Rick Moen <rick at linuxmafia.com> 33 lines of wisdom included:
> Er, while the point is valid for the more _general_ case of security
> testing, when you're talking specifically about mail relaying, you can
> do basic testing (which is pretty much all you should need) right from
> localhost. And that's generally what I do. That is, from the console
> of uncle-enzo.linuxmafia.com, I telnet into port 25 of
> uncle-enzo.linuxmafia.com, and attempt to coax the MTA into accepting
> mail addressed From: user$FOREIGN_DOMAIN1, To: user at FOREIGN_DOMAIN2.
> If it is willing to do that, then it relays. (If it doesn't, yes, it
> might be vulnerable to one of those sneaky methods, but -- to a first
> approximation -- it doesn't do relaying.)
Specifically with both Postfix and Qmail, this is *NOT* an adequate
test. By default with Postfix, for example, it will allow relaying
for any host within mynetworks which, by default, is 127.0.0.0/8.
This means relaying from any FOREIGN_DOMAIN to any FOREIGN_DOMAIN.
Testing from the localhost is not an adequate test, since with a
default Postfix install you should always be able to relay mail from
the localhost. The most common thing to do is something like:

    mynetworks = 127.0.0.0/8, 10.0.0.0/8

Which would mean you need to test from outside the 127/8 network and
the 10/8 network which means accessing the SMTP port from, for
example, an external interface.
So what you're saying above is actually a pretty useless test, since
plenty of MTAs allow relaying for trusted networks/IPs. You need to
access the MTA from an untrusted network/IP.
Qmail doesn't really have a default install, but all the
recommendations I've seen have basically said the same thing, to
populate /etc/tcp.smtp with:
So, in a general case, MTAs are set up to allow relaying from client
IPs within their trusted network. Since, more than likely, the
administrator is going to be accessing the MTA from an IP within
that trusted network, testing for mail relaying becomes harder.
In summary, yes the relay test has benefits unless you can prove to
me otherwise, without using such scenarios.
I think for now, you had better stick to using Paul Vixie's tests ;)
Philip Reynolds | RFC Networks Ltd.
philip.reynolds at rfc-networks.ie | +353 (0)1 8832063
http://people.rfc-networks.ie/~phil/ | www.rfc-networks.ie
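
Added example, not part of the original post: a check of whether a planned relay-test source address falls inside the trusted networks, in which case the test only shows that trusted clients may relay. The mynetworks value is the one quoted in the post; the function names and source addresses are constructed for illustration, and only literal CIDR entries are handled.

```python
import ipaddress
import re


def parse_mynetworks(value):
    """Parse literal CIDR entries of a Postfix mynetworks value.

    Entries are separated by commas and/or whitespace. Anything that is
    not a literal network (file, table or "!" exclusion entries) raises
    ValueError instead of being guessed at.
    """
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        if item:
            # Postfix writes IPv6 networks as [addr]/len; drop the brackets.
            literal = item.replace("[", "").replace("]", "")
            nets.append(ipaddress.ip_network(literal, strict=False))
    return nets


def trusting_network(source, nets):
    """Return the trusted network containing source, or None."""
    addr = ipaddress.ip_address(source)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def vantage_report(mynetworks, sources):
    """Map each candidate test source to the network that trusts it.

    None means the source is untrusted, so a relay attempt made from it
    exercises the same policy an outside sender would hit.
    """
    nets = parse_mynetworks(mynetworks)
    return {src: trusting_network(src, nets) for src in sources}


if __name__ == "__main__":
    # mynetworks value quoted in the post; source addresses are constructed.
    MYNETWORKS = "127.0.0.0/8, 10.0.0.0/8"
    SOURCES = ["127.0.0.1", "10.1.2.3", "192.0.2.25"]
    for src, net in vantage_report(MYNETWORKS, SOURCES).items():
        if net is None:
            print(f"{src}: untrusted, valid vantage point for a relay test")
        else:
            print(f"{src}: trusted by {net}, relaying from here is expected")
```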