EIMS Relay Security
What is relaying?
How does EIMS 3.2 decide if a message should be relayed?
EIMS 3.2 relay security
EIMS 3.2 SMTP Submit
How does EIMS 2.1 to 3.1 decide if a message should be relayed?
EIMS 2.1 to 3.1 relay security
How do I secure my EIMS Server version 2.1 to 3.1 against relaying?
What to do if you can't secure your server immediately
Such and such site says EIMS can't be secured against relaying.

What is relaying?

Relaying is when a mail server accepts and delivers a message to another server. A mail server accepting and delivering a message to an account on that server is not relaying. A server accepting a message for an account that forwards to an address on another server is also not relaying.

When the protocol for email (SMTP) was originally designed, relaying wasn't a security issue, so no relay security was built in. Unfortunately spammers came along and changed all that by abusing the relaying capabilities of mail servers, so now it is necessary to restrict relaying to avoid your server being hijacked. A number of different ways of restricting relaying have been added on to SMTP.

EIMS supports two ways of restricting relaying: domain and IP based restrictions, and SMTP AUTH.

Domain and IP based restrictions decide if a message should be relayed based on either the domain of the recipient address, or the domain of the sender address and the IP address of the client. The main advantage of this method is that it can support existing clients as is. The main disadvantage is that it is not very useful for supporting roaming clients that are connecting from unknown IP addresses.

SMTP AUTH (also known as SMTP Authentication or SMTP Authorization) is the ideal solution for roaming clients, as the client can authenticate with a username and password to allow relaying. This requires support for SMTP AUTH in the client (nowadays all clients support SMTP AUTH) and it typically needs to be turned on by the user.
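As an added illustration (not EIMS's own code), the following Python model shows how the two mechanisms just described combine into a per-recipient relay decision, and why delivery to a local or forwarding account never counts as relaying; the domains, trusted range and client addresses are constructed examples.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed policy (not an EIMS configuration): accounts hosted locally,
# the sender domain allowed to relay, and the client ranges trusted to do so.
LOCAL_DOMAINS = {"example.com"}
RELAY_SENDER_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Envelope:
    client_ip: str               # address the SMTP client connected from
    mail_from: str               # MAIL FROM address (trivially forgeable)
    rcpt_to: str                 # one RCPT TO address
    authenticated: bool = False  # True only after a successful SMTP AUTH


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def relay_decision(env: Envelope) -> tuple[bool, str]:
    """Return (accept, reason) for one recipient of one message."""
    # Delivery to a local account is not relaying, even if that account
    # forwards to an address on another server.
    if _domain(env.rcpt_to) in LOCAL_DOMAINS:
        return True, "local delivery"
    # SMTP AUTH covers roaming clients: the client IP is irrelevant here.
    if env.authenticated:
        return True, "relayed: authenticated client"
    # Domain-and-IP rule: the sender domain alone is never enough (a forged
    # MAIL FROM would defeat it); the client must also be in a trusted range.
    ip = ipaddress.ip_address(env.client_ip)
    if _domain(env.mail_from) in RELAY_SENDER_DOMAINS and any(ip in n for n in TRUSTED_NETS):
        return True, "relayed: trusted IP and allowed sender domain"
    return False, "relaying denied"
```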
EIMS version 2.1 and later support SMTP AUTH with CRAM-MD5; version 3.0 and later also support SMTP AUTH with PLAIN and LOGIN; version 3.1 and later also support SMTP AUTH with NTLM.

Some email servers support POP-before-SMTP, where they will allow relaying from an IP address if a client has checked mail from that IP address in the last few minutes. There are a number of disadvantages to this: it requires that the client connect before sending (most clients don't support doing this automatically), it leaves a window where the IP address the client used could potentially be hijacked by someone else, and for clients behind routers or dialup servers using NAT it allows relaying for everyone else behind the router or dialup server. EIMS has never supported POP-before-SMTP and I have no plans for supporting it; SMTP AUTH has always been a more secure and standards-based way of achieving the same results.

EIMS 1.3 and 2.0 supported restricting relaying by domain name only, however that still allowed anyone to relay if they forged an allowed domain. Users of these old versions should upgrade.

How does EIMS 3.2 decide if a message should be relayed?

EIMS 3.2 will relay a message if it meets one of the following criteria:
EIMS 3.2 relay security

New installations of EIMS 3.2 default to being completely secure. If you have upgraded from an older version of EIMS that was not secured, you will need to remove entries from the Relay Security that allow relaying from untrusted IP ranges.

Clients connecting from untrusted IP ranges should turn on SMTP AUTH in their mail client. To make sure you don't turn your server into an open relay:
EIMS 3.2 SMTP Submit

In order to prevent spammers from using dialup accounts to send spam through other servers, many ISPs are blocking access from dialup clients to SMTP (port 25) other than to that ISP's SMTP server. As a result, roaming clients that connect via these ISPs typically have to reconfigure their client to use that ISP's server. EIMS 3.2 supports a solution to this problem called SMTP Submit, where it can also receive mail on a second SMTP port, port 587 by default. If your users configure their client to use port 587, then they don't need to change any configuration when connecting from other ISPs.

Using the SMTP Submit port also makes it easier to manage client-to-server SMTP load vs. server-to-server SMTP load. If all your clients are switched to port 587, then any sort of overloading on port 25, due to large incoming mail volumes or DoS (Denial of Service) attacks, will not interrupt sending mail for clients.

How does EIMS 2.1 to 3.1 decide if a message should be relayed?

EIMS 2.1 to 3.1 will relay a message if it meets one of the following criteria:
EIMS 2.1 to 3.1 relay security

New installations of EIMS 3.1.1 to 3.1.5 default to being completely secure. See below for instructions on securing older installations. To make sure you don't turn your server into an open relay:
If you need to do something like relay mail for a web server while still having your EIMS server act as a backup MX for other domains, EIMS 3.2 has relay security that offers better flexibility and security for this sort of thing; you should upgrade.

How do I secure my EIMS Server version 2.1 to 3.1 against relaying?

Set the Relay restrictions to the 2nd option and then set the IP Range Restrictions for Mail Relay to only allow access from your local network and/or any trusted IP ranges. Clients connecting from outside these IP ranges should turn on SMTP Authentication in their mail client. Follow these steps to configure your EIMS Server:
Clients connecting from outside these IP ranges can relay if they turn on SMTP AUTH in the mail client.
What to do if you can't secure your server immediately

If you can't secure your server immediately, due to large numbers of clients connecting from untrusted IP ranges that need to turn on SMTP AUTH, there are some options for increasing relay security to block spammers and get off blacklists.

With EIMS 3.0 and later you can turn off Login Enabled for accounts to stop them being used to relay. Many blacklists will test your postmaster account to see if it can relay; turning off Login Enabled for the postmaster account will often get you off the blacklist. This should only be considered to be a temporary measure while you finish securing your server, as any other account with Login Enabled turned on can be used to relay until you have secured your server using the IP Range Restrictions for Mail Relay.

In order not to block all of your clients at once, you can start progressively blocking IP ranges in the IP Range Restrictions for Mail Relay. To get a good idea of what IP ranges your clients are connecting from, export a list of users from EIMS Admin (open the domain and go to Export Users from the Users & Groups menu) and sort the list by IP address. You should then be able to identify large IP ranges that clients do not connect from, as well as get an idea of how many users will be blocked in a particular IP range, so you can block a few users at a time and have them turn on SMTP AUTH in their mail client.

Such and such site says EIMS can't be secured against relaying.

Such and such site is very out of date (and if it is the site I am thinking of, they have repeatedly ignored requests to update their web page with current information); I suggest you ignore it. EIMS 2.1 (which was released in April 1998) and later can be completely secured using the above procedure. EIMS 2 users can download free updates to EIMS 2.2.2 from Qualcomm.
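For the progressive-blocking procedure described under "What to do if you can't secure your server immediately", here is an added Python helper (not part of EIMS or EIMS Admin) that groups an exported user list by client IP range and reports who would be cut off by blocking a given range; the export sample is constructed and reduced to username and last client IP, so adjust parse_export() to the real export layout.

```python
from __future__ import annotations
import ipaddress

# Constructed stand-in for an EIMS Admin "Export Users" list, reduced to the
# two fields this script needs: username and the client IP the user last
# connected from. The real export format is not reproduced here.
SAMPLE_EXPORT = """\
alice\t192.0.2.15
bob\t192.0.2.40
carol\t198.51.100.7
dave\t203.0.113.22
erin\t203.0.113.90
frank\t192.0.2.77
"""


def parse_export(text: str) -> list[tuple[str, str]]:
    """Return (user, ip) pairs, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            user, ip = line.split("\t")
            rows.append((user.strip(), ip.strip()))
    return rows


def users_per_range(rows, prefixlen: int = 24) -> dict[str, list[str]]:
    """Group users by the /prefixlen network their last connection came from,
    smallest groups first so the cheapest ranges to block come out on top."""
    groups: dict[str, list[str]] = {}
    for user, ip in rows:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups.setdefault(str(net), []).append(user)
    return dict(sorted(groups.items(), key=lambda kv: len(kv[1])))


def affected_users(rows, candidate_range: str) -> list[str]:
    """Users who would be cut off if candidate_range were blocked for relay,
    i.e. the ones who need SMTP AUTH turned on before you add that block."""
    net = ipaddress.ip_network(candidate_range)
    return [user for user, ip in rows if ipaddress.ip_address(ip) in net]
```

Run users_per_range() with a shorter prefix (e.g. 16) to see how many clients a broad block would affect before narrowing it down.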
Last modified 28 October 2022. Copyright 1997-2022 Glenn Anderson.