Possible security question

Hi Team,

I have been running MIAB for a few years. I am learning Python recently and trying to test a snippet of email-related code. What surprised me is that I can just send and receive without any user/pass authentication. Is this normal behavior for any mail server setup, like Gmail, etc.?
It cannot send email to other domains; it prompts “relay denied”.
It doesn’t work with a sender email from another domain.
It only works within the local domain, for both sender and receiver.

Should I worry about this being used by remote parties? Thanks!


from email.mime.text import MIMEText
import smtplib

msg = MIMEText("Hi There")
msg["Subject"] = "A Test Message"
msg["From"] = "John kim <john.kim@abc.com>"
msg["To"] = "Pikcarass <pik.cara@abc.com>"

# Plain SMTP on port 25 to the box: no STARTTLS, no login
s = smtplib.SMTP("box.abc.com")
s.sendmail("john.kim@abc.com", ["pik.cara@abc.com"], msg.as_string())
s.quit()

Hi @miabatf2f10.

This is exactly how other servers send email to you. If emailing you required a username/password, you would never receive any mail. :slight_smile:


Hi Josh,

If I know two email addresses within one email domain, I can essentially make them spam each other remotely?

For example, I know there’s jacob@cisco.com and there’s peter@cisco.com; I can then remotely use tools similar to the above Python script, or even a telnet session, to box.cisco.com and send email to them from each other?

or even from maxist@abc.com to peter@cisco.com? This is supposed to work?
Then it would be a venue for spam, would it not?

Please enlighten a bit on this further.
Thanks Josh!

I’m not a developer, and you’ve provided too few details for anyone who is not a developer to understand even what you are doing.

Is this some sort of code being executed from MiaB server?

It’s executed from a laptop.

Is the laptop running MiaB?

As Josh already stated, this is how it is supposed to work. Note, however, that the mail will not necessarily be delivered to your inbox.
When I tried this, my email first got greylisted, so I had to try again. After that, there are a number of checks. For instance, the spam score for my attempt was:

X-Spam-Status: Yes, score=20.2 required=5.0 tests=DMARC_FAIL_QUARANTINE, FROM_ADDR_WS, FSL_BULK_SIG, KHOP_HELO_FCRDNS, MISSING_DATE, MISSING_MID, PYZOR_CHECK, SPF_FAIL, TO_EQ_FM_DOM_SPF_FAIL

A score of 20 is very much above the threshold of 5. This is all because my home computer does not have a trusted IP. Measures surrounding SPF and DKIM are all ignored. Probably my home IP is on a list of less trusted IPs, etc. A remote mail server has to have all of that in place before the mail is delivered to your inbox.

No, this is a bit of Python code that implements a very simple remote mail server. It tries to deliver an email to the MiaB at box.abc.com. It can be run on any computer connected to the internet.

So, this isn’t something that has to do with the MiaB server. What you are accomplishing with your code can be accomplished from any server with an SMTP server. In Linux you can accomplish the same by just installing postfix and using sendmail from command line, or even add the mail package which is slightly more user friendly.

Since this is a very old issue related to email infrastructure, many protections have been created that are both local policies and published standards.

You might want to spend some time understanding how a mail message makes its way through an MiaB server, if you are desiring to understand mail infrastructure, as most modern standards are implemented, with few exceptions.

You can even send email using “telnet” and just typing (by hand) the SMTP lines, the email headers, and so on. Back in the old days, it used to be a quick way to send a test message: you only needed to type the EHLO and TO lines, the message, and a final dot. :grin:

You can still do that, but not many servers will accept it. Alas, now email is untrusting and so (for practical purposes) encryption and lots of extra stuff is required … too much for anyone to calculate and type by hand.

But to miabatf2f10’s point, within a trusted network this trusting & unverified method might reasonably still work. Would depend on the mail server setup.
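The behaviour the replies above describe, as one runnable model. This is an added example, not code from this thread and not Mail-in-a-Box or Postfix code. A toy inbound SMTP receiver listens on a loopback port and does what the OP's box did: it advertises no AUTH and accepts a message for a local address from anyone (Josh's point), answers 554 Relay access denied to a recipient outside its domain (the OP's “relay denied”), and greylists the first contact from a new (client IP, sender, recipient) triplet with a 450 until the sender comes back (the greylisting post). The client side types the session by hand, line by line, the way the telnet post describes, and then repeats the OP's smtplib call against an external recipient. The domain abc.com, the hostnames and addresses, and the half-second greylist delay are assumptions made for the demo; spam scoring (SPF/DKIM/DMARC) is not modelled.

```python
import smtplib
import socket
import socketserver
import threading
import time

LOCAL_DOMAINS = {"abc.com"}   # assumption: the box receives mail for this domain only
GREYLIST_DELAY = 0.5          # seconds; real greylisting waits minutes
DELIVERED = []                # (sender, recipients, body) the toy server "queued"

def addr(arg):                # bare address out of 'FROM:<a@b>' / 'TO:<a@b>'
    start, end = arg.find("<"), arg.rfind(">")
    return arg[start + 1:end] if 0 <= start < end else arg.partition(":")[2].strip()

class ToyMTA(socketserver.StreamRequestHandler):
    seen = {}                 # greylist triplet (client ip, sender, rcpt) -> time first seen

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 box.abc.com ESMTP toy-mta")
        sender, rcpts = None, []
        while True:
            raw = self.rfile.readline()
            if not raw:
                return                                   # client hung up
            verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 box.abc.com")            # no AUTH advertised: MX traffic is anonymous
            elif verb in ("MAIL", "RSET"):               # MAIL opens an envelope, RSET just clears it
                sender, rcpts = addr(arg) or None, []
                self.reply("250 2.0.0 Ok")               # any envelope sender; SPF/DMARC score it later
            elif verb == "RCPT":
                rcpt = addr(arg)
                if rcpt.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
                    self.reply("554 5.7.1 Relay access denied")   # not our domain, not authenticated
                    continue
                first_seen = self.seen.setdefault((self.client_address[0], sender, rcpt), time.time())
                if time.time() - first_seen < GREYLIST_DELAY:
                    self.reply("450 4.2.0 Greylisted, try again later")  # tempfail; real MTAs retry
                    continue
                rcpts.append(rcpt)
                self.reply("250 2.1.5 Ok")
            elif verb == "DATA":
                if not rcpts:
                    self.reply("554 5.5.1 Error: no valid recipients")
                    continue
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                body = []
                for line in iter(self.rfile.readline, b""):
                    if line.rstrip(b"\r\n") == b".":
                        break
                    body.append(line.decode(errors="replace"))
                DELIVERED.append((sender, rcpts, "".join(body)))
                self.reply("250 2.0.0 Ok: queued")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")

def dialogue(port, lines):
    """Type the session by hand (as over telnet); returns [(sent, reply)], banner first."""
    transcript, in_data = [], False
    with socket.create_connection(("127.0.0.1", port)) as sock, sock.makefile("rb") as rd:
        transcript.append(("", rd.readline().decode().rstrip()))
        for line in lines:
            sock.sendall((line + "\r\n").encode())
            if in_data and line != ".":
                continue                                 # message lines get no reply until "."
            reply = rd.readline().decode().rstrip()
            transcript.append((line, reply))
            in_data = reply.startswith("354")
    return transcript

HAND_TYPED = ["EHLO laptop.example", "MAIL FROM:<john.kim@abc.com>", "RCPT TO:<pik.cara@abc.com>",
              "DATA", "From: John kim <john.kim@abc.com>", "To: Pikcarass <pik.cara@abc.com>",
              "Subject: A Test Message", "", "Hi There", ".", "QUIT"]   # constructed: the OP's message

def run_demo():               # run each scenario once; the greylist memory is process-wide
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ToyMTA)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    out = {"first_try": dialogue(port, HAND_TYPED[:3] + ["QUIT"])[3][1]}   # [3] is the RCPT reply
    time.sleep(GREYLIST_DELAY + 0.1)                     # what a real MTA's retry queue does, slower
    full = dialogue(port, HAND_TYPED)
    out["retry"], out["queued"] = full[3][1], full[-2][1]   # RCPT reply, then the reply to "."
    try:                                                 # the OP's smtplib call, to a foreign domain
        with smtplib.SMTP("127.0.0.1", port, local_hostname="laptop.example") as s:
            s.sendmail("john.kim@abc.com", ["peter@cisco.com"], "Subject: relay?\r\n\r\nhi")
        out["relay"] = "accepted"
    except smtplib.SMTPRecipientsRefused as err:
        out["relay"] = err.recipients["peter@cisco.com"][0]   # the SMTP code, 554
    return out

if __name__ == "__main__":
    print(run_demo())
```

Running it prints the first RCPT reply (450, greylisted), the retry's RCPT reply and the reply to the final dot (both 250), and the code smtplib got for the cross-domain recipient (554). Nothing in the exchange checked a password; the only gate on delivery was the recipient's domain, which is exactly why a foreign MTA can hand your box mail and why the OP's laptop cannot use it to reach cisco.com.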
