EMail Server Relay Check

From MediaWiki
Latest revision as of 12:31, 5 February 2020

Overview

The eMail Server Relay Check is a "swiss army knife" security tool designed for one-click testing of eMail servers for signs of misconfiguration or abuse. It is intended to be useful for ISPs performing security audits on their networks; and especially for server administrators who may be having problems delivering eMail to the Internet. If you have an eMail server facing the public Internet, there may be a wealth of information publicly available if you know where to look; instead of having to perform telnet, and nslookup (or dig) sessions, and visit multiple web pages, you can perform multiple tests and queries with one click using the eMail Server Relay Check Tool. Port 25 outbound must be open for this tool to work.

The tool checks for the following:

  • SMTP banner - reverse DNS mismatch
  • Open Relay
  • Bounce Messages or Non-Delivery Reports (NDRs)
  • Listings on DNS-based Realtime Blacklists
  • DNS zone file MX and SPF lookups
  • GeoIP lookup for host under test
  • Optional NETBIOS port scan

You can access the eMail Server Relay Check page by selecting

 NSTWUI > Network > email > eMail Server Relay Check

Configuration

The config file for Relay Check is /usr/share/relaycheck/cgi-bin/relaycheck.conf. Values need to stay in single quotes. You can also change values from the web GUI by clicking the link on the main page of the Relay Check tool.

In order for the tool to work correctly, you will need to change the default email to your own email address.

 my email address = 'change-me@some.domain.com' 

Change this to your actual email address; it is where test messages will be sent.

You can also change server timeout values.

Enter your preferred timeout value in seconds for an initial connection to the target server. Default value is 5 seconds.

initial timeout = '5'

Enter your preferred timeout value for individual SMTP commands EHLO, MAIL FROM, RCPT TO, etc. Default value is 20 seconds.

individual smtp command timeouts = '20'
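As an added illustration (not part of this page or of the Relay Check tool's own code), here is a small Python parser and validator for a relaycheck.conf-style file: key = 'value' lines with the single quotes the page requires, the shipped placeholder address treated as "not yet configured", and the two timeouts checked as positive integers. The line format is inferred from the three settings shown above; the handling of # comment lines, the sample file and the function names are assumptions.

```python
import re

# Constructed sample in the format the configuration section shows
# (key = 'value', one setting per line). The tool's real parser is not
# on the page, so the exact format, and # comments, are assumptions.
SAMPLE_CONF = """\
# relaycheck.conf (constructed sample)
my email address = 'ops@example.net'
initial timeout = '5'
individual smtp command timeouts = '20'
"""

# Placeholder address shipped in the page's example; a config that still
# carries it will send test messages nowhere useful.
DEFAULT_EMAIL = "change-me@some.domain.com"

# key, '=', single-quoted value; anything unquoted is rejected on purpose
LINE_RE = re.compile(r"^\s*([^=#]+?)\s*=\s*'([^']*)'\s*$")

TIMEOUT_KEYS = ("initial timeout", "individual smtp command timeouts")


def parse_relaycheck_conf(text):
    """Return {key: value}; raise ValueError for a value not in single quotes."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: value must be in single quotes: {raw!r}")
        conf[m.group(1).strip()] = m.group(2)
    return conf


def validate_relaycheck_conf(conf):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    email = conf.get("my email address", "")
    if email == DEFAULT_EMAIL or "@" not in email:
        problems.append("'my email address' is still the default or not an address")
    for key in TIMEOUT_KEYS:
        value = conf.get(key)
        if value is None or not value.isdigit() or int(value) <= 0:
            problems.append(f"'{key}' must be a positive number of seconds")
    return problems


if __name__ == "__main__":
    settings = parse_relaycheck_conf(SAMPLE_CONF)
    for problem in validate_relaycheck_conf(settings) or ["config OK"]:
        print(problem)
```

Running the block against the constructed sample reports "config OK"; feeding it the page's own placeholder address, or a timeout of '0', returns one problem per bad setting, and an unquoted value raises before validation starts.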

Usage

The Relay Check tool is designed to be very easy to use. Type the hostname or IP address of the target server into the box and press Enter. You will immediately see diagnostic information on the output page:


  • If the target server is accepting connections on port 25 (SMTP), you will see the output of three SMTP transactions.
  • If the server is an open relay (http://en.wikipedia.org/wiki/Open_relay), you will receive a test message in your email inbox.
  • If the server is delivering bounce messages outside its internal organization, you will receive a bounce message. See Backscatter (http://en.wikipedia.org/wiki/Backscatter_(e-mail)).
  • If the IP address is blacklisted on public Internet blacklists (http://en.wikipedia.org/wiki/DNSBL#Terminology), that information will be shown, along with a link to verify the listing at mxtoolbox.com.
  • The tool will attempt to guess the email domain from the reverse DNS record of the target IP address, as well as from the SMTP banner, and will make an educated guess as to which domain might be used for sending and receiving email.
 Side note: A more correct term for a "domain" such as yahoo.com is actually "zone," since a domain refers to the Top Level Domain (TLD) such as .com, .edu, .net, etc. The information for a zone is stored in a "DNS zone file" on the authoritative DNS server. For more information about the structure of DNS, refer to Wikipedia (http://en.wikipedia.org/wiki/Domain_name).
  • MX and SPF record lookups will be performed on the zone that is found (if any).
  • To see the location of the target server on a world map using NST's GeoIP functionality, click the Map It button on the diagnostic output page. You must first set up GeoIP on the NST server (http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Setup_The_NST_System_To_Geolocate_Data) for this to work.
  • If you choose to check for open relay plus portscan, the server will also be tested for public-facing open NETBIOS (http://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP) ports. Use caution when selecting this option. Port scanning can be a precursor to attack and is forbidden by some ISPs. NETBIOS ports are used by Microsoft computers for printer and file-sharing on a Local Area Network (LAN) and should never be open facing the public Internet because of inherent security vulnerabilities. Unpatched XP and Windows 2000 machines are particularly vulnerable. NETBIOS ports 139 and 445 are two of the most frequently targeted ports on the Internet by hackers, and having these ports open can lead to an attacker taking full control of the target machine.
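Two of the checks listed above, the SMTP banner versus reverse DNS comparison and the DNS-based blacklist lookup, are easy to misread without seeing the mechanics. The following Python is an added example, not code from this page or from the Relay Check tool, showing how such checks are built: the reversed-octet query name a DNSBL expects, the 127.0.0.0/8 answer that means "listed", and the hostname taken from the 220 greeting compared with the PTR record. DNS answers are replaced by a constructed in-memory table so the example runs offline; the addresses (RFC 5737 documentation ranges), the blacklist zone dnsbl.example.org and the hostnames are assumptions.

```python
import ipaddress
import re

# Constructed DNS answers standing in for real lookups (offline example).
# 192.0.2.25 has a PTR record and is listed; 198.51.100.7 has neither.
FAKE_DNS = {
    ("PTR", "25.2.0.192.in-addr.arpa."): ["mail.example.net."],
    ("A", "25.2.0.192.dnsbl.example.org."): ["127.0.0.2"],
}


def fake_resolve(rtype, name):
    """Stand-in resolver: returns the constructed answers, or [] for a miss."""
    return FAKE_DNS.get((rtype, name), [])


def reverse_octets(ip):
    """192.0.2.25 -> 25.2.0.192; IPv4 only (IPv6 uses nibble format, not covered)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split(".")))


def dnsbl_check(ip, zone, resolve=fake_resolve):
    """Query <reversed-ip>.<zone>; any answer inside 127.0.0.0/8 means listed.
    The low octet of the answer is the list's own reason code."""
    qname = f"{reverse_octets(ip)}.{zone}."
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = [a for a in resolve("A", qname) if ipaddress.ip_address(a) in loopback]
    return {"query": qname, "listed": bool(codes), "codes": codes}


# "220 host.example ESMTP ..." or "220-host.example ..." (multi-line greeting)
BANNER_RE = re.compile(r"^220[ -](\S+)")


def banner_hostname(banner):
    """Hostname the server announces in its SMTP greeting, normalised."""
    m = BANNER_RE.match(banner)
    return m.group(1).lower().rstrip(".") if m else None


def ptr_hostname(ip, resolve=fake_resolve):
    """Reverse DNS name for the address, normalised, or None if absent."""
    names = resolve("PTR", f"{reverse_octets(ip)}.in-addr.arpa.")
    return names[0].lower().rstrip(".") if names else None


def banner_rdns_mismatch(ip, banner, resolve=fake_resolve):
    """Return (banner_name, ptr_name, mismatch). A missing PTR or an
    unparsable banner is reported as a mismatch, since either one is
    enough for receiving servers to treat the sender with suspicion."""
    b = banner_hostname(banner)
    p = ptr_hostname(ip, resolve)
    return b, p, (b is None or p is None or b != p)


if __name__ == "__main__":
    print(dnsbl_check("192.0.2.25", "dnsbl.example.org"))
    print(banner_rdns_mismatch("192.0.2.25", "220 mail.example.net ESMTP ready"))
```

To use this against live DNS, pass a resolve(rtype, name) function backed by a real resolver in place of fake_resolve; the query construction and the interpretation of the answers stay the same.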

Interpreting Output

  • If you see the error ::: failed to connect: No route to host, port 25 outbound may be blocked on your network.
  • Urgent messages are in red
  • Warnings are in orange
  • Positive messages are in blue


(this documentation is currently under development)

Feedback

If you see errors, undocumented features (bugs), or have a feature request, you can contact me at bob <at> bob3 <dot> net.