1.0 Description
To curb third-party relay activity, System Administrators should install anti-relay features in their mail servers, regardless of the type of mail server being used. The anti-relay feature disables third-party relaying in the mail server and protects it from being used by unauthorized users or spammers to send unsolicited junk mail to other Internet users. In addition, if an older version that is vulnerable to open relaying is being used, System Administrators should upgrade to the latest version, which has anti-relay features.
To test whether your mail server is vulnerable to third-party relay activity, please refer to: http://spamlinks.net/prevent-secure-relay-test.htm
2.0 Technical Matters
Please follow the instructions below to enable the anti-relay features in your mail server, according to the type of mail server in use:
2.1) Sendmail Version 8
Upgrade the Sendmail program to version 8.9 or above. The latest versions have anti-relay features in the default installation.
You can download the latest Sendmail version from the site below:
http://www.sendmail.org
2.2) Lotus Notes and Domino Version 5
Please add the parameter below to your NOTES.INI file:
SMTPMTA_REJECT_RELAYS=1
Then restart your mail server.
For more information, please refer to this site:
http://www.dominopower.com/issues/issue199809/mtaspam002.html
2.3) Eudora Internet Mail Server (Macintosh) Version 2.x
Upgrade the Eudora program to the latest version, 3.0, which has anti-relay features in the default installation.
Please refer to:
http://www.eudora.com/eims/
2.4) Eudora WorldMail Server Version 1.0
If you're using WorldMail 1.0 or 1.0.1, upgrade to version 2.0. Download the WorldMail 2.0 Updater and run the installer. When the installer prompts you to type in the serial key and activation number, use the numbers that you received with your original Eudora WorldMail Server purchase.
For more information, please refer to:
http://www.eudora.com/worldmail/
2.5) Exim, a GNU GPL mailer
First, specify the local mail domains as tightly as possible: LOCAL_DOMAINS should cover only domains that really are local. This is relevant because Exim allows any sender to mail to these domains (since you have told Exim those domains are local, you are not actually relaying by sending to them).
Any domains that are not finally handled by the local Exim but can legitimately be relayed through it (i.e. domains you act as backup MX for) should be specified in RELAY_DOMAINS, although a shortcut for doing this is setting:
RELAY_DOMAINS_INCLUDE_LOCAL_MX
This shortcut can be abused by someone adding MX records that point at your mail server, but it raises the bar so much that it is normally good enough.
You probably want to be able to relay out from local machines on the same network - be careful here since any open machine on your network could be used to do unauthorised relaying. The control of hosts that can relay is done with the HOST_ACCEPT_RELAY option.
The standard settings for a workstation, allowing relaying through the loopback (since packages such as MH post mail this way), would be:-
RELAY_DOMAINS =MXmx
NO_RELAY_MATCH_HOST_OR_SENDER
HOST_ACCEPT_RELAY = 127.0.0.1/8
These are actually the default settings, other than the one for HOST_ACCEPT_RELAY.
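The relay decision described in this section, written out as an added example (not code from Exim or from this advisory). The dictionary keys mirror the Exim options named above; the domain names and client addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample policy. Keys mirror the Exim options named above;
# the domain names are placeholders, not values from the page.
POLICY = {
    "local_domains": {"example.org"},            # delivered on this host
    "relay_domains": {"customer.example.net"},   # we are backup MX for these
    "host_accept_relay": ["127.0.0.1/8"],        # value shown on the page
}

def relay_decision(client_ip, rcpt_address, policy=POLICY):
    """Decide one RCPT TO. Returns (accepted, reason)."""
    if rcpt_address.count("@") != 1:
        return (False, "malformed recipient")
    local_part, domain = rcpt_address.split("@")
    domain = domain.lower().rstrip(".")
    if not local_part or not domain:
        return (False, "malformed recipient")
    # Mail for our own domains is delivery, not relaying: any sender may do it.
    if domain in policy["local_domains"]:
        return (True, "local delivery")
    # Domains we legitimately forward for (e.g. backup MX) are also accepted.
    if domain in policy["relay_domains"]:
        return (True, "permitted relay domain")
    # Anything else is a relay request: allow it only from trusted clients.
    client = ipaddress.ip_address(client_ip)
    for net in policy["host_accept_relay"]:
        # strict=False accepts "127.0.0.1/8", which has host bits set.
        if client in ipaddress.ip_network(net, strict=False):
            return (True, "permitted relay host")
    return (False, "relaying denied")

if __name__ == "__main__":
    # Constructed cases: outside client to local domain, outside client to a
    # foreign domain, and loopback client to a foreign domain.
    for case in [("203.0.113.9", "user@example.org"),
                 ("203.0.113.9", "someone@elsewhere.test"),
                 ("127.0.0.1", "someone@elsewhere.test")]:
        print(case, relay_decision(*case))
```

Every network added to the relay-host list widens the set of machines that can relay anywhere, which is why the section advises keeping it tight.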
More information is at:
http://www.exim.org/howto/relay.html
In Exim, you may also use MAPS filters to reduce spam directed at your users; more information is available at:
http://www.exim.org/howto/rbl.html
2.6) Innosoft, a maker of email messaging software for VMS and UNIX
You need to configure PMDF to disallow people from using your PMDF system as a means of relaying.
2.7) Microsoft Exchange Version 5.5 (service pack 1)
Exchange Server 5.0 is vulnerable to unauthorized relaying if you allow local SMTP users. If you're using Exchange Server 5.0, please update to Exchange Server 5.5 (Service Pack 1), which adds spam control features that let the administrator specify who can and cannot relay mail through the server.
Please refer to:
http://www.slipstick.com/exs/relay.htm
2.8) Microsoft Exchange 2000
Please refer to:
http://www.microsoft.com/technet/security/prodtech/mailexch/excrelay.mspx
2.9) Netscape Messaging Server
Netscape Messaging Server version 3.5 has an anti-spam feature called UBE filters, which can be used to block unauthorized relaying. If you're running an earlier version, you need to upgrade to version 3.5.
For more information refer to:
http://home.netscape.com/eng/Messaging/guide35/ch5.htm
If you're using NMS version 4.0, you need to upgrade to version 4.15 and use the Anti-Relay plug-in to block relaying.
For more information, refer to:
http://appsrv.ttnet.net.tr/netscape/
2.10) Mercury Mail Transport System for Novell servers: Version 1.44 for Netware and Version 2.16 for Win95/NT
Version 1.40 of the Mercury Mail Transport System already has an anti-relay feature. If you are using a previous version, upgrade to the latest version. The Mercury/32 mailer is re-designed for Windows/95 and Windows/NT. Version 2.11 has an anti-relay feature. If you are using a previous version, you need to upgrade to the latest version. To disable relaying, the following text should be added to the [MercuryS] section of "mercury.ini":
[MercuryS]
Relay : 0
Strict_Relay : 1
Allow : 2.3.4.5 # The offsite backup (MX server)
Allow : 192.168.XXX.0 # Our local network
Allow : 192.168.YYY.5 # A single other machine we allow
For some older versions, the "allow/refuse" entries under [MercuryS] must end with the line:
Refuse: 0.0.0.0
Current versions (including 1.47) reportedly do not need the Refuse: line.
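A small audit for the [MercuryS] settings listed above, as an added example (not part of Mercury or of this advisory). It assumes only the "Key : value # comment" layout shown on this page; the sample files and the `older_version` flag are constructed for illustration.

```python
def audit_mercurys(ini_text, older_version=False):
    """Return findings for the [MercuryS] section; an empty list means the
    relay settings listed on this page are all present."""
    settings, acl, in_section = {}, [], False
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[mercurys]"
            continue
        if not in_section or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key in ("allow", "refuse"):
            acl.append((key, value))             # keep order: last entry matters
        else:
            settings[key] = value
    findings = []
    if settings.get("relay") != "0":
        findings.append("Relay is not set to 0")
    if settings.get("strict_relay") != "1":
        findings.append("Strict_Relay is not set to 1")
    # Older versions only: the allow/refuse list must end with Refuse: 0.0.0.0
    if older_version and (not acl or acl[-1] != ("refuse", "0.0.0.0")):
        findings.append("allow/refuse list does not end with Refuse: 0.0.0.0")
    return findings

# Constructed sample files (addresses are placeholders).
SAMPLE_HARDENED = """\
[MercuryS]
Relay : 0
Strict_Relay : 1
Allow : 192.168.10.0   # constructed local network
"""
SAMPLE_WEAK = """\
[MercuryS]
Relay : 1
Allow : 192.168.10.0
[Other]
Strict_Relay : 1
"""

if __name__ == "__main__":
    print(audit_mercurys(SAMPLE_HARDENED))                 # no findings
    print(audit_mercurys(SAMPLE_WEAK, older_version=True)) # three findings
```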
2.11) Post.Office (version 3.5/3.1 for UNIX and Windows NT)
For version 3.5, please refer to the following to add the anti-relay feature:
http://www.software.com/po/PO_v3.5_AdminGuide/HTML_Adminv3.5/admin04.htm#E10E24
For version 3.1, please refer to:
ftp://ftp.software.com/post.office/po3.1.2/nt/intel/software/releasenotes.txt
2.12) qmail
qmail is a sendmail-like package that appears to operate on the Apache model of Open Source collaboration.
qmail has prohibited relaying by default since version 0.91. The qmail-smtpd daemon will consult the rcpthosts control file to determine valid destination addresses, and reject anything else. However, if you're using a version below 0.91, fix the open relay by listing in your rcpthosts file all the domains that your server is hosting (and those for which it is acting as secondary mail exchanger, if any).
For more information, refer to:
http://www.qmail.org/top.html
2.13) smail Version 3.2
smail version 3.2 has support for blocking unauthorized relay. This is enabled by defining the smtp_remote_allow parameter in your config file. Set it to the list of local IP address ranges from which unrestricted relay is allowed. All other hosts will be refused. If you're using smail v3.0, upgrade to version 3.2 or to exim.
2.14) Appleshare IP Server (ASIP)
To add the anti-relay feature in Appleshare, please refer to the following site:
http://docs.info.apple.com/article.html?artnum=31108
2.15) Groupwise
In version 5 using NWAdmin, go to the details page of the Gateway. Click on the "Access Control" tab, and then the "SMTP Relay" button. Check the "Prevent Message Relaying" radio button, then click OK.
To secure the GroupWise SMTP/MIME gateway, edit the DOMAIN/WPGATE/SMTP/GWSMTP.CFG file (with any text editor) and add the switch "/NOROUTING". Mail relay will now be disabled.
In version 5.5, add "/NOROUTING" to the GWIA.CFG file in the SYS:SYSTEM folder.
2.16) AS/400 TCP/IP Connectivity Utilities/400
- For OS/400 V4R2 apply PTF SF 53394 (or supersedes). Follow the instructions in the cover letter found here.
- For OS/400 V4R3 apply PTF SF 54553 (or supersedes). Follow the instructions in the cover letter found here.
- For OS/400 V4R4 apply PTF SF 54611 (or supersedes). Follow the instructions in the cover letter found here.
3.0 More Information
For more information on fixing open-relay, please refer to the following sites: