic Logging property page. The event will indicate the sender's IP address, sender's host name (if available), the sender's authentication account (if authentication was used), and the recipient address for the message.

Exchange Server version 5.5 Service Pack 1 (SP1) gives the administrator the ability to configure these options through the Routing tab on the properties of the Internet Mail Service (IMS) object.

*** END OF EXCERPT FROM MICROSOFT.COM ***

--
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
+44 1509 228426
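Added example (not part of the post or of Microsoft's article): a Python model of the "net[;mask]" matching rule and the RelayFlags decision order quoted above, run over the "allow a subnet except a subset" configuration from the article. The rule lists, client addresses and interface address are constructed sample values; the IMS itself reads them from the registry.

```python
from typing import Sequence

# RelayFlags bits as documented in Q193922
RELAY_DENY_LIST = 1      # bit 1: consult RelayDenyList
RELAY_ALLOW_LIST = 2     # bit 2: consult RelayAllowList
RELAY_LOCAL_IP_LIST = 4  # bit 3: consult RelayLocalIPList (local interface)
RELAY_AUTHENTICATED = 8  # bit 4: clients that used AUTH may relay


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer; rejects malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def matches_list(ip: str, rules: Sequence[str]) -> bool:
    """True if (ip AND mask) == net for any 'net[;mask]' line in the list."""
    addr = ip_to_int(ip)
    for rule in rules:
        net, _, mask = rule.strip().partition(";")
        mask = mask or "255.255.255.255"  # default mask when omitted
        if addr & ip_to_int(mask) == ip_to_int(net):
            return True
    return False


def may_relay(flags: int, client_ip: str, local_ip: str, authenticated: bool,
              deny: Sequence[str] = (), allow: Sequence[str] = (),
              local: Sequence[str] = ()) -> bool:
    """Apply the article's rules in order: deny wins, then allow, interface, AUTH."""
    if flags & RELAY_DENY_LIST and matches_list(client_ip, deny):
        return False
    if flags & RELAY_ALLOW_LIST and matches_list(client_ip, allow):
        return True
    if flags & RELAY_LOCAL_IP_LIST and matches_list(local_ip, local):
        return True
    if flags & RELAY_AUTHENTICATED and authenticated:
        return True
    # Deny-list-only configuration: anything not explicitly denied may relay.
    if flags == RELAY_DENY_LIST:
        return True
    return False  # none of the rules applied


# Constructed scenario from the article: allow 192.168.1.0/24 except .1-.7
ALLOW = ["192.168.1.0;255.255.255.0"]
DENY = ["192.168.1.0;255.255.255.248"]

if __name__ == "__main__":
    for client in ("192.168.1.5", "192.168.1.20", "10.0.0.9"):
        print(client, may_relay(3, client, "192.168.1.1", False, DENY, ALLOW))
```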