
Block unauthorized access to SMTP server on your iSeries

If you keep the SMTP server active on your iSeries, you could leave your system open to spammers who could take over the server to relay their spam messages. Rich Loeber tells you what you can do to control SMTP server access.

Many OS/400 shops keep the SMTP server active on their system to support host-based applications that format and send e-mail messages directly from their iSeries-AS/400 system. The problem is, with the SMTP server active, you could leave your system open to spammers who could take over the SMTP server to relay their spam messages. There are steps you can take, however, to control SMTP relay on your system.

First, check to see if SMTP is active on your system by running the following command:

WRKACTJOB SBS(QSYSWRK)

Page up through the list of tasks displayed and look for a series of four or five jobs that start with the name QTSMTPxxxx. If these tasks are there, then the SMTP server is active on your system.

Controlling SMTP mail relay involves two processes. First, you have to set the ALWRLY parameter in the SMTP Attributes on your SMTP server. This is updated using the CHGSMTPA (Change SMTP Attributes) command.

 

If you just want to deny all mail relays, set this value to *NONE and you're all set -- you can stop reading now and move on with your life. However, if you are sending mail from your iSeries using the SNDDST or other program-controlled methods, you cannot leave this setting at *NONE because it will block mail being sent from your system. Simply changing this setting to *ALL is not a good idea either, as it will allow anyone to relay mail through your system. The best choices are one of the following:

 

  • *LIST -- Only IP addresses that match an *ACCEPT SMTP list entry will be allowed or denied
  • *NEAR -- Only IP addresses that match a *NEAR SMTP list entry will be allowed
  • *BOTH -- The system will look at both the *LIST and *NEAR entries

Once you have this part configured and have specified one of the three recommended settings, you then have to update the SMTP list to indicate who can relay mail. You use the ADDSMTPLE (Add SMTP List Entry) command to do that. There are a lot of options for this, but as a simple example let's set up an entry that will permit mail to be relayed from your iSeries. If your system has an IP address of 10.100.2.1, then you would add a relay accept transaction that looks like the following:

ADDSMTPLE TYPE(*ACCEPT) INTNETADR('10.100.2.1') SUBNETMASK('255.255.255.255')


This entry will accept all SMTP mail that is sent from the specific IP address indicated in the INTNETADR parameter. The subnet mask used here is coded so that only the specific IP address will be processed. You can also use this command to post a *REJECT or *NEAR entry to the SMTP list to indicate specific IP addresses to be rejected or to define a system to be considered as a *NEAR system. Varying the subnet mask can let you define ranges of IP addresses. (If you need help on how to code these entries, feel free to contact me.)

Once entries have been added to the SMTP list, you can delete them using the RMVSMTPLE (Remove SMTP List Entry) command. It would be nice if IBM provided a WRKSMTPLE command, too, but the test system I work on has no sign of this feature.

If you have been using SMTP list entries for a while, you may need to know what entries are already established on your system. OS/400 provides no support for a review function, but you can review what is already set up by examining the various members in the file named QATMADRLST in library QUSRSYS. Each member, which you will find appropriately named, contains the list entries for that type. A simple query report can list the entries, and you can remove unwanted entries as needed.
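The subnet mask on an entry decides how many addresses it lets relay, which is the thing to check when reviewing entries listed from QATMADRLST. The following Python sketch is an added example, not part of the original article or any IBM tooling: it assumes the usual mask-and-compare matching, and the entries and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample entries (type, INTNETADR, SUBNETMASK); not from a real system.
ENTRIES = [
    ("*ACCEPT", "10.100.2.1", "255.255.255.255"),  # single host, as in the article
    ("*ACCEPT", "10.100.3.0", "255.255.255.0"),    # a 256-address range
    ("*ACCEPT", "10.0.0.0", "255.0.0.0"),          # a very broad range
]

def covered_network(address, mask):
    """Return the network an address/mask pair covers (host bits cleared)."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)

def matches(client, address, mask):
    """Assumed semantics: client AND mask equals entry address AND mask."""
    return ipaddress.ip_address(client) in covered_network(address, mask)

def relay_accepted(client, entries):
    """True if any *ACCEPT entry covers the client address."""
    return any(t == "*ACCEPT" and matches(client, a, m) for t, a, m in entries)

def broad_entries(entries, max_addresses=256):
    """List *ACCEPT entries that cover more than max_addresses addresses."""
    found = []
    for t, a, m in entries:
        size = covered_network(a, m).num_addresses
        if t == "*ACCEPT" and size > max_addresses:
            found.append((a, m, size))
    return found

if __name__ == "__main__":
    for t, a, m in ENTRIES:
        net = covered_network(a, m)
        print(f"{t:8} {a:15} {m:15} -> {net} ({net.num_addresses} addresses)")
    for a, m, size in broad_entries(ENTRIES):
        print(f"REVIEW: {a} mask {m} lets {size} addresses relay")
```

An entry flagged by broad_entries is a candidate for removal with RMVSMTPLE and replacement by narrower entries.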

If you have any specific questions about this topic, you can reach me at rich@kisco.com. I'll try to answer your questions. All e-mail messages will be answered.

---------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.


 
