| ArGoStuff User to User Support Forums |
outbound SMTP relay issue without authentication Last Post 03 Sep 2010 02:35 PM by SaigoLives. 6 Replies.
SaigoLives
 New Member
 Posts:6
 | | 20 Aug 2010 02:48 PM |
| I'm still using a version of Mailserver Plus (1.8.8.8) because of the old (but secure) server running it and not being able to install the components to go with the .net version. Regardless of why I'm doing that, I've just identified a MAJOR security issue that has apparently stayed under the radar to me until troubleshooting a spam relaying issue today. Despite enabling SMTP Authentication in the options, Mailserver Plus does not require authentication when the recipient is local (otherwise...no incoming mail from outside senders). The problem is, as long as ONE recipient in the TO: field IS local, it will still accept it (without authentication of course) and end up relaying it to ALL the recipients in the TO: field. Outlook prompts me for a password, which I cancel, generating an error, but lo-and-behold, an email STILL arrives in my work (local) email inbox AND my personal (Yahoo!) email inbox, from a fictitious email address/domain. And as I said, I never entered a password in the account set up, nor when prompted to do so by Outlook. This is a SERIOUS issue, though my firewall is configured to not allow outgoing SMTP traffic unless a local email address is in the FROM: field. This resulted in over 3700 outbound emails in my server's queue this morning, trying to be re-sent every 10 minutes, effectively taking it down, and if that approach is combined with a cloned header/FROM address to overcome the SMTP proxy in my firewall, then THAT line of defense is useless as well. If anybody can help me out on this one without simply telling me to upgrade to the latest .net version, I'd very much appreciate it. | | |
Matt - Forum Moderator
 Basic Member
 Posts:331
 | | 20 Aug 2010 03:11 PM |
| I'm a little confused by your post. We are using 1.8.9.5. I have smtp authentication checked, and "use pop3 usernames...". If someone from outside (non-local from address) was to send an email to our server, where one or more of the "to" email addresses are not local, it fails because they did not authenticate.
Did you say that your email account does not have a password? I'd suspect that you're having a problem because you never set up passwords on the server. Authentication implies a userid AND a password. If you have no password, there is no reason to authenticate, because the server is effectively "open"..
Set passwords everywhere they should be, and see if that resolves the issue.
HTH | | | Matt | |
| Matt - Forum Moderator
 Basic Member
 Posts:331
 | | 20 Aug 2010 03:13 PM |
| Oh, another thing.. under sender rules, check "relay only if sender has an account on this server".. that should stop the issue you're seeing...
HTH | | | Matt | |
| Martin
 New Member
 Posts:2
 | | 29 Aug 2010 05:42 PM |
| Ok, I've been at this same problem for days now and must conclude that there in fact *is* a problem with unauthorized sending of email. I've set up smtp authentication for sending email using pop3 accounts, used the sender rules, used ptr lookup protection, Spamhaus and what not. It all seems to work: as long as you use POP3 protocol or target non-local email addresses! In the log I see traces of colleagues logging in with Outlook and sending email, but also IP addresses from Brazil and Poland sending email to local users without authentication. As a test I used telnet and was able to successfully send mail to users of the domains within the mailserver *without any authentication*.
telnet mail.myserver.com 25
ehlo google.com
mail from: eric@google.com
rcpt to: localuser@myserver.com
data
Nothing to say......
.
And voila: message sent. Btw: these telnet messages are from memory and might be syntactically incorrect. I do however have logs on a remote server showing it doesn't work as expected. Thoughts, advice or confirmation about this are appreciated.
Edit: I was mixing up relay with local delivery. Still there is a problem when someone wants to deliver mail to a local user: you can do so without authentication. | | | |
| Matt - Forum Moderator
 Basic Member
 Posts:331
 | | 29 Aug 2010 08:37 PM |
| So you are saying that your email server is working as it should, right? Outside servers must be able to send an email to internal users without authenticating... After all, that's how your server is able to send an email to someone else.....(do any of these outside servers know what usernames/passwords are set on your server?)
What is important, is that outside servers cannot pretend to be a local user, relaying email to somewhere else. That's where the authentication comes in.
Rules:
1) If an outside server is sending to a local address, no authentication will occur...
2) If a local address is sending to another local address, no authentication needs to occur..(this is a spam problem)..
3) If a local address is sending to a non-local address, authentication MUST occur...
If you have sender rules set to only "relay only if sender has an account on this server", and smtp authentication set to use pop3 accounts/passwords, you will be properly protected.
HTH
| | | Matt | |
| Martin
 New Member
 Posts:2
 | | 30 Aug 2010 03:10 AM |
| Thank you for clearing things up Matt: much appreciated! | | | |
| SaigoLives
 New Member
 Posts:6
 | | 03 Sep 2010 02:35 PM |
| Thanks for your help everybody - unfortunately I've not been able to repeat the behavior. I understand SMTP authentication is not required for inbound SMTP traffic (otherwise we'd receive no incoming email whatsoever LOL). It seems I was able to get email out to a (my) yahoo account one time by including a local recipient in the To: field (ahead of the yahoo one) to get the server to accept it, and simply ignored the authentication prompt from my Outlook when it popped up (watching the server log, I see #### bytes had already been accepted at that point, which means it had made it to the server, something that wouldn't have happened in the first place if there'd been no local recipient specified). In cleaning up the numerous test emails it looks like I turned bonehead and inadvertently deleted the email that had made it through so I have nothing to work off of, diagnose, etc.
As far as checking to allow only relay if the sender has an account, the version we're using doesn't have that option - I'm guessing because of its age. I'm using SMTP authentication (POP3 names & passwords, and in NO case do I allow passwords to match the user names...a security issue on one prior occasion.) And all the issues I've had along these lines also originate off-shore - my latest batch tracked to a Polish IP address, and interestingly enough TARGETED predominantly foreign TLDs (it, fr, cn, br, jp, etc.)
Also, while I DO suspect compromised account credentials on another issue (and am logging all SMTP commands and exchanges), it is a separate matter from this one.
Eh...as I said...thank you all once again for your help and efforts. We will eventually be migrating our email duties over to a new server, and most likely coming up to speed with the latest version of the email server (if only to get the ability to save sent emails at the server level, something that is becoming more of an issue for off-site people using the web interface) - it is still far-and-away my favorite one.
Jeff | | | |
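
Added example (not part of any post above, and not the mail server's own code): a per-recipient relay check that follows the three rules Matt lists, next to the per-message check that would produce the behaviour described in the first post. The domain names, addresses and function names are constructed for illustration, and "sender has an account" is approximated by the sender's domain.

```python
# Constructed sample configuration: the only domain this server hosts.
LOCAL_DOMAINS = {"myserver.example"}

def is_local(addr):
    """True when the address belongs to a domain hosted on this server."""
    return addr.rpartition("@")[2].lower() in LOCAL_DOMAINS

def rcpt_decision(mail_from, rcpt_to, authenticated):
    """Decide ONE RCPT TO command, following the three rules in the thread."""
    if is_local(rcpt_to):
        # Rules 1 and 2: delivery to a local mailbox needs no authentication.
        return "250 accept (local delivery)"
    if not authenticated:
        # Rule 3: relaying to a non-local address requires authentication,
        # even if MAIL FROM claims a local address (it can be spoofed).
        return "530 reject (authentication required to relay)"
    if not is_local(mail_from):
        # Sender rule: relay only if the sender has an account on this server.
        return "550 reject (sender has no account on this server)"
    return "250 accept (authenticated relay)"

def accepted_per_recipient(mail_from, rcpts, authenticated):
    """Correct policy: every recipient is judged on its own."""
    return [r for r in rcpts
            if rcpt_decision(mail_from, r, authenticated).startswith("250")]

def accepted_per_message_flawed(mail_from, rcpts, authenticated):
    """Flawed policy: one local recipient lets the whole list through."""
    if authenticated or any(is_local(r) for r in rcpts):
        return list(rcpts)
    return []

if __name__ == "__main__":
    # Constructed test message: unauthenticated, forged sender, mixed recipients.
    sender = "fake@spoofed.example"
    rcpts = ["jeff@myserver.example", "jeff@yahoo.example"]
    for r in rcpts:
        print(r, "->", rcpt_decision(sender, r, authenticated=False))
    print("per-recipient:", accepted_per_recipient(sender, rcpts, False))
    print("per-message  :", accepted_per_message_flawed(sender, rcpts, False))
```

With the per-recipient check the unauthenticated message is delivered only to the local mailbox; the per-message check queues it for the outside address as well, which is the open-relay condition to test for.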
|  | | Mail Server v1.0.8.3 |
- Added support of STARTTLS (STLS) command for SMTP, POP3, IMAP, and SMTP relay and delivery, which will
allow secure, fully encrypted connections, when possible;
| | 11/6/2011 1:10:34 PM |
| Mail Server v1.0.8.2 |
- Optimized delivery speed. In earlier versions each "tick" which was checking whether messages were
in the outbox queue, was picking up only one message at a time. Now it will attempt to pick MaximumAllowedThreads-ActiveDelivery threads
messages, which should considerably increase delivery speed;
- Optimized SEARCH and STATUS IMAP commands. They appear to be used very extensively by Android, and (not that extensively, but still) by
iPhone. Now users who use mobile phones to access their IMAP accounts will see considerable improvement;
- Optimized STORE IMAP command. Before storing of IMAP flags was occurring one message at a time, which seemed to be fine
with SQL server, but proved to be slow for SQLite... Now it happens with single SQL call.
| | 10/8/2011 7:59:35 PM |
| ArGoSoft Mail Server v1.0.8.1 |
- Fixed a bug: when using IMAP via Firefox with "When I delete a message, move it
to Trash folder" option, marking messages in the trash folder was causing high CPU usage,
and was taking some time, making the server pretty much non-responsive. The problem was
happening only when using SQLite.
| | 6/6/2011 9:33:36 PM |
| ArGoSoft Mail Server v1.0.8.0 |
- Fixed a problem with web interface - was showing only first page of messages, and would not
switch to other pages; In order to fix the web interface, mail server itself has to be updated;
- When installing initially, was still using SQLite, even when SQL was requested;
- There was a problem with switching from SQLite database engine to SQL server database engine:
the SQL database was not being created;
| | 5/23/2011 5:53:55 PM |
| ArGoSoft Mail Server .NET v1.0.7.9 |
- The server no longer requires Microsoft SQL Server. If SQL server is not found, it will use
SQLite engine, which does not require separate installation. If SQL server is found, then user will be
prompted whether he wants to use it;
- Made other improvements, such as, now mailbox rebuild indexes orphaned records, rather than deleting them,
also added an option to increment UIDL validity of folder (both on the Mailbox viewer box);
- Made minor improvements on web interface;
| | 4/26/2011 9:47:25 PM |