HIDS 3301

From Atomicorp Wiki
Rule: 3301
Status: Active
Alert Message: Attempt to use mail server as relay (client host rejected).


Description

ASL does not cause this event and does not cause any blocks associated with this event. ASL simply reports when your mail server blocks a relaying attempt. ASL has no control over your mail server.

This rule reports when your system's mail server has rejected a relaying attempt. Relaying is an attempt to send email through the server to a destination other than the server itself. For example, if your server accepts mail for "example.com" and a user tries to use the server to send email to "atomicorp.com", that is called "relaying". If your mail server is not set up to allow relaying, it will reject attempts to use it to send email to another domain.

ASL does not control or configure this behavior in your mail server; it merely reports when it occurs. Therefore, if your mail server is rejecting mail from one of your users, you will need to configure your mail server to allow relaying from that user. Please contact your mail server vendor for assistance with configuring your mail server to do this.

Disabling this rule will not allow your users to relay mail. It will simply "silence" the alert in ASL; the mail will still be rejected by your mail server.

Troubleshooting

False Positives


Tuning Guidance

If you do not wish to block these connections, disable Active Response for this rule in the ASL rule manager.

Additional Information

Similar Rules


Knowledge Base Articles


Outside References


Notes

This technique is one of the oldest and most widely used methods of sending spam. Systems that allow anyone to relay email through them are called "open relays"; spammers use them to hide their true location and to "steal" the trust that users may place in the server. Open relays are commonly blocked by other mail servers, so if your system is set up as an open relay you may find that you cannot send email to other systems. You should never run your mail server as an open relay; instead, authenticate your users and only allow authorized, authenticated users to relay mail through your server.

Example log messages

hostname postfix/smtpd[15871]: NOQUEUE: reject: RCPT from hostname[]: 554 5.7.1 <hostname[]>: Client host rejected: Access denied; from=<REDACTED> to=<REDACTED> proto=ESMTP helo=<[]>

host postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[]: 554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; from=<spammer@spammer.com> to=<spammer@spammer.com> proto=SMTP helo=
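An added example, not part of the Atomicorp wiki page or of ASL itself, showing how a defender can parse Postfix smtpd reject lines of the form quoted above, keep only the relay-type rejections that rule 3301 reports on (and drop, for instance, unknown-recipient rejections), and count them per client so repeat offenders stand out. The sample log lines, hostnames and addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Matches the Postfix smtpd "NOQUEUE: reject: RCPT" form shown in the examples above.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): (?P<status>\d{3}) "
    r"\d\.\d+\.\d+ <[^>]*>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
# Reject reasons that mean a client tried to relay through this server (rule 3301).
RELAY_REASONS = ("Relay access denied", "Client host rejected")

@dataclass
class Reject:
    client: str   # Postfix client string, e.g. "unknown[192.0.2.10]"
    status: int   # SMTP status code (554, 550, ...)
    reason: str   # text between the rejected <address> and the ';'
    sender: str
    rcpt: str

def parse_reject(line: str) -> Optional[Reject]:
    """Return a Reject for any smtpd NOQUEUE/RCPT rejection line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return Reject(m["client"], int(m["status"]), m["reason"].strip(), m["sender"], m["rcpt"])

def relay_rejects_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Count rejected relay attempts per client; other rejections are ignored."""
    counts: Dict[str, int] = {}
    for rec in map(parse_reject, lines):
        if rec and rec.reason.startswith(RELAY_REASONS):
            counts[rec.client] = counts.get(rec.client, 0) + 1
    return counts

# Constructed samples modelled on the two messages quoted above; hosts and addresses
# are RFC 5737 / example-domain placeholders, not real traffic.
SAMPLE_LOG: List[str] = [
    "Mar  3 10:01:02 mx postfix/smtpd[15871]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: "
    "554 5.7.1 <unknown[192.0.2.10]>: Client host rejected: Access denied; "
    "from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<[192.0.2.10]>",
    "Mar  3 10:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "554 5.7.1 <someuser@notadomainonthisserver.org>: Relay access denied; "
    "from=<spammer@example.com> to=<spammer@example.com> proto=SMTP helo=<x>",
    # A non-relay rejection (unknown local recipient) that rule 3301 should not match.
    "Mar  3 10:02:00 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; "
    "from=<c@example.com> to=<nobody@example.org> proto=ESMTP helo=<x>",
    "Mar  3 10:02:30 mx postfix/smtpd[1236]: connect from unknown[198.51.100.7]",
]
```

Running `relay_rejects_by_client(SAMPLE_LOG)` yields one relay rejection for each of the two constructed clients; the 550 unknown-user line and the connect line are not counted.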
