Mailing List SIMS@mail.stalker.com Message #12331
From: Neil Herber <nospam@mail.eton.ca>
Subject: Re: Open relay detected within your network
Date: Wed, 8 Jan 2003 11:57:54 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
It is rumored that on or about 2003-01-08 8:04 AM -0800, Paul Didzerekis wrote as follows:
Seems to me the existence of the primary server in the client host list of the backup server will allow relaying to a local account on the primary only.

But I think that the addition of the .smtp line in the router on the backup is what opens the system to relaying to anywhere.  It's the combination of the two together, but keep reading.  If that is true then anyone could set up a SIMS box and add anyone else's SIMS box (yours or mine) to their client host list and also add that .smtp router line routing from their server to yours and then they would be able to relay mail through that hijacked server.

Paul

I am not sure that I should wade back into these muddy waters, but ...

Your statements above indicate to me that you may misunderstand the purpose of the client hosts list.

Here is my interpretation of how it works - the actual steps are probably different, but the result will be the same.

When a host connects to SIMS trying to send mail, SIMS checks to see if "relay for clients only" is set (it should be unless you want to be a totally open relay). Let us assume that it is set.

SIMS then looks at the IP number of the connecting host (it doesn't give a damn about its name) and compares it to the "client hosts" list.

If the IP number IS in the client host list, then SIMS is willing to send this mail anywhere, either to a local account or to any outside address.

If the IP number is NOT in the client host list, then SIMS will ONLY deliver the mail to a local account. It will not relay it to an outside address.

The client host list should ONLY contain the IPs of hosts for which you are willing to "relay" mail. In practice, you will either need to enter the IPs of all your users, or you will need to enable the "read before send" mechanism that temporarily authorizes IPs based on a user trying to pick up POP mail.

So your statement above "existence of the primary server in the client host list of the backup server" makes no sense whatsoever. Why would you ever want to relay mail from the primary through the backup?

Also, your statement that "addition of the .smtp line in the router on the backup is what opens the system to relaying to anywhere" makes no sense. SIMS only looks at the IP of the connecting host to determine if it will allow it to relay. The names of the connecting host or the SIMS host have nothing to do with it. You go on to disprove your own statement by the example you give. This is more-or-less what I suggested to you a few days ago - that if the ".smtp" scenario worked, then I could relay through any SIMS server I chose.

You also seem to have forgotten that Bill Cole, who has forgotten more about SIMS than I know, could not get your scenario to work.

There is something else that is the problem here - it is not a latent defect in SIMS.

--
Neil

Neil Herber
Corporate info at http://www.eton.ca/
Eton Systems, 15 Pinepoint Drive, Nepean, ON, Canada K2H 6B1
Tel: (613) 829-4668

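The relay decision Neil describes above, as an added illustration that is not SIMS code nor anything posted to the list: a constructed Python model with assumed names (accept_rcpt, pop_login_succeeded, CLIENT_HOSTS, POP_GRACE_SECONDS) and constructed addresses. It shows that only the connecting IP, or a temporary "read before send" authorization, decides relaying; a host name passed in plays no part.

```python
import ipaddress
import time

# Constructed model of the relay check described in the post; assumed values, not SIMS code.
LOCAL_DOMAINS = {"example.com"}                         # domains delivered locally
CLIENT_HOSTS = [ipaddress.ip_network("192.0.2.0/24")]  # "client hosts" list (constructed)
POP_GRACE_SECONDS = 15 * 60                            # assumed "read before send" window

# IP -> expiry timestamp, filled when a user picks up POP mail ("read before send")
_pop_authorized = {}


def pop_login_succeeded(ip, now):
    """Temporarily authorize the IP that just fetched POP mail to relay."""
    _pop_authorized[ipaddress.ip_address(ip)] = now + POP_GRACE_SECONDS


def is_client_host(ip, now):
    """True if the connecting IP is in the client hosts list or has a live POP grant."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CLIENT_HOSTS):
        return True
    expiry = _pop_authorized.get(addr)
    return expiry is not None and now < expiry


def is_local_recipient(rcpt):
    """True if the recipient's domain is one this server delivers locally."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def accept_rcpt(connecting_ip, rcpt, now=None, relay_for_clients_only=True, helo_name=None):
    """Decide whether mail for rcpt is accepted from connecting_ip.

    helo_name is accepted only to make the point that the name of the
    connecting host (or any .smtp router entry) never enters the decision.
    """
    now = time.time() if now is None else now
    if is_local_recipient(rcpt):
        return True                      # local delivery is always accepted
    if not relay_for_clients_only:
        return True                      # "relay for clients only" off: open relay
    return is_client_host(connecting_ip, now)
```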