SMTP Mail Relay
CAN 1999-0512
Impact
An e-mail spammer, or other unauthorized user, may be able to use the system
to relay mail.
Background
The Simple
Mail Transfer Protocol (SMTP) is used by a mail server to send,
receive, or route e-mail across a network. The protocol requires the
MAIL FROM (sender) address and the RCPT TO
(recipient) address to be specified. Normally, either the sender or the
recipient address is in the server's domain.
The Problem
Some SMTP servers accept any sender or recipient address
without checking whether or not at least one of them is in the server's
domain. On such
servers, it is possible to supply a fake sender address, and an
arbitrary recipient address, which greatly facilitates the spread
of e-mail spam.
Note: Even SMTP servers which generally don't
allow relaying sometimes do allow it if the session originates from a host in the server's domain
or from a host from which relaying is explicitly permitted. If
the scan is performed from such a host, a false alarm may result.
Other related CVE entries:
CAN 2003-0285 AIX Sendmail
Resolution
UNIX mail servers should be upgraded to
Sendmail 8.9 or higher, which does not allow
relaying by default. For non-UNIX mail servers, contact your vendor
for fix information.
If upgrading is not possible, users of
Sendmail 8.8.6 or higher can deny relaying by adding
the following
rulesets to the Sendmail configuration, which is usually found
in /etc/sendmail.cf.
Where Can I Read More About this?
The MAPS Transport
Security Initiative page is a good source of information
on mail relaying. Also see
sendmail.org for information on the anti-relaying features in
Sendmail 8.9. Users of Sendmail 8.8 who do not wish to upgrade can refer to
sendmail.org for
information on preventing relaying in Sendmail 8.8.