Re: [Exim] Unathenticated SMTP ??

Top Page
Delete this message
Reply to this message
Author: Tim Jackson
Date:  
To: exim-users
Subject: Re: [Exim] Unathenticated SMTP ??
Hi Peter, on Fri, 2 Jan 2004 19:16:41 -0800 (PST) you wrote:

> The web hosting company won't believe me, stating
> emphatically that no-one can send SMPTP without
> authentication. This company uses Exim 4.24 #1 , and
> the latest replies have indicated that I must have
> found an open relay somehow, and that I'm only sending
> "TO" the domain , and _not_ THROUGH the email servers.
> But, in each test, the SMTP server details were my
> domain, so isn't that sending THROUGH ??


Does your web hosting company also handle your e-mail? If so, what's the
problem? I suspect you may be making the seemingly common but puzzling (to
me) mistake of thinking that because you can telnet into an MX server for
your domain (or set that server as your mail gateway in an e-mail client)
and send e-mail, this is in some way an open relay. How can it be? If the
remote server *didn't* accept a telnet session where you send mail (except
on the basis of a dialup DNSBL or something), how would it ever actually
handle mail for you? How would *any* mail to you actually be accepted?
Remember that SMTP is SMTP; there is no conceptual difference between
"SMTP between two MTAs", "SMTP where one end is using a telnet client" and
"SMTP where one end is using an MUA with smarthost set to the other end".

In summary: a server is only an open relay if you can send mail through
it, unauthenticated, to *arbitrary* domains (i.e. not a domain which it is
set up to handle). Try sending to foo@??? and see if it lets you
do that. If it does, it's an open relay. If it doesn't, it's probably not.

> Doesn't the "250" reply from the email server:
> AUTH PLAIN LOGIN
> .. message indicate that unauthenticated SMTP is
> possible ?


No, it means that the server is offering login services via AUTH PLAIN,
which may well, upon successful authentication, let you use it as a relay
(depending on how it is configured). This has no consequence unless you
actually go ahead and log in before doing the rest of your SMTP session.

> My concern is that, if I can do it, so can ANYONE


Er, don't you want "anyone" to be able to send you mail?


Tim