On 8/14/2024 8:17 AM, Craig A. Berry wrote:

On 8/13/24 8:25 PM, Richard Jordan wrote:

On 8/13/24 6:28 PM, Stephen Hoffman wrote:

On 2024-08-13 14:54:42 +0000, Richard Jordan said:

Problem identified.  There was an incorrect parameter in the
TCPIP$SMTP.CONF file.

That TCPIP$SMTP.CONF file is all too reminiscent of the recent
CrowdStrike mess.

If that configuration file is missing or empty, OpenVMS SMTP turns
into an open relay, too. No errors.

Yes.  It was unfortunate that drastic SMTP config changes were made in
an ECO to 5.7 that were never really followed up on too.  Or
documented...  Hopefully 6.0 will be better.

6.0 creates the configuration file for you when you enable the SMTP
service and sets relay to false.  I guess that's something. But under
the help for SET CONFIGURATION SMTP I see no mention of SMTPS,[1] SPF,
DKIM, or DMARC,[2] all of which are now necessary to send mail with a reasonable chance of getting through.

[1] https://www.cloudflare.com/learning/email-security/smtp-port-25-587/

[2] https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/

VMS has definitely been lacking in this area for years.

But maybe it is not so important any more.

My impression is that email in general is becoming outsourced
as default. Companies outsource all their email. Even many
ISP's outsource all their email.

inbound email - external service

outbound email - external service /
local server forwarding to external service /
specialized bulk email service that expose web service
API and handle all the legal requirements for unsubscribe etc.

Arne

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 8/13/24 8:25 PM, Richard Jordan wrote:

On 8/13/24 6:28 PM, Stephen Hoffman wrote:

On 2024-08-13 14:54:42 +0000, Richard Jordan said:

Problem identified.  There was an incorrect parameter in the
TCPIP$SMTP.CONF file.

That TCPIP$SMTP.CONF file is all too reminiscent of the recent
CrowdStrike mess.

If that configuration file is missing or empty, OpenVMS SMTP turns
into an open relay, too. No errors.

Yes.  It was unfortunate that drastic SMTP config changes were made in
an ECO to 5.7 that were never really followed up on too.  Or
documented...  Hopefully 6.0 will be better.

6.0 creates the configuration file for you when you enable the SMTP
service and sets relay to false. I guess that's something. But under
the help for SET CONFIGURATION SMTP I see no mention of SMTPS,[1] SPF,
DKIM, or DMARC,[2] all of which are now necessary to send mail with a reasonable chance of getting through.

[1] https://www.cloudflare.com/learning/email-security/smtp-port-25-587/

[2] https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-08-14 01:25:48 +0000, Richard Jordan said:

On 8/13/24 6:28 PM, Stephen Hoffman wrote:

On 2024-08-13 14:54:42 +0000, Richard Jordan said:

Problem identified.á There was an incorrect parameter in the
TCPIP$SMTP.CONF file.

That TCPIP$SMTP.CONF file is all too reminiscent of the recent
CrowdStrike mess.

If that configuration file is missing or empty, OpenVMS SMTP turns into
an open relay, too. No errors.

Yes. It was unfortunate that drastic SMTP config changes were made in
an ECO to 5.7 that were never really followed up on too. Or
documented... Hopefully 6.0 will be better.

Or tested, seemingly. Defaulting to an open relay is just spectacularly
stupid. Default an unconfigured mail server startup to a safe
configuration (e.g. local only), and generate appropriate log chatter.

I've cobbled together mail relaying for some installation requirements,
but it's likely safer to disable the SMTP giblets within the grafted-on
IP stack entirely, and modify the apps to access a remote mail server
using either direct or indirect ESMTP access.



--
Pure Personal Opinion | HoffmanLabs LLC

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, 14 Aug 2024 19:58:16 -0400, Stephen Hoffman wrote:

Defaulting to an open relay is just spectacularly stupid.

Back in the 1990s, as the spam problem was just gathering steam, there
were some old-school sysadmins who vehemently insisted on their right to continue maintaining open mail relays.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 8/14/24 6:58 PM, Stephen Hoffman wrote:

On 2024-08-14 01:25:48 +0000, Richard Jordan said:

On 8/13/24 6:28 PM, Stephen Hoffman wrote:

On 2024-08-13 14:54:42 +0000, Richard Jordan said:

Problem identified.  There was an incorrect parameter in the
TCPIP$SMTP.CONF file.

That TCPIP$SMTP.CONF file is all too reminiscent of the recent
CrowdStrike mess.

If that configuration file is missing or empty, OpenVMS SMTP turns
into an open relay, too. No errors.

Yes.  It was unfortunate that drastic SMTP config changes were made in
an ECO to 5.7 that were never really followed up on too.  Or
documented...  Hopefully 6.0 will be better.

Or tested, seemingly. Defaulting to an open relay is just spectacularly stupid. Default an unconfigured mail server startup to a safe
configuration (e.g. local only), and generate appropriate log chatter.

I've cobbled together mail relaying for some installation requirements,
but it's likely safer to disable the SMTP giblets within the grafted-on
IP stack entirely, and modify the apps to access a remote mail server
using either direct or indirect ESMTP access.

In this case the VMS system receives no email and has no public
exposure. It can send email 'anywhere' but relays through the company's primary SMTP server. It works fine for current needs; using SENDMAIL
(and TCPIP$SFF) to add the Reply-To header option is a new request, and
led to the discovery of this problem.

Thanks again to those who responded to the initial query; I really
thought a new bug had been exposed, not just a bad config entry.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-08-14, Stephen Hoffman <seaohveh@hoffmanlabs.invalid> wrote:

Or tested, seemingly. Defaulting to an open relay is just spectacularly stupid. Default an unconfigured mail server startup to a safe
configuration (e.g. local only), and generate appropriate log chatter.

At least adding support for actually turning off the open relay was an improvement over what came previously.

I've cobbled together mail relaying for some installation requirements,
but it's likely safer to disable the SMTP giblets within the grafted-on
IP stack entirely, and modify the apps to access a remote mail server
using either direct or indirect ESMTP access.

I was one of the people 20+ years ago trying to get HP to actually give
us an option to turn off the open relay. I think I've talked about this
before, but I got a support person who simply didn't understand the issue
and I had to spend time teaching him about the issue and the implications.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Lawrence D'Oliveiro <ldo@nz.invalid> wrote:

On Wed, 14 Aug 2024 19:58:16 -0400, Stephen Hoffman wrote:

Defaulting to an open relay is just spectacularly stupid.

Back in the 1990s, as the spam problem was just gathering steam, there
were some old-school sysadmins who vehemently insisted on their right to >continue maintaining open mail relays.

I was one of them, making the argument that abusers should be dealt with
rather than just hiding the problem. Unfortunately the makeup of the
internet was changing at the time and things were growing to the point
where admins were no longer able to keep track of their users and I think
a lot of us didn't see the impending train wreck and destruction of the community we knew and loved coming.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)