6

I would like to whitelist an IP address on my SMTP server so that non-authenticated emails on connections originating from that IP could be routed. I control that other IP, so I can make sure that only the emails I want to originate from it will originate from it and nothing else.

If I do that, can someone leverage this setting, fake the incoming IP address and use my SMTP server as an open relay?

There is "open internet" between the two servers.

Andrew Savinykh

4 Answers

8

IP spoofing is the term used for forging an IP address, however it's very hard to accomplish with an SMTP connection as it requires an established TCP connection. IP address spoofing works as an attack when you don't need traffic coming back to the sending host. Using an analogy, if I send a letter to an address with a return address other than mine I will not get any response - it will be sent to the return address on the letter. I would not be able to form a correspondence with anyone if I'm forging the return address.

SMTP uses TCP, a protocol that establishes a connection between two hosts and controls the flow of information between them. A system trying to establish a connection using a spoofed IP address will not be able to set up a TCP connection, as packets from the other host will be routed to the server which actually owns the IP address.

If someone was able to insert themselves at a point in the network between the two authentic servers they could use Network Address Translation to change the source IP address of packets from a server they control and set up a TCP connection, however this is very sophisticated and extremely unlikely. In any case you could defeat this by using public/private key pairs to verify the sending host. You don't need to be concerned about someone spoofing the IP address of your email server.

GdD
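The argument in the answer above, as an added toy model (not code from the original post): the server answers every SYN with a SYN-ACK carrying a fresh random 32-bit initial sequence number, and that SYN-ACK is routed to whatever address the SYN claimed as its source. A blind spoofer therefore has to guess the ISN to finish the handshake, while an attacker who actually sits on the path (the answer's caveat) sees it and succeeds. The three addresses are RFC 5737 documentation ranges chosen for this example; the "network" is a one-line routing rule, not a packet stack.

```python
"""Toy model of the TCP three-way handshake: why blind IP spoofing never
produces an SMTP session, and why an on-path attacker is the real exception.
Added illustration; all addresses below are constructed for the example."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

SERVER_IP = "192.0.2.25"       # constructed: the SMTP server
TRUSTED_IP = "203.0.113.10"    # constructed: the whitelisted relay host
ATTACKER_IP = "198.51.100.77"  # constructed: the attacker's real address


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


@dataclass
class Server:
    """Server side of the handshake: one random 32-bit ISN per half-open SYN."""
    ip: str
    isn_source: Callable[[], int] = lambda: secrets.randbits(32)
    pending: dict = field(default_factory=dict)     # claimed client ip -> server ISN
    established: set = field(default_factory=set)

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "SYN":
            isn = self.isn_source()
            self.pending[seg.src] = isn
            # The reply is addressed to whatever source the SYN claimed.
            return Segment(self.ip, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.pending:
            # The third packet must acknowledge the ISN the server actually chose;
            # a wrong ACK number just drops the half-open connection.
            if seg.ack == self.pending.pop(seg.src) + 1:
                self.established.add(seg.src)
        return None


def network_deliver(seg: Segment, attacker_on_path: bool) -> Optional[Segment]:
    """Routing rule: the attacker observes a packet only if it is addressed to
    the attacker, or if the attacker sits on the path to its destination."""
    if seg.dst == ATTACKER_IP or attacker_on_path:
        return seg
    return None   # delivered to the real owner of seg.dst; attacker sees nothing


def spoofed_connect(server: Server, attacker_on_path: bool = False) -> bool:
    """Attacker forges TRUSTED_IP as source and tries to finish the handshake."""
    syn = Segment(TRUSTED_IP, server.ip, "SYN", seq=secrets.randbits(32))
    synack = network_deliver(server.receive(syn), attacker_on_path)
    if synack is not None:
        guess = synack.seq             # on path: the real ISN was observed
    else:
        guess = secrets.randbits(32)   # blind: one chance in 2**32 per attempt
    server.receive(Segment(TRUSTED_IP, server.ip, "ACK", seq=syn.seq + 1, ack=guess + 1))
    return TRUSTED_IP in server.established


def legitimate_connect(server: Server) -> bool:
    """The real whitelisted host: it receives the SYN-ACK, so it knows the ISN."""
    syn = Segment(TRUSTED_IP, server.ip, "SYN", seq=secrets.randbits(32))
    synack = server.receive(syn)
    server.receive(Segment(TRUSTED_IP, server.ip, "ACK", seq=syn.seq + 1, ack=synack.seq + 1))
    return TRUSTED_IP in server.established


if __name__ == "__main__":
    print("legitimate host: ", legitimate_connect(Server(SERVER_IP)))
    print("blind spoofer:   ", spoofed_connect(Server(SERVER_IP)))
    print("on-path spoofer: ", spoofed_connect(Server(SERVER_IP), attacker_on_path=True))
```

Nothing at the SMTP layer is reached in the blind case: no banner, no EHLO, no MAIL FROM, because the connection never exists. The on-path case is exactly where an IP whitelist stops being an authentication control, which is why the answer points to key-based verification of the sending host for that threat.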
0

IP Spoofing

Yes,

This is called IP Spoofing

Quote from wikipedia:

In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system

Of course, you could replay packets to initiate a DDoS on the mail server, but the reply packets will never reach the source, so a full TCP connection will not work (unless the attacker is located on a router in the middle between you and the real location of the spoofed IP).

But in another way, spoofing the IP in the mail header could be done too, see this second quote from the same origin:

The term spoofing is also sometimes used to refer to header forgery, the insertion of false or misleading information in e-mail or netnews headers. Falsified headers are used to mislead the recipient, or network applications, as to the origin of a message. This is a common technique of spammers and sporgers, who wish to conceal the origin of their messages to avoid being tracked down.

So IP spoofing for mail forgery is at a different level, but could be done too.

  • *"The machine that receives spoofed packets will send a response back to the forged source address, which means that this technique is mainly used when the attacker does not care about the response or the attacker has some way of guessing the response"* - So in my case it effectively means "**NO**"? You can't have a meaningful SMTP exchange with a spoofed IP? – Andrew Savinykh Mar 10 '16 at 08:03
  • Thank you for your edit. My question does not concern email header forgery. I'm asking whether it is possible to pose as a different IP while executing the SMTP protocol. So if I read your response correctly, I should not be worried about IP spoofing; is there any other concern that could make the described setup a security problem? – Andrew Savinykh Mar 10 '16 at 08:09
  • If you use mail config to whitelist an IP, this could be faked by mail header forgery. If you use a firewall to block IPs and whitelist, this could be OK, but from there, a non-authorized IP could not connect to your mail server, even for authentication. – F. Hauri - Give Up GitHub Mar 10 '16 at 08:15
  • *If you use mail config to whitelist an IP, this could be faked by mail header forgery.* That's a good point. I need to check my mail server documentation to see if it's actually the case. Before you mentioned it I assumed that mail filtering and connection filtering would deal with headers and connections respectively; after all, how often do you specify an IP (instead of a domain name) in your email headers? But it's implementation dependent I'm guessing, so I'll make sure to check this out. – Andrew Savinykh Mar 10 '16 at 08:18
  • This answer just isn't right, you can't use IP spoofing to establish a TCP connection. – GdD Mar 10 '16 at 08:57
  • @GdD, But not wrong,... Answer edited. – F. Hauri - Give Up GitHub Mar 10 '16 at 09:50
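The distinction raised in the comments above, as an added example (not code from the original answer or its comments): a relay check that trusts IP addresses found in `Received:` headers is fooled by a forged header, while a check keyed on the TCP peer address is not, because that address comes from the completed handshake rather than from anything the sender typed. The message, the whitelisted address 203.0.113.10 and the connecting address 198.51.100.77 are all constructed for this example; the `stamp_received` helper models what an MTA does when it adds its own `Received:` line.

```python
"""Header forgery versus connection address in an SMTP relay whitelist.
Added illustration; the message and addresses are constructed for this example."""
import re
from email import message_from_string

# Assumption for the example: the one host allowed to relay unauthenticated mail.
TRUSTED_RELAY_IPS = {"203.0.113.10"}

# Constructed message: a sender actually connecting from 198.51.100.77 has
# forged a Received: line claiming the mail already passed through the
# whitelisted host. Headers are what the client sends after DATA, so the
# client controls every byte of them.
FORGED_MESSAGE = """\
Received: from relay.example.net ([203.0.113.10])
\tby mx.example.net with ESMTP; Thu, 10 Mar 2016 08:00:00 +0000
From: spammer@example.org
To: victim@example.com
Subject: test

hello
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_ips(raw: str) -> list:
    """Every bracketed IPv4 address in the Received: headers, top to bottom."""
    msg = message_from_string(raw)
    return [ip for h in msg.get_all("Received", []) for ip in IP_IN_BRACKETS.findall(h)]


def relay_allowed_naive(raw: str) -> bool:
    """Vulnerable check: believes whatever the Received: headers claim."""
    return any(ip in TRUSTED_RELAY_IPS for ip in header_ips(raw))


def relay_allowed(peer_ip: str, raw: str) -> bool:
    """Correct check: only the address the TCP connection came from counts
    (this is what Postfix's permit_mynetworks matches against). The message
    body and headers are irrelevant to the decision."""
    return peer_ip in TRUSTED_RELAY_IPS


def stamp_received(peer_ip: str, raw: str) -> str:
    """What a receiving MTA does: prepend its own Received: line recording the
    peer address it actually observed. Only this topmost line is trustworthy to
    the server that wrote it; everything below it is client-supplied."""
    line = f"Received: from unknown [{peer_ip}]\n\tby mx.example.net with ESMTP\n"
    return line + raw


if __name__ == "__main__":
    peer = "198.51.100.77"   # constructed: where the connection really came from
    print("header-based check:", relay_allowed_naive(FORGED_MESSAGE))   # fooled
    print("peer-based check:  ", relay_allowed(peer, FORGED_MESSAGE))   # not fooled
    print("Received chain:    ", header_ips(stamp_received(peer, FORGED_MESSAGE)))
```

The practical check for the question's setup is therefore: confirm that the server's whitelist directive is matched against the connecting client address (Postfix `mynetworks`, for instance, is), and that no content filter or milter is granting relay rights based on header contents.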
0

You seem to be trying to use the IP address as a means of authentication. As GdD says, IP spoofing is possible - but in practice, difficult across the internet.

Restrictions at the firewall level are good for cutting down the noise, but really you should probably be implementing more specific controls and additional layers of controls. But the more layers, the more complex the task of changing / extending the security controls. Further, basing access on the remote IP address means that the controls only work with fixed IP addresses.

Depending on how much security really is required and what your future needs might be, I would suggest you consider a VPN or SSL with client certificates, which would handle NAT as well as providing basic authentication - and/or using SMTP AUTH.

symcbean
0

As stated in the previous answers it seems clear that you can't have a meaningful SMTP conversation if the IP is spoofed, since SMTP is a back-and-forth exchange.

I wonder however if that still holds true if your server supports PIPELINING (http://tools.ietf.org/rfc/rfc2920.txt)?

In that mode, all commands are sent at once to reduce the impact of network latency on the multi-step conversation.

There might be a way to exploit this in your scenario.

P_J
  • You still send EHLO first to the server to get the capabilities (which may or may not include pipelining from client perspective) – Andrew Savinykh Mar 10 '16 at 18:53