Disable SMTP-AUTH To Stop Relay Hackers In Their Tracks

Sometimes setting up a system to allow password authentication is less secure.

Ever notice activity like this on your SMTP-enabled Domino server?

SMTP Server: Authentication failed for user guest ; connecting host 46.137.108.26
SMTP Server: Authentication failed for user backup ; connecting host 46.137.108.26
etc.

Guess what…  In this case, I am not happy that ec2-46-137-108-26.eu-west-1.compute.amazonaws.com (Amazon Web Services, Ireland) thinks they need to relay SMTP through my Domino server.

If this hacker is able to guess a user login and password combo, they can relay whatever they want.

There is a quick fix that prevents these hacking attempts from ever succeeding at circumventing SMTP relay restrictions:

If you are NOT using Internet Site documents, set the following field(s) to “No” in the corresponding server’s Server Document:

[Screenshot (2016-02-09_21-45-04): the SMTP AUTH field(s) in the Server Document]

If you ARE using Internet Site documents, just change the following field(s) to “No”:

[Screenshot (2016-02-09_21-49-56): the SMTP AUTH field(s) in the Internet Site document]

Want more info? Read more here.

Happy hacker snubbing!


4 thoughts on “Disable SMTP-AUTH To Stop Relay Hackers In Their Tracks”

    • I know what you mean. The original nature of SMTP and IBM’s choice of words in its configuration makes for a confusing situation.

      Without getting too far down the rabbit hole, here is one way to explain further:
      SMTP Inbound can be anonymous or authenticated.

      Most all SMTP connections are “anonymous.” That isn’t to say that we can’t or don’t know where they come from. It only means that I am allowing your SMTP server to connect to mine without a user name and password. “You might not know me, but I have some mail that I want you to have.” It is then up to my server to determine what happens after this handshake.

      The core ability for an Anonymous connection to relay SMTP is controlled via a Configuration document. A popular method is to set Router/SMTP > Restrictions and Controls > SMTP Inbound Controls > Inbound Relay Controls > Deny messages to be sent to the following external internet domains = *
      “I’ll only accept your message if it is addressed to a domain that I’m supposed to handle.”

      However, Domino’s default settings would still allow an account (Name & Password) to use SMTP AUTH to circumvent the Anonymous relay controls set above.
      “I’m John Smith, here is the password you issued me to prove my identity, now you MUST take this message from me.”

      By setting the fields associated with SMTP AUTH to “No” the SMTP AUTH feature is disabled. Now I’m saying that the ONLY way you are going to get a chance to relay mail will be determined by my “Anonymous” relay settings. Attempting to provide a name and password is enough for me to deny your connection to this port. Even a correctly guessed (i.e. hacked) name and password will not be allowed SMTP Relay and my server will be saved the further cycles of trying to validate the attempt.


  1. No worries. In a perfect world IBM would extend the functionality of the Internet Lockout feature so that the IP of offending SMTP AUTH attempts could be blocked after a specified number of failed attempts.

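As an added example (not code from the post, and not an IBM/Domino feature): a small Python script that parses console lines of the exact shape quoted in the post, counts failed SMTP AUTH attempts per connecting host, and lists hosts over a threshold, which is the per-IP lockout the second comment wished the Internet Lockout feature covered. The sample log lines are constructed (only the first address is the one from the post), and the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Pattern for the console line quoted in the post; user and host are captured,
# the rest must match literally so unrelated console lines are skipped.
FAILED_AUTH = re.compile(
    r"SMTP Server: Authentication failed for user (?P<user>\S+) ; "
    r"connecting host (?P<host>\S+)"
)

# Constructed sample console output. The first address is the one in the post;
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges used as stand-ins.
SAMPLE_LOG = """\
SMTP Server: Authentication failed for user guest ; connecting host 46.137.108.26
SMTP Server: Authentication failed for user backup ; connecting host 46.137.108.26
Router: Message 001A2B3C delivered to Jane Doe/Example
SMTP Server: Authentication failed for user admin ; connecting host 46.137.108.26
SMTP Server: Authentication failed for user test ; connecting host 46.137.108.26
SMTP Server: Authentication failed for user jsmith ; connecting host 192.0.2.10
SMTP Server: Connected to host 203.0.113.7
"""

def parse_failures(log_text):
    """Return (user, host) pairs for every failed SMTP AUTH line in log_text."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if m:
            pairs.append((m.group("user"), m.group("host")))
    return pairs

def summarize_by_host(pairs):
    """Per connecting host: failure count and the distinct usernames it tried.
    Many distinct names from one host is the guessing the post describes."""
    summary = defaultdict(lambda: {"failures": 0, "users": set()})
    for user, host in pairs:
        summary[host]["failures"] += 1
        summary[host]["users"].add(user)
    return dict(summary)

def hosts_over_threshold(summary, max_failures):
    """Hosts with more than max_failures failures, worst first: the per-IP
    lockout the second comment wished for, ready to feed a firewall deny list."""
    flagged = [(h, s["failures"]) for h, s in summary.items() if s["failures"] > max_failures]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    by_host = summarize_by_host(parse_failures(SAMPLE_LOG))
    for host, count in hosts_over_threshold(by_host, max_failures=3):
        print(f"{host}: {count} failed SMTP AUTH attempts; users tried: {sorted(by_host[host]['users'])}")
```

Run it against a saved copy of the Domino console log instead of SAMPLE_LOG to see which hosts are hammering SMTP AUTH; with SMTP AUTH disabled as the post describes, these lines stop mattering, but the count still tells you who was trying.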