Open relay possible if you can send without entering password on SMTP 25?

We are using Maib for a week now. Everything ok. But today I setup VeeamBR (a simple client) to send simple mail with the backup statuses. There is a very simple interface so you cannot do too much. However, I just send an email without login information and that one goes, naturally, to spam. So the server accepts on 25 a connection for a user (that exists) without checking for password and sends that email?!?!

Doesn’t this sound like open relay? Should it be blocked?

Any ideas?!

I tried it from another VeeamBR server, from another location but could not replicate (different VeeamBR version).

I modified the port to 587 and it works corectly now.
So the right settings are port 587, connect using SSL, with authentication.

The question remains open though:

Why was I able to send from 25 without credentials???

That’s normal. All incoming mail to your mail server comes in on port 25 from other mail servers without any credentials. If it gets delivered to a mailbox on your server, that’s the correct outcome for receiving email.

The term “open relay” means something different. An open relay is when an email is received without credentials and is then sent back out to another server for delivery (rather than being delivered locally). That’s the “relay” part. It’s using (abusing) the server as if it were the origin for outbound mail. So outbound mail must be restricted to connections that have properly authenticated (which Mail-in-a-Box does).

So i should not be in any trouble…

Can this be used against us? Should we try to do something?

I’m not exactly sure what you mean by “this,” but I think you’re describing a pretty normal type of email. Unfortunately normal includes spam and phishing, etc. which are of course very difficult to stop. So, yes, we should always try, but there are no easy solutions. (You are welcome to propose (or submit an implementation of) a change to make Mail-in-a-Box better, of course.)

1 Like

This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.