Bugtraq mailing list archives
Re: IIS SMTP component allows mail relaying via Null Session
From: Todd Sabin <tsabin () razor bindview com>
Date: 04 Mar 2002 23:23:02 -0500
"Toni Lassila" <toni.lassila () mc-europe com> writes:

> > Overview: IIS comes with a small SMTP component. The default settings
> > allow anyone who can authenticate to it to relay email. Because the
> > authentication system supports NTLM, it is possible for anyone to
> > authenticate using null session credentials, and then relay email.
> >
> > Workarounds: Disable the SMTP service. Disable the ability of
> > authenticated users to relay email. Firewall off the SMTP service from
> > untrusted networks.
>
> I suspect turning off NTLM authentication and allowing only Basic
> Authentication (with or without TLS),

I tried this, and it appears to be effective.

> or alternatively disabling null session access (details are in many MS
> KB) from the server are two possible workarounds as well. Disabling null
> sessions is one of those security features one should do when securing a
> Windows-based server anyway.

If by "disabling null sessions" you mean setting RestrictAnonymous to 1 or 2, then that is not effective. RestrictAnonymous doesn't disable anonymous access, it just places additional restrictions on it. You can still authenticate just fine with a null session when RA=2, and that's all you need for relaying.

Todd

--
Todd Sabin <tas () webspan net>
BindView RAZOR Team <tsabin () razor bindview com>
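The workaround Toni and Todd agree on is turning off NTLM so that only Basic authentication (ideally under TLS) remains. An administrator can confirm that change took effect by reading what the server advertises in its EHLO reply, without authenticating at all. The script below is an added example, not code from the thread or from BindView; it parses an EHLO reply, reports the Windows integrated mechanisms (NTLM, GSSAPI) still on offer, and flags Basic mechanisms (LOGIN, PLAIN) advertised without STARTTLS. The two sample replies are constructed; the first is modelled on a default IIS SMTP banner, the second on a hardened one. The live `fetch_features` helper uses the standard `smtplib` module and is an assumption about how one would wire this to a real host.

```python
"""Audit the AUTH mechanisms an SMTP server advertises (added example).

Defender's check for the IIS SMTP / NTLM relaying issue discussed above:
if NTLM or GSSAPI is still listed after the 'Basic only' change, the
workaround has not taken effect.
"""
import smtplib

# Mechanisms that accept Windows integrated (including null session) credentials
WINDOWS_INTEGRATED = {"NTLM", "GSSAPI"}
# Basic mechanisms that send reusable credentials; acceptable only under TLS
BASIC = {"LOGIN", "PLAIN"}

# Constructed sample: resembles a default IIS SMTP EHLO reply (not a capture)
IIS_DEFAULT_EHLO = """\
250-mail.example.test Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK"""

# Constructed sample: NTLM/GSSAPI removed, STARTTLS enabled, Basic auth only
HARDENED_EHLO = """\
250-mail.example.test Hello [192.0.2.10]
250-STARTTLS
250-AUTH LOGIN
250-SIZE 2097152
250 OK"""


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [PARAM, ...]}.

    Handles both 'AUTH GSSAPI NTLM LOGIN' and the legacy 'AUTH=LOGIN'
    form that older Microsoft servers emit alongside it.
    """
    features = {}
    for raw in reply.splitlines():
        line = raw.strip()
        if not line.startswith("250") or len(line) < 4:
            continue
        body = line[4:].strip()          # drop '250-' or '250 '
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        if "=" in keyword:               # AUTH=LOGIN -> AUTH, LOGIN
            keyword, _, first = keyword.partition("=")
            params = (first + " " + params).strip()
        features.setdefault(keyword.upper(), []).extend(
            p.upper() for p in params.split())
    return features


def audit_features(features: dict) -> dict:
    """Summarise the authentication posture from parsed EHLO features."""
    mechs = set(features.get("AUTH", []))
    has_starttls = "STARTTLS" in features
    return {
        "mechanisms": sorted(mechs),
        "integrated_auth": sorted(mechs & WINDOWS_INTEGRATED),
        "basic_without_tls": [] if has_starttls else sorted(mechs & BASIC),
        "starttls": has_starttls,
    }


def audit_ehlo(reply: str) -> dict:
    """Convenience wrapper: raw EHLO text in, audit summary out."""
    return audit_features(parse_ehlo(reply))


def fetch_features(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live variant (assumed wiring, needs network): read features via smtplib.

    smtplib stores keywords lower-cased and keeps the legacy '=LOGIN' text in
    the auth parameters, so normalise to the shape parse_ehlo() produces.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        return {
            kw.upper(): [p.lstrip("=").upper() for p in params.split()]
            for kw, params in conn.esmtp_features.items()
        }


if __name__ == "__main__":
    for label, sample in (("default", IIS_DEFAULT_EHLO), ("hardened", HARDENED_EHLO)):
        print(label, audit_ehlo(sample))
```

Run against the default sample it reports NTLM and GSSAPI still advertised and LOGIN offered in the clear; against the hardened sample it reports no integrated mechanisms and Basic auth only behind STARTTLS. As Todd notes, RestrictAnonymous settings on the host change nothing in this output, which is exactly why checking the advertised mechanisms, rather than the registry, is the useful confirmation.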
Current thread:
- IIS SMTP component allows mail relaying via Null Session Todd Sabin (Mar 01)
- <Possible follow-ups>
- RE: IIS SMTP component allows mail relaying via Null Session Toni Lassila (Mar 04)
- Re: IIS SMTP component allows mail relaying via Null Session Todd Sabin (Mar 05)