Koozali.org: home of the SME Server

Block sending for unauthenticated internal users to internal users on port25

Offline Mar

Dear all,

We have SME 9.2 up and running, everything is working fine.
I have an e-mail question / problem.
Our internal users connect to the e-mail through secure pop / imap.
We are receiving e-mails, relaying to external users is prohibited.
Currently the server accepts mails from internal users to internal users unauthenticated on port 25.
What is the best way to disable this - either enable authentication for internals on port 25 or simply prevent e-mails from the internal domain on port 25, or something completely different.
I have checked the web interface but was not able to figure out how to do this.

Regards

Offline mmccarn

Since SME 7.5 the default has been to require authentication for smtp relay - even from internal clients:
https://wiki.contribs.org/Email#Allow_SMTP_relay_of_mail_without_encryption.2Fauthentication

I do not see any way to change these settings in server-manager.

Offline Mar

Thanks for the reply,
but unfortunately I am able to send on port 25 without authentication internally.
Regards

Offline Mar

Does anyone have an idea about

Offline Mar

Hello good morning,
I think it is the qmail configuration, so the question is how to change this config to prevent unauthenticated internal users from sending mail.
I could do it on SmarterMail, which I have on another server, but here the question is for qmail.
Regards
 

Offline janet

Mar

Maybe you missed reading or understanding what mmccarn was trying to tell you.

The behaviour you want should be happening by default.
It seems to me that maybe someone has changed the configuration at the command prompt.

See this
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network

You will need to run the commands referred to to change the configuration back to default settings.

This cannot be changed in server manager.


Also see this for reference
https://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Proxy_settings



Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Mar

Thanks I will check it

Offline Mar

Thanks Janet,
I found the mentioned file:
05auth_cvm_unix_local
under the path:
etc/e-smith/templates/var/service/qpsmtpd/config/peers/local
not under
etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
 with the content:
{
    my $auth_smtp = ($smtpd{Authentication} eq 'enabled') ? 'yes' : 'no';
    my $auth_ssmtp = ($ssmtpd{Authentication} eq 'enabled') ? 'yes' : 'no';

    $OUT = "auth/auth_cvm_unix_local";
    $OUT .= " cvm_socket /var/lib/cvm/cvm-unix-local.socket";
    $OUT .= " enable_smtp $auth_smtp";
    $OUT .= " enable_ssmtp $auth_ssmtp";
}

and it looks from the content that the Authentication is required for LAN clients which is the opposite of reality
is there any advice?
Thanks in advance.
Regards
« Last Edit: September 29, 2019, 02:17:58 PM by Mar »

Offline janet

Mar

That template file fragment content looks the same as the base template fragment on my system.
The recommended idea is to leave it unchanged, & copy it to the templates-custom tree & make changes there (typically).
I believe those template fragment updates have been incorporated into sme server many years ago, so you should not need to modify templates.
In your case you may only need to make db changes via command line.

Before doing so, investigate the current config & make a note of it.

What is the output of
config show qpsmtpd


Quote
..... it looks from the content that the Authentication is required for LAN clients which is the opposite of reality
is there any advice?

After checking the config as above, if necessary you could run the command shown ie
How do I enable smtp authentication for users on the internal network

config setprop qpsmtpd Authentication enabled
signal-event email-update

Then follow the steps for
How do I disable SMTP relay for unauthenticated LAN clients in the link provided earlier in this thread.
ie
     Enable smtp authentication as shown above
    Disable un-authenticated smtp relay for the local network(s)using:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

    Configure your email clients to use smtps with authentication:

- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server

Offline Mar

Thanks  Janet :
"After checking the config as above, if necessary you could run the command shown ie
How do I enable smtp authentication for users on the internal network

config setprop qpsmtpd Authentication enabled
signal-event email-update

Then follow the steps for
How do I disable SMTP relay for unauthenticated LAN clients in the link provided earlier in this thread.
ie
     Enable smtp authentication as shown above
    Disable un-authenticated smtp relay for the local network(s)using:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

    Configure your email clients to use smtps with authentication:

- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server "

I have one concern here: will the above commands have any effect on the current users (current users are now using smtps with port 465 and SSL)? Please advise.

