hello folks,

As all of you know, one can access an SMTP server via telnet at port 25 and send emails. Is there a way to block this type of access? I'm a bit paranoid and I don't want to allow all the world to abuse of my server to send unsolicited mail.

Thanks.

depends on whacha mean by "block"

If you don't need to receive mail, turn the mail app off or put in a firewall rule that blocks 25 requests.

Now if you do need mail, then you simply reconfigure your mail server to not act as a relay. It is different for each mail daemon so research your flavor and it should be simple to do.

This is basically the college SMTP server where students having an account with this system, can use this SMTP server to send their mails. It is based on sendmail. What I want to know is how do most ISPs (with domain isp.com) not allow telnet-based-email to recipients which are not user@isp.com. Or put it in other words, how can i make the system more secure, and at the same time allowing only subscribed people (in this case the students) to use the SMTP server to send their email.

Being able to connect via telnet is not the same thing as sending unsoliticited email. Telnet is simply the mechanism for issuing SMTP commands to the server. Other email clients do the same thing. They just have a better frontend.

If you sendmail system allows anyone to connect and send email to anyone, then you are an open relay. Telnet is not your problem. You need to look at the anti-spam configuration options for sendmail.

IBM has a document on their website called Securing_Linux_Servers_xSP_external.pdf that explains in detail how to secure Sendmail, Postfix and Qmail. Sorry I don't have the link at my fingertips but a quick search on their site should find it.

HTH!

P.S. Try http://www.sendmail.org/ They have some docs on how not to relay. Afterall, they wrote it!

so it's a way i could block people from telneting in port 25, but still I still want to be enable send and receive email ?

thanks

>This is basically the college SMTP server where students having an account >with this system, can use this SMTP server to send their mails.

You either have to make the server require a login before relaying mail or you have to restrict it to only relay mail from the ip addresses of machines in the college. You probably want port 25 blocked off from outside the college.


>so it's a way i could block people from telneting in port 25, but still I still want to be enable send and receive email ?

As stickman has already said, you can either allow or disallow connections to port 25. You can't tell what program is being used to connect to port 25. When a remote computer opens a connection to your port 25 they might be manually typing in TCP packets on a hexadecimal keypad for all your know.

telnet is a very simple program. It lets you connect to any TCP port and interact with it, if the protocol syntax is simple enough for a human to figure out (i.e. not encrypted, hashed, in binary, etch).

The is absolutely zero difference between using telnet to access an SMTP daemon and a slow e-mail client or server doing exactly the same thing (the only essential difference from normal is the rate at which commands are issued, but you have to permit this because of possible link latency in communicating with clients/servers).

Even if you require authentication to send to non-local domains (which you should) you still can't prevent someone from telnet'ing to your server and composing a message to local users, i.e. a user in a domain that you accept mail for.

If you want to learn how to lock down your SMTP server (by the way, Sendmail is a scary choice for an MTA, it has a myriad of security flaws and if it's been more than a few months since you patched it, it's probably vulnerable) then go to my site on e-mail security and visit the "links" section. There is a link near to top to the MAPS TSI anti-relay site. That has a full set of instructions for locking down just about any MTA ever created.

In addition to the anti-relay site, you may find some of the information on my site (MAPS is not affiliated with me in any way, I just find their site... insightful). It's only about half finished at this point, but it does have a lot of good info on the basics of protecting e-mail infrastructure.

If they don't need telnet access, turn off the telnet service. I would think you would want telnet off anyway for security reasons, and use SSH instead.

All you care about is whether or not you are an open relay, and whether or not your version of sendmail has a vulnerability. You're running a server, so you can't be paranoid about it being open to the internet. The issue isn't whether people can connect, it's whether you are relaying mail.

When someone sends you mail, it comes knocking on port 25. You want the whole internet to be able to send mail to your users. Thus you let the whole internet connect to port 25. (This is oversimplified, there are exceptions, etc., etc.)

Read up about sendmail and relaying. Since I use postfix (which handles this by default), I can't give you specific instructions.

The most basic form of preventing relaying would be to only accept/relay/send mail which originates or terminates within your domain. I.e., the author or recipient is a user connecting to their email account from a computer on your network. This gets more complicated in terms of authentication, off-campus computers needing to send mail, etc.

That's orthogonal to this issue. You're talking about access to shell accounts, not the mail transfer agent.

Then how does mail from outside get in?

It wouldn't.

Ganninu specifially said a server for outgoing email.
I assume that incoming email would is handled by a different machine.
I meant block access to port 25 on the outgoing email server from outside the college.

>Then how does mail from outside get in?
Via the server that handled incoming email

>You're running a server, so you can't be paranoid about it being open to the internet.
Yes you can if it is only supposed to be sending email out.

hehe thanks