Koozali.org: home of the SME Server

SME 6 appears to have an "open mail relay"

Mike

SME 6 appears to have an "open mail relay"
« on: January 03, 2004, 12:45:35 PM »
Never thought I would have to report a bug like that about SME 6.0.

I had a SME 6 Beta3 running and needed to configure it so someone could get pop-mail from my server from the internet so I configured "POP and IMAP server access" to "Allow public access (entire Internet)".
Everything worked fine but I have "AWStats - Web statistics" running and I noticed that I got a lot of hits and data transfers from ....proxy.aol.com so I got suspicious.
I knew I had recently enabled POP mail for the entire internet so I started searching the internet for mail relay tests.
I found several mail relay tests but ended up with the one from www.abuse.net.
I got the next message:

*****************************************************************************************
Relay test result
Hmmn, at first glance, host appeared to accept a message for relay.
THIS MAY OR MAY NOT MEAN THAT IT'S AN OPEN RELAY.

Some systems appear to accept relay mail, but then reject messages internally rather than delivering them, but you cannot tell at this point whether the message will be relayed or not.

If it is really an open relay, the test message will be delivered to you. If you do not receive the test message in your e-mail in the next few hours, it IS NOT an open relay.
*****************************************************************************************

Unfortunately I received the mail from them.
So I started to update and close up my system, testing for mail relaying after every step.
1) Updated my SME 6.0 Beta3 to the SME 6.0 stable release.
     Result: The problem persisted, meaning I still got the relayed test email from them.
2) Closed the "POP and IMAP server access" to "Allow access only from local networks"
     Result: The problem persisted, meaning I still got the relayed test email from them.
3) Disabled "Enable/Disable Webmail"
     Result: The problem persisted, meaning I still got the relayed test email from them.

The open relay test seems to see that the server accepts relay mail, but then rejects messages internally as far as the test can determine.
Still, the test message they talk about at the end should not be received if the server is fully closed to mail relaying, but unfortunately it does relay the message because I got that test email.
And that after updating it to the last status and setting the server so it will only allow pop mail from local networks and disabling webmail.

Worth looking into I think....

Mike

"open mail relay" additional testing....
« Reply #1 on: January 03, 2004, 01:57:04 PM »
By reading a lot of how the test worked I stumbled over a sentence that said something like; If we detect that the test is done several times after each other, the test just gives back the result of the first test.

Therefore I registered with www.abuse.net (which is necessary to do the test) with another of my email addresses and tested again from step 2 (see first email), meaning: closed the "POP and IMAP server access" to "Allow access only from local networks" and with webmail still enabled (Secure mail only) and tested the mail relay again.
Result: No mail relay possible anymore.

So the conclusion of this second test is that SME 6.0 is only relaying mail if you configure SME 6.0 to "POP and IMAP server access": "Allow public access (entire Internet)".
At least you can close it up by allowing POP and IMAP server access only from local networks.

It is still a security breach, a hole that should be closed!!!


Rob

Re: SME 6 appears to have an "open mail relay"
« Reply #2 on: January 04, 2004, 02:51:12 AM »
Hi,

Did you receive the relayed email on the server under test, or on
a different server, and what is the result of the "anonymous test"?

I tried this on my server (6.0), and I only get the relayed email
if the mail account is on my server, or a domain/ebay exists with
the same domain as in the email.
This is expected because those are known, local, domains and
should accept those emails.

(My server does have clam/amavis and spamassassin installed)

Greetings,
Rob
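
The distinction Rob draws above (mail accepted for a known local domain is ordinary delivery, not relaying) can be applied when reading a relay-test session. This is an added example, not part of the original thread; the transcript, the addresses and the `LOCAL_DOMAINS` set are constructed, and the list of local domains is assumed to be known to the administrator.

```python
import re

# Assumption: the domains this server accepts mail for (its known local domains).
LOCAL_DOMAINS = {"example.org"}

# Constructed transcript of one relay-test session (C: tester, S: server).
TRANSCRIPT = """\
C: MAIL FROM:<tester@relaytest.invalid>
S: 250 ok
C: RCPT TO:<mike@example.org>
S: 250 ok
C: RCPT TO:<user%outside.invalid@example.org>
S: 250 ok
C: RCPT TO:<user@outside.invalid>
S: 553 sorry, that domain isn't in my list of allowed rcpthosts
"""

RCPT = re.compile(r"^C: RCPT TO:<([^>]*)>", re.I)
REPLY = re.compile(r"^S: (\d{3})")

def classify(address, accepted, local_domains):
    """Say what an accepted or rejected RCPT TO tells us about relaying."""
    local_part, _, domain = address.rpartition("@")
    if not accepted:
        return "rejected"
    if domain.lower() not in local_domains:
        return "relay-accepted"   # foreign domain accepted: a real finding
    if re.search(r"[%!@]", local_part):
        # Source-routed form addressed to a local domain. Acceptance at SMTP
        # time proves nothing; only delivery to the outside mailbox would.
        return "inconclusive"
    return "local-delivery"       # expected: the server owns this domain

def triage(transcript, local_domains):
    """Pair each RCPT TO with the server's reply code and classify it."""
    results, pending = [], None
    for line in transcript.splitlines():
        m = RCPT.match(line)
        if m:
            pending = m.group(1)
            continue
        r = REPLY.match(line)
        if r and pending is not None:
            accepted = r.group(1).startswith("2")
            results.append((pending, classify(pending, accepted, local_domains)))
            pending = None
    return results

if __name__ == "__main__":
    for address, verdict in triage(TRANSCRIPT, LOCAL_DOMAINS):
        print(f"{verdict:15} {address}")
```

A test mailbox hosted on the server under test can only ever produce `local-delivery`, so it cannot confirm or rule out an open relay.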

Mike

Re: SME 6 appears to have an "open mail relay"
« Reply #3 on: January 04, 2004, 09:17:56 AM »
>Did you receive the relayed email on the server under test
Yes

>and what is the result of the "anonymous test"?
OK, tested that today.
No mail relay detected and I also did not get the test email.

>I tried this on my server (6.0), and I only get the relayed email
>if the mail account is on my server, or a domain/ebay exists with
>the same domain as in the email.
>This is expected because those are known, local, domains and
>should accept those emails.
You are right, I started testing with an email address that resides on my test server.

After that I registered with abuse.net with another email account that is hosted by my Internet provider, not on the test server itself, but that I receive through this server by configuring my Outlook to get this mail.
I have one other email address that I get with Outlook and that is hosted with yet another provider, but this is a free internet provider and this one is very slow so the registration with abuse.net is not fully completed yet.
I will test with those 2 emails again.

The problem is that the test just gives back the result of the first test if I did not wait long enough. That makes quick testing impossible.

I made one more mistake.
Test one was already a change: the upgrade from SME 6 Beta 3 to SME 6 stable.
I have not fully ruled out that this didn't solve the problem because the test cannot be done with the same email address if you test again too quickly.

The test server (my only, and production server) now has the status SME 6 Stable with webmail enabled (as Secure only) and POP mail allowed by the public (so full internet access). I will test it again today with those 2 external mail programs from the internet providers' webmail to fully rule out that "the mail knows that it came from or through my server".

Charlie Brady

Re: SME 6 appears to have an "open mail relay"
« Reply #4 on: January 04, 2004, 07:22:04 PM »
Mike wrote:

> Never thought I would have to report a bug like that about SME
> 6.0.

I can confidently say that either the test is a false positive, or you have done some customisation which has broken the security of the server.

But just to be on the safe side, please report your problem, in detail to smesecurity@mitel.com.

> I had a SME 6 Beta3 running and needed to configure it so
> someone could get pop-mail from my server from the internet so
> I configured "POP and IMAP server access" to "Allow public
> access (entire Internet)".

Mail isn't sent via POP, so I doubt this is relevant.

> I found several mailrelay tests but ended up with the one
> from www.abuse.net.
> I got the next message:
>
>
> *****************************************************************************************
> Relay test result
> Hmmn, at first glance, host appeared to accept a message for
> relay.

You haven't told us which test has produced the anomalous result, which makes it impossible to determine what might be the issue abuse.net is highlighting.

> The open relay test seems to see that the server accepts
> relay mail, but then rejects messages internally as far as the
> test can determine.

Abuse.net's testing has long had a reputation of wrongly reporting open relays in qmail systems. See:

http://homepages.tesco.net/~J.deBoynePollard/FGA/maps-relay-test-is-wrong.html

> Still the testmessage they talk about in the end should not
> be received if the server is fully closed to mail relaying but
> unfortunately it does relay the message because I got that test
> email.

Please send a copy of that message to smesecurity@mitel.com.

Charlie

> Worth looking into I think....

Worth reporting to the correct place :-)

Mike

Re: SME 6 appears to have an "open mail relay"
« Reply #5 on: January 04, 2004, 08:37:40 PM »
Thanks Charlie

I think I already have almost completely proved my suspicion to be wrong, I am happy to say.
But you are right, to be on the safe side I will mail Mitel a link to this thread, just to be on the safe side.

Just something else, Charlie, isn't Mitel monitoring contribs.org's bug reporting?
Maybe something should change here because I thought that for non-paying customers this, contribs.org's bug reporting, would be the right place to report this.

Mike

Dan York

Re: SME 6 appears to have an "open mail relay"
« Reply #6 on: January 05, 2004, 09:02:35 PM »
Mike,

> Just something else, Charlie, isn't Mitel monitoring
> contribs.org's bug reporting?
> Maybe something should change here because I thought that for
> non-paying customers this, contribs.org's bug reporting, would
> be the right place to report this.

As far as I am aware, this *is* the correct place to report the issue (unless the contribs.org folks indicate otherwise).

However, given that security has always been a high priority for us here at Mitel, we definitely do appreciate ALSO receiving the notice in case there is an issue to be addressed that is an issue for both the unsupported and our commercial release. We have always treated security issues with a very high priority, and will continue to do so.

Thanks,
Dan

Graeme Fleming

Re: SME 6 appears to have an "open mail relay"
« Reply #7 on: January 06, 2004, 05:52:05 AM »
Use the tests on this site - http://msv.dk/ - to check your server; it does a pretty good job of telling you exactly what relays work or not.

BTW - SME 6 final passed all tests

HTH