How to avoid Mail Proxy being used to spam or forward mail

(Last modified: 10Feb2003)

This document (10013929) is provided subject to the disclaimer at the end of this document.

goal

How to avoid Mail Proxy being used to spam or forward mail

fact

Novell BorderManager 3.0

Novell BorderManager 3.5

Telnet to the BorderManager public IP address

Receive a "220 service ready" response

If this were GWIA, there would be a different screen

fix

Duplicate by typing:
1. helo novell.com
2. mail from: <joe@spam.com>
3. rcpt to: <username@novell.com>
4. data
5. type in message
6. end the mail with a return "." return
7. should respond with "250 OK"
8. See solution 4.0.18689443.2270424

Result: Receive an email message from joe@spam.com, which confirms that Mail Proxy is being used as a mail forwarder (allowing spam of unsuspecting domains).

Use the following access rules to block incoming "relay" requests (using novell.com as the example mail domain).

(1) Action: Allow
    Access Type: Port
    Origin Server Port: 25
    Source: IP Address or Range
    Destination: Any

(2) Action: Allow
    Access Type: Application Proxy
    Service: Mail Proxy
    Source: Any
    Destination: novell.com

(3) Action: Deny
    Access Type: Application Proxy
    Service: Mail Proxy
    Source: Any
    Access: SMTP
    Destination: Any
  
Rule 1 will block all spam requests. The IP address could be the internal SMTP server or the subnet range of all internal workstations. If Internet non-routable address ranges (like 10.X.X.X or 192.168.X.X) are used on the private segments then all the better.

Rule 2 allows the SMTP mail proxy to forward mail with destination novell.com.

Rule 3 blocks all other SMTP mail.
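
The three rules above, modelled as an added example (not part of the original Novell document and not BorderManager code). It assumes the rules are evaluated top-down with the first match deciding, uses 10.0.0.0/8 as a stand-in for the internal range in rule 1, and treats the destination in rule 2 as an exact, case-insensitive domain match; the function names and sample requests are constructed for illustration.

```python
import ipaddress

# Assumptions (not from the original document): first-match, top-down
# evaluation; 10.0.0.0/8 stands in for the internal range in rule 1.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_DOMAIN = "novell.com"  # example mail domain used in the document

def rcpt_domain(rcpt):
    """Return the lower-cased domain of an SMTP path such as <user@domain>."""
    addr = rcpt.strip().strip("<>")
    return addr.rpartition("@")[2].lower().rstrip(".")

def rule1(src, rcpt):  # Allow: port 25, source = internal range, destination = any
    return ipaddress.ip_address(src) in INTERNAL_NET

def rule2(src, rcpt):  # Allow: Mail Proxy, source = any, destination = mail domain
    return rcpt_domain(rcpt) == MAIL_DOMAIN  # exact match, not suffix or substring

def rule3(src, rcpt):  # Deny: Mail Proxy, SMTP, any source to any destination
    return True

RULES = [("allow", rule1), ("allow", rule2), ("deny", rule3)]

def evaluate(src, rcpt):
    """Return (action, rule_number) for the first rule that matches."""
    for number, (action, matches) in enumerate(RULES, start=1):
        if matches(src, rcpt):
            return action, number
    return "deny", 0  # unreachable while rule 3 is present; kept as a safe default

# Constructed sample requests: (source IP, RCPT TO value)
SAMPLES = [
    ("10.1.2.3", "<friend@example.org>"),           # internal host, outbound mail
    ("203.0.113.7", "<username@novell.com>"),       # inbound mail for the mail domain
    ("203.0.113.7", "<victim@example.org>"),        # external-to-external relay request
    ("203.0.113.7", "<x@novell.com.example.org>"),  # look-alike domain, still a relay
    ("203.0.113.7", "<User@NOVELL.COM>"),           # domains compare case-insensitively
]

if __name__ == "__main__":
    for src, rcpt in SAMPLES:
        print(src, rcpt, "->", evaluate(src, rcpt))
```
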

WORKAROUND: Use static NAT: enable a secondary IP address that will be translated to the SMTP mail server on the private network (assuming the SMTP mail server is able to "disallow mail relay").

Note: The IP address assigned to the MX record must be used as the Secondary IP address.

INSTRUCTIONS:
1. Unbind the primary IP address
2. Use INETCFG to bind another IP address
3. Then in AUTOEXEC.NCF add the following command: "ADD SECONDARY IPADDRESS X.X.X.X"  (X.X.X.X representing the IP address)
4. INETCFG | bindings | choose public NIC | expert TCPIP bind options | Network Address Translation | enable in static and dynamic | select the table and add a translation from the secondary IP address to the Internal Private Mail server IP address

Test: TELNET to the secondary IP address on port 25. Then see if you can send mail.

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10013929
  • Solution ID: 4.0.17354428.2268858
  • Creation Date: 09Aug1999
  • Modified Date: 10Feb2003