Security Basics
mailing list archives
Re: Mail relay question
From: "0x90" <secbasics () spam gagspace com>
Date: Fri, 22 Feb 2008 20:07:52 +0100
> The amount alone is huge I think when I am only hosting my wife and myself
> (as well as the usual abuse etc. contacts).
> I am worried that my home is an open relay in a manner I have not found.

Getting a lot of spam, and being an open relay do not have much to do with
each other.

PS: You are most likely NOT an open relay, otherwise you would be on RBLs,
and you'd have a problem trying to deliver emails anywhere.

> Then I learn that via telnet I can send email from mydomain.com to
> mydomain.com and have it delivered even when the telnet session is from a
> public IP.

That's how it all works. If you couldn't do that, you wouldn't get any
emails. They arrive from public IPs (mailservers, etc.) to your mail server,
with the destination address ending with this 'mydomain.com'.

> So, I am a little fuzzy on what it is I am trying to learn here, but:
>
> 1. Would you think 5000 emails a month with maybe 200 valid emails is
> normal in a home/family type setup?

Yes. This depends on many things, such as you and your wife giving out your
addresses on websites, having contacts that are infected with spy/spamware,
predictability of the username part, number of aliases that point to the
same mailbox, what filtering mechanisms you have to reject emails before
they are even sent (RBL, rDNS verification, etc.).

> 2. Is mail always accepted and relayed when the sender and recipient
> domain is the same?
> (This is without sender authentication configured or capability).

To put it simply, mail is accepted if 1) you send from a trusted source
(like your home internal IPs, localhost, whatever else you configured), 2)
the destination domain is handled on your server (mydomain.com).

> a. If yes, what is to stop an angry neighbor on his vacation to China from
> sending a nasty email from me to my wife? (In this insecure setup).

Anybody can spoof any source address. There's nothing you can do about it.
From the headers you would see the originating Chinese IP.

> b. My gateway at home (Smoothwall using DSPAM/SEMF? mod) only accepts the
> initial HELO if followed by connecting domain name (HELO domain.com). So
> how come I can connect from domainx.com and send email from domainy.com to
> domainy.com?

HELO is irrelevant. MAIL FROM and RCPT TO are the source/destination
addresses, and the From: and To: headers are taken into account in your
email client. Google SMTP RFC? ;)

> c. What can I do to remove this risk?

What risk.

> 3. Any recommendations on a free mail gateway solution? SpamAssassin?
> ClamAV? My goal is to migrate away from Exchange 2003. I have been wanting
> to try Zimbra for mail server but would like a good mail gateway in the DMZ
> instead of hosted by the firewall.

Whatever you have, if you properly configure it you should be ok. I vote for
Postfix. But it's a matter of taste.
0x90
http://hax.tor.hu/
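Added illustration, not part of 0x90's reply: the two acceptance rules from the answer to question 2 (trusted source, or destination domain handled locally) as a relay decision on the envelope, and the header trace from the answer to 2a that recovers the connecting IP. The networks, domain, hostname and the sample message are constructed; 203.0.113.45 is a documentation address standing in for the "neighbor in China".

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical relay policy for a home server; all values are constructed.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                    ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"mydomain.com"}
MY_HOSTNAME = "mail.mydomain.com"

def relay_decision(client_ip, rcpt_to):
    """Apply the post's two acceptance rules to one envelope recipient.
    Only the connecting IP and RCPT TO matter; HELO and the From:/To:
    headers play no part, since the sender can put anything there."""
    src = ipaddress.ip_address(client_ip)
    rcpt_domain = parseaddr(rcpt_to)[1].rpartition("@")[2].lower()
    if any(src in net for net in TRUSTED_NETWORKS):
        return "accept"   # rule 1: trusted source may send anywhere
    if rcpt_domain in LOCAL_DOMAINS:
        return "accept"   # rule 2: destination domain is handled here
    return "reject"       # accepting this is what "open relay" means

# Constructed message: an outsider at 203.0.113.45 spoofed me@mydomain.com.
SAMPLE_MESSAGE = """Received: from mail.mydomain.com (localhost [127.0.0.1])
\tby mail.mydomain.com (Postfix) with ESMTP id A1B2C3
\tfor <wife@mydomain.com>; Fri, 22 Feb 2008 20:07:52 +0100
Received: from laptop (unknown [203.0.113.45])
\tby mail.mydomain.com (Postfix) with SMTP id D4E5F6
\tfor <wife@mydomain.com>; Fri, 22 Feb 2008 20:07:50 +0100
From: me@mydomain.com
To: wife@mydomain.com
Subject: hello

nasty
"""

def originating_ip(raw_message):
    """Return the IP from the earliest Received line stamped by our own host.
    Received lines are prepended per hop, so only the ones our server wrote
    are trustworthy, and the last of them names the address that connected."""
    msg = message_from_string(raw_message)
    ours = [h for h in msg.get_all("Received", []) if f"by {MY_HOSTNAME}" in h]
    if not ours:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", ours[-1])
    return match.group(1) if match else None
```

The first call reproduces what the original poster saw over telnet (same-domain delivery from a public IP is accepted by rule 2), while the second shows the case that would actually make the server an open relay.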