Preventing VAX running VMS / Multinet from being used as SMTP relay
dougatdoughq at gmail.com
Sat Dec 2 04:48:26 CST 2017
Without sounding super negative (my day job as a security consultant let's
me do that enough...) I would be especially wary of connecting anything
with a 10 year old stack to the modern internet. The range of automatic
attacks based on what the state of the OS was when it was last patched is
Can you NAT it behind something to not expose it directly? Can you run
proxies in front of it?
On 2 Dec. 2017 8:34 pm, "Camiel Vanderhoeven via cctech" <
cctech at classiccmp.org> wrote:
> On 11/30/17, 9:26 PM, "cctech on behalf of william degnan via cctech"
> <cctech-bounces at classiccmp.org on behalf of cctech at classiccmp.org> wrote:
> >I have a microvax set up with VMS 5, running MULTINET (and decnet
> >locally). The server has a FQDN and after a while being exposed to the
> >WWW someone out there started using the server as an SMTP relay. I can
> >disable and clear the queue, but I'd like to block entirely this from
> >happening in the first place. I'd like to learn more about how this
> >happens in VMS.
> >Anyone have had this same problem before? I realize back when VMS 5 was
> >current it was not so much of an issue, but today it is. I am working on
> >solution. I can envision a few ways including blocking the smtp relay
> >from the firewall, but if possible I'd like to set up a VMS Multinet
> >solution as a learning exercise.
> >I am open to suggestions, and once I find the solution I'll post it.
> >I understand that this kind of thing is not cookie cutter, there are
> >different levels one could address something like this. I have a comcast
> >business router, and one of the 5 IPs I have is NAT assigned to the
> >internal 10.1.10 port of the microvax.
> >This is the same machine I wrote about previously as with then, thanks for
> >your help. I find the best way to learn is on the actual hardware warts
> >and all.
> Look at the SMTP_SERVER_REJECT file example here:
> It¹s a set of rules that decide whether a message gets rejected (rule
> ending in ³y²) or let through (rule ending in ³n²). You¹d normally set
> this up to first let through those emails you want, then reject everything
> else at the end of the rules file.
More information about the cctalk