prevent external use of our smtp without authentication

[leonardo99]

our server is being listed on spam-lists, so I did a small test: via CDO, without any authentication, I tried to send mails from a non-existing user on a existing domain; and unfortunately this worked; "Enable SMTP Authentication" is active, also "Allow Any Accounts Login Details" and "Allow POP Before SMTP (Pre-Authentication)"; what should I configure to block this use? I cannot lock to a certain IP ... this is surely a basical configuration ... but I was not able to find it; how should we manage this?

[Code Crafters]

If you have SMTP authentication enabled, the only thing that can bypass this is SMTP relaying safe IPs on the same page of the settings. Make sure that you haven't allowed any IPs such as your router IP that may let all traiffic coming from that IP to have relaying access. If you send your mail server domain to chris@code-crafters.com I'll test if it's definitely an open relay to confirm as well.

Note that your users with valid usernames and passwords could also be sending SPAM or possibly their account is comprimised and some other source is using the account to send SPAM without the users knowing this. Check the SMTP logs and OutMail logs to see which email addresses any SPAM may be coming coming from. You should also set the group limits of Max Mail Sent Per Day to prevent any one user sending too many mails a day. If all your mail doesn't come from a single router IP you can also set a Max Mails Sent Per IP Per Day limit in the SMTP settings.

[leonardo99]

The problem is the following:
- we installed the software long ago, maybe 2 years, I think
- initially I think the blocking of unwanted smtp-users did work, as I think to remember we did the same test
- now I did a very simple test, using a valid domain, but an invalid user: there was no authentication at all, the mail got through!

during the last year we did many configuration changes to AMS, but all of them were regarding the spam-filters, which now works rather well and of course, other changes, were the adding of new users and new domains
I also tried to switch off options, switch them on again; stop the service manually, rerun it again; install the latest version 2.70 some days ago… it all didn’t work
I also updated Windows 2003
As I wasn’t really sure about how you manage the authentication (maybe a user is authenticated by IP, and maybe it keeps authenticated for a long while, so our office would be thought as authenticated during our tests, as we previously used Outlook to download our own mails), I sent this test-software to a friend which is not our customer, so he surely was never authenticated; but it still worked

I also tried to activate other options, like “enable ip range control”, inserting ununsual ips (10.10.10.10 which points to nothing), but it didn’t seem to work; I was still able to send mail from our local pc
The only IP able to bypass relaying check should be the local IP from the server (as also used as webserver with applications sending mails indicating sender-domains which are not hosted by ourselves), but also deactivating this possibility doesn’t change things
so I really don’t know what to change in the configuration anymore …

Could you log on to our server (I could give you the logindata by mail or telephone); maybe your experienced eyes see immediately where the problem is? Feel free to change configuration parameters for your tests between 9 PM and 7 AM Greenwich time (but it shouldn’t be a problem as you are working on the other side of this world, and your office working time is completely shifted);

thank you in advance for your time!

[Code Crafters]

Please send me your mail server domain, remote admin port and remote admin username / password (general settings) to chris@code-crafters.com and I'll take a look at your configuration for any obvious problems. I'll also check for your mail server being an open relay and disable any necessary options to prevent this.

[leonardo99]

I just sent you an email with the logon data

[Code Crafters]

I have replied to your mail with my analysis of your setup and possible solutions to try.

[leonardo99]

unfortunately the problem persists.

if somebodey tries to send emails from an existing domain (on our server) with a user that doesn't exist, the mails go through - but they should be blocked by your program.
it doesn't check the received sender.

example:
...
Tue, 20 Oct 2009 13:11:28 -> 88.61.45.60 -> Success: Action=[Received Sender], Details=[test@filmclub.it]
...
Tue, 20 Oct 2009 13:12:31 -> 88.61.45.60 -> Success: Action=[Start Mail Transaction]
Tue, 20 Oct 2009 13:12:35 -> 88.61.45.60 -> Success: Action=[Complete Mail Transaction], Details=[...]
Tue, 20 Oct 2009 13:12:45 -> 88.61.45.60 -> Success: Action=[Close Connection]


test@filmclub.it is not an existing email adress.

[Code Crafters]

Mail on SMTP is allowed to come TO your users FROM any email address at all. Otherwise, how would you receive mail from the Internet. The limitation is that mail from external email addresses isn't allowed to be relayed through your mail server to other mail servers without SMTP authentication to prove it's one of your approved users. Otherwise unauthorised SPAM could be relayed via your server making it an open relay. You should check your outmail logs to see if any unauthorised mail is leaving your mail server via the outgoing mail queue.

I tested your mail server and it isn't an open relay so only your users can send mail FROM your mail server. Of course policing what they send is another issue altogether and one that may cause you to use sending limits in the group options or check logs for abusive users sending SPAM or too much mail.

[leonardo99]

but what is with "internal not existing email addresses"?
they should be blocked as well.

[Code Crafters]

1) Anyone can delivery to your mail server for incoming mail.
2) Only your users can relay for outgoing mail via SMTP authentication or similar.
3) To further filter mail from domains not on your mail server you can use a combination of SPAM and content filtering to protect your mail server from unwanted SPAM mails from these addresses (but still allow genuine mails from external addresses unless you don't need to of course).
4) As for email addresses on your domain that don't exist on your mail server you can use the Domain Sender Check SPAM filter in particular to filter these out. You should also make sure that your domain settings doesn't allow relaying for non-existent addresses on that domain.