Best Way to Control Relaying?

Tue May 16 23:44:33 IST 2006

John Rudd escribió:
> Uh, that's not what it means to be an "open relay".  An open relay is 
> a relay which doesn't restrict who uses it.  Specifically, it is a 
> relay that allows 3rd parties (ie. not the server's proper users (the 
> customers), nor people sending to the proper users, but a third group 
> which is neither proper users nor people sending to the proper 
> users).  If only his customers can relay through is sever, then it's 
> not an open relay.  Therefore, being an "open relay to his customers" 
> is a meaningless phrase.  It's like saying "it's a 2 way door if and 
> only if you open it from the inside".  If you can only open it from 
> the inside, it's not a 2 way door.
>
>
> I can see arguments for requiring authentication (it's certainly a 
> good goal, and should be a 'best practice'), but it's still perfectly 
> normal and valid for a site to allow relaying for/by the 
> network/hosts/users it is responsible for.  That doesn't make them an 
> "open relay".  It makes them a "relay".  There's nothing wrong with 
> being a "relay".
>
It's good to know that we agree on what a relay is, although we disagree 
on the use of the word "open" as a description of the behaviour we are 
talking about, depending on the conditions.

I don't believe the phrase is meaningless in the sense that, expanding 
it a little more, the hypothetical ISP in question is a relay that is 
sufficiently open to abuse in such a way that entities not necessarily 
under its control are able to use it as a relay to cause harm to others. 
In your definition, "entities not under his control" are SMTP clients on 
networks not directly managed by this ISP. In my definition, which is a 
bit stricter, "entities not under his control" includes everybody, 
everywhere, unless they have authenticated. So in both our definitions, 
an "open relay" is a relay that doesn't restrict who uses it. The way I 
see it, however, implies that, to a compromised/infected/rogue/spammer 
machine inside an ISP's network legitimately (the user is a subscriber) 
or not (the user is hijacking another computer or using an open wifi 
spot), there is no *practical* difference between such an "open" ISP 
"relay" and a more completely "open" relay, in the fuller sense of the 
term that you imply.

I just got off the phone with a sysadmin friend of mine whose server was 
being listed in RBL's, whose CPU usage was going through the roof... 
etc. - you probably know what I'm talking about. We shut off the "allow 
relay by address" options, turned on SMTP AUTH and made it mandatory. 
Problem solved.

Most ISP's in my country are making SMTP AUTH mandatory; they're doing 
it to address the problem of being, for all practical purposes, "open 
relays" to machines in their networks.

So although we may have different views on what "open" means, depending 
on where you're standing, I'm glad we agree that allowing relay without 
some sort of control or accountability is usually a Bad Thing ;-)