Date: Mon, 14 Jun 1999 17:40:35 +0100
From: Robert Lister
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Lotus Notes Relay

Following postings about NTMail having open relaying ability (in certain situations), I have identified a problem with the Lotus SMTP MTA (right up to v4.6.4, have yet to test Domino 5).

Basically, it's possible to relay (and even appear to "forge" a message) using a combination of the percent hack and the blank from address, and this is *despite* having changed the notes.ini with the settings for anti-relaying:

telnet server 25
Connected to 192.168.100.1.
Escape character is '^]'.
220 company.com Lotus SMTP MTA Service Ready
HELO some.domain
250 company.com
MAIL FROM:<>
250 OK
RCPT TO:
250 OK
DATA
>From: ... etc whatever you like..
.
250 Message received OK.
quit
221 GoodBye

The bad bit of this is that notes seems to strip out previous headers (depending on how it's configured) and add new outgoing notes headers, and it even goes as far as doing things like expanding cc: headers and permitting sending to notes mailing lists, etc, making it look like mail originated from the notes domain itself. It also takes whatever I put in the "From: " header and presents this in its outgoing "MAIL FROM:<>"

I have contacted Lotus support and they have confirmed that this is an issue and are looking into it. Can't wait to get testing on version 5!!

I have also pointed out to them that the lotus SMTP MTA seems to accept any mail for any domain, and then, only having accepted it, make a decision as to what to do with it. If it decides that it cannot relay it, it generates a message back to the "sender" that "this server will not relay"; however, 9 times out of 10, the remote domain won't exist, so this message will fail - as opposed to responding with, say, 5xx relaying not permitted before accepting the message. Possibly not the best use of the protocol!
Regards,
Rob (robl@lentil.org)

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 08:52:28 +1000
From: Mark Laffan
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Lotus Notes Relay

This will work UNLESS the two below notes.ini settings are set.

smtpmta_allow_known_domains=1
smtp_och_reject_smtp_originated_messages=1

Connected to 192.168.100.1.
Escape character is '^]'.
220 company.com Lotus SMTP MTA Service Ready
HELO some.company
250 company.com
MAIL FROM:<>
250 OK
RCPT TO:
501 This MTA is configured NOT to relay message from [some.server.com] to [company.com.com].
quit
221 GoodBye

This is a new SMTPMTA setting from R4.6.4 onward.

Cheers
Mark

--------------------------------------------------------------------------------

Date: Wed, 16 Jun 1999 10:06:18 +0100
From: Robert Lister
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: Lotus Notes Relay

On Wed, Jun 16, 1999 at 08:52:28AM +1000, Mark Laffan wrote:
> This will work UNLESS the two below notes.ini settings are set.
>
> smtpmta_allow_known_domains=1
> smtp_och_reject_smtp_originated_messages=1
>
> Connected to 192.168.100.1.
> Escape character is '^]'.
> 220 company.com Lotus SMTP MTA Service Ready
> HELO some.company
> 250 company.com
> MAIL FROM:<>
> 250 OK
> RCPT TO:
> 501 This MTA is configured NOT to relay message from [some.server.com] to
> [company.com.com].
> quit
> 221 GoodBye
>
> This is a new SMTPMTA setting from R4.6.4 onward.
>
> Cheers
> Mark
>

Interesting that one. It seems to be more secure in that it sends 501 back for anything it doesn't like, but our server still permits me to relay using the mentioned percent hack, IF the domain after the @ sign is the same as the server's domain name.

PS: lotus didn't seem to know about this one, so I'll let the guy I was speaking to at lotus know.

Interesting possible DOS attack on my server: - will do a little more research (but I'll have to put together a test server, my notes guy is getting irritated rebooting the live server that I picked on to do this, since I did this quite by accident!)

Trying 192.168.100.10...
Connected to 192.168.100.10.
Escape character is '^]'.
220 company.com Lotus SMTP MTA Service Ready
HELO lart
250 company.com
MAIL FROM:
250 OK
RCPT TO:
501 This MTA is configured NOT to relay message from [xxxxx] to [bogus.org].
RCPT TO:
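
Added example, not part of the original postings and not Lotus code: a Python sketch of the RCPT-time check the thread argues for, refusing with a 5xx reply before DATA instead of accepting and bouncing, and treating a routed local part (the percent hack) under a local domain as a relay attempt. The domain set, the trusted-client flag, the function names and the sample addresses in the comments are assumptions constructed for illustration.

```python
# Added example: relay decision made at RCPT TO, before any message is accepted.
LOCAL_DOMAINS = {"company.com"}   # assumed: domains this server delivers for
ROUTING_CHARS = "%!@"             # percent hack, UUCP bang path, nested @


def split_rcpt(rcpt):
    """Return (local_part, domain) from a RCPT TO argument."""
    addr = rcpt.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    # RFC 821 source route "@relay1,@relay2:user@host": keep the final mailbox
    if addr.startswith("@") and ":" in addr:
        addr = addr.split(":", 1)[1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed mailbox")
    return local, domain.lower().rstrip(".")


def rcpt_decision(rcpt, client_trusted=False, local_domains=LOCAL_DOMAINS):
    """Return (code, text) to send in reply to RCPT TO."""
    try:
        local, domain = split_rcpt(rcpt)
    except ValueError:
        return 501, "Syntax error in mailbox"
    if client_trusted:
        # assumed policy: hosts on an internal allow-list may relay
        return 250, "OK"
    if domain not in local_domains:
        return 550, "Relaying denied"
    # Domain is ours, but a local part such as "user%remote.example"
    # names a second hop, so comparing only the domain is not enough.
    if any(c in local for c in ROUTING_CHARS):
        return 550, "Relaying denied (routed local part)"
    return 250, "OK"
```

Because the refusal is issued in the SMTP dialogue, no bounce is ever generated toward a possibly forged or nonexistent sender domain.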