Domino Server: SMTP Stats - part 1

At your Domino console, issue the command "sho stat smtp", or use the Domino Administrator client to open your inbound SMTP server and look in the Statistics tab.

The sample figures quoted below are typical of one of our servers after it has been up for about 24 hours. Can we learn anything by looking at these stats?

1. Spamware and malware often use HELO, not EHLO

The total of HELO and EHLO here is 9,903, yet the number of messages accepted and placed on the local delivery queue is 4,076, well under half that. Any well-behaved, contemporary MTA delivering a real message will use EHLO (RFC 2821 says the client SHOULD), so it is reasonable to assume that a high proportion of those HELOs come from spamware or self-propagating malware (the kind that carries its own SMTP implementation and delivers direct-to-MX). Note too that a client which negotiates STARTTLS issues EHLO twice in one session (RFC 3207 requires a fresh EHLO after the TLS handshake), so greetings do not map one-to-one onto sessions.

Disabling HELO is not an option, however: a) Domino does not permit any tailoring of responses to HELO, and b) supporting HELO is mandatory (RFC MUST).

2. Some spamware will attempt to use unimplemented ESMTP features

The sample here is from a Domino server with most ESMTP extensions turned off; the only exceptions are SIZE and STARTTLS.

Note the single attempt to use VRFY to find a local email address. Probably not spamware, but someone up to no good: VRFY is a classic address-enumeration probe.

Note also the non-zero figure for "Command / Invalid". This is where spamware assumes support for command pipelining and attempts to deliver an entire spam in a single packet containing EHLO, MAIL, RCPT, DATA and QUIT without waiting for any responses. Where the connecting IP is blacklisted, Domino issues a 554 after MAIL, and where a local recipient doesn't exist, a 550 after RCPT. In both cases DATA is not accepted, and the message data subsequently dumped into the input buffer is read as a series of commands, each eliciting a response like 500 Syntax error, command "Subject: Your Meds" unrecognized. These are recorded in the stats as SMTP / Command / Invalid.

Pipelining in this way is not permitted by RFC 2920 in any case: a client may only pipeline once the server has advertised PIPELINING in its EHLO response, and even then it must wait for the 354 reply to DATA before sending message content. If pipelining is enabled at your server, this type of abuse can cause a partial denial of service by tying up one of your SMTP inbound handlers for an extended period while it works through the dumped message text one "command" at a time. This is why I generally recommend turning off command pipelining.
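The exchange described above, as an added illustration that is not part of the original post or of Domino: a minimal SMTP command handler is fed the whole pipelined blob at once, and we watch what each line elicits. The reply texts are modelled on those quoted in the post, the client addresses and mailbox are constructed, and the optional per-session error cap is an assumed mechanism included for comparison with the uncapped case, not a description of any product setting.

```python
"""Model of how an SMTP server processes a pipelined 'fire and forget' spam
session.  Added illustration, not Domino code: reply texts follow the post,
sample data is constructed, and the error cap is an assumed mechanism."""

from typing import List, Optional, Tuple

# Constructed sample data for the demonstration.
BLACKLISTED_IPS = {"192.0.2.10"}          # pretend DNSBL hit
LOCAL_USERS = {"alice@example.com"}        # the only valid local mailbox

# The whole "message" arrives in one burst; the client never waits.
SPAM_BLOB = (
    "EHLO spam.example.net\r\n"
    "MAIL FROM:<offers@spam.example.net>\r\n"
    "RCPT TO:<nobody@example.com>\r\n"      # no such local user -> 550
    "DATA\r\n"                              # refused: no accepted recipient
    "Subject: Your Meds\r\n"                # header lines now read as commands
    "From: offers@spam.example.net\r\n"
    "\r\n"
    "Buy now!\r\n"
    ".\r\n"
    "QUIT\r\n"
)


class Session:
    """Minimal SMTP command handler carrying only the state that matters here."""

    def __init__(self, client_ip: str, error_limit: int = 0):
        self.client_ip = client_ip
        self.error_limit = error_limit    # 0 = no cap (the weak setting)
        self.errors = 0                   # every 4xx/5xx reply issued
        self.invalid_commands = 0         # what "Command / Invalid" would count
        self.sender_ok = False
        self.recipients = 0
        self.in_data = False
        self.open = True

    def _fail(self, reply: str) -> str:
        self.errors += 1
        if self.error_limit and self.errors >= self.error_limit:
            self.open = False             # assumed cap: drop the session
            return "421 Too many errors, closing connection"
        return reply

    def handle(self, line: str) -> Optional[str]:
        if self.in_data:                  # only reached after a 354
            if line == ".":
                self.in_data = False
                return "250 Message accepted for delivery"
            return None                   # body lines get no reply
        verb = line.split(None, 1)[0].partition(":")[0].upper() if line.strip() else ""
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.com"
        if verb == "MAIL":
            if self.client_ip in BLACKLISTED_IPS:
                return self._fail("554 Relay rejected for policy reasons")
            self.sender_ok = True
            return "250 Sender OK"
        if verb == "RCPT":
            addr = line.partition(":")[2].strip("<> ").lower()
            if not self.sender_ok:
                return self._fail("503 Bad sequence of commands")
            if addr not in LOCAL_USERS:
                return self._fail("550 Recipient unknown")
            self.recipients += 1
            return "250 Recipient OK"
        if verb == "DATA":
            if self.recipients == 0:
                return self._fail("503 No valid recipients")
            self.in_data = True
            return "354 Enter message, end with '.' on a line by itself"
        if verb == "QUIT":
            self.open = False
            return "221 Closing connection"
        # Anything else, including message text dumped after a refused DATA,
        # is an unrecognised command.
        self.invalid_commands += 1
        return self._fail(f'500 Syntax error, command "{line}" unrecognized')


def run_session(client_ip: str, blob: str, error_limit: int = 0) -> Tuple[List[str], Session]:
    """Feed the pipelined blob to a fresh session and collect the replies."""
    session = Session(client_ip, error_limit)
    replies: List[str] = []
    for line in blob.splitlines():
        if not session.open:
            break                         # connection already torn down
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies, session


if __name__ == "__main__":
    for ip, limit in (("198.51.100.5", 0), ("192.0.2.10", 0), ("198.51.100.5", 3)):
        replies, s = run_session(ip, SPAM_BLOB, limit)
        print(f"client {ip}, error limit {limit or 'off'}:")
        for r in replies:
            print("  S:", r)
        print(f"  invalid commands counted: {s.invalid_commands}, errors: {s.errors}")
```

Without a cap, every header and body line after the refused DATA is answered with its own 500 and counted as an invalid command, which is exactly the "Command / Invalid" signature described above; with a cap of three errors the session is dropped at the first header line and the handler is freed.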

3. Has anyone even heard of transport layer security?

The figures in the sample are typical here. Of 4,076 messages accepted, only 541 arrived over a TLS-protected session. (The 541 counts STARTTLS negotiations rather than accepted messages, but it is reasonable to assume that most of those sessions resulted in an accepted message.) That is a rate of about 13%.
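The HELO/EHLO and TLS observations in sections 1 and 3 above reduce to a few ratios that can be checked automatically from console output. The following is an added example, not part of the post or of Domino: it parses "sho stat smtp" style "Name = value" lines and applies the heuristics discussed. The sample is constructed from the totals quoted in the post (9,903 greetings, 4,076 accepted, 541 TLS, one VRFY), with the HELO/EHLO split and the Invalid count made up; the dotted statistic names are assumed to follow the "SMTP / Command / Invalid" path shown in the Administrator client and should be checked against your own server before use.

```python
"""Heuristics over 'sho stat smtp' output.  Added example, not part of the
post or of Domino; statistic names are assumed, see STAT names below."""

import re
from typing import Dict, List

# Constructed sample.  Totals follow the post; the HELO/EHLO split and the
# Invalid count are made up for the demonstration.  Names are assumed.
SAMPLE = """\
  SMTP.Command.EHLO = 4,803
  SMTP.Command.HELO = 5,100
  SMTP.Command.Invalid = 17
  SMTP.Command.STARTTLS = 541
  SMTP.Command.VRFY = 1
  SMTP.MessagesProcessed = 4,076
"""

STAT_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*([\d,]+)\s*$")


def parse_stats(text: str) -> Dict[str, int]:
    """Turn 'Name = 1,234' console lines into a dict; ignore anything else."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2).replace(",", ""))
    return stats


def ratios(stats: Dict[str, int]) -> Dict[str, float]:
    """HELO share of greetings, greetings per accepted message, TLS share."""
    helo = stats.get("SMTP.Command.HELO", 0)
    ehlo = stats.get("SMTP.Command.EHLO", 0)
    accepted = stats.get("SMTP.MessagesProcessed", 0)
    tls = stats.get("SMTP.Command.STARTTLS", 0)
    greetings = helo + ehlo
    return {
        "helo_share": helo / greetings if greetings else 0.0,
        "greetings_per_accepted": greetings / accepted if accepted else 0.0,
        "tls_share": tls / accepted if accepted else 0.0,
    }


def review(stats: Dict[str, int]) -> List[str]:
    """One finding per heuristic that fires.  Thresholds are this example's."""
    r = ratios(stats)
    findings: List[str] = []
    if r["helo_share"] > 0.5:
        findings.append(f"{r['helo_share']:.0%} of greetings are plain HELO; "
                        "suspect spamware or direct-to-MX malware")
    if r["greetings_per_accepted"] > 2:
        findings.append(f"{r['greetings_per_accepted']:.1f} greetings per accepted "
                        "message; most sessions deliver nothing")
    if stats.get("SMTP.MessagesProcessed", 0) and r["tls_share"] < 0.5:
        findings.append(f"only {r['tls_share']:.0%} of accepted mail arrived over TLS")
    if stats.get("SMTP.Command.VRFY", 0):
        findings.append(f"{stats['SMTP.Command.VRFY']} VRFY attempt(s): address enumeration")
    if stats.get("SMTP.Command.Invalid", 0):
        findings.append(f"{stats['SMTP.Command.Invalid']} invalid commands: "
                        "look for pipelined fire-and-forget spam")
    return findings


if __name__ == "__main__":
    parsed = parse_stats(SAMPLE)
    for line in review(parsed):
        print("-", line)
```

Feed it the real console output instead of SAMPLE and compare the findings across a few days; a sudden jump in greetings per accepted message or in the Invalid count is usually the first sign of a new wave of direct-to-MX traffic.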

Many organisations implement disclaimers bearing dire warnings about the security of Internet mail, along with a raft of other measures supposedly designed to enhance security: rejecting on invalid or missing rDNS or on an IP literal in HELO/EHLO, or passing the mail stream through a firewall SMTP "fixup" (the classic Cisco PIX fixup answered EHLO with a 500, forcing clients back to HELO and so ruling out STARTTLS altogether). The security benefits of all of these are, without exception, wholly illusory.

And yet one simple and easily implemented feature which actually does convey some security benefit, STARTTLS, is at the same time overlooked. *

I just want to know, why?


* If there's sufficient interest I may publish a Domino SMTP TLS howto.

Update: SMTP TLS howto now published.

Category: Domino: Administration

Comments:

1. john wylie, 12/01/2006 14:07:38

Chris - I think the Howto document you mentioned would be a superb idea.
A lot of admins like to have the benefit of someone's experience when setting up a feature which you probably consider easy.

2. Peter Stockel, 12/01/2006 14:27:20
Homepage: http://thor.pyttemjuk.nu/

Chris, I would definitely like to read that howto document. Count me in please.

3. Stephan H. Wissel, 12/01/2006 15:53:56
Homepage: http://www.wissel.net/

I second that. TLS is an excellent topic.
stw

4. Chris Siebenmann, 13/01/2006 05:13:32
Homepage: http://utcc.utoronto.ca/~cks/space/blog/

There are still mailers out there on the Internet that do SMTP only and don't support ESMTP (we run some of them, and see a number of them connecting to us). These mailers will never EHLO, just HELO, so I suspect that a certain amount of the HELOs you're seeing are legitimate mailers.

(Not supporting ESMTP is not particularly crippling for MTAs, so there is little motivation to replace working and carefully tuned configurations.)

5. Chris Linfoot, 13/01/2006 08:28:25

I know. This is why I said "a high proportion" and not "all".

In fact, from a sample of spam in my traps and non-spam in my own mailbox, I can see that roughly 50% of spam that is actually delivered, though usually trapped by server-side rules (as opposed to bounced due to DNSBL hits and the like), is from SMTPs using HELO and 50% is from SMTPs using EHLO. I have no way of knowing what proportion of rejected sessions were using HELO but I suspect it is somewhat higher.

By contrast, 33% of non-spam here comes from SMTPs that say HELO with 67% from SMTPs that say EHLO. That proportion is probably truly representative.

I agree there is little point in replacing working and carefully tuned configurations, save to note again that where EHLO is not used, TLS is not an option.

6. Steve DIonne, 13/01/2006 13:32:47
Homepage: http://www.canamgroup.ca

I'm always ready to read recommendations to set up a new thing or improve security on a Domino Server.

Please go ahead with your idea...

7. Mary Whalley, 14/01/2006 04:04:38

Me too! I'd love to read it.

8. Jari Riihimäki, 17/01/2006 07:54:16

I'm also very interested to see the TLS howto. There is general interest from a few of our customers in establishing TLS, so all info from The Expert is more than welcome.

9. Mike Gagnon, 28/01/2006 15:13:55

Note that as of Domino 6.0.3, you can use SMTPErrorLimit to cause the SMTP session to be broken by Domino after some number of failed commands. The error count includes failures for valid commands (e.g. a 550 response to a RCPT TO command), as well as invalid commands such as those that occur in your "pipelining" example above.

10. Chris Linfoot, 28/01/2006 15:17:38

Useful tip Mike. Thanks.