Security Basics mailing list archives
Re: FW: Mail relay question
From: Aaron Howell <aaron_howell () ngenuity-is com>
Date: Fri, 22 Feb 2008 11:50:47 -0800
Nick Vaernhoej wrote:
> Good day,
Hello!
> So, I am a little fuzzy on what it is I am trying to learn here, but:
>
> 1. Would you think 5000 emails a month with maybe 200 valid emails is normal in a home/family type setup?
I don't keep a close eye on my spam statistics anymore, but a quick, off-the-cuff assessment shows:
From January 16th to January 31st, 2008 a single account on my personal mail server received 611 messages tagged by spamassassin, and another 50 or so that got through my filters. If we extrapolate that for the month, we get about 1300 messages for that account. This domain has been registered for about 7 years, but has never had more than a handful of accounts on it (same situation as you describe, myself, my family, and a few friends have used it over the years). It also really depends on how you use the email addresses associated with the domain. If you go out and sign up for lots of forum accounts and miscellaneous garbage with addresses from that domain, it's much more likely to get targeted.
> 2. Is mail always accepted and relayed when the sender and recipient domain is the same? (This is without sender authentication configured or capability).
That depends.(TM) Most (more likely all?) modern MTAs (and clients) support SMTP authentication, and there is no good reason at this point not to be using it. This would end the conversation right here, actually...

That being said, mail is generally accepted by a mail server if the recipient is one of its users. That is, after all, the purpose of a mail server. A better test than connecting and sending yourself an email would be to connect from somewhere outside your network and try sending some third party an email from a non-local account. Example:

    user@host:/var/log# telnet mail.example.com 25
    Trying 127.0.0.1...
    Connected to mail.example.com.
    Escape character is '^]'.
    220 saturn.example.com ESMTP
    ehlo otherexample.org
    250-saturn.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250 8BITMIME
    mail from: example () somewhere com
    250 Ok
    rcpt to: nobodyhome () otherexample org
    554 <nobodyhome () otherexample org>: Relay access denied
    quit

If that address had been accepted, then that would be an open relay. Usually, the mail server doesn't care what the sender's domain is, it only cares about the recipient. If the recipient isn't local, it should check to see if it's allowed to relay mail for that domain, and if not, reject it.
> a. If yes, what is to stop an angry neighbor on his vacation to China from sending a nasty email from me to my wife? (In this unsecure setup).
Spoofing email headers is trivial. Email headers should not be trusted. Email should not be trusted, unless it's signed in some verifiable way. If I know (or can guess) a valid address on your domain, I can send email that appears to be from just about anywhere to that address. Don't trust email.
> b. My gateway at home (Smoothwall using DSPAM/SEMF? mod) only accepts the initial HELO if followed by connecting domain name (HELO domain.com). So how come I can connect from domainx.com and send email from domainy.com to domainy.com?
If what you describe here is accurate, you are an open relay, and should immediately take steps to rectify the problem. To answer this question, you need a better understanding of what HELO/EHLO are intended to do, because they don't do what you think they do. Go here: http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-avoid-helo.html
> c. What can I do to remove this risk?
See answer to question 2(a)...
> 3. Any recommendations on a free mail gateway solution? SpamAssassin? ClamAV? My goal is to migrate away from Exchange 2003. I have been wanting to try Zimbra for mail server but would like a good mail gateway in the DMZ instead of hosted by the firewall.
I use postfix with spamassassin in my environment, and think it works quite well. I also use it for clients. If you're not a *nix guy, you may not like it as much. YMMV
> Thank you and I will follow up with answers to questions for clarification.
I hope my answers were useful.

--
Aaron Howell
nGenuity Information Services
509-396-2075 x6000
http://www.ngenuity-is.com
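The relay decision Aaron describes (deliver if the recipient is local, otherwise relay only if this client is allowed to, and regardless of what HELO or MAIL FROM claimed) as an added example that is not part of the original thread and not code from any MTA. It is a small Python model of the server side of the conversation: it replays the probe from the transcript above against a correctly restricted policy and against an open-relay policy, shows the same probe succeeding after SMTP AUTH, and shows why a forged sender addressed to a local mailbox is accepted, which is the point behind "don't trust email". All host names, mailbox names, the `example.com`/`otherexample.org` domains and the AUTH credential placeholder are constructed.

```python
"""Model of how an MTA decides to accept, relay or refuse a recipient.

Added example, not code from the thread or from any MTA. Host names, users
and the sessions below are constructed; the banner and the 554 text follow
the transcript quoted in the message above.
"""
from dataclasses import dataclass, field


@dataclass
class RelayPolicy:
    # Domains this server delivers for locally (Postfix calls this mydestination).
    local_domains: set
    # Domains it forwards for without authentication (Postfix: relay_domains).
    relay_domains: set = field(default_factory=set)
    # True models an open relay: forwarding for any recipient, anywhere.
    relay_for_anyone: bool = False

    def rcpt_response(self, rcpt: str, authenticated: bool) -> str:
        """Reply to RCPT TO. Neither the HELO/EHLO name nor the MAIL FROM
        domain is consulted: only the recipient domain and whether the
        client authenticated."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return "250 Ok"                     # local mailbox: always accepted
        if authenticated or self.relay_for_anyone or domain in self.relay_domains:
            return "250 Ok"                     # relaying permitted for this client
        return f"554 <{rcpt}>: Relay access denied"


def run_session(policy: RelayPolicy, commands: list, authenticate: bool = False) -> list:
    """Replay client commands against `policy`; return [(command, reply_lines)].
    Only EHLO/HELO, AUTH, MAIL FROM, RCPT TO and QUIT are modelled. `authenticate`
    stands in for the outcome of the (unmodelled) SASL credential check."""
    transcript = [("", ["220 saturn.example.com ESMTP"])]
    authenticated = False
    for cmd in commands:
        upper = cmd.upper()
        if upper.startswith(("EHLO ", "HELO ")):
            # The announced name ends up in Received: headers but grants
            # nothing; it is not an identity check.
            reply = ["250-saturn.example.com", "250-STARTTLS",
                     "250-AUTH PLAIN LOGIN", "250 8BITMIME"]
        elif upper.startswith("AUTH "):
            authenticated = authenticate
            reply = (["235 2.7.0 Authentication successful"] if authenticated
                     else ["535 5.7.8 Error: authentication failed"])
        elif upper.startswith("MAIL FROM:"):
            reply = ["250 Ok"]                  # sender address is taken on faith
        elif upper.startswith("RCPT TO:"):
            rcpt = cmd.split(":", 1)[1].strip().strip("<>")
            reply = [policy.rcpt_response(rcpt, authenticated)]
        elif upper == "QUIT":
            reply = ["221 Bye"]
        else:
            reply = ["502 5.5.2 Error: command not recognized"]
        transcript.append((cmd, reply))
    return transcript


def reply_to(transcript: list, verb: str) -> str:
    """First reply line to the first command that starts with `verb`."""
    for cmd, lines in transcript:
        if cmd.upper().startswith(verb.upper()):
            return lines[0]
    raise ValueError(f"no {verb} command in session")


PROPER = RelayPolicy(local_domains={"example.com"})
OPEN = RelayPolicy(local_domains={"example.com"}, relay_for_anyone=True)

# Constructed replay of the probe in the message: a client from a third
# domain asks the server to carry mail to a recipient that is not its own.
RELAY_PROBE = ["EHLO otherexample.org",
               "MAIL FROM:<example@somewhere.com>",
               "RCPT TO:<nobodyhome@otherexample.org>",
               "QUIT"]

# The same probe after SMTP AUTH (the credential value is a placeholder).
AUTHED_PROBE = RELAY_PROBE[:1] + ["AUTH PLAIN <base64-credentials>"] + RELAY_PROBE[1:]

# A forged local sender to a local recipient: accepted because the recipient
# is the server's own user, which is why the From header proves nothing.
FORGED_SENDER = ["EHLO otherexample.org",
                 "MAIL FROM:<spouse@example.com>",
                 "RCPT TO:<me@example.com>",
                 "QUIT"]

if __name__ == "__main__":
    for label, policy in (("properly configured", PROPER), ("open relay", OPEN)):
        print(f"--- {label} ---")
        for cmd, lines in run_session(policy, RELAY_PROBE):
            print("\n".join(([cmd] if cmd else []) + lines))
```

Running it prints the two transcripts side by side: the restricted policy answers the RCPT TO with the same `554 ... Relay access denied` as in the message, the open relay answers `250 Ok`. In Postfix the `rcpt_response` rule corresponds to `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination` in `smtpd_recipient_restrictions` (Postfix 2.10 and later also have `smtpd_relay_restrictions` for the same purpose); the probe above is a quick way to confirm such a policy is in effect from outside your own network.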
