James Marcinek wrote:
I'm no expert at this but I did some reading and was under the impression that people will use your mail server to send emails and that there's not a lot that can be done about it. I would definitely like to be proven wrong with this. The simply script something to telnet into your mail port and send emails... These emails are generated from your server so even setting your email to send only from your domain does not protect you. Is anyone listening that could shed some more light on this?
To shed more light on this. You can configure a server that can be used remotely and safely , without having it being used by spammers. To do this , you have some work to do, because you need to add authentication (it is a bit trivial on postfix. Never tried on sendmail or qmail). Also it's suggested to use cryptography to protect the passwords during authentication (also known as Transport Layer Security, or TLS).
So , a properly configured server will accept incoming conections (even bad ones) , but will reject the bad ones during authentication.. Here's an example of a properly configured server in action:
220 mailhost. ESMTP ehlo mailhost 250-mailhost 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-STARTTLS 250 8BITMIME mail from:<someuser@somedomain> 250 Ok rcpt to:<anotheruser@anotherdomain> 554 <anotheruser@anotherdomain>: Relay access denied
From this point on , the spammer can keep trying to send his spam , but probably the server will reject all his attempts , because he didnt use authentication. This example server didnt show anything about authentication , because I've configured it to only show authentication information if the channel is secure. If the software connects to port 25 , then uses the STARTTLS command , then it'll have the option to authenticate and send a message (if it's a valid user).
-- Pedro Macedo
