Telnet To Email Server?

[Carlosinfl]

I was building a email server and one of the test to make sure that it works it to Telnet into the email server and try and send email that way. Everything obviously works but I was now questioning how secure this was seeing how I am able to send email from Telnet as anyone I specify versus just my email account so what stops anyone on the LAN from sending out emails masked as rouge email accounts?

Example...

telnet mail.example.com 25
220 mail.example.com ESMTP Postfix
HELO carloswill.example.com
220 mail.example.com
MAIL FROM: <[email protected]>
250 Ok
RCPT TO: <[email protected]>
250 Ok
Data
You're fired!
.
Mail queued as 123456
Quit
Bye!

 

[Malk-a-mite]

Disclaimer - I don't work with or play with the admin side of mail servers directly.

With that out of the way, it's possible with most (if not all) mail servers to limit the domain in which they will accept outing mail from (no more spoofing whitehouse.gov) and what commands it will accept when a user is telnet'ed in. From the look of it you are setup as an open relay.

http://www.seaglass.com/postfix/faq.html#ubeor2
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from

 

[SJConsultant]

It is important to test your email from an internal address as well as an external address.

Some mail servers may be preconfigured to allow relaying from any internal IP address, however they may disallow relaying from any external ip address.

In a Microsoft Exchange environment, we typically will turn off relaying for all authenicated users (we only allow relaying for specific users) as well as restrict the internal ip addresses that are allowed to relay.

 

[jpochedl]

What you're referring to is commonly called email spoofing.

http://en.wikipedia.org/wiki/E-mail_spoofing

Depending on the mail server software you're using, there are a couple things you can do to mitigate the issue. The two most common are Sender Policy Framework (SPF - http://en.wikipedia.org/wiki/Sender_Policy_Framework) and Sender ID (http://en.wikipedia.org/wiki/Sender_ID)

Unfortunately there's no consensus on which is the best to use, and support for either depends on the mail server you're using. However, when properly implimented you can mitigate the possibility for individuals to spoof the internal domain name in email to your own server.

That being said, I'm not sure I've ever seen an implimentation where these were a foolproof measure, or that there weren't holes punched to allow mail from network scanners, or automated processes, etc... It's best, in any email situation, to let your users know that the sender's email address is no more secure than any address on a physical envelope. (Just because the envelope says it's from George Bush, doesn't mean that he's the one who sent it to you....)