Koozali.org: home of the SME Server

Block sending for unauthenticated internal users to internal users on port 25

Offline Mar

Dear all,

We have SME 9.2 up and running, everything is working fine.
I have an e-mail question / problem.
Our internal users connect to the e-mail through secure pop / imap.
We are receiving e-mails, relaying to external users is prohibited.
Currently the server accepts mails from internal users to internal users unauthenticated on port 25.
What is the best way to disable this - either enable authentication for internals on port 25 or simply prevent e-mails from the internal domain on port 25, or something completely different?
I have checked the web interface but was not able to figure out how to do this.

Regards

Offline mmccarn

Since SME 7.5 the default has been to require authentication for smtp relay - even from internal clients:
https://wiki.contribs.org/Email#Allow_SMTP_relay_of_mail_without_encryption.2Fauthentication

I do not see any way to change these settings in server-manager.

Offline Mar

Thanks for the reply,
but unfortunately I am able to send on port 25 without authentication internally.
Regards

Offline Mar

Does anyone have an idea about

Offline Mar

Hello good morning,
I think it is the qmail configuration, so the question is how to change this config to stop unauthenticated internal users from sending mails.
I could do it on SmarterMail, which I have on another server, but here the question is for qmail.
Regards
 

Offline janet

Mar

Maybe you missed reading or understanding what mmccarn was trying to tell you.

The behaviour you want should be happening by default.
It seems to me that maybe someone has changed the configuration at the command prompt.

See this
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network

You will need to run the commands referred to to change the configuration back to default settings.

This cannot be changed in server manager.


Also see this for reference
https://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Proxy_settings



Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Mar

Thanks, I will check it.

Offline Mar

Thanks Janet,
I found the mentioned file:
05auth_cvm_unix_local
under the path:
etc/e-smith/templates/var/service/qpsmtpd/config/peers/local
not under
etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
with the content:
{
    my $auth_smtp = ($smtpd{Authentication} eq 'enabled') ? 'yes' : 'no';
    my $auth_ssmtp = ($ssmtpd{Authentication} eq 'enabled') ? 'yes' : 'no';

    $OUT = "auth/auth_cvm_unix_local";
    $OUT .= " cvm_socket /var/lib/cvm/cvm-unix-local.socket";
    $OUT .= " enable_smtp $auth_smtp";
    $OUT .= " enable_ssmtp $auth_ssmtp";
}

and it looks from the content that authentication is required for LAN clients, which is the opposite of reality.
Is there any advice?
Thanks in advance.
Regards
« Last Edit: September 29, 2019, 02:17:58 PM by Mar »

Offline janet

Mar

That template file fragment content looks the same as the base template fragment on my system.
The recommended idea is to leave it unchanged, & copy it to the templates-custom tree & make changes there (typically).
I believe those template fragment updates were incorporated into SME Server many years ago, so you should not need to modify templates.
In your case you may only need to make db changes via command line.

Before doing so, investigate the current config & make a note of it.

What is the output of
config show qpsmtpd


Quote
..... it looks from the content that authentication is required for LAN clients, which is the opposite of reality.
Is there any advice?

After checking the config as above, if necessary you could run the command shown ie
How do I enable smtp authentication for users on the internal network

config setprop qpsmtpd Authentication enabled
signal-event email-update

Then follow the steps for
How do I disable SMTP relay for unauthenticated LAN clients in the link provided earlier in this thread.
ie
    Enable smtp authentication as shown above
    Disable un-authenticated smtp relay for the local network(s) using:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

    Configure your email clients to use smtps with authentication:

- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server

Offline Mar

Thanks Janet:
"After checking the config as above, if necessary you could run the command shown ie
How do I enable smtp authentication for users on the internal network

config setprop qpsmtpd Authentication enabled
signal-event email-update

Then follow the steps for
How do I disable SMTP relay for unauthenticated LAN clients in the link provided earlier in this thread.
ie
    Enable smtp authentication as shown above
    Disable un-authenticated smtp relay for the local network(s) using:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

    Configure your email clients to use smtps with authentication:

- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server "

I have one concern here: will the above commands have any effect on the current users (current users are now using smtps with port 465 and SSL)? Please advise.

Thank you in advance
Regards
Martin
« Last Edit: October 10, 2019, 04:23:48 PM by Mar »

Offline janet


Quote
I have one concern here: will the above commands have any effect on the current users (current users are now using smtps with port 465 and SSL)?

I expect not, they should work as normal.
If these changes are mission critical & you have concerns or do not trust sme server, then you can always set up a test system (eg at home) & see what happens before implementing any changes on a live system.

Offline Mar

Dear janet,
Thank you.
Unfortunately, I ran all the mentioned commands but I am still able to send mail on port 25 without a password between two accounts on the server.
Any help or ideas?
Regards
Martin
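
Added example (not part of the thread or of SME Server's own tooling): the test reported above, mail between two accounts on the same server, is local delivery rather than relay, and a server that receives mail for its own domain on port 25 normally accepts such recipients without authentication. This Python check, run from a LAN workstation against your own server, issues RCPT TO for one local and one external address and stops before DATA, so no mail is sent; the host and the three addresses are placeholders supplied on the command line.

```python
import smtplib
import sys

def classify(local_code, external_code):
    """Interpret the RCPT TO reply codes seen on an unauthenticated session."""
    if 200 <= external_code < 300:
        return "relay-open"            # external recipient accepted without AUTH
    if 400 <= external_code < 500 or 400 <= local_code < 500:
        return "inconclusive"          # temporary failure (e.g. greylisting); retry
    if 200 <= local_code < 300:
        return "local-delivery-only"   # relay refused, inbound mail still accepted
    return "all-refused"               # port 25 refuses this client entirely

def probe(host, local_rcpt, external_rcpt, sender, port=25):
    """Return (local_code, external_code) from one unauthenticated session.

    Only MAIL FROM / RCPT TO are issued; DATA is never sent, so nothing is
    queued. A 2xx here is the verdict at the RCPT stage only.
    """
    codes = []
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        for rcpt in (local_rcpt, external_rcpt):
            smtp.rset()                # start a fresh envelope for each recipient
            smtp.mail(sender)
            codes.append(smtp.rcpt(rcpt)[0])
    return tuple(codes)

if __name__ == "__main__":
    # Usage (all four values are placeholders for your own server and addresses):
    #   python3 relaycheck.py HOST LOCAL_RCPT EXTERNAL_RCPT SENDER
    host, local_rcpt, external_rcpt, sender = sys.argv[1:5]
    local_code, external_code = probe(host, local_rcpt, external_rcpt, sender)
    print(f"local RCPT -> {local_code}, external RCPT -> {external_code}")
    print("verdict:", classify(local_code, external_code))
```

A verdict of `local-delivery-only` means the relay restriction is in effect even though mail between two local accounts is still accepted on port 25.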

Offline janet

Martin

Time to diagnose & troubleshoot
show us the output of these commands

config show qpsmtpd

cat /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork

show us the various settings you have configured on an email client eg thunderbird (hide password)

show us the proxy setting for mail that is in server manager panel
ie this
https://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Proxy_settings


Offline Mar

Martin

Time to diagnose & troubleshoot
show us the output of these commands

config show qpsmtpd
//
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled
    access=public
    qplogsumm=disabled
    status=enabled
//

cat /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
//
# SMTP Relay from local network denied by custom template
//
show us the various settings you have configured on an email client eg thunderbird (hide password)

show us the proxy setting for mail that is in server manager panel
ie this
https://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Proxy_settings

All settings look OK.
« Last Edit: October 19, 2019, 03:02:45 PM by Mar »

Offline janet

Mar

Can you run this again

cat /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork

I get

# SMTP Relay from local network denied by custom template

