Is this behavior an open relay or not ?

Roberto Carna
Hi people, suppose my domain is "company.com".

My email users are as this: [hidden email]

Is it normal that I can send a mail from [hidden email] to [hidden email], from a public IP not belonging to my company?

In my case, I am at home and I execute:

$ telnet smtp.company.com 25
ehlo company.com
mail from: [hidden email]
rcpt to: [hidden email]
data
test
.

and finally the message arrives in my Inbox.

Because I suppose that the normal behavior is sending mail from local address just from an internal IP...not from external.

Thanks a lot, regards!!!

Re: Is this behavior an open relay or not ?

Noel Jones-2
On 11/26/2018 1:34 PM, Roberto Carna wrote:

> Hi people, suppose my domain is "company.com".
>
> My email users are as this: [hidden email]
>
> Is it normal that I can send a mail from [hidden email]
> to [hidden email], from a public IP not belonging to my
> company?
>
> In my case, I am at home and I execute:
>
> $ telnet smtp.company.com 25
> ehlo company.com
> mail from: [hidden email]
> rcpt to: [hidden email]
> data
> test
> .
>
> and finally the message arrives in my Inbox.
>
> Because I suppose that the normal behavior is sending mail from
> local address just from an internal IP...not from external.
>
> Thanks a lot, regards!!!


That's perfectly normal.  Anyone on the internet can send mail to
your company's public mailserver, and the mail from address is not
checked with default setup.

If you don't like people spoofing the mail from: address, use SPF.



  -- Noel Jones

Re: Is this behavior an open relay or not ?

Roberto Carna
Dear Noel, thanks for your help.

In the case of rejecting incoming mail from my own domain, do I have to use just SPF? Or is it possible to use an ACL defined in main.cf ?

Thanks again, good bye !!!

On Mon, 26 Nov 2018 at 16:47, Noel Jones (<[hidden email]>) wrote:
On 11/26/2018 1:34 PM, Roberto Carna wrote:
> Hi people, suppose my domain is "company.com".
>
> My email users are as this: [hidden email]
>
> Is it normal that I can send a mail from [hidden email]
> to [hidden email], from a public IP not belonging to my
> company?
>
> In my case, I am at home and I execute:
>
> $ telnet smtp.company.com 25
> ehlo company.com
> mail from: [hidden email]
> rcpt to: [hidden email]
> data
> test
> .
>
> and finally the message arrives in my Inbox.
>
> Because I suppose that the normal behavior is sending mail from
> local address just from an internal IP...not from external.
>
> Thanks a lot, regards!!!


That's perfectly normal.  Anyone on the internet can send mail to
your company's public mailserver, and the mail from address is not
checked with default setup.

If you don't like people spoofing the mail from: address, use SPF.



  -- Noel Jones

Re: Is this behavior an open relay or not ?

Noel Jones-2
On 11/26/2018 2:00 PM, Roberto Carna wrote:
> Dear Noel, thanks for your help.
>
> In the case of rejecting incoming mail from my own domain, do I have
> to use just SPF? Or is it possible to use an ACL defined in main.cf ?
>
> Thanks again, good bye !!!

Yes, you can find examples on google. SPF is the accepted way to
deal with it.



  -- Noel Jones

Re: Is this behavior an open relay or not ?

Bill Cole-3
On 26 Nov 2018, at 17:08, Noel Jones wrote:

> On 11/26/2018 2:00 PM, Roberto Carna wrote:
>> Dear Noel, thanks for your help.
>>
>> In the case of rejecting incoming mail from my own domain, do I have
>> to use just SPF? Or is it possible to use an ACL defined in main.cf ?
>>
>> Thanks again, good bye !!!
>
> Yes, you can find examples on google. SPF is the accepted way to
> deal with it.

Another option with added benefits is to use a submission (port 587
and/or 465) daemon and require users to authenticate on and never use
port 25 for submission. Then you can simply prohibit external clients
using sender addresses in your own domain on port 25. Note that this has
failure modes that might be solvable with SPF if you have known
legitimate external sources of inbound mail using your domain in sender
addresses.

--
Bill Cole

Re: Is this behavior an open relay or not ?

Benny Pedersen-2
In reply to this post by Roberto Carna
Roberto Carna wrote on 2018-11-26 20:34:

> and finally the message arrives in my Inbox.
>
> Because I suppose that the normal behavior is sending mail from local
> address just from an internal IP...not from external.

it's not an open relay if mail is delivered locally

it will be an open relay if it's delivered elsewhere

that depends on how you have postconf -n

mailing list needs more info to help

Re: Is this behavior an open relay or not ?

Benny Pedersen-2
In reply to this post by Roberto Carna
Roberto Carna wrote on 2018-11-26 21:00:
> Dear Noel, thanks for your help.
>
> In the case of rejecting incoming mail from my own domain, do I have
> to use just SPF? Or is it possible to use an ACL defined in main.cf ?

it's safe to reject rcpt to domains as senders on port 25, SPF is just
more simple to get working

if you send mail with submission or pickup that allow sasl auth it's not
a problem on port 25

i have postfixadmin as backend, it's cheap to test alias in postfixadmin
backend does not being used in port 25

so use your virtual alias to avoid forged senders on this
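
The port 25 restriction that Bill Cole and Benny Pedersen describe, sketched as a Postfix configuration. This is an added example, not part of the thread: the map path /etc/postfix/sender_access, the hash: map type, the reject text and the permit_mynetworks exemption are assumptions, and SASL is assumed to be configured already.

```conf
# ---- /etc/postfix/main.cf : applies to the public MX service on port 25 ----
# Internal hosts listed in mynetworks may still use company.com senders;
# every other client is checked against the sender access map.
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_access

# ---- /etc/postfix/sender_access : assumed path, build with postmap ----
# Matches the envelope sender (MAIL FROM) domain.
company.com    REJECT Use authenticated submission on port 587 for company.com senders

# ---- /etc/postfix/master.cf : authenticated submission service ----
# Users send from here after SASL authentication over TLS, so the
# port 25 sender check is cleared for this service only.
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# ---- apply ----
# postmap /etc/postfix/sender_access
# postfix reload
# postconf -n smtpd_sender_restrictions smtpd_relay_restrictions
```

check_sender_access looks only at the envelope sender, so a message with a foreign MAIL FROM can still show company.com in its From: header. External services that legitimately send with company.com envelope senders are rejected by this rule, which is the failure mode Bill Cole mentions.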