LinuxQuestions.org
Old 08-06-2003, 10:23 AM   #1
ganninu
Member
 
Registered: Jul 2003
Distribution: RH 7.3/8.0/9.0, Debian Stable 3.0, FreeBSD 5.2, Solaris 8/9/10,HP-UX
Posts: 340

Rep: Reputation: 30
Accessing an SMTP server via TELNET


hello folks,

As all of you know, one can access an SMTP server via telnet at port 25 and send emails. Is there a way to block this type of access? I'm a bit paranoid and I don't want to allow all the world to abuse my server to send unsolicited mail.

Thanks.
 
Old 08-06-2003, 01:41 PM   #2
cyph3r7
Member
 
Registered: Apr 2003
Location: Silicon Valley East, Northern Virginia
Distribution: FreeBSD,Debian, RH, ok well most of em...
Posts: 238

Rep: Reputation: 30
depends on whacha mean by "block"

If you don't need to receive mail, turn the mail app off or put in a firewall rule that blocks 25 requests.

Now if you do need mail, then you simply reconfigure your mail server to not act as a relay. It is different for each mail daemon so research your flavor and it should be simple to do.
 
Old 08-06-2003, 03:56 PM   #3
ganninu
Member
 
Registered: Jul 2003
Distribution: RH 7.3/8.0/9.0, Debian Stable 3.0, FreeBSD 5.2, Solaris 8/9/10,HP-UX
Posts: 340

Original Poster
Rep: Reputation: 30
This is basically the college SMTP server where students having an account with this system, can use this SMTP server to send their mails. It is based on sendmail. What I want to know is how most ISPs (with domain isp.com) do not allow telnet-based email to recipients who are not user@isp.com. Or, to put it in other words, how can I make the system more secure while at the same time allowing only subscribed people (in this case the students) to use the SMTP server to send their email?
 
Old 08-06-2003, 04:13 PM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Being able to connect via telnet is not the same thing as sending unsolicited email. Telnet is simply the mechanism for issuing SMTP commands to the server. Other email clients do the same thing. They just have a better frontend.

If your sendmail system allows anyone to connect and send email to anyone, then you are an open relay. Telnet is not your problem. You need to look at the anti-spam configuration options for sendmail.
 
Old 08-06-2003, 04:57 PM   #5
TheOther1
Member
 
Registered: Feb 2003
Location: Atlanta, GA
Distribution: RHAS 2.1, RHEL3, RHEL4, SLES 8.3, SLES 9, SLES9_64, SuSE 9.3 Pro, Ubuntu, Gentoo
Posts: 335

Rep: Reputation: 32
IBM has a document on their website called Securing_Linux_Servers_xSP_external.pdf that explains in detail how to secure Sendmail, Postfix and Qmail. Sorry I don't have the link at my fingertips but a quick search on their site should find it.

HTH!

P.S. Try http://www.sendmail.org/ They have some docs on how not to relay. After all, they wrote it!
 
Old 12-09-2003, 12:56 AM   #6
johnyy
Member
 
Registered: Jun 2003
Posts: 92

Rep: Reputation: 15
So is there a way I could block people from telnetting in on port 25, but still be able to send and receive email?

thanks
 
Old 12-09-2003, 01:11 AM   #7
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
>This is basically the college SMTP server where students having an account with this system, can use this SMTP server to send their mails.

You either have to make the server require a login before relaying mail or you have to restrict it to only relay mail from the ip addresses of machines in the college. You probably want port 25 blocked off from outside the college.


>So is there a way I could block people from telnetting in on port 25, but still be able to send and receive email?

As stickman has already said, you can either allow or disallow connections to port 25. You can't tell what program is being used to connect to port 25. When a remote computer opens a connection to your port 25 they might be manually typing in TCP packets on a hexadecimal keypad for all you know.
 
Old 12-09-2003, 01:36 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
telnet is a very simple program. It lets you connect to any TCP port and interact with it, if the protocol syntax is simple enough for a human to figure out (i.e. not encrypted, hashed, in binary, etc.).

There is absolutely zero difference between using telnet to access an SMTP daemon and a slow e-mail client or server doing exactly the same thing (the only essential difference from normal is the rate at which commands are issued, but you have to permit this because of possible link latency in communicating with clients/servers).

Even if you require authentication to send to non-local domains (which you should) you still can't prevent someone from telnet'ing to your server and composing a message to local users, i.e. a user in a domain that you accept mail for.

If you want to learn how to lock down your SMTP server (by the way, Sendmail is a scary choice for an MTA, it has a myriad of security flaws and if it's been more than a few months since you patched it, it's probably vulnerable) then go to my site on e-mail security and visit the "links" section. There is a link near the top to the MAPS TSI anti-relay site. That has a full set of instructions for locking down just about any MTA ever created.

In addition to the anti-relay site, you may find some of the information on my site (MAPS is not affiliated with me in any way, I just find their site... insightful). It's only about half finished at this point, but it does have a lot of good info on the basics of protecting e-mail infrastructure.
 
Old 12-09-2003, 11:56 AM   #9
kdemaree
LQ Newbie
 
Registered: Nov 2003
Posts: 4

Rep: Reputation: 0
If they don't need telnet access, turn off the telnet service. I would think you would want telnet off anyway for security reasons, and use SSH instead.
 
Old 12-09-2003, 03:14 PM   #10
mac_phil
Member
 
Registered: Sep 2003
Distribution: Mandrake 10.0
Posts: 200

Rep: Reputation: 30
All you care about is whether or not you are an open relay, and whether or not your version of sendmail has a vulnerability. You're running a server, so you can't be paranoid about it being open to the internet. The issue isn't whether people can connect, it's whether you are relaying mail.

When someone sends you mail, it comes knocking on port 25. You want the whole internet to be able to send mail to your users. Thus you let the whole internet connect to port 25. (This is oversimplified, there are exceptions, etc., etc.)

Read up about sendmail and relaying. Since I use postfix (which handles this by default), I can't give you specific instructions.

The most basic form of preventing relaying would be to only accept/relay/send mail which originates or terminates within your domain. I.e., the author or recipient is a user connecting to their email account from a computer on your network. This gets more complicated in terms of authentication, off-campus computers needing to send mail, etc.

Last edited by mac_phil; 12-09-2003 at 07:13 PM.
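
Added example, not part of the original thread and not sendmail's own code: a small Python model of the relay rule described in posts #7 and #10, showing that the accept/reject decision uses only the peer address, authentication state and recipient domain, never the client program. The domain `college.example`, the network `192.0.2.0/24` and all function names are assumptions made for illustration.

```python
"""Relay policy sketch (constructed example; domains and networks are assumed)."""
import ipaddress

# Assumed values: the domains this server accepts mail for, and the campus
# address ranges allowed to relay without logging in.
LOCAL_DOMAINS = {"college.example"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def rcpt_domain(address):
    """Return the lower-cased domain of an RCPT TO address, or None if malformed."""
    addr = address.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def is_trusted(client_ip):
    """True when the connecting peer is inside one of the campus networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def rcpt_decision(client_ip, authenticated, rcpt):
    """Decide the reply to one RCPT TO command as (SMTP code, reason).

    Inputs are the only facts the server can verify. Whether the peer is
    telnet, a mail client or another MTA is not visible and not used.
    """
    domain = rcpt_domain(rcpt)
    if domain is None:
        return (501, "bad recipient address")
    if domain in LOCAL_DOMAINS:
        return (250, "local delivery")    # inbound mail is accepted from anyone
    if authenticated or is_trusted(client_ip):
        return (250, "relay permitted")   # logged-in user or on-campus machine
    return (550, "relaying denied")       # outsider asking us to forward mail


if __name__ == "__main__":
    # Constructed sample sessions: (peer address, authenticated?, RCPT TO argument)
    samples = [
        ("203.0.113.9", False, "<student@college.example>"),
        ("203.0.113.9", False, "<someone@elsewhere.example>"),
        ("192.0.2.15", False, "<someone@elsewhere.example>"),
        ("203.0.113.9", True, "<someone@elsewhere.example>"),
    ]
    for peer, auth, rcpt in samples:
        print(peer, auth, rcpt, "->", rcpt_decision(peer, auth, rcpt))
```

The first sample is the case chort raises in post #8: an unauthenticated outsider can still address local users, because that is ordinary inbound mail.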
 
Old 12-09-2003, 03:21 PM   #11
mac_phil
Member
 
Registered: Sep 2003
Distribution: Mandrake 10.0
Posts: 200

Rep: Reputation: 30
Quote:
Originally posted by kdemaree
If they don't need telnet access, turn off the telnet service. I would think you would want telnet off anyway for security reasons, and use SSH instead.
That's orthogonal to this issue. You're talking about access to shell accounts, not the mail transfer agent.
 
Old 12-09-2003, 03:22 PM   #12
mac_phil
Member
 
Registered: Sep 2003
Distribution: Mandrake 10.0
Posts: 200

Rep: Reputation: 30
Quote:
Originally posted by zaphodiv
You probably want port 25 blocked off from outside the college.
Then how does mail from outside get in?

Last edited by mac_phil; 12-09-2003 at 03:43 PM.
 
Old 12-09-2003, 07:07 PM   #13
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally posted by mac_phil
Then how does mail from outside get in?
It wouldn't.
 
Old 12-09-2003, 11:35 PM   #14
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
Ganninu specifically said a server for outgoing email.
I assume that incoming email would be handled by a different machine.
I meant block access to port 25 on the outgoing email server from outside the college.

>Then how does mail from outside get in?
Via the server that handled incoming email

>You're running a server, so you can't be paranoid about it being open to the internet.
Yes you can if it is only supposed to be sending email out.

Last edited by zaphodiv; 12-09-2003 at 11:37 PM.
 
Old 12-10-2003, 03:37 AM   #15
ganninu
Member
 
Registered: Jul 2003
Distribution: RH 7.3/8.0/9.0, Debian Stable 3.0, FreeBSD 5.2, Solaris 8/9/10,HP-UX
Posts: 340

Original Poster
Rep: Reputation: 30
hehe thanks
 