IIS and SMTP - Question Re Securing SMTP Server

Joseph Geretz

2006-04-27, 7:52 am

We would like to enable our commercially distributed application to send
e-mails via SMTP. There are a number of applications for this. A couple
quick examples are to enable customers to submit e-mail feedback to us, or
to send in details of a run-time exception via e-mail. Because of the
complexities of dealing with each customer's particular internal e-mail
infrastructure, we are going to establish our own SMTP server at a known
domain location, for example SMTP.mycompany.com. This simplifies our
deployment logistics since we'll know ahead of time that we'll always be
using SMTP.mycompany.com as the SMTP server.

The SMTP server will be open to anonymous access since the e-mail clients
will be running on our customer workstations, completely outside of our
domain. Can I secure the SMTP server to only accept messages for a few
particular addresses? For example:

Feedback@mycompany.com
AppError@mycompany.com

or

anyone @mycompany.com

Since this is a public SMTP site, I don't want to allow users to route any
e-mail through this SMTP server, except to the very narrow list of
recipients which I specify. Can this be done?

Thanks for your suggestions.

- Joseph Geretz -


PL

2006-04-27, 7:52 am


Assuming you mean the default smtp service with 'smtp' there is no way that
I know of to configure only certain email boxes to receive or relay email
and this would be insecure anyway since anyone can manipulate the sender (or
reply-to) email address.

You can however easily configure it to only relay email from certain ip
addresses which is what you normally do when you want to only allow certain
computers or group of computers to relay email.

There is no way to configure a catch-all email box either, there are scripts
that you can install that hook into the smtp service to offer this but this
solution usually encounters performance issues and other weird side effects.

What happens when someone sends an email to an account that doesn't exist is
simply that the smtp service will send out a non delivery report and put the
mail in the badmail directory, this directory should be cleaned with a
scheduled batch file with regular intervals.

If you need more advanced features I'm afraid it is Exchange server or
another commercial email solution you need.

PL.

"Joseph Geretz" <jgeretz@nospam.com> wrote in message
news:%23M9GMl8ZGHA.3652@TK2MSFTNGP03.phx.gbl...
> We would like to enable our commercially distributed application to send
> e-mails via SMTP. ....



Joseph Geretz

2006-04-27, 7:52 am

Hi PL, thanks for your reply.

> Assuming you mean the default smtp service with 'smtp' there is no way
> that I know of to configure only certain email boxes to receive or relay
> email and this would be insecure anyway since anyone can manipulate the
> sender (or reply-to) email address.


Actually, I don't care at all about the Sender or Reply To information. What
I want to filter on is the Recipient. In this way I'll prevent spammers from
using my SMTP server as a relay for their nefarious purposes.

> You can however easily configure it to only relay email from certain ip
> addresses which is what you normally do when you want to only allow
> certain computers or group of computers to relay email.


I'm trying to avoid having to do this, since this will be an extra step
during the software deployment stage; to collect this information from the
client and enter this into our SMTP server security configuration. Also,
what if this changes? We'll constantly incur additional maintenance overhead
to ensure that our SMTP access permissions remain valid with our clients'
actual IP configurations. (We have many hundreds of clients.)

> What happens when someone sends an email to an account that doesn't exist
> ...


Sure, this is not a problem. What I'm trying to prevent is SPAMMERS from
using my SMTP server as a relay.

> If you need more advanced features I'm afraid it is Exchange server or
> another commercial email solution you need.


We do have an Exchange Server in-house, but this is used for internal
purposes. I was hoping to be able to use a simple SMTP server as a bridge
between the remote clients and our internal Exchange Server.

Thanks,

- Joe Geretz -



PL

2006-04-27, 7:52 am


Relaying and receiving are two different things. If all the server is
supposed to do is to receive emails, then there is no problem, just because
it's open for anonymous access doesn't mean anyone can relay through it.

If you only want to receive emails then set the "Relay restrictions" to only
accept from a list of ip's and then don't add any ip's at all in the list,
keep the anonymous access under "Access restrictions" and voila you have a
server that receives from any address but doesn't relay for anyone.

PL.
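
The receive-versus-relay rule from the post above, modelled as an added Python example (not part of the original thread and not IIS's own logic). The domain names, networks, reply strings and the treatment of routing characters in the local part are assumptions of this example.

```python
import ipaddress

# Constructed sample policy; every name and network here is an assumption.
LOCAL_DOMAINS = ("mycompany.com",)   # first entry doubles as the default domain
NO_RELAY = ()                        # empty relay list = receive-only server
INTERNAL_RELAY = ("10.0.0.0/8",)     # hypothetical allow-list, for comparison


def split_recipient(rcpt, default_domain):
    """Split a RCPT TO argument into (local_part, domain)."""
    addr = rcpt.strip().strip("<>")
    if addr.startswith("@") and ":" in addr:
        # Source route "@hop:user@dest": report no domain so the caller
        # treats it as a routing request rather than a mailbox.
        return addr, ""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        # Bare name such as "Joseph": the server appends its default domain.
        return addr, default_domain
    return local, domain.lower().rstrip(".")


def client_may_relay(client_ip, relay_networks):
    """True if the connecting IP is inside one of the relay networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in relay_networks)


def rcpt_decision(client_ip, rcpt, local_domains=LOCAL_DOMAINS,
                  relay_networks=NO_RELAY):
    """Return (smtp_code, action) for one recipient on one connection."""
    local, domain = split_recipient(rcpt, local_domains[0])
    if not local:
        return 501, "bad address"    # empty mailbox name
    # Assumption of this model: routing characters in the local part ask the
    # server to pass the message on, so they count as relay requests.
    wants_routing = domain == "" or any(ch in local for ch in "%!@")
    if domain in local_domains and not wants_routing:
        return 250, "receive"        # final delivery here, open to anyone
    if client_may_relay(client_ip, relay_networks):
        return 250, "relay"          # forwarding, listed clients only
    return 550, "relay denied"


def demo():
    """Run constructed recipients through the receive-only policy."""
    outside = "203.0.113.7"          # documentation-range address
    samples = ["<Feedback@mycompany.com>", "Joseph", "<someone@example.net>",
               "<someone%example.net@mycompany.com>",
               "<@mycompany.com:someone@example.net>"]
    return [(r, rcpt_decision(outside, r)) for r in samples]


if __name__ == "__main__":
    for rcpt, result in demo():
        print(rcpt, "->", result)
```
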


Joseph Geretz

2006-04-27, 7:52 am

Hi PL,

It sounds like this is the solution I'm looking for. Can you just explain to
me what is the difference between Receiving and Relaying? (I guess this is
elementary, but I'm new at this.) As far as I understand, the purpose of the
SMTP server is to receive incoming mail and 'relay' it to a specific
mailbox. Are you saying that this latter action is not called relaying? That
the term Relay means to route the mail on to another SMTP server?

Thanks for your help!

- Joseph Geretz -



PL

2006-04-27, 7:52 am

> Are you saying that this latter action is not called relaying? That the
> term Relay means to route the mail on to another SMTP server?


I think the term 'relay' is sometimes used for other things but the core
meaning is to relay to other servers.

PL.


Joseph Geretz

2006-04-27, 7:52 am

OK, I got it.

I'm finding though that with Relay disabled, I'm not able to use smart host
forwarding for delivery. For example, I have the following two machines on
my network:

exchange.domain.com
smtp.domain.com

With Relaying disabled, all clients can do is send mail to 'Joseph' which
ultimately ends up as Joseph@smtp.domain.com. This being the case, the mail
just sits on smtp.domain.com in the Drop folder without being routed to
Joseph@domain.com via our Exchange server. Sending mail to Joseph@domain.com
would trigger a forwarding to the Exchange smart host, but this can't be
done since Relaying is disabled.

I can see a path forward for this, but this would involve writing a service
to monitor the drop folder and process incoming mail to either delete it or
forward it on to our Exchange server. Not a huge deal, pretty much simple
file processing and string substitution, but I can't help but think that
there must be a better way of accomplishing what I am trying to do.

Thanks for your advice!

- Joseph Geretz -



Joseph Geretz

2006-04-27, 7:52 am

I have been able to get this to work using two SMTP virtual servers running
on the same server.

The first server which is publicly accessible (port 25 punched through the
firewall) is restricted - No Relay. Its domain is set to domain.com. This
means that mail can be dropped off for Joseph or Joseph@domain.com. Any
other domain address will be rejected because Relay is OFF. This server
drops all delivered mail to the Pickup folder for the second server.

The second server is not publicly accessible. It monitors an arbitrary port
which is blocked by the firewall. But it doesn't get any of its mail from an
outside connection. It receives its mail into its Pickup folder from the
first server as described above. The second server's domain is set to
foobar.com. It is set to Relay and also to use our Exchange Server as its
Smart Host. Therefore, it routes all mail in its Pickup folder (for
domain.com) directly to our internal Exchange server for delivery.

With this simple(?) configuration, we achieve our three objectives:

1. Anonymous access
2. Restrict SMTP to mail intended for the domain.com domain
3. Forward all mail submitted for domain.com onwards to the Exchange Server
for delivery.

Simple! Is there a better way of doing this?

Thanks!

- Joe Geretz -



PL

2006-04-27, 7:52 am


Sounds like a workable solution to me, I haven't had a reason to use the
smarthost feature yet so I couldn't tell you if there is a better solution.

PL.

"Joseph Geretz" <jgeretz@nospam.com> wrote in message
news:O0i3%234JaGHA.1228@TK2MSFTNGP02.phx.gbl...
> I have been able to get this to work using two SMTP virtual servers running
> on the same server.
>
> ......
>
> Simple! Is there a better way of doing this?
>
> Thanks!
>
> - Joe Geretz -



Joseph Geretz

2006-04-27, 7:52 am

Yes, it is simple to set up this way. What was complicated was figuring this
out in the first place. Makes me wonder why MS didn't just provide another
dialog box:

Accept mail for the following domain(s)

with the familiar two options:

Accept mail for only those domains on the list
Accept mail for all domains except those on the list

This would probably go a long way toward tightening up all those unsecured
SMTP servers which are sending SPAM out all over the world. Typical
Microsoft approach though. Allow everything by default and then leave it up
to the customer to figure out how to close all the loopholes.

- Joe Geretz -



PL

2006-04-27, 7:52 am


The problem is that you can easily claim to be from any domain when sending
an email, it's better to limit by ip.

You can test if it's an open relay here: http://www.abuse.net/relay.html

Just to make sure it's correctly configured.

There are other sites where you can do this as well, do a google search for
it.

PL.




Joseph Geretz

2006-04-27, 7:52 am

> The problem is that you can easily claim to be from any domain when
> sending an email, it's better to limit by ip.


That wasn't the thrust of my suggestion. You are quite correct, when
filtering by *sender*, it's practically irrelevant to filter on domain,
which is easily spoofed.

My suggestion is a completely different filter altogether (in addition to
the sender filter by IP). To filter by *destination*. That is to allow me to
set up an SMTP server which will accept only e-mail whose *destination* is
domainA.com or domainB.com. Or, alternatively, to specify that I will accept
mail destined for all domains except domainA.com and domainB.com.

This would allow Anonymous SMTP while at the same time easily cut down on
huge volumes of SPAM, since what can a spammer do with my Anonymous SMTP
server if it only accepts mail for anyone at MyDomain.com? Most of the mail
sent by a spammer for a relay attempt would be immediately rejected based on
the target recipient address(es). Such a simple thought - why hasn't
Microsoft implemented this?

- Joe Geretz -



jbongran

2006-06-20, 6:10 pm

Joseph Geretz wrote:
>
> That wasn't the thrust of my suggestion. You are quite correct, when
> filtering by *sender*, it's practically irrelevant to filter on
> domain, which is easily spoofed.
>
> My suggestion is a completely different filter altogether (in
> addition to the sender filter by IP). To filter by *destination*.
> That is to allow me to set up an SMTP server which will accept only
> e-mail whose *destination* is domainA.com or domainB.com. Or,
> alternatively, to specify that I will accept mail destined for all
> domains except domainA.com and domainB.com.
> This would allow Anonymous SMTP while at the same time easily cut
> down on huge volumes of SPAM, since what can a spammer do with my
> Anonymous SMTP server if it only accepts mail for anyone at
> MyDomain.com? Most of the mail sent by a spammer for a relay attempt
> would be immediately rejected based on the target recipient
> address(es). Such a simple thought - why hasn't Microsoft implemented
> this?
> - Joe Geretz -
>
> "PL" <pblse2@yahoo.se> wrote in message
> news:uLuswSTaGHA.4972@TK2MSFTNGP03.phx.gbl...

My 2 cents:
Rename the default domain (by creating a new one) by an obvious name (like
ytriuvplo or something). This way no one can send mail to the local smtp.
Don't forget to change the default banner returned by smtp ;-)
Create a remote domain said exchange.domain.com
In the property of this domain configure a smart host as this
[ipadressofexchange]
Click on the allow to relay
Repeat for every domains you need to forward to one of your domain
That's it

