Is it safe to allow SMTP Relay from the private address blocks?

  • 10.0.0.0/8
  • 127.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

My gut feeling is that it's probably OK, however I'm not sure whether that would make my server susceptible to something like IP-forgery attacks or similar. Basically, what are the chances that some black-hats will apply some smart techniques and fool my MTA into thinking that it has received the envelope from a private address block, effectively turning it into an open relay?

My MTA is running inside a Docker container, so I was afraid that all connections (including ones from remote servers) would be treated as local connections. However, you can see from the following log entry that the MTA was able to work out that the incoming connection is remote:

```
SMTP connection from [xxx.yyy.39.83]:43108 I=[172.18.0.2]:25 (TCP/IP connection count = 1)
```

In general, how do MTAs gather such information: do they take it from the TCP connection, from the SMTP headers, or something in between?

NarūnasK

2 Answers

A safer setup would be to generally block unauthenticated SMTP, whitelisting only those few services that are unable to authenticate - which by now should be none or nearly none.

Mikael H
  • **Un**authenticated hosts, or IPs are **always** a bad idea. Can you say "open relay"? +1 for your assertion Mikael! – somebody Mar 02 '20 at 19:50

The IP addresses that an MTA uses for allowing relay are usually taken from the TCP session. In this case (TCP and modern systems) they are effectively unforgeable unless the forger has access to the network infrastructure between you and the remote IP. However, you should note that:

  • As Mikael H says you should consider authenticated SMTP.
  • Some network load balancers (ELB for example) will rewrite the TCP source address to its own. In that case you need to make sure that your MTA and load balancer agree on a way to communicate the real external IP (search for ELB Postfix "Proxy protocol", which would be your "in between").
  • If you're really set on crossing all the Ts, you may want to restrict private addresses from entering your network and/or restrict the whitelist to IPs that you are actually using.
Law29
  • When you say `Proxy protocol` I think you bear in mind [HAProxy Proxy Protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)? – NarūnasK Mar 01 '20 at 15:56
  • Yep, developed by HAProxy if I remember correctly, implemented in both ELB and Postfix. – Law29 Mar 01 '20 at 18:51
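To make the two points above concrete (the relay decision keyed on the TCP peer address, and the PROXY protocol "in between" when a load balancer rewrites the source), here is an added example that is not from the question or either answer. It models the check an MTA has to make: the TCP peer address is authoritative, and a HAProxy PROXY v1 header is honoured only when the peer is one of the configured balancers; the balancer address 172.18.0.10 and the client addresses are constructed sample values.

```python
import ipaddress
from typing import Optional, Set

# Relay is permitted only for the private blocks listed in the question.
RELAY_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_proxy_v1(line: bytes) -> Optional[str]:
    """Source IP from a PROXY protocol v1 header, or None when the line is not
    a PROXY header (e.g. an ordinary SMTP command) or the balancer says UNKNOWN.
    Layout per the HAProxy spec: b'PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n'."""
    if not (line.startswith(b"PROXY ") and line.endswith(b"\r\n")):
        return None
    parts = line[:-2].decode("ascii").split(" ")
    if parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(parts[2])  # ValueError on a non-address token
    if src.version != (4 if parts[1] == "TCP4" else 6):
        raise ValueError("address family does not match PROXY header")
    return str(src)


def effective_client(peer_ip: str, first_line: bytes, proxy_peers: Set[str]) -> str:
    """The TCP peer address is authoritative. A PROXY header replaces it only
    when the peer is a configured balancer; from anyone else the line is just
    an (invalid) SMTP command and cannot change the source address."""
    if peer_ip not in proxy_peers:
        return peer_ip
    real = parse_proxy_v1(first_line)
    if real is None:
        raise ValueError("trusted balancer did not send a PROXY header")
    return real


def relay_allowed(peer_ip: str, first_line: bytes, proxy_peers: Set[str]) -> bool:
    """True when the effective client address lies in one of RELAY_NETS."""
    addr = ipaddress.ip_address(effective_client(peer_ip, first_line, proxy_peers))
    return any(addr in net for net in RELAY_NETS)


if __name__ == "__main__":
    BALANCERS = {"172.18.0.10"}  # constructed: balancer on the Docker network
    via_lb = b"PROXY TCP4 203.0.113.9 172.18.0.2 43108 25\r\n"  # constructed header
    print(relay_allowed("10.0.0.5", b"EHLO mail.example\r\n", BALANCERS))  # True
    print(relay_allowed("172.18.0.10", via_lb, BALANCERS))                # False
```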