Q: My Mercury server is being used for unauthorized 3rd-party relaying and now my server is blacklisted on the ORBS and MAPS sites as an Open Relay. How can I prevent 3rd-party relaying through my Mercury server?
A: The Mercury/NLM Mail Transport Agent (MTA) is a mail host for Novell NetWare servers (v3.x and above). Provisions to prevent unauthorized relaying have been added as of version 1.40. If you are running a previous version, please download and install the latest version.
The Mercury/32 MTA is a Win32 application designed for Windows 95/98/Me/NT/2000/XP. Provisions to prevent unauthorized relaying have been added as of version 2.11. If you are running a previous version, please download and install the latest version.
The latest versions of Mercury are available from: http://www.pmail.com
Mercury provides three levels of relay control: Normal, Strict, and SMTP Authentication.
In all three modes, mail is always accepted if the recipient address is local (or the recipient address is defined as a Mercury synonym or alias). Relay control only concerns itself with mail for non-local recipients and it is here that the relay modes differ.
"Normal" mode will catch 99% of all current unauthorized relaying attempts (spam attacks) and is very simple to set up. To activate Normal anti-relaying mode, the following text should be added to the [MercuryS] section of your "MERCURY.INI" file (located in the SYS:SYSTEM directory for the Mercury/NLM version or in the Mercury program directory for Mercury/32):
[MercuryS]
Relay : 0
Allow : 192.168.1.0 # Our local Class C (254-node) network
Allow : 192.168.10.5 # A single other machine we allow to relay
With Normal anti-relay mode, Mercury accepts a message for a non-local recipient if the sender address is one that Mercury considers local (that is, it resolves to a local user, or a synonym or alias has been defined for it within Mercury). If the sender address is not local, Mercury instead compares the IP address of the connecting SMTP client/host against the "Allow" statements in the [MercuryS] section of MERCURY.INI. If neither test passes, the relay attempt is refused.
Normal anti-relay mode is quick to set up and needs little maintenance, but the sender address is supplied by the connecting client, so anyone who forges a local sender address (for example, the address of one of your own users) will be allowed to relay. A spammer who has probed your server once will know which addresses are local, so treat Normal mode as a stopgap rather than a complete fix.
"Strict" mode will catch practically all unauthorized relaying attempts (as long as the relaying controls are properly configured), but requires you to actively manage an "Allow" list of permitted relay hosts. To activate Strict anti-relaying mode, the following text should be added to the [MercuryS] section of your "MERCURY.INI" file (located in the SYS:SYSTEM directory for the Mercury/NLM version or in the Mercury application directory for Mercury/32):
[MercuryS]
Relay : 0
Strict_Relay : 1
Allow : 192.168.1.0 # Our local Class C (254-node) network
Allow : 192.168.10.5 # A single other machine we allow
With Strict anti-relay mode, Mercury only looks to see if the IP address of the connecting SMTP client/host is on its "Allow" list. If not, Mercury will not allow the connecting SMTP client/host to relay mail. Thus, you must make sure that there is an "Allow" statement for all SMTP clients/hosts that should be allowed to relay mail through Mercury. This would include any local PCs that are running a POP3/SMTP mail client (like Outlook, Outlook Express, Eudora, Netscape Messenger, and perhaps even Pegasus Mail if set up to use its built-in SMTP client rather than a LAN or user-defined gateway). Don't forget to include your web and application servers with SMTP Clients that need to relay mail through your Mercury host.
"SMTP Authentication" mode will also catch practically all unauthorized relaying attempts (as long as the relaying controls are properly configured). It is not supported by every SMTP client/host, and it requires you to maintain a username/password pair for every user who should be allowed to relay. SMTP Authentication provides relay control where Strict mode is not feasible, such as at an Internet Service Provider or Internet Mail Service Provider, where maintaining an "Allow" list of every customer's IP address is too cumbersome or simply impossible (e.g. dynamically assigned addresses).
To activate SMTP Authentication, the following text should be added to the [MercuryS] section of your "MERCURY.INI" file (located in the SYS:SYSTEM directory for the Mercury/NLM version or in the Mercury application directory for Mercury/32):
For Mercury/NLM --
[MercuryS]
SMTP_Authentication : 1
# SMTP Auth text file is always SYS:SYSTEM\AUTH.MER
For Mercury/32 --
[MercuryS]
SMTP_Authentication : 1
Auth_File : AUTH.MER # Use whatever filename you wish
The Auth File is a plain text file containing one username/password combination per line: the username, a single space, then the password associated with that username. Passwords are case-sensitive. Because the passwords are stored in clear text, restrict read access to this file (SYS:SYSTEM on NetWare, or the Mercury program directory on Mercury/32) to the administrator and the Mercury process itself, and do not reuse network login passwords in it.
You can use SMTP Authentication in combination with either the Normal or Strict anti-relaying modes (only one relay method needs to grant approval in order for the relay attempt to be successful). In Mercury/NLM, SMTP Authentication cannot be required, so you must also enable Normal or Strict anti-relaying in order to prevent your Mercury host from becoming an open relay.
In Mercury/32, you do have the option of requiring SMTP Authentication in order to relay. This is highly recommended if you will not be enabling either the Normal or Strict anti-relaying modes; otherwise, your Mercury host will still be an open relay. To always require SMTP Authentication in Mercury/32, simply change the SMTP_Authentication statement above to:
SMTP_Authentication : 3
Note: If using Mercury/32, you can also directly configure all of the relay controls mentioned above from within the program itself by clicking on the Configuration -> MercuryS SMTP Server menu option and then clicking on the Relay/Connection Control tab.
Note: When configuring Mercury to allow connections from certain IP addresses, you can specify a single IP address (e.g. 1.2.3.4) or you can specify a whole Class A (e.g. 1.0.0.0), Class B (e.g. 1.2.0.0), or Class C (e.g. 1.2.3.0) network range by using zero (0) for the node portion of the address. Remember that a zero-node entry permits every host in that range to relay, so only list networks whose hosts you control; an "Allow" entry covering a dial-up or otherwise shared address range would make your server an open relay again for anyone who obtains an address in it.
Note: "Refuse" statements in the [MercuryS] section have nothing to do with relay control. Instead, "Refuse" is a connection control feature that will refuse to even accept a connection from an SMTP client/host with the specified IP address or in the specified IP address range.
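The following Python script is an added worked example (it is not Mercury's own code) that models the three relay modes described above so you can see how the Normal, Strict and SMTP Authentication settings interact, including the sender-address spoofing weakness of Normal mode, the zero-node "Allow" notation, and the fact that Mercury/NLM cannot require authentication. The local domain, users, alias and the sample [MercuryS] fragments are constructed for the demonstration; where the FAQ does not spell out a detail (the default when "Relay : 0" is absent, and whether a required SMTP Authentication is bypassed by the "Allow" list) the code says so and treats it as an assumption.

```python
"""Model of Mercury's relay controls (Normal, Strict, SMTP Authentication).

Added example, not Mercury's own code.  LOCAL_DOMAINS, LOCAL_USERS, ALIASES
and the sample INI fragments are constructed for the demonstration.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com"}          # constructed: domains delivered locally
LOCAL_USERS = {"alice", "bob"}           # constructed: local mailboxes
ALIASES = {"postmaster@example.com"}     # constructed: Mercury synonyms/aliases

# Constructed [MercuryS] fragments, following the FAQ's examples.
NORMAL_INI = """[MercuryS]
Relay : 0
Allow : 192.168.1.0 # Our local Class C (254-node) network
Allow : 192.168.10.5 # A single other machine we allow to relay
"""
STRICT_INI = NORMAL_INI + "Strict_Relay : 1\n"
AUTH_ONLY_INI = "[MercuryS]\nSMTP_Authentication : 3\nAuth_File : AUTH.MER\n"
NO_CONTROL_INI = "[MercuryS]\nSMTP_Authentication : 1\nAuth_File : AUTH.MER\n"


def allow_network(spec):
    """Turn Mercury's zero-node notation into a network:
    1.0.0.0 -> /8, 1.2.0.0 -> /16, 1.2.3.0 -> /24, 1.2.3.4 -> one host."""
    spec = spec.strip()
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad Allow address: {spec!r}")
    zero_tail = 0
    for octet in reversed(octets):
        if octet != "0":
            break
        zero_tail += 1
    return ipaddress.ip_network(f"{spec}/{32 - 8 * zero_tail}", strict=False)


def parse_mercurys(ini_text):
    """Extract the relay-control keys from the [MercuryS] section.
    Assumption: an absent key means relay control is off for that key
    (Relay defaults to 1, Strict_Relay and SMTP_Authentication to 0)."""
    cfg = {"Relay": 1, "Strict_Relay": 0, "SMTP_Authentication": 0, "Allow": []}
    in_section = False
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[mercurys]"
            continue
        if not in_section or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Allow":
            cfg["Allow"].append(allow_network(value))
        elif key in cfg:
            cfg[key] = int(value)
    return cfg


def is_local_address(addr):
    """True if Mercury would resolve addr to a local user, synonym or alias."""
    addr = addr.strip().lower()
    local_part, _, domain = addr.rpartition("@")
    return addr in ALIASES or (domain in LOCAL_DOMAINS and local_part in LOCAL_USERS)


def relay_decision(cfg, client_ip, mail_from, rcpt_to, authenticated=False, nlm=False):
    """Decide whether one recipient is accepted.  Returns (accepted, reason)."""
    if is_local_address(rcpt_to):
        return True, "local recipient: accepted in every mode"
    if cfg["SMTP_Authentication"] and authenticated:
        return True, "relay granted by SMTP Authentication"
    if cfg["SMTP_Authentication"] == 3 and not nlm:
        # Mercury/32 only.  Assumption: required auth is not bypassed by Allow.
        return False, "SMTP Authentication required (SMTP_Authentication : 3)"
    if cfg["Relay"] != 0:
        return True, "OPEN RELAY: no 'Relay : 0' in [MercuryS]"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in cfg["Allow"]):
        return True, "client address on Allow list"
    if not cfg["Strict_Relay"] and is_local_address(mail_from):
        # Normal mode only: the sender address is chosen by the client.
        return True, "Normal mode: sender address looks local (spoofable)"
    return False, "relay refused"


def audit(cfg, nlm=False):
    """Configuration warnings worth reading before exposing the host."""
    warnings = []
    if cfg["Relay"] != 0 and (nlm or cfg["SMTP_Authentication"] != 3):
        warnings.append("no 'Relay : 0' and authentication not required: open relay")
    for net in cfg["Allow"]:
        if net.prefixlen <= 8:
            warnings.append(f"Allow : {net.network_address} covers a whole Class A")
    return warnings
```

Running `relay_decision(parse_mercurys(NORMAL_INI), "203.0.113.9", "alice@example.com", "victim@example.net")` shows the Normal-mode hole: an outside host that forges a local sender is allowed to relay, while the same request against STRICT_INI is refused. `audit(parse_mercurys(AUTH_ONLY_INI), nlm=True)` reports the Mercury/NLM case where SMTP_Authentication alone, without Normal or Strict mode, still leaves an open relay.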
Keywords: MERCURY MERCURY/NLM MERCURY/32 OPEN RELAY RELAYING SPAM ORBS MAPS SMTP AUTHENTICATION AUTHENTICATE AUTH ALLOW REFUSE MERCURYS MERCNDSS STRICT_RELAY SMTP_AUTHENTICATE AUTH_FILE