SMTP gateway, users impersonating as someone else!


kamranazeem
04-27-2005, 05:37 PM
Hello all,
I am confused about SMTP; I cannot understand it, nor can I solve my problem.

I am working at a company which has a web site named, say, www.services.com. The site office has neither the web server nor the mail server on its premises. Rather, the web and mail servers are somewhere on the internet. Now let's talk about the mail server only. At this site office, located somewhere in a remote area of my country, we have an internet connection, which allows my office to surf the web and collaborate with the rest of the world. At this site office, I installed Sendmail (initially) on RHEL3 AS to act as an SMTP gateway for our office people, so all of these office workers could send their mail out to whomever in the world using Outlook or similar tools. Now I noticed something. I could do a telnet session with my SMTP gateway as follows:

[root@wokhorse root]# telnet smtpgateway 25
Trying 203.135.0.3...
Connected to smtpgateway (xxx.xxx.xxx.xxx).
Escape character is '^]'.
220 ***********************
helo services.net
250 smtpgateway
mail from: zafar@services.net
250 ok
rcpt to: kamran@services.net
250 ok
data
354 go ahead
This is test mail and I am impersonating as some one else (zafar).
I am Kamran sending this mail.
.
250 ok 1114633499 qp 90
quit
221 smtpgateway
Connection closed by foreign host.

===============

Now I did receive this email as well and was shocked to imagine that any one of my users can impersonate anybody, and things may go very wrong at this site office or wherever.

So I decided to look for solutions. I frequently stumbled on the SMTP AUTH mechanisms offered by Sendmail, but they are probably too complicated to understand and configure. Two days ago I decided to test qmail toaster and thus installed qmail and uninstalled Sendmail from my SMTP gateway. Please note that my users get mail using POP or IMAP from the remote servers, and this machine under discussion is only being used to send mail out.

By using SMTP AUTH mechanisms, I am getting the impression that I have to create user accounts and passwords for all office mates in the (now qmail) SMTP server, so they must provide this username and password to send mail out. But my question is: "won't it be another set of username/password" that my users have to remember, and they may forget it or may not want to send mail like this? Since I am not clear on this, please guide me on what to do. And "how" to do it will be much, much more appreciated, or any pointers?

This may have been asked previously, but I have searched so many lists and only got more and more confused.

Please help me understand and solve this dilemma.
Thank you for your time.

Regards,
Kamran

chalkoutline
04-27-2005, 07:02 PM
Now I did receive this email as well and was shocked to imagine that any one of my users can impersonate anybody, and things may go very wrong at this site office or wherever.

True. But it's fairly trivial to impersonate someone else. It can be done (even accidentally) in the account setup of (probably) any MUA.

So I decided to look for solutions.... Please note that my users get mail using POP or IMAP from the remote servers, and this machine under discussion is only being used to send mail out.

Perhaps this is a stupid question (and I'm not trying to avoid helping), but can your users not use the POP/IMAP server as their SMTP server? Any SMTP authorization on that remote server would more than likely use the same username/password as for POP or IMAP... All that would require of you is to set up each MUA to use SMTP authentication, telling it to use the POP/IMAP username and password (depending, of course, on how/if SMTP authentication is set up on the remote server).

But even with authentication, as above, this will not stop someone from impersonating someone else. Chances are (in the qmail/vpopmail world) that the SMTP authenticating username IS the email address of the person, but the authentication mechanism doesn't tell qmail that the "from" line MUST MATCH the username, else reject it.

Ever heard of spam double-bouncing? It happens because the sender's address was bogus... Someone impersonating someone else.

I don't know of any solutions, but I do know it is an everyday occurrence. I think your first concern would be to make sure any MUAs are set up with the proper Sender information. Most users will not tamper with those settings, and they certainly won't be using telnet-to-SMTP to forge messages. I've been an email admin for 6 years now and I STILL have to look up instructions on how to do that (since I need to test that type of thing so little).

Your second concern (like with any other administration) is the user and their integrity. There are 3rd-party patches/utilities to track the email actions of users, but unless you admin for a den of thieves, the effort of continuously monitoring your users' emailing habits probably isn't worth the time involved.
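The gap chalkoutline describes is that SMTP AUTH proves who logged in but, by itself, does not tie the envelope sender to that login. The following is an added example, not code from this thread and not qmail's or Sendmail's own logic: a small in-process SMTP state machine whose only policy decisions are at MAIL FROM, where it requires a prior authentication and then requires the envelope sender to be the authenticated user's own address. The domain name `services.net` is taken from the thread; the host name `smtpgateway`, the reply texts and the login-to-address mapping are assumptions. The first sample session is a constructed replay of the unauthenticated telnet session from the opening post.

```python
import email.utils

DOMAIN = "services.net"  # assumption: the office's own mail domain


def normalize_address(raw):
    """Return the bare, lower-cased address from a MAIL FROM / RCPT TO argument."""
    _, addr = email.utils.parseaddr(raw.strip())
    return addr.lower()


def sender_allowed(auth_user, mail_from):
    """Policy decision for MAIL FROM; returns (accepted, smtp_reply).

    auth_user is the login name of a successfully authenticated client, or
    None when the client never authenticated (as in the telnet sessions in
    this thread). A login may be a bare name (mapped to name@DOMAIN) or a
    full address; only that one address may be used as envelope sender."""
    if auth_user is None:
        return False, "530 5.7.0 Authentication required"
    addr = normalize_address(mail_from)
    login = auth_user.lower()
    owned = login if "@" in login else f"{login}@{DOMAIN}"
    if addr != owned:
        return False, f"553 5.7.1 Sender {addr or '<>'} not owned by login {auth_user}"
    return True, "250 ok"


def run_session(client_lines, auth_user=None):
    """Drive a minimal SMTP state machine with the client's command lines and
    return the list of server replies. The AUTH exchange itself is not
    replayed; a successful one is modelled by passing auth_user."""
    replies = []
    have_sender = have_rcpt = in_data = False
    for line in client_lines:
        if in_data:
            if line == ".":                       # end of message body
                in_data = False
                have_sender = have_rcpt = False
                replies.append("250 ok queued")
            continue                              # body lines get no reply
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        _, _, value = arg.partition(":")          # "from: x" -> " x", "to:x" -> "x"
        if verb in ("HELO", "EHLO"):
            replies.append("250 smtpgateway")
        elif verb == "MAIL":
            ok, reply = sender_allowed(auth_user, value)
            have_sender = ok
            replies.append(reply)
        elif verb == "RCPT":
            if not have_sender:
                replies.append("503 5.5.1 MAIL first")
            else:
                have_rcpt = True
                replies.append("250 ok")
        elif verb == "DATA":
            if not have_rcpt:
                replies.append("503 5.5.1 RCPT first")
            else:
                in_data = True
                replies.append("354 go ahead")
        elif verb == "QUIT":
            replies.append("221 smtpgateway")
            break
        else:
            replies.append("500 5.5.2 unrecognized command")
    return replies


# Constructed replay of the unauthenticated session from the opening post.
OFFICE_SESSION = [
    "helo services.net",
    "mail from: zafar@services.net",
    "rcpt to: kamran@services.net",
    "data",
    "This is test mail and I am impersonating as some one else (zafar).",
    ".",
    "quit",
]

if __name__ == "__main__":
    # No AUTH at all: rejected at MAIL FROM, nothing is queued.
    print(run_session(OFFICE_SESSION))
    # Logged in as kamran but claiming to be zafar: still rejected.
    print(run_session(OFFICE_SESSION, auth_user="kamran"))
    # Logged in as kamran and sending as kamran: accepted end to end.
    print(run_session(["helo services.net", "mail from: kamran@services.net",
                       "rcpt to: zafar@services.net", "data", "hello", ".", "quit"],
                      auth_user="kamran"))
```

Running the module shows the three outcomes in order: the replayed session stops with a 530 at MAIL FROM, the authenticated-but-mismatched session stops with a 553, and only the session whose envelope sender equals the login reaches `250 ok queued`. Real MTAs implement this tie as a configuration option or patch rather than in code like this, but the check itself is what any such option has to do.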

kamranazeem
04-29-2005, 04:08 AM
Thanks for reply.

Assuming I am stupid, but still here is my question.

I connected to my ISP here. I knew my boss's email address on the same ISP, so I tried to repeat the same steps which I did for my SMTP server here at my office. That is, I did the same telnet steps I did in the previous message. The mail server did give me the "Sender Ok" and "Recipient OK" messages, and I typed an email and it accepted the email for delivery. But I "did not" get that email, supposedly from my boss. I hope I was able to explain the scenario correctly. Now my question is: they must be using some mechanism to avoid the kind of activity which I intended. So how might they be controlling it?

Thank you for your time.

chalkoutline
04-29-2005, 09:09 AM
This is just a stab in the dark, but if it's a high-speed ISP, they do know the name and email account(s) associated w/ the MAC address of their modem. Perhaps they are doing some sort of cross-referencing before sending a message (making sure an SMTP connection from a specific MAC corresponds to that customer's existing email accounts)... Dunno though.

But I don't know of any facility similar w/ qmail that would do that. Perhaps someone else around here has familiarity w/ a patch (or two) that combined would do something similar.

Donboy
04-29-2005, 09:14 AM
I think you should wait and see if the message arrives ok. I suspect it will arrive just fine since you got all "ok" from the server.

Consider this... you can forge postal mail anytime you want. It's horrifically easy to put someone else's return address on an envelope and pop it into the mail. If you typed the letter and signed someone else's name to it, anyone could easily be fooled into thinking the message was really from the advertised sender.

I know it boggles the mind, and it probably makes you feel a little uncomfortable now that you know the painful truth, but like Chalk was suggesting... unless you're surrounded by criminals, I wouldn't worry too much. Most people do not forge emails in the way you describe. Usually that sort of thing is done by spammers or people who want to cause trouble for themselves.

chalkoutline
04-29-2005, 09:20 AM
<nods>

One thing DonBoy spurred me into wondering... If there was some sort of problem w/ your telnet test, the message MAY have been returned to your boss, since it was forged. You might want to check w/ him and see if he's received it.

kamranazeem
04-29-2005, 04:12 PM
Hello all,
This is my actual telnet session with my ISP from my home. I am Kamran, but I am impersonating Zafar. And I did not receive the previous mail nor this mail.

As for binding MAC addresses or IPs with email accounts, that is a long shot.

So what do you conclude out of this? Lastly, I need to check with my boss whether he received any bounced mail or not.

Thanks and regards,
Kamran


[root@homeserver root]# telnet isb.paknet.com.pk 25
Trying 203.135.0.3...
Connected to isb.paknet.com.pk (203.135.0.3).
Escape character is '^]'.
220 ***********************
ehlo homedomain.com
502 unimplemented (#5.5.1)
helo homedomain.com
250 isb.paknet.com.pk
mail from: zafar@isb.paknet.com.pk
250 ok
rcpt to:mkazeem@isb.paknet.com.pk
250 ok
data
354 go ahead
this is test message from kamran, impersonating as zafar.
.
250 ok 1114801468 qp 14104
quit
221 isb.paknet.com.pk
Connection closed by foreign host.
You have new mail in /var/spool/mail/root
[root@homeserver root]#

Donboy
04-29-2005, 05:08 PM
Sorry, I don't think I can be of any more help than what I've already offered. But if you really want to pursue this, you can go here and search the qmail mailing list archives about your issue...

http://msgs.securepoint.com/qmail/

If you can't find an answer to your problem, try joining the mailing list and ask your question. You may be able to find somebody who knows how to better satisfy your need.

Cobi
05-26-2005, 05:50 AM
Hello all,
This is my actual telnet session with my ISP from my home. I am Kamran, but I am impersonating Zafar. And I did not receive the previous mail nor this mail.

As for binding MAC addresses or IPs with email accounts, that is a long shot.

So what do you conclude out of this? Lastly, I need to check with my boss whether he received any bounced mail or not.

Thanks and regards,
Kamran


[root@homeserver root]# telnet isb.paknet.com.pk 25
Trying 203.135.0.3...
Connected to isb.paknet.com.pk (203.135.0.3).
Escape character is '^]'.
220 ***********************
ehlo homedomain.com
502 unimplemented (#5.5.1)
helo homedomain.com
250 isb.paknet.com.pk
mail from: zafar@isb.paknet.com.pk
250 ok
rcpt to:mkazeem@isb.paknet.com.pk
250 ok
data
354 go ahead
this is test message from kamran, impersonating as zafar.
.
250 ok 1114801468 qp 14104
quit
221 isb.paknet.com.pk
Connection closed by foreign host.
You have new mail in /var/spool/mail/root
[root@homeserver root]#
Try HELO'ing as isb.paknet.com.pk, or whatever server you are claiming to be from in the MAIL FROM... just a wild guess...