Thank you in advance
Regards
Martin
« Last Edit: October 10, 2019, 04:23:48 PM by Mar »

Offline janet

I have one concern here: will the above commands have any effect on the current users (current users are now using smtps with port 465 and SSL)?

I expect not, they should work as normal.
If these changes are mission critical & you have concerns or do not trust sme server, then you can always set up a test system (eg at home) & see what happens before implementing any changes on a live system.

Offline Mar

Dear janet,
Thank you.
Unfortunately, I ran all the mentioned commands but I am still able to send mail on port 25 without a password between two accounts on the server.
Any help or ideas?
Regards
Martin

Offline janet

Martin

Time to diagnose & troubleshoot
show us the output of these commands

config show qpsmtpd

cat /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork

show us the various settings you have configured on an email client eg thunderbird (hide password)

show us the proxy setting for mail that is in server manager panel
ie this
https://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Proxy_settings


Offline Mar

Martin

Time to diagnose & troubleshoot
show us the output of these commands

config show qpsmtpd
//
Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled
    access=public
    qplogsumm=disabled
    status=enabled
//

cat /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
//
# SMTP Relay from local network denied by custom template
//
show us the various settings you have configured on an email client eg thunderbird (hide password)

show us the proxy setting for mail that is in server manager panel
ie this
https://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11#Proxy_settings

All settings look OK.
« Last Edit: October 19, 2019, 03:02:45 PM by Mar »

Offline janet

Mar

Can you run this again

cat /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork

I get

# SMTP Relay from local network denied by custom template



Offline janet

Mar

Also I think you may have missed running this (from an earlier post & link in this thread)

How do I enable smtp authentication for users on the internal network

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update

(note the "." at the end of the 3rd line)
Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication

ie do

config setprop qpsmtpd Authentication enabled
signal-event email-update

Offline Mar

Mar

Can you run this again

cat /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
//
# SMTP Relay from local network denied by custom template
//

I get

# SMTP Relay from local network denied by custom template

Offline Mar

custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork

# SMTP Relay from local network denied by custom template

Offline janet

Mar

I followed all the steps mentioned in this thread & links provided on a test 9.2 sme server & I cannot send locally via the smtp server, unless I use SSL authentication & select port 465
If I configure no authentication & no password & port 25 (in Thunderbird) then sending does not work ie message not sent via smtp server, if I select SSL & normal password & port 25, I also get a message that Relaying not allowed & cannot send locally via smtp server.
If I configure SSL, normal password & port 465 I can send OK.

So I suggest you go through all the steps carefully, checking your work step by step as you go, & try again.

Offline Mar

Unfortunately,
it is still sending even without any authentication and without a password on port 25.
I have no idea what is wrong.
Bests

Offline janet

Mar

Maybe some mods were done to your server.
Can you tell us the full history of your server, upgrade paths etc, current configuration.

Show output of server manager Review configuration panel

Show output of
/sbin/e-smith/audittools/templates

/sbin/e-smith/audittools/newrpms

/sbin/e-smith/audittools/repositories

Offline Mar

The server was running SME 8; later it was updated to SME 9 and a full backup was restored to it.
/sbin/e-smith/audittools/templates

/etc/e-smith/templates-custom/etc/http: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/fail2ban/jail.conf/jail.conf: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/dar/DailyBackup.dcf/41go-into: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/dar/DailyBackup.dcf/45prune: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99allow_url_fopen: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/85SOGoAccess: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/home/sogo/GNUstep/Defaults/.GNUstepDefaults/10defaults: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/05auth_cvm_unix_local: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates/var/service/qpsmtpd/peers/0/05auth_cvm_unix_local: MANUALLY_ADDED




