RE: SMTP Service in private DMZ OK?

From: Bruce Martins (BMartins_at_extend.COM)
Date: 01/30/04

Next message: Sergey V. Gordeychik: "RE: terminal server"

Previous message: Kevin E. Casey: "RE: SMTP Service in private DMZ OK?"
Maybe in reply to: A. Bluecoat: "SMTP Service in private DMZ OK?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 30 Jan 2004 08:13:32 -0500
To: "Random Task" <rand0m_t4sk@yahoo.com>, <mlyman-security@comcast.net>, <focus-ms@securityfocus.com>

Exchange
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
ity/prodtech/mailexch/excrelay.asp

Here is a link for all systems not sure if it is up to date but check it
out

http://mail-abuse.org/tsi/ar-fix.html

-----Original Message-----
From: Random Task [mailto:rand0m_t4sk@yahoo.com]
Sent: Tuesday, January 27, 2004 5:42 PM
To: mlyman-security@comcast.net; focus-ms@securityfocus.com
Subject: Re: SMTP Service in private DMZ OK?

--- Mike Lyman <mlyman-security@comcast.net> wrote:
> If you are talking about Window 2000 and beyond, it's locked down
> against relaying by default.

One issue I've found but not resolved yet is the ability to relay mail
to users in a domain by using a fake email address in that domain as the
From: address. Example:

>> nc mail.domain.com 25
220 mail.domain.com ready
helo
250 mail.domain.com Hello [1.2.3.4]
mail from: fake-user@domain.com
220 2.1.0 fake-user@domain.com....Sender OK rcpt to:
real-user@domain.com 220 2.1.5 real-user@domain.com
354 Start mail input; end with <CRLF>.<CRLF>
subject: blah
message
message
.
250 2.6.0 <msgid stuff> Queued mail for delivery

This message went through even though that user didn't exist. This could
allow an attacker to perform some social engineering of some sort,
whether it's through URL redirection, reply-to address, or whatever. Has
anyone seen a way to prevent this behavior in Exchange 2000/2003?
GroupWise?

Thanks.
rt
(I can respond on my real work address if you like, just request it.)

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/

------------------------------------------------------------------------

---
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
---------------------------------------------------------------------------

Next message: Sergey V. Gordeychik: "RE: terminal server"

Previous message: Kevin E. Casey: "RE: SMTP Service in private DMZ OK?"
Maybe in reply to: A. Bluecoat: "SMTP Service in private DMZ OK?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: from: address not verified; see http://help.yahoo.com/l/us/yahoo/mail/original/manage/sendfrom&#
... AND going thru the yahoo address verification ... Select SMTP service requires secure.... ... through the yahoo mail settings but did not make this the default. ...
(microsoft.public.mac.office.entourage)
RE: SMTP Service in private DMZ OK?
... Security Business Unit (ISA SE) ... "I used to hate writing assignments, ... SMTP Service in private DMZ OK? ...
(Focus-Microsoft)