"Toni Lassila" <toni.lassila@mc-europe.com> writes:

> > Overview:
> > IIS comes with a small SMTP component. The default settings allow
> > anyone who can authenticate to it to relay email. Because the
> > authentication system supports NTLM, it is possible for anyone to
> > authenticate using null session credentials, and then relay email.
> >
> > Workarounds:
> > Disable the SMTP service.
> > Disable the ability of authenticated users to relay email.
> > Firewall off the SMTP service from untrusted networks.
>
> I suspect turning off NTLM authentication and allowing only Basic
> Authentication (with or without TLS),

I tried this, and it appears to be effective.

> or alternatively disabling
> null session access (details are in many MS KB) from the server
> are two possible workarounds as well. Disabling null sessions is
> one of those security features one should do when securing a
> Windows-based server anyway.

If by "disabling null sessions" you mean setting RestrictAnonymous to 1
or 2, then that is not effective. RestrictAnonymous doesn't disable
anonymous access, it just places additional restrictions on it. You can
still authenticate just fine with a null session when RA=2, and that's
all you need for relaying.

Todd

--
Todd Sabin <tas@webspan.net>
BindView RAZOR Team <tsabin@razor.bindview.com>