Preventing VAX running VMS / Multinet from being used as SMTP relay

systems_glitch systems.glitch at gmail.com
Fri Dec 1 07:44:52 CST 2017


Off the cuff, I'd probably stand something else up and have it relay mail
to the VAX (I suspect you've already got machines available for this
purpose, ping me off-list if not). Have the VAX only accept connections
from whatever's doing the relaying. If you can't get VMS or the smtpd to
restrict incoming connections, add a transparent hardware firewall in
between. This is what I typically do when something old and probably
insecure has to be connected to the Internet -- proxy, relay, or otherwise
hide the actual server behind something modern.

Thanks,
Jonathan

On Thu, Nov 30, 2017 at 6:28 PM, Peter Coghlan via cctalk <
cctalk at classiccmp.org> wrote:

> >
> > I have a microvax set up with VMS 5, running MULTINET (and decnet
> > locally).   The server has a FQDN and after a while being exposed to the
> > WWW someone out there started using the server as an SMTP relay.  I can
> > disable and clear the queue, but I'd like to block entirely this from
> > happening in the first place.  I'd like to learn more about how this
> > happens in VMS.
> >
> > Anyone have had this same problem before?  I realize back when VMS 5 was
> > current it was not so much of an issue, but today it is.  I am working
> on a
> > solution.  I can envision a few ways including blocking the smtp relay
> port
> > from the firewall, but if possible I'd like to set up a VMS Multinet
> > solution as a learning exercise.
> >
>
> I had this problem about 25 years ago.  I suspect lots of people did.
>
> In the VMS world, networking stacks are separately packaged from the base
> operating system and it is possible to install one or more of DECnet,
> TCP/IP,
> X25 and various other networking products and have them all running
> simultaneously.
>
> VMS doesn't know or care about SMTP, the issue here is with Multinet which
> seems to be what was installed to provide TCP/IP networking on your
> machine.
> Multinet includes a basic SMTP server which can be used to move mail
> between
> VMS MAIL and the internet.  Very old versions of Multinet came with SMTP
> relaying enabled because this is what the standards required at the time.
> Later versions came with easy ways to disable SMTP relaying.  Later still
> versions shipped with SMTP relaying disabled out of the box when spammers
> targetting open relays became a serious problem.  More recently still,
> Multinet comes with pretty much all of the TCP/IP servers it provides
> disabled
> and requires the installer to enable the services they want, leaving less
> opportunity for surprises when servers are running that nobody knew
> existed,
> except the bad guys targetting them.
>
> The Multinet SMTP server is pretty basic and people who are serious about
> doing SMTP on VMS typically disable it and install a proper mailserver like
> PMDF.  That's my excuse for not knowing how to disable SMTP relaying in
> Multinet.  That and because it probably varies for different versions of
> Multinet and you haven't said what version of Multinet you have.  I used to
> be one of the people supporting Multinet in this part of the world and I
> seem to have inherited a stack of Multinet documentation for different old
> versions so if I knew what version, I could probably look it up.  I think
> the
> documentation for the most recent couple of Multinet versions is on the
> Multinet website:
>
> http://www.process.com/psc/service-support/multinet-support/
>
> Try the Adminstrator's guide or Adminstrator's reference.
>
> I do however know how to disable the SMTP server in Multinet completely:
>
> $ MULTINET CONFIGURE /SERVERS
> SERVER-CONFIG> DISABLE SMTP
> SERVER-CONFIG> RESTART
> Configuration modified, do you want to save it first ? [YES]
>
> Regards,
> Peter Coghlan
>


More information about the cctalk mailing list