RE: [cobalt-users] Removing the POP before SMTP pkg
- Subject: RE: [cobalt-users] Removing the POP before SMTP pkg
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Sat Jan 8 15:37:29 2000
Okay...
Now you're getting me even more confused <wry grin>...
Please see notes interspersed below:
At 07:41 AM 1/8/00 Dan wrote:
>
> Do you mean that anything listed in the "Relay email from these
> hosts/domains" window will be relayed without further checking? That's a
> reasonable assumption, but since the RaQ web-interface
> automatically places
> the names of all hosted domains in this window, it makes for a pretty
> insecure mailserver.
The mail must actually come from those domains and it will only be relayed
to a domain on your RAQ.
But mail NEVER actually "comes" from one of these domains. The RaQ is in
my computer room. Users are connected to the rack either through a local
area network, a wide area network (the Internet), or a dialup
connection. <nobaloney.net> resolves to <209.126.157.68>. But users
(including me) are NOT at <209.126.157.68>. Does that mean we can't use
the RaQ as a mail-server for outgoing email? Of course not. Sendmail
looks at the "Received:" header to see where the mail is coming from. Look
at these headers:
Received: from jeff.cari.net (jeff.cari.net [209.126.128.251]) by
ns.jatek.net (8.9.1/RENOC/8.9.1) with ESMTP
id PAA05907 for <jlasman@xxxxxxxxx>; Sat, 8 Jan 2000 15:31:20 -0800
Received: from jc300 (la-151-25.dialup.cari.net [216.98.151.25])
by jeff.cari.net (8.9.3/8.9.3) with ESMTP id OAA31823
for <jlasman@xxxxxxxxx>; Sat, 8 Jan 2000 14:49:45 -0800
Reading from the bottom up (of course <smile>), jc300 is the name of my
system. I'm dialed in through a pop assigned to cari.net. The IP#
216.98.151.25 is NOT in the "Relay email from these hosts/domains"
window. In fact, it couldn't be, since we have no idea which dialup we're
coming from. What IS in the window is "cari.net". Note it's not the
entire "la-151-25.dialup.cari.net"; it's JUST "cari.net". That's because
all sendmail does is a simple partial match.
Sendmail accepted the mail (obviously), looked up "jatek.net", and
forwarded it to the mail server for jatek.net, which is <ns.jatek.net>. I picked
it up from ns.jatek.net (aliased to <mail.jatek.net>) with my copy of
Eudora Pro 4.2.
It's important to understand what the "Relay email from these
hosts/domains" window actually is: it's a look into the /etc/mail/access
database, which is an extension of delivery ruleset S98.
When I removed "cari.net" from the "Relay email from these hosts/domains"
window, I couldn't send the mail to <jlasman@xxxxxxxxx>; it was returned to
me with a "relaying denied" error, since the mail now failed ruleset S98.
You can either believe me or test extensively yourself, the tests are
simple partial matches, and the multiple IP#s are totally irrelevant. The
box's primary IP# is probably a good idea, though not specifically required
either, since mail generated on the system automatically passes.
I still think having all the domain names of all the boxes hosted on this
system constitutes a hole in sendmail's spam-blocking capabilities; any of
your customers, in fact, any spammer, could send email that would arrive
with a received header of "anydomain.com". I'd much rather see only IP#s
and partial IP#s here; they're much harder to forge.
It won't relay to an address outside. e.g., I put
4sarasota.com in my allowed to relay field. IIRC, I can use the RAQ SMTP to
send to one of the domains hosted on that RAQ, but not an outside address.
I just did; see above. My observed behavior matched my expected behavior
(from many years of using sendmail) exactly.
I believe the RAQ resolves the IP to the domain that the mail is actually
coming from.
The RaQ software does nothing, but you probably knew that. Sendmail
simply does a partial match. The IP# itself is a lot more secure than the
name, because it's always in the "Received:" field (really not the field,
but the envelope, at this point; it's put into the field AFTER the mail is
received).
Not by checking the "From" or "Reply-to" in the email.
I agree. From the header information. Which can still be spoofed.
So far it seems secure. Some RAQ1 servers had a problem with Cobalt's non-standard
version of Sendmail allowing Spam to relay using
joe@xxxxxxxxxxxxx@[cobaltdomain.com] I think that was the syntax. This was
Sendmail 8.9.something as I recall which was supposed to be secure.
If that syntax worked it would have been very nonstandard. The standard
syntax that worked (yes, it was a "standard" because it was very useful at
one time and would still be useful today if it were safe) was
<joe#hisdomain.com@xxxxxxxxxxxxxx> as I recall (though it could have been
the other way around; it's been a while <smile>).
> A mailserver set up to forward mail for myclient.com will host ALL mail
> with a return address of <*@myclient.com>, right? So you, or
> anyone else,
> including spammers, can use a return address of
> <anything@xxxxxxxxxxxx> and
> bounce off my server? That seems a pretty unreasonable default, designed
> wholly to get around the safeguards built into the latest builds of
> sendmail, so unknowledgeable RaQ purchasers can easily set up promiscuous
> servers <frown>.
I apologize for using the term "return address"; most people presume that
to be the "From: " field, which it's not. Think of the return address as
what you put in the upper left-hand corner of your outgoing snail-mail. It
has nothing to do with what's inside the letter (although you could put the
same address in both places, and in fact most people do). What's inside
the letter is analogous to the "From:" field.
May affect FormMail.pl, but that's just a guess.
I just tested it. With "mailtraqna.com" in the window here's the header of
the email FormMail returns:
Return-Path: <nobody>
Received: (from nobody@localhost)
by jeff.cari.net (8.9.3/8.9.3) id PAA32106;
Sat, 8 Jan 2000 15:28:02 -0800
Date: Sat, 8 Jan 2000 15:28:02 -0800
Message-Id: <200001082328.PAA32106@xxxxxxxxxxxxx>
To: mtq-download@xxxxxxxxxxxxxx
From: test@xxxxxxxxxxxxxxxx ()
Subject: Mailtraq Download Submission
X-UIDL: 726c4e1c8ad8e551875e4c1639518396
And here are the headers without "mailtraqna.com" in the window:
Return-Path: <nobody>
Received: (from nobody@localhost)
by jeff.cari.net (8.9.3/8.9.3) id PAA32187;
Sat, 8 Jan 2000 15:31:56 -0800
Date: Sat, 8 Jan 2000 15:31:56 -0800
Message-Id: <200001082331.PAA32187@xxxxxxxxxxxxx>
To: mtq-download@xxxxxxxxxxxxxx
From: secondtest@xxxxxxxxxxxxxxxx ()
Subject: Mailtraq Download Submission
X-UIDL: 68ca9a0beac7b85acdc9c86199e3eb24
They're exactly the same.
> Will, your comments are welcome. So are anyone else's.
Still welcome <smile>.
Thanks. I guessed that's why you sent it to the list.
Yep <smile>. I'm still waiting for assurances that I can dial in through
<goober.foo> and use POP before SMTP to accept it without putting
<goober.foo> into the window.
Jeff
--
Jeff Lasman, nobaloney.net
<jblists@xxxxxxxxxxxxx>
<www.nobaloney.net>, <www.mailtraqna.com>, <www.email-lists.com>
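The relay check Jeff is describing (sendmail consulting the /etc/mail/access database against the connecting client, with a "simple partial match" on the domain name, and his point that address prefixes are harder to forge than names) can be worked through in a small model. The code below is an added example, not code from this post, from Cobalt or from sendmail itself. Its assumptions are labelled: only the client's reverse-resolved hostname and IP address are consulted (the envelope sender and the From: header play no part, which matches the behaviour Jeff reports); a hostname matches an entry equal to it or to any trailing run of its labels, so "cari.net" covers "la-151-25.dialup.cari.net"; an IP matches an entry made of its leading octets. The hosts, addresses, access-db contents and the "forged reverse DNS" attacker are all constructed for the example.

```python
# Added example: a model of the sendmail access-database relay decision as the
# cobalt-users post describes it. Not code from the post, from Cobalt, or from
# sendmail. Assumptions (labelled): only the connecting client's reverse-resolved
# hostname and IP are consulted; names match on trailing labels ("cari.net"
# covers "la-151-25.dialup.cari.net"); addresses match on leading octets
# ("216.98.151" covers "216.98.151.25"). All data below is constructed.

RELAY = "RELAY"


def parse_access_db(text):
    """Parse 'key<whitespace>value' lines of an /etc/mail/access source file."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, value = line.split(None, 1)
        entries[key.lower()] = value.strip().upper()
    return entries


def lookup_name(entries, hostname):
    """Try the host itself, then each parent domain: the 'simple partial
    match' the post describes. Returns the RHS value or None."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        value = entries.get(".".join(labels[i:]))
        if value is not None:
            return value
    return None


def lookup_addr(entries, addr):
    """Try the full address, then shorter dotted prefixes (216.98.151, 216.98, 216)."""
    octets = addr.split(".")
    for n in range(len(octets), 0, -1):
        value = entries.get(".".join(octets[:n]))
        if value is not None:
            return value
    return None


def relay_check(entries, local_domains, client_name, client_addr, rcpt):
    """Decide one RCPT TO. Mail for a domain hosted on the box is always taken;
    anything else is relayed only if the client's address or name carries RELAY."""
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower()
    if rcpt_domain in local_domains:
        return "accept (local)"
    if RELAY in (lookup_addr(entries, client_addr), lookup_name(entries, client_name)):
        return "accept (relay)"
    return "550 Relaying denied"


# Two constructed versions of the "Relay email from these hosts/domains" window:
# the domain-name style Jeff describes, and the address-prefix style he prefers.
NAME_BASED = parse_access_db("""
localhost       RELAY
127.0.0.1       RELAY
cari.net        RELAY     # partial match: covers every dialup under *.cari.net
nobaloney.net   RELAY     # a hosted domain the RaQ interface would add by itself
""")

ADDR_BASED = parse_access_db("""
localhost       RELAY
127.0.0.1       RELAY
216.98.151      RELAY     # the dialup pool's address prefix instead of its name
209.126.157.68  RELAY     # the box's own primary address
""")

LOCAL = {"nobaloney.net", "mailtraqna.com"}   # domains hosted on the box


def scenarios():
    """Run the post's dialup case and a constructed forged-reverse-DNS case
    against both windows. Returns {label: (name-based result, address-based result)}."""
    cases = {
        # Jeff's session: reverse name under cari.net, address in the dialup pool
        "dialup relays to jatek.net":
            ("la-151-25.dialup.cari.net", "216.98.151.25", "jlasman@jatek.net"),
        # same client, mail for a domain hosted on the box: no relay needed
        "dialup mails a hosted domain":
            ("la-151-25.dialup.cari.net", "216.98.151.25", "test@nobaloney.net"),
        # constructed attacker whose own netblock's reverse DNS claims a listed domain
        "forged reverse DNS under a listed domain":
            ("mx.nobaloney.net", "198.51.100.7", "victim@example.org"),
    }
    return {
        label: (relay_check(NAME_BASED, LOCAL, *args),
                relay_check(ADDR_BASED, LOCAL, *args))
        for label, args in cases.items()
    }


if __name__ == "__main__":
    for label, (by_name, by_addr) in scenarios().items():
        print(f"{label:42} name-based: {by_name:22} address-based: {by_addr}")
```

The first two scenarios reproduce what Jeff observed: the dialup is relayed as long as "cari.net" is in the window, and mail to a hosted domain never needs relay at all. The third scenario is the hole he is worried about, made concrete: whoever controls the reverse DNS for their own address range can present a name under any listed domain and be relayed by the name-based window, while the address-based window denies them because their address is outside every listed prefix. Dropping "cari.net" from the name-based window turns the dialup case into the "relaying denied" bounce he got.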