Search Posts:

Prevent VMS MULTINET SMTP Relay Hijacks

SHARE

Return to Threads

  Prevent VMS MULTINET SMTP Relay Hijacks by Bill Degnan - 12/02/2017 14:35
A VAX with VMS 5 that uses the MULTINET TCP/IP stack is vulnerable to third-party SMTP relay hijacks by any Tom-BOT-and-Harry probing around for a port 25 SMTP server. Case in point, my MicroVAX 3100 exposed to the outside Internet would clog up with queued relay messages in a matter of hours putting me at risk of being flagged by my ISP (Comcast). As a result I could not keep the machine online for an extended period. I decided to see if I could solve the problem at the VMS or MULTINET stack level. Yes it would be easier to simply install a modern router or firewall solution but what fun would that be?

Here is an example message from the queue:

$ show queue /full



10 SMTP-RETURN SYSTEM 19 Holding until 2-DEC-2017 12:49
Submitted 2-DEC-2017 12:18 /FORM=DEFAULT
/PARAM=("yahoo.com.hk; Error sending MAIL command to yahoo.com.hk")
/PRIORITY=100
File: _COBUCK$DKA700:[MISSING.VAX_COMMON.MULTINET.SPOOL]SMTP-RETURN.000
/DELETE



Leaving the VAX exposed to the Internet would cause hundreds of these to queue up. The relaying takes CPU and disk space.

I sent a message to cctech to see if anyone had any experience with this problem. I got a useful tip how to disable SMTP altogether:

> >
> > $ MULTINET CONFIGURE /SERVERS
> > SERVER-CONFIG> DISABLE SMTP
> > SERVER-CONFIG> RESTART
> > Configuration modified, do you want to save it first ? [YES]
> >
> > Regards,
> > Peter Coghlan
> >

OK. I can at least turn off the spigot.

Using the commands listed above I disabled the SMTP service. I also cleared the message queue. I was glad to find that no new messages were being relayed. Good, but would disabling SMTP effect legitimate email routing? I ran a test to see if I could send an email out/from the VAX server to one of my email accounts elsewhere (gmail.com). That worked, but when I replied to the VAX's message (from gmail) the VAX blocked it.

Conclusion - I can't leave SMTP disabled entirely or legit inbound emails will be blocked. Initially I guessed out-bound mail would be blocked but I was wrong. MULTINET uses SMTP to route email traffic to VMS mail internally.

I found a MULTINET user group thread from 1997 that seemingly applied to my case:


>>Is there an safe and effective method for preventing third-party
>>relaying mail through the MULTINET SMTP server, while still allowing
>>local deliver of mail and local sending of mail to other hosts.
>>Reject-nets, reject-hosts doesn't really work well because the
>>abusers keep switching origins and it also blocks legitimate mail.

>Yes, there is, and it'll be in the version after V4.0 rev B. We have a
kit available for V3.5 (any revision) and V4.0 (any revision) if you'd
like to install it.

>Please contact me directly if you're interested (dwing-at-cisco.com).

>-Dan Wing

---
Thanks Dan Wing wherever you are. OK..Let's see what version of MULTINET I have running...the command:

$ multinet show/version

Process Software MultiNet V4.1 Rev A, MicroVAX 3100, VAX/VMS V5.5-2


Good. I bet I already have the upgrade Dan was referring to. Searching through MULTINET's ansi-style menu:

$ multinet config /menu

The controls exist. The location is called "SMTP Security Parameters" and one gets there from the main menu via:

->Configure Multinet Server
-->View/Modify an Existing Service
--->SMTP
---->Set Security Options
----->[see below]

I set Reject by Default = TRUE (it was FALSE). I also added my mail server IP in the hosts allowed field. Note that more than one IP is allowed if your separate each IP with a comma.

I returned to the "configure multinet server" menu and restarted the multinet_server process to cause the changes to take effect.

To verify this all worked I sent an email message to the VAX from my mail server. The VAX received it. Success.

It is thus possible to have a MicroVAX running MULTINET facing the external WWW with SMTP enabled that will not also be used as an SMTP relay. Limitation - one has to add the IP(s) of the inbound email server(s) allowed given SMTP traffic is disabled by default.

I created an alias MV3100@buzz1-dot-calm on my modern mail server to route Internet messages .. That's the only "modern" cheat I used. I did not need to block port 25 at any point, set up a fire wall nor do NAT translation.

Testing the alias worked (to from gmail). I replied to the message and that worked too, the cycle is complete.

After many hours of uptime, zero messages became stuck in the mail queue from third-party SMTP relay hijackers. YAY.

Reply
  Apply SMTP security to Vax 4000-200 by Bill Degnan - 12/02/2017 14:35
Updated MULTINET on my VAX 4000-200 to also block SMTP by default except when from my mail server and created a new alias vax4000@buzz1-dot-clam alias to forward all mail to system@vax4000.vintagecomputer-doht-net

Note - if one is running an Internet-facing VMS and MULTINET VAX on simH this technique will work there too.

The 3100 and 4000 are networked internally via DECNet, but that's a separate thread.

Reply

Resources:


Buy a Commodore Computer Poster

Popular Topics and FAQs


Past Issues:


3260 diskdrive front

This image was selected at random from the archive. Click image for more photos and files from this set.