Open Relay, Open Ziti

Actieve
6 min read · Jul 1, 2024


In the world of email servers, security is paramount. However, there are times when the convenience of an open relay server trumps the intricacies of strict security measures. As someone who is admittedly too lazy to properly secure an open relay server, I’ve found a comfortable middle ground by sharing it via localhost using an Open Ziti Tunnel. This approach allows me to enjoy the benefits of an open relay without the hassle of securing it in the traditional sense… and quite frankly, I don’t have the time and/or energy to try and remember how to secure it, or to learn how to secure it today as opposed to yesterday against whatever new “hack” may be out.

First off, what the hell is an Open Relay Server?

An open relay server is a mail server configured to allow anyone on the internet to send emails through it. While this setup is generally discouraged due to the potential for abuse by spammers, it offers unparalleled convenience for certain use cases. In my scenario, I use an open relay server regularly to enable white-labeled applications to send emails from non-authorized and not well-defined sources. This flexibility is crucial for applications that need to send emails on behalf of various clients without the overhead of strict email server configurations… I first realized what this was circa 1998 when I sent an email from the CEO of my company to everyone on staff on April first with the content of…

“You’re Fired, please pack up your things and leave by the end of the day”

If anyone is reading this and remembers the aftermath of when that occurred and how I never fessed up, consider this my confession, and my formal “HaHa April Fools!”.

Easy Setting, LocalHost Only

Sharing an open relay server to localhost simplifies the process significantly. By restricting the relay to localhost, I mitigate some security risks by ensuring that only local applications can interact with the relay server. This setup is straightforward and allows me to maintain a level of control over the email sending process without delving into complex security configurations. Prior to OpenZiti, I used to install an SMTP Server on every one of my application servers because it was super easy to have it there running on localhost and not worrying about cross server access…

...and yes, I agree, that was stupid, but it worked and it was easy and required very little attention on my behalf.

Serve me up a plate of Ziti and make it Open!

With my belly full of delicious carbohydrates I can surely figure out an even simpler way to accomplish my task of having only one server running SMTP as an Open Relay.

Create the SMTP Service in OpenZiti:

  1. Log into the Ziti Admin Console
    (I use the original Node Version because I despise the overhead of Angular and because a super handsome man wrote it).
  2. Navigate to the “Services” section.
  3. Click on “Create Service.”
  4. Fill in the service details:
    Name: SMTP_Service
    Protocol: tcp
    Ports: 25, 587, 465 (or the specific ports your SMTP service uses)
    Address: Internal IP address of your SMTP server.

Configure the SMTP Service Policies:

  1. Under the “Services” section, find SMTP_Service and select it.
  2. Go to the “Policies” tab.
  3. Create a new “Bind Policy”:
    Name: SMTP_Bind_Policy
    Select the SMTP service.
    Define the identities (applications/users) that can bind to this service.

Configure Access Policies for Application Servers

  1. Create a new “Dial Policy”:
    Name: SMTP_Dial_Policy
    Select the SMTP service.
    Define the identities that can dial into this service (typically your white-labeled applications).

Create Identities for White-Labeled Applications:

  1. Go to the “Identities” section.
  2. Click on “Create Identity.”
  3. Fill in the details for each white-labeled application:
    Name: App_Identity_<ApplicationName>
    Type: Device or Service as applicable.
  4. Download the identity files (JSON format) for each application.

Distribute Identity Files to Applications:

  1. Provide the downloaded identity JSON files to the respective white-labeled applications.
  2. Ensure the applications are configured to use these identities to connect to the OpenZiti network.

Set Up Open Relay Configuration on SMTP Server:

  1. Configure your SMTP server to allow relay for the localhost IP Address.
  2. Ensure the SMTP server is secured and only accepts connections from localhost.

Install OpenZiti SDK/Edge Client on White-Labeled Applications:

  1. On each white-labeled application, embed the OpenZiti SDK in your application or install the server specific Edge Client.
  2. Import the provided identity JSON file into the SDK/Edge Client.

Connect White-Labeled Applications to Open Ziti Network:

  1. Configure the applications to use the OpenZiti network for SMTP communication.
  2. Update the SMTP configuration in the applications to use the OpenZiti service endpoint.
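The same setup as the console steps above, driven from the ziti CLI. This is an added example, not the post’s own, and it assumes a ziti CLI already logged in to the controller, a tunneler on the SMTP host whose identity carries the role attribute smtp-host, app identities carrying smtp-client, and made-up names (smtp.ziti, App_Identity_Billing). Note that because the relay trusts everything arriving from 127.0.0.1, the dial policy becomes the relay’s real access control.

```shell
#!/bin/sh
# Added example: ziti CLI equivalent of the admin-console steps.
# Assumed: ziti CLI logged in; SMTP host tunneler tagged #smtp-host;
# app identities tagged #smtp-client; smtp.ziti and App_Identity_Billing
# are made-up names.
set -eu

# JSON array of single-port ranges, shared by both config types.
port_ranges() {            # $@ = ports
  r=""
  for p in "$@"; do r="${r:+$r,}{\"low\":$p,\"high\":$p}"; done
  printf '[%s]' "$r"
}

# host.v1: what the tunneler on the SMTP box forwards to. 127.0.0.1 means
# the relay only ever listens on localhost; forwardPort keeps 25/465/587 apart.
smtp_host_config() {       # $1 = address, $2.. = ports
  a="$1"; shift
  printf '{"protocol":"tcp","address":"%s","forwardPort":true,"allowedPortRanges":%s}' \
    "$a" "$(port_ranges "$@")"
}

# intercept.v1: the hostname/ports the app servers dial; their tunneler
# intercepts it and carries the connection over the fabric.
smtp_intercept_config() {  # $1 = hostname, $2.. = ports
  h="$1"; shift
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":%s}' \
    "$h" "$(port_ranges "$@")"
}

apply() {
  ziti edge create config smtp.host.v1 host.v1 "$(smtp_host_config 127.0.0.1 25 465 587)"
  ziti edge create config smtp.intercept.v1 intercept.v1 "$(smtp_intercept_config smtp.ziti 25 465 587)"
  ziti edge create service SMTP_Service --configs smtp.host.v1,smtp.intercept.v1 --role-attributes smtp
  # Bind: only the tunneler on the SMTP host may offer the service.
  ziti edge create service-policy SMTP_Bind_Policy Bind \
    --service-roles '@SMTP_Service' --identity-roles '#smtp-host'
  # Dial: this list is the relay's effective allow-list, so keep #smtp-client tight.
  ziti edge create service-policy SMTP_Dial_Policy Dial \
    --service-roles '@SMTP_Service' --identity-roles '#smtp-client'
  # One identity per white-labeled app; enrolment turns the JWT into the JSON file.
  ziti edge create identity device App_Identity_Billing \
    --role-attributes smtp-client --jwt-output-file App_Identity_Billing.jwt
  ziti edge enroll App_Identity_Billing.jwt --out App_Identity_Billing.json
}

# Only talk to a controller when asked; the config helpers run anywhere.
if [ "${ZITI_APPLY:-0}" = 1 ]; then apply; fi
```

Run with ZITI_APPLY=1 against a controller; without it the script only defines the helpers.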

Big Brother is a big giant bully!

Enter the NSA Audit and thorough investigation of all of my software service and blah blah blah, go screw I am not a spy.

Personally, I don’t even understand why I have to explain all of my software to the NSA and how the hell they have the right to audit what I have published but whatever, this isn’t Live PD, “I aint got nothing to hide and I aint understand no double negatives neither”.

Actually the process was super easy, the conversation for each item went something like this…

NSA: “Do you utilize [ENTER Service Name]”

Me: “Yes”

NSA: “What settings do you do to secure the service?”

Mich: “Open Ziti”

NSA: “Yeah but, do you use firewall rules, or IP Access Rules, etc”

Ek: “No”

NSA: “Well how do you prevent hacking”

ʻO wau: “It’s only accessible to Localhost”

NSA: “How do you use it on different servers then? Do you expose it to just your local network”

Nekem: “No, only localhost”

NSA: “Ummm errr”

Ja: “OpenZiti, go read up on Zero Trust”

NSA: “Oh, I have heard of Zero Trust”

My Sarcastic whisper “Kind of sounds like you haven’t”

NSA: “What?”

Moi: “Nothing”

NSA: “What about multi factor authentication for the service”

ME: “By its very definition, OpenZiti is Multifactor”

How do I benefit by this?

If I have not made it obvious, there are some major benefits I have come away with.

  1. I no longer need 72 SMTP Services running on every app server and I can actually have SMTP Service as a micro service on one or two servers as needed.
  2. I can shut up Security officers (AKA Nerds) pretty easily which has always been a pet passion of mine.
  3. I can be even lazier than I was before, Open Ziti feeds my unyielding commitment to doing the bare minimum and keeping everything super simple!

Side Note

I am so lazy I tried to get Open AI to write this for me and it did an awful job with snark and sarcasm… Get better Open AI!
