Re: Broadband querry: msg#00301

user-groups.linux.ilug.general

Subject: Re: Broadband querry

Rick Moen <rick@xxxxxxxxxxxxxx> 33 lines of wisdom included:
> Er, while the point is valid for the more _general_ case of security
> testing, when you're talking specifically about mail relaying, you can
> do basic testing (which is pretty much all you should need) right from
> localhost. And that's generally what I do. That is, from the console
> of uncle-enzo.linuxmafia.com, I telnet into port 25 of
> uncle-enzo.linuxmafia.com, and attempt to coax the MTA into accepting
> mail addressed From: user@FOREIGN_DOMAIN1, To: user@FOREIGN_DOMAIN2.
> If it is willing to do that, then it relays. (If it doesn't, yes, it
> might be vulnerable to one of those sneaky methods, but -- to a first
> approximation -- it doesn't do relaying.)

Rick,

Specifically with both Postfix and Qmail, this is *NOT* an adequate
test. By default with Postfix, for example, it will allow relaying
for any host within mynetworks which, by default, is 127.0.0.0/8.
This means relaying from any FOREIGN_DOMAIN to any FOREIGN_DOMAIN.

Testing from the localhost is not an adequate test, since with a
default Postfix install you should always be able to relay mail from
the localhost. The most common thing to do is something like:

mynetworks = 127.0.0.0/8, 10.0.0.0/8

Which would mean you need to test from outside the 127/8 network and
the 10/8 network which means accessing the SMTP port from, for
example, an external interface.

So what you're saying above is actually a pretty useless test, since
plenty of MTAs allow relaying for trusted networks/IPs. You need to
access the MTA from an untrusted network/IP.

Qmail doesn't really have a default install, but all the
recommendations I've seen have basically said the same thing, to
populate /etc/tcp.smtp with:

127.:allow,RELAYCLIENT=""

So, in a general case, MTAs are set up to allow relaying from client
IPs within their trusted network. Since, more than likely, the
administrator is going to be accessing the MTA from an IP within
that trusted network, testing for mail relaying becomes harder.

In summary, yes the relay test has benefits unless you can prove to
me otherwise, without using such scenarios.

I think for now, you had better stick to using Paul Vixie's tests ;)

http://www.lifewithqmail.org/lwq.html#relaying
http://www.postfix.org/basic.html#relaying

--
Philip Reynolds | RFC Networks Ltd.
philip.reynolds@xxxxxxxxxxxxxxx | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil/ | www.rfc-networks.ie
--
Irish Linux Users' Group
http://www.linux.ie/mailman/listinfo/ilug/
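
The point made in the message above, as an added example that is not part of the original post: before trusting a relay test, check whether the address you are testing from is one the MTA already trusts. The function names are hypothetical, the parsers are simplified, and 192.0.2.10 is a constructed sample address.

```python
import ipaddress

def postfix_trusts(mynetworks: str, client_ip: str) -> bool:
    """True if client_ip is inside a CIDR listed in a Postfix mynetworks value.
    Simplified: plain CIDR entries only (no file lookups, no "!" exclusions)."""
    ip = ipaddress.ip_address(client_ip)
    nets = mynetworks.replace(",", " ").split()
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def qmail_trusts(tcp_smtp: str, client_ip: str) -> bool:
    """True if the most specific matching tcp.smtp rule sets RELAYCLIENT.
    Simplified: exact addresses, dotted prefixes such as "127." and the
    empty default rule; hostname and range rules are not handled."""
    best_len, best_action = -1, ""
    for line in tcp_smtp.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        pattern, action = line.split(":", 1)
        matches = (pattern == "" or pattern == client_ip or
                   (pattern.endswith(".") and client_ip.startswith(pattern)))
        # A longer pattern is more specific, so it overrides a shorter one.
        if matches and len(pattern) > best_len:
            best_len, best_action = len(pattern), action
    return best_action.startswith("allow") and "RELAYCLIENT=" in best_action

def relay_test_is_meaningful(client_ip, mynetworks="", tcp_smtp=""):
    """A relay test only says something when run from an untrusted address."""
    return not (postfix_trusts(mynetworks, client_ip) or
                qmail_trusts(tcp_smtp, client_ip))

# Settings quoted in the message above.
POSTFIX_DEFAULT = "127.0.0.0/8"
POSTFIX_COMMON = "127.0.0.0/8, 10.0.0.0/8"
QMAIL_TCP_SMTP = '127.:allow,RELAYCLIENT=""'

if __name__ == "__main__":
    # 192.0.2.10 is a constructed sample (documentation address range).
    for ip in ("127.0.0.1", "10.1.2.3", "192.0.2.10"):
        ok = relay_test_is_meaningful(ip, POSTFIX_COMMON, QMAIL_TCP_SMTP)
        print(f"{ip}: relay test from here is "
              f"{'meaningful' if ok else 'not meaningful (trusted source)'}")
```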
