
Setting up mail relay access - what are my options/concerns?

Let me first preface this by saying we have a company that handles a majority of our networking configuration and I have a question regarding mail servers. We're currently running iMail by IPSwitch for our mail server (in addition to MailWarden for event viewing and further configuration for relays, etc.) To date we don't have mail relay access set up for people that are not within our LAN. I've had quite a few requests from people to be able to use their SMTP account from home and be able to send messages. I've been told opening up mail-relay access is an open invitation for spammers to send/relay mail through our servers, possibly causing us to get black-listed. Now, how does everyone else handle this situation? Perhaps I'm not understanding the mail relay service entirely. Doesn't a user need a user/password with the server in order to relay mail through us?

Any help / advice in this situation is appreciated, 🙂

- RJ
 
I've been told opening up mail-relay access is an open invitation for spammers to send/relay mail through our servers, possibly causing us to get black-listed.

What you've heard is correct. If your mail server allowed relay indiscriminately, then after about a week or two spammers would be having a field day with your mail server.

Now, how does everyone else handle this situation?

There are a few ways to address this issue. A common way is to have the users set their outgoing/SMTP server on their e-mail client to whatever is appropriate for their local ISP. For example, I use Comcast at home so I set mine to "smtp.comcast.net" (err...at least that's what I think it is. Heh, I don't remember exactly, but that's not important). Most users get confused by this as they think it changes the way their e-mail "looks" to the receiver.
The only negative to this setup is for users who switch ISPs or move around a lot with a notebook due to travel, etc., as they'd have to constantly change the outgoing mail setting.

You could also set up your mailserver to prompt for a username+password. The problem with this is that all of your users will have to constantly type in their password every time they want to send mail...although I suppose they could use the "save the password" setting. I'm not sure if IPswitch can do this, but it would be nice if it had a feature where you could exclude local users, based on IP, from having to validate themselves.

 
Thanks for the reply Sub.

Here's a question. I own a domain name and I'm using it for both my incoming and outgoing mail servers (mail.dionsys.com). The site is being hosted by another provider, but how would a hosting provider prevent spammers from using their customers' outgoing mail server (ex. mail.dionsys.com)? Perhaps I'm not understanding the whole mail-relay concept correctly.

 
Hmm....I'm not sure I entirely understand your question, but I'll give it a shot 🙂

It sounds like you're saying that you own your own domain name, but you don't actually run your own mail server? I mean, the mail server is not administered by you? Is this correct? ....Wait, earlier you mentioned that, "we're currently running iMail" so I'm not sure of your situation.

In any case, the answer to your question is that ISPs which control the actual mail server that their clients use restrict relay by IP address. They typically only allow IPs from their own network (which by extension includes all of their clients' networks as well) to relay mail. Assuming their own clients are not spammers themselves, this is reasonable assurance that their mail server won't be abused by spammers.

In cases where the customers administer their own mail server, there's nothing the hosting provider can do to stop their clients from improperly setting up open relays. What usually happens is that the hosting provider receives a ton of complaints about spam coming from a particular server on their network. At that point they usually cut off your service until it's fixed. 😉
 
Originally posted by: subflava


What you've heard is correct. If your mail server allowed relay indiscriminately, then after about a week or two spammers would be having a field day with your mail server.

Week or two? Try an hour or two. 🙂
 
A common way is to have the users set their outgoing/SMTP server on their e-mail client to whatever is appropriate for their local ISP. For example, I use Comcast at home so I set mine to "smtp.comcast.net" (err...at least that's what I think it is. Heh, I don't remember exactly, but that's not important). Most users get confused by this as they think it changes the way their e-mail "looks" to the receiver.

That is the typical way to handle things, and my recommendation as well. It provides a security model that is workable, since your ISP allows relaying from within their range of IPs, and will "police their own". If they get hammered by spam from within, they can track it down and deal with it, if they are responsible.
I have some very specific ranges opened up for relaying, in some cases exact static IPs from certain users. That is about it for my relaying.
 
Week or two? Try an hour or two.

Yeah, I know that's the standard answer, but I've not really seen any concrete data on these types of issues. I used to work at a small ISP that had about 4000 DSL lines (about 70/30 residential to business) and we'd deal with complaints about open relays on our network. It didn't seem to me like these open relays were set up recently. I had no idea how long they were allowing relay.

Of course, it could be that by the time I got the complaint and looked at the problem the spammers had already been using it for a while.

In any case, it's pretty interesting to me...I wonder if anyone has tried any testing to try to measure how fast it takes.
 
Originally posted by: subflava
Week or two? Try an hour or two.

Yeah, I know that's the standard answer, but I've not really seen any concrete data on these types of issues. I used to work at a small ISP that had about 4000 DSL lines (about 70/30 residential to business) and we'd deal with complaints about open relays on our network. It didn't seem to me like these open relays were set up recently. I had no idea how long they were allowing relay.

Of course, it could be that by the time I got the complaint and looked at the problem the spammers had already been using it for a while.

In any case, it's pretty interesting to me...I wonder if anyone has tried any testing to try to measure how fast it takes.

I think it depends on how "open" it is. The place I'm at now used to act as an open relay as long as your from address contained the domain of any of the ones we hosted. That's easily faked and the spam db's considered it to be an open relay if they tested it. But it was also closely watched and in all the time they ran it that way it was never used for spam. I've introduced them to the glory of smtp-auth so that's no longer how it's done, but for them being a semi-open relay was not an issue.
 
Just another option to consider: POP before SMTP. This requires authentication via POP3 before you can send mail out, but this would depend on your server supporting it. SMTP Auth would be more ideal I should think, but the alternate popular method is to send mail out as if it were from your one address through your local ISP's mailserver. The reason the latter is so popular is because it works.
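
The relay rules discussed across this thread (relay by source IP, SMTP AUTH, POP before SMTP, and the sender-domain check one poster calls easily faked), modelled as one decision function. This is an added example, not code from any poster or from iMail; the domain, network range, addresses and time window are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder policy values (assumptions, not from the thread).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # office LAN / static IPs
POP_WINDOW = 15 * 60  # seconds a POP3 login keeps relaying open for that client


@dataclass
class Session:
    client_ip: str
    mail_from: str                         # supplied by the client, unverified
    rcpt_to: str
    authenticated: bool = False            # SMTP AUTH succeeded on this connection
    pop_login_age: Optional[float] = None  # seconds since this IP passed POP3 login


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def decide(s: Session, trust_sender_domain: bool = False) -> str:
    """Return 'deliver', 'relay' or 'reject' for one RCPT TO."""
    if domain(s.rcpt_to) in LOCAL_DOMAINS:
        return "deliver"  # inbound mail for our own users is not relaying
    ip = ipaddress.ip_address(s.client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "relay"    # relay restricted by source IP
    if s.authenticated:
        return "relay"    # SMTP AUTH: works from any network
    if s.pop_login_age is not None and s.pop_login_age <= POP_WINDOW:
        return "relay"    # POP before SMTP
    if trust_sender_domain and domain(s.mail_from) in LOCAL_DOMAINS:
        return "relay"    # weak rule: MAIL FROM proves nothing about the client
    return "reject"


def audit(trust_sender_domain: bool) -> dict:
    """Run constructed sample sessions through the policy."""
    home, out, me = "198.51.100.7", "bob@example.net", "rj@example.com"
    cases = {
        "lan_user": Session("192.0.2.10", me, out),
        "home_no_auth": Session(home, me, out),  # only evidence is the From domain
        "home_smtp_auth": Session(home, me, out, authenticated=True),
        "home_pop_recent": Session(home, me, out, pop_login_age=60),
        "inbound": Session(home, out, me),
    }
    return {name: decide(s, trust_sender_domain) for name, s in cases.items()}
```

Comparing `audit(False)` with `audit(True)` shows that only the `home_no_auth` case changes, from reject to relay, which is the case a relay-testing database would flag.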
 