Disable SMTP-AUTH To Stop Relay Hackers In Their Tracks

Sometimes allowing password authentication on a system makes it less secure, not more.

Ever notice activity like this on your SMTP-enabled Domino server?

SMTP Server: Authentication failed for user guest ; connecting host 46.137.108.26
SMTP Server: Authentication failed for user backup ; connecting host 46.137.108.26
etc.

Guess what… In this case, I am not happy that ec2-46-137-108-26.eu-west-1.compute.amazonaws.com (Amazon Web Services, Ireland) thinks it needs to relay SMTP through my Domino server.

If this attacker guesses a valid user name and password combination, SMTP AUTH lets them relay whatever they want through the server, regardless of the anonymous relay restrictions.

There is a quick fix that prevents these attempts from ever circumventing your SMTP relay restrictions: disable inbound SMTP authentication.

If you are NOT using Internet Site documents, set the SMTP Inbound “Name & password” authentication field(s) to “No” in that server’s Server Document, under:
[Server Document] > Ports > Internet Ports > Mail

[Screenshot, 2016-02-09: Server Document > Ports > Internet Ports > Mail, with the SMTP inbound authentication field(s) set to “No”]

If you ARE using Internet Site documents, change the same authentication field(s) to “No” in the corresponding SMTP Inbound Site document instead:

[Screenshot, 2016-02-09: SMTP Inbound Site document, with the authentication field(s) set to “No”]

Want more info? Read more here.

Happy hacker snubbing!

 

6 thoughts on “Disable SMTP-AUTH To Stop Relay Hackers In Their Tracks”

    • I know what you mean. The original nature of SMTP and IBM’s choice of words in its configuration makes for a confusing situation.

      Without getting too far down the rabbit hole, here is one way to explain further:
      SMTP Inbound can be anonymous or authenticated.

      Almost all SMTP connections are “anonymous.” That isn’t to say that we can’t or don’t know where they come from. It only means that I am allowing your SMTP server to connect to mine without a user name and password. “You might not know me, but I have some mail that I want you to have.” It is then up to my server to determine what happens after this handshake.

      The core ability for an Anonymous connection to relay SMTP is controlled via a Configuration document. A popular method is to set Router/SMTP > Restrictions and Controls > SMTP Inbound Controls > Inbound Relay Controls > Deny messages to be sent to the following external internet domains = *
      “I’ll only accept your message if it is addressed to a domain that I’m supposed to handle.”

      However, Domino’s default settings would still allow an account (Name & Password) to use SMTP AUTH to circumvent the Anonymous relay controls set above.
      “I’m John Smith, here is the password you issued me to prove my identity, now you MUST take this message from me.”

      By setting the fields associated with SMTP AUTH to “No” the SMTP AUTH feature is disabled. Now I’m saying that the ONLY way you are going to get a chance to relay mail will be determined by my “Anonymous” relay settings. Attempting to provide a name and password is enough for me to deny your connection to this port. Even a correctly guessed (i.e. hacked) name and password will not be allowed SMTP Relay and my server will be saved the further cycles of trying to validate the attempt.

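The reply above, as an added illustration (this is not Domino code, and the reply codes and wording are generic SMTP conventions chosen for the model, not Domino’s actual responses): a toy inbound SMTP policy that models both configurations. With allow_auth=True (the default), a correctly guessed name and password passes AUTH and the session then relays to an external domain; with allow_auth=False (the fix), AUTH is refused before the credentials are even checked, and the anonymous relay rule (deny external domains) is all that applies. The local domain, user name, password and host names are constructed for the example.

```python
"""Toy model of anonymous relay restrictions vs. the SMTP AUTH bypass.

Added illustration, not Domino code.  Reply codes follow generic SMTP
conventions; they are not what Domino actually sends.
"""
import base64

# Constructed configuration for the model.
LOCAL_DOMAINS = {"example.com"}            # domains this server is supposed to handle
VALID_CREDENTIALS = {"jsmith": "S3cret!"}  # a name & password the server issued


class ToySmtpServer:
    """Minimal inbound SMTP state for EHLO / AUTH PLAIN / MAIL / RCPT.

    allow_auth=True mirrors the default ("Name & password" = Yes): a valid
    login may relay anywhere.  allow_auth=False mirrors the fix: AUTH is
    refused outright, so only the anonymous relay rule applies.
    """

    def __init__(self, allow_auth: bool):
        self.allow_auth = allow_auth
        self.authenticated = False

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # Only advertise AUTH when it is actually enabled.
            if self.allow_auth:
                return "250-mail.example.com\r\n250 AUTH PLAIN"
            return "250 mail.example.com"
        if verb == "AUTH":
            if not self.allow_auth:
                # Offering a name and password is itself enough to be refused;
                # no lookup or password check is performed.
                return "503 5.5.1 AUTH not available"
            return self._auth_plain(arg)
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def _auth_plain(self, arg: str) -> str:
        # AUTH PLAIN <base64("\0user\0password")>
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:
            _, user, password = base64.b64decode(blob).decode().split("\0")
        except ValueError:
            return "501 5.5.2 Cannot decode credentials"
        if VALID_CREDENTIALS.get(user) == password:
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication failed"

    def _rcpt(self, arg: str) -> str:
        _, _, address = arg.partition(":")
        address = address.strip().strip("<>")
        if "@" not in address:
            return "501 5.1.3 Bad recipient address syntax"
        domain = address.rsplit("@", 1)[1].lower()
        if domain in LOCAL_DOMAINS:
            return "250 2.1.5 Recipient OK"      # local delivery, never relaying
        if self.authenticated:
            return "250 2.1.5 Recipient OK"      # authenticated users may relay anywhere
        return "554 5.7.1 Relay rejected for external domain"   # the "= *" anonymous rule


def attacker_session(allow_auth: bool, user: str, password: str) -> list[str]:
    """Replay a guessed-credential relay attempt; return the server's replies."""
    creds = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    server = ToySmtpServer(allow_auth)
    script = [
        "EHLO ec2-46-137-108-26.eu-west-1.compute.amazonaws.com",
        f"AUTH PLAIN {creds}",
        "MAIL FROM:<spammer@attacker.invalid>",
        "RCPT TO:<victim@elsewhere.invalid>",   # external domain: this is the relay
        "QUIT",
    ]
    return [server.handle(cmd) for cmd in script]


if __name__ == "__main__":
    for allow in (True, False):
        print(f"allow_auth={allow}:", attacker_session(allow, "jsmith", "S3cret!"))
```

Running the block shows the same guessed credentials relaying mail under the default and being refused at the AUTH command under the fix; the RCPT to the external domain is then denied by the anonymous relay rule alone.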

  1. No worries. In a perfect world IBM would extend the functionality of the Internet Lockout feature so that the IP of offending SMTP AUTH attempts could be blocked after a specified number of failed attempts.


  2. David, sadly I don't think Domino will ever address this issue for “Internet lockouts”, more so since it's been sold to HCL. I have multiple mobile phone users and thus can't turn off SMTP authentication.

    The solution was a two fold approach:

    1. Wrote a LotusScript agent that runs daily and parses through all log.nsf documents created in the last 24 hours, extracts the offending IPs and sends me an email at 9 AM every day.

    2. Used a Windows batch file that creates a Windows Firewall “incoming” rule from the IP list populated daily in step 1 above. I have a threshold of 200 IPs per firewall rule, after which it creates a new one. Thanks to an internet poster, Chris, for his help in creating the batch file:

    https://serverfault.com/questions/653814/windows-firewall-netsh-block-all-ips-from-a-text-file

    These two steps work very well, and it takes me 5 minutes daily to update my firewall rules. Offending IPs are down to roughly 10 a day, when typically I had over 100.


    • Thanks for your insight, Arvind. The ability to keep on top of the offending IP addresses must be a relief. One thing I’m not sure I understand is your statement that mobile phone users require SMTP authentication. You must be doing something there that is outside of what Traveler has to offer. And I totally agree with you about the frustrating lack of attention both IBM and now HCL have with longtime known problems. “Will be addressed in a future release” has been the standard cop-out PMR response for decades. Instead of addressing fundamental issues, they pretend that grandiosely increasing the product version number will somehow win back customers.

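Arvind’s two-step approach, as an added example that is neither his LotusScript agent nor Chris’s batch file: parse the “Authentication failed” lines quoted in the post, count failures per connecting host, and chunk the offenders into netsh advfirewall inbound block rules (200 IPs per rule, as in the comment; remoteip accepts a comma-separated list). The log lines are constructed to match the format quoted in the post, and the timestamp prefix is an assumption. An allowlist keeps your own users’ known addresses out of the block list, since a legitimate user mistyping a password produces exactly the same log line; the per-host count of distinct user names in the report is the signal that separates a password-guessing host from a forgetful colleague.

```python
"""Find brute-force SMTP AUTH sources in Domino console log lines and emit
Windows Firewall block rules.  Added example, not the agent or batch file
from the comment above.  Sample log lines are constructed to match the
format quoted in the post; the timestamp prefix is assumed.
"""
import re
from collections import Counter

# Constructed sample log lines (hosts are documentation addresses).
SAMPLE_LOG = """\
02/09/2016 09:45:01 PM  SMTP Server: Authentication failed for user guest ; connecting host 46.137.108.26
02/09/2016 09:45:03 PM  SMTP Server: Authentication failed for user backup ; connecting host 46.137.108.26
02/09/2016 09:45:05 PM  SMTP Server: Authentication failed for user admin ; connecting host 46.137.108.26
02/09/2016 09:46:10 PM  SMTP Server: Authentication failed for user test ; connecting host 203.0.113.7
02/09/2016 09:47:12 PM  SMTP Server: Authentication failed for user jsmith ; connecting host 198.51.100.23
02/09/2016 09:47:13 PM  SMTP Server: Authentication failed for user jsmith ; connecting host 198.51.100.23
02/09/2016 09:48:00 PM  Router: Message 00123456 delivered to CN=John Smith/O=Example
02/09/2016 09:48:30 PM  SMTP Server: Authentication failed for user sales ; connecting host 203.0.113.7
02/09/2016 09:48:31 PM  SMTP Server: Authentication failed for user info ; connecting host 203.0.113.7
"""

# Matches the message text quoted in the post, whatever precedes it on the line.
AUTH_FAIL = re.compile(
    r"SMTP Server: Authentication failed for user (?P<user>\S+) ; "
    r"connecting host (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)


def failures_by_host(log_text: str) -> dict[str, Counter]:
    """Return {connecting host: Counter(user name -> failed attempts)}."""
    per_host: dict[str, Counter] = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            per_host.setdefault(m["host"], Counter())[m["user"]] += 1
    return per_host


def offenders(log_text: str, threshold: int, allowlist=frozenset()) -> list[str]:
    """Hosts with at least `threshold` failures, busiest first, skipping
    allowlisted addresses (e.g. your own users' fixed IPs)."""
    counts = {h: sum(c.values()) for h, c in failures_by_host(log_text).items()}
    hits = [h for h, n in counts.items() if n >= threshold and h not in allowlist]
    return sorted(hits, key=lambda h: (-counts[h], h))


def report(log_text: str, threshold: int) -> list[str]:
    """One summary line per offending host, for the daily e-mail."""
    per_host = failures_by_host(log_text)
    lines = []
    for host in offenders(log_text, threshold):
        users = per_host[host]
        lines.append(f"{host}: {sum(users.values())} failures, "
                     f"{len(users)} distinct users ({', '.join(sorted(users))})")
    return lines


def netsh_block_rules(ips, rule_prefix="Block SMTP AUTH abusers", per_rule=200) -> list[str]:
    """Build one inbound block rule per `per_rule` addresses (200 mirrors the
    comment).  Returned as command strings; nothing is executed here."""
    ips = list(ips)
    return [
        f'netsh advfirewall firewall add rule name="{rule_prefix} {i // per_rule + 1}" '
        f"dir=in action=block remoteip={','.join(ips[i:i + per_rule])}"
        for i in range(0, len(ips), per_rule)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, threshold=3)))
    print("\n".join(netsh_block_rules(offenders(SAMPLE_LOG, threshold=3))))
```

With a threshold of 3 the sample yields two offending hosts (each trying three different user names) and one netsh rule; 198.51.100.23, which failed twice on a single real-looking user name, is left alone. Pick the threshold and allowlist from your own log volume before feeding the output to the firewall.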
