


OK, I'm concerned we're getting confused here. You CAN NOT simply turn off
port 25 access from the outside world to your SMTP host! If you do, how do
you expect to get inbound e-mail? There are two different scenarios here:

1) connections from anywhere on the net where the mail is addressed to
someone AT YOUR location
2) connections from anywhere on the net where the mail is addressed to
someone NOT at your location

Scenario 1 is how you get YOUR mail. You can not turn that off or you have
no mail.

Scenario 2 is what is called relaying. Relaying must be disabled in the SMTP
server (or an SMTP-aware proxy/firewall) by looking at the RCPT TO commands
in the SMTP stream. It's simple enough to turn off relaying at the server,
but here's the hitch. If you do that then your employees dialed into the net
from the outside world won't be able to use your SMTP server to send their
mail. There are several possible solutions to this:

1) Allow relaying from internal addresses only and have them connect to your
LAN via a VPN connection. Then they can access the SMTP server from an
INTERNAL address and all is good. A spammer trying to relay off you would
access from an external address and be denied. (IMHO this is the best
solution as the VPN allows so many other "cool" things too.)

2) Allow relaying from external addresses ONLY if user validates w/a
password. This works too, but obviously requires an SMTP server that supports
authentication. IIRC, authentication isn't part of the base RFC, but rather
an ESMTP extension. Does the AS/400's SMTP server support this?

3) Use a higher-level mail client like Exchange or Domino. In the case of
Exchange (and I think, Domino) I'm not actually sending SMTP mail from my
PC. I'm sending a message into Exchange and Exchange passes it off to the
SMTP sender at the server. Using products like Exchange and Domino would
also allow the use of browser-based access to e-mail so the road-warriors
could check/send e-mail from any web browser in the world.

-Walden

------------
Walden H Leverich III
President
Tech Software
(516)627-3800 x11
WaldenL@TechSoftInc.com
http://www.TechSoftInc.com
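
The RCPT TO relay check described in the message above (scenarios 1 and 2, with solutions 1 and 2 as the permitted exceptions), as an added example that is not part of the original post and not AS/400, Exchange or Domino code. The domain, the internal network range and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed values for illustration; substitute your own domain and networks.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # LAN plus VPN address pool


def rcpt_domain(rcpt_line):
    """Return the lower-cased domain of an 'RCPT TO:<user@domain>' line, or None."""
    verb, _, arg = rcpt_line.strip().partition(":")
    if verb.strip().upper() != "RCPT TO":
        return None
    parts = arg.split()  # drop any ESMTP parameters after the address
    addr = parts[0].strip("<>") if parts else ""
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_internal(client_ip):
    """True when the connecting address falls inside an internal network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def check_rcpt(client_ip, rcpt_line, authenticated=False):
    """Return the SMTP reply the server gives to one RCPT TO command."""
    domain = rcpt_domain(rcpt_line)
    if domain is None:
        return "501 Syntax error in RCPT TO"
    if domain in LOCAL_DOMAINS:
        return "250 OK"  # scenario 1: inbound mail, accepted from anywhere
    if is_internal(client_ip):
        return "250 OK"  # solution 1: relay for LAN/VPN clients only
    if authenticated:
        return "250 OK"  # solution 2: relay for clients that gave a password
    return "550 Relaying denied"  # scenario 2 from an unknown outside host


if __name__ == "__main__":
    # Constructed sample connections: (client address, command, authenticated)
    for ip, line, auth in [
        ("203.0.113.9", "RCPT TO:<bob@example.com>", False),
        ("203.0.113.9", "RCPT TO:<someone@elsewhere.test>", False),
        ("10.1.2.3", "RCPT TO:<someone@elsewhere.test>", False),
        ("203.0.113.9", "RCPT TO:<someone@elsewhere.test>", True),
    ]:
        print(ip, line, "->", check_rcpt(ip, line, auth))
```

Port 25 stays open to the outside in every case; only the per-recipient decision changes, which is why filtering the port at the firewall cannot substitute for this check.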



-----Original Message-----
From: R. Bruce Hoffman, Jr. [mailto:rbruceh@attglobal.net]
Sent: Tuesday, November 20, 2001 6:50 PM
To: midrange-l@midrange.com
Subject: Re: fix.your.open.relay.or.die.net


----- Original Message -----
From: "Fritz Hayes" <fhayes@spiritone.com>
To: <midrange-l@midrange.com>
Sent: Tuesday, November 20, 2001 6:13 PM
Subject: RE: fix.your.open.relay.or.die.net


> POP3 or IMAP.  How would you propose setting up the SMTP server on the
> AS/400 or Domino to service these users without the user/password
> technique?

It's not really something that _should_ be done on the 400 or any other smtp
server (sendmail, etc.).

It's something your firewall should do at a minimum.

Two ways: NO access from outside networks, just filter off port 25; the other
- allow access only from specific static IP addresses. ATT and some of the
other big players do this, which is why you have to dial in to their systems
and use their assigned addresses in order to access their smtp servers.

The idea is that you should not allow access to _any_ smtp server from
unrestricted/uncontrolled hosts.

===========================================================
R. Bruce Hoffman, Jr.
 -- IBM Certified Specialist - AS/400 Administrator
 -- IBM Certified Specialist - RPG IV Developer

"I want to be different, just like everybody else!"
  - Ceili Rain



_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
or email: MIDRANGE-L-request@midrange.com
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
