Mail Relay / SPAM
September 27, 2002

I came across something one day that made me check out direct to see if it was relaying mail. It was.

There are many interesting sites to read about efforts to stop SPAM. See:

    http://www.maps.vix.com
    http://www.spews.org
    http://www.uwsg.iu.edu/security/mail-relay.html
    http://www.jtap.ac.uk/reports/htm/jtap-040.html
    http://www.honet.com/Nadine/
    http://spam.abuse.net
    http://www.mids.org/nospam/
    http://www.sendmail.org/antispam.html

---------------------------------------------------------------------------

Useful acronyms:

    UBE = Unsolicited Bulk Email
    UCE = Unsolicited Commercial Email

These are spammer lists maintained by MAPS (http://www.maps.vix.com):

    DUL = Dial-up User List
    NML = Non-conforming Mailing List
    RBL = Realtime Blackhole List
    RSS = Relay Spam Stopper

---------------------------------------------------------------------------

This came from http://www.jtap.ac.uk/reports/htm/jtap-040.html#_Toc456143292

Is my system open to relaying?

This question should be asked after making changes intended to secure a mail system. The same method can also be used to demonstrate the dangers of leaving the system unprotected. The trick is simple: connect on port 25 to the system under test and instigate a dialogue similar to the following (the other end's responses are indented for clarity):

    telnet victim.sys.ac.uk 25
    Connecting to victim.sys.ac.uk ...
        <<< 220- victim.sys.uk Sendmail 8.6.11/8.6.12 ready
    >>> HELO hacker.naughtysys.ac.uk
        <<< 250 ******.***.ac.uk Hello hacker.naughtysys.ac.uk [130.88.x.x]
    >>> MAIL FROM:
        <<< 250 ... Sender ok
    >>> RCPT TO:
        <<< 250 :... Recipient ok
    >>> DATA
    can contain anything ..... terminated by a line with only a single dot
        <<< 250 OAA14072 Message accepted for delivery
    >>> QUIT
        <<< 221 victim.sys.ac.uk closing connection

It also mentioned a Perl script called rlytest, which I plucked from the Internet; it is in my aixnotes/perl_examples directory.
Tweaking it and testing it against indirect showed that yes indeed, it was a mail relay.

---------------------------------------------------------------------------

This page
http://216.239.53.100/search?q=cache:bQGU6Dd7EuUC:whippet.stanford.edu/~ssklar/articles/ibm-esdd/securing_network_services.html+%2B%22mail+relay%22+%2B%22aix+4.3.3%22&hl=en&ie=UTF-8
had these tidbits on sendmail & AIX.

Hardening sendmail

The sendmail mail transport program has a reputation of being the Swiss cheese of software, filled with exploitable vulnerabilities. In fact, the first ever advisory released by the Computer Emergency Response Team (CERT) in 1997 dealt with a problem with sendmail and ftpd. Fortunately, current versions of sendmail have a much better security track record, and any issues that are found are dealt with promptly by the developers of the sendmail application and by IBM. AIX 4.3.3 ships with sendmail 8.9.3 (part of the bos.net.tcp.client fileset), and while this is not the latest available version, it is stable and relatively secure. In order to fully secure the sendmail service, some configuration settings need to be changed from those in the default installation.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Later on, it had this on how to fix AIX 4.3.3, but it didn't work.

Closing the open relay

It is probably not feasible to disable incoming mail service on every system within an organization. If a system has been designated as a mail server, there are steps that can be taken to ensure that the system is not used to route mail that is neither generated by nor destined for the organization. The default behavior of sendmail in AIX 4.3.3 permits what is known as open relaying. Basically, this means that the mail server will accept and process mail sent from outside an organization to addresses that are also outside that organization.
Exploiting open relays is the most common technique used by spammers to send email to thousands of addresses, all originating from a single mail server. Before enabling sendmail in daemon mode (assuming it was disabled per the instructions earlier in this tutorial), the sendmail configuration file must be modified to prevent this misuse of a given system. The following steps detail the process of generating the updated sendmail.cf configuration file:

1. Ensure that the filesets bos.net.tcp.adt and bos.adt.base are installed.

2. Change the current working directory to /usr/samples/tcpip/sendmail/cf, and create a backup of the file aix433.mc.

3. Edit the file aix433.mc, making the changes detailed in the following table:

    divert(0)dnl                                This line should not be changed.
    OSTYPE(aix43)dnl                            This line contains an error; change aix43 to aix433.
    FEATURE(genericstable)dnl                   Delete this line unless the genericstable feature is required.
    FEATURE(mailertable)dnl                     Delete this line unless the mailertable feature is required.
    FEATURE(virtualusertable)dnl                Delete this line unless the virtualusertable feature is required.
    FEATURE(domaintable)dnl                     Delete this line unless the domaintable feature is required.
    FEATURE(allmasquerade)dnl                   Delete this line unless the allmasquerade feature is required.
    FEATURE(promiscuous_relay)dnl               Delete this line to disable open relaying.
    FEATURE(accept_unresolvable_domains)dnl     Delete this line to increase security.
    FEATURE(accept_unqualified_senders)dnl      Delete this line to increase security.
    DOMAIN(generic)dnl                          Without an organization-specific domain.m4 file, this line should not be changed.
    MAILER(local)dnl                            This line should not be changed.
    MAILER(smtp)dnl                             This line should not be changed.
    MAILER(uucp)                                Delete this line unless the routing of mail via UUCP is required.
After making the above changes and saving the file, the contents of the aix433.mc file should be:

    divert(0)dnl
    OSTYPE(aix433)dnl
    DOMAIN(generic)dnl
    MAILER(local)dnl
    MAILER(smtp)dnl

Build a new sendmail configuration file by executing the command:

    m4 ../m4/cf.m4 aix433.mc > /tmp/sendmail.cf.new

(editing quite a bit here ...)

Comment out the following lines in /tmp/sendmail.cf.new:

    Fw/etc/sendmail.cw
    FR-o /etc/mail/relay-domains

Confirm that there are no errors in the new sendmail configuration file by running the command:

    sendmail -C/tmp/sendmail.cf.new -bt < /dev/null
    echo $?

If the sendmail command exited with a zero return code, the new configuration file is ready to be used. Make a backup of sendmail.cf, copy the new one in, and restart sendmail:

    cp -p /etc/sendmail.cf /etc/sendmail.cf.orig
    cp -p /tmp/sendmail.cf.new /etc/sendmail.cf
    stopsrc -s sendmail          # only needed if sendmail is already running
    startsrc -s sendmail -a "-bd -q30m"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Not related, but interesting, was this script that it also suggested running at boot time:

    #!/bin/ksh
    # ---------------------------------------------------------------------
    # /etc/rc.no : sets network options to improve performance and security
    # ---------------------------------------------------------------------
    echo "Setting network options"

    # protection against SYN flood attacks ...
    /usr/sbin/no -o clean_partial_conns=1

    # protection against ICMP redirects (neither accept nor send them) ...
    /usr/sbin/no -o ipignoreredirects=1
    /usr/sbin/no -o ipsendredirects=0

    # protection against illegal access via source routing ...
    /usr/sbin/no -o ipsrcroutesend=0
    /usr/sbin/no -o ipsrcrouteforward=0
    /usr/sbin/no -o ip6srcrouteforward=0

    # disable path MTU discovery ...
    /usr/sbin/no -o tcp_pmtu_discover=0
    /usr/sbin/no -o udp_pmtu_discover=0

---------------------------------------------------------------------------
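Once the rebuilt sendmail.cf is in place, the relay question from the jtap report should be asked again. The script below is an added example (not the rlytest script and not from these notes or the quoted pages) that replays the same HELO / MAIL FROM / RCPT TO dialogue against the server under test and then QUITs without ever sending DATA, so the check proves nothing is relayed even when the server turns out to be open. The host, HELO name and the example.org/example.net addresses are assumed placeholders; both addresses must be foreign to the server being tested.

```python
import socket
import sys

def read_reply(readline):
    """Collect one SMTP reply.  Continuation lines look like '250-text';
    the final line of the reply is '250 text' (a space after the code)."""
    lines = []
    while True:
        line = readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), lines

def relay_test(send, readline, helo, mail_from, rcpt_to):
    """Replay HELO / MAIL FROM / RCPT TO, then QUIT.  DATA is never sent,
    so no message is relayed; the RCPT TO reply alone shows whether the
    server would have accepted mail for a foreign recipient."""
    code, _ = read_reply(readline)
    if code != 220:
        return {"open_relay": None, "rcpt_code": None, "reason": "no 220 greeting"}
    for cmd in ("HELO %s" % helo, "MAIL FROM:<%s>" % mail_from):
        send(cmd + "\r\n")
        code, _ = read_reply(readline)
        if code != 250:
            send("QUIT\r\n")
            return {"open_relay": None, "rcpt_code": None,
                    "reason": "%s rejected with %d" % (cmd.split()[0], code)}
    send("RCPT TO:<%s>\r\n" % rcpt_to)
    rcpt_code, lines = read_reply(readline)
    send("QUIT\r\n")
    return {"open_relay": 200 <= rcpt_code < 300, "rcpt_code": rcpt_code,
            "reason": lines[-1]}

def relay_test_host(host, port=25, helo="tester.example.org",
                    mail_from="probe@example.org", rcpt_to="probe@example.net",
                    timeout=15):
    """Run relay_test over a real TCP connection.  The placeholder sender and
    recipient domains must both be foreign to the host under test, otherwise
    a 250 only proves ordinary local delivery, not relaying."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="latin-1", newline="\n")
        send = lambda text: sock.sendall(text.encode("ascii"))
        return relay_test(send, reader.readline, helo, mail_from, rcpt_to)

if __name__ == "__main__":
    result = relay_test_host(sys.argv[1])
    print("%s: open relay = %s (%s)" % (sys.argv[1], result["open_relay"], result["reason"]))
```

Run it as `python relaycheck.py mailhost` against your own server; a 550/553 "Relaying denied" on RCPT TO means the new configuration took effect.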