///////
/sbin/e-smith/audittools/repositories
base: enabled
centosplus: disabled
contrib: disabled
dag: disabled
epel: disabled
extras: disabled
fasttrack: disabled
fws: enabled
nethsme: disabled
smeaddons: enabled
smecontribs: disabled
smedev: disabled
smeextras: enabled
smeos: enabled
smetest: disabled
smeupdates: enabled
smeupdates-testing: enabled
sogo: disabled
updates: enabled
///////

/sbin/e-smith/audittools/newrpms
Loaded plugins: fastestmirror, post-transaction-actions, smeserver
Loading mirror speeds from cached hostfile
 * base: centos.turhost.com
 * smeaddons: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: centos.vargonen.com
http://centos.turhost.com/6.10/os/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'centos.turhost.com'"
Trying other mirror.


Offline Mar

Unfortunately, with a fresh installation of SME 9.2 I could send mail without authentication on port 25.

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
You have two manually added templates that hide each other.
You should not manually create templates in the template folder.  Templates-custom is intended for that.

/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/05auth_cvm_unix_local: MANUALLY_ADDED, OVERRIDE
/etc/e-smith/templates/var/service/qpsmtpd/peers/0/05auth_cvm_unix_local: MANUALLY_ADDED


The second one is hidden by the first one.

Offline Mar

So what is the solution in this case?

Offline Mar

Just to be sure that we are on the same wave:
I have 2 users on SME9.2
User1 is able to send mail to user2 without password and any authentications on port 25.
both: the server and the client are now on the same subnet.

Offline janet

Mars

Remove or delete this template fragment, it should NOT be there
/etc/e-smith/templates/var/service/qpsmtpd/peers/0/05auth_cvm_unix_local

Then for good measure run
signal-event post-upgrade
signal-event reboot


This one is OK (as it is in templates-custom), it can stay there
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/05auth_cvm_unix_local: MANUALLY_ADDED, OVERRIDE

This one is OK too, it can stay there
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork: MANUALLY_ADDED, OVERRIDE


Test functionality again to see if unauthenticated smtp access is permitted (it should not be).
« Last Edit: October 20, 2019, 05:35:01 AM by janet »

Offline janet

Mar

Also....
You have 2 repos enabled, that should normally (& more safely) be disabled
fws: enabled
smeupdates-testing: enabled

Change them both to disabled

In particular having the smeupdates-testing repo enabled, could allow unstable rpms to be updated during a normal update event & put your system in a bad state.
Only use that repo by invoking it at command line
eg
yum update packagename --enablerepo=smeupdates-testing

Offline janet

Mar

Quote
/sbin/e-smith/audittools/newrpms
Loaded plugins: fastestmirror, post-transaction-actions, smeserver
Loading mirror speeds from cached hostfile
 * base: centos.turhost.com
 * smeaddons: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: centos.vargonen.com
http://centos.turhost.com/6.10/os/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 6 - "Couldn't resolve host 'centos.turhost.com'"
Trying other mirror.

Try
yum clean all --enablerepo=*

then run command again
/sbin/e-smith/audittools/newrpms

more resolution may be needed.

Offline mmccarn

Caveat - I have not read all of every post in this discussion; apologies if this has already been covered.

- The original inquiry is *not* related to SMTP relay - it is related to basic email acceptance -- it is an email server's job to accept email - without authentication - for the email accounts hosted on the server.
- If a SME server is able to accept email to the local users from (for example) Ukraine, London, or North Dakota, then it is going to be able to accept email from the local users, too.

Blocking unauthenticated SMTP email *to* local users means blocking access to port 25 from the LAN - which gets tricky as the firewall settings normally apply only to the WAN interface and there are custom bits in place for proxying LAN traffic to outside SMTP servers.

This *might* work:
- Set the SMTP proxy to 'blocked', so that all SMTP access from the LAN is intercepted
- Change the SMTP server itself to another port
- Create a custom service to redirect outside traffic to port 25 to the new port - or have all inbound email delivered to a separate offsite server, then configure SME to get email only from that server.

It is unclear to me if the objective is related to device security (there is an infected device sending unwanted email to local users) or if it is related to personnel management (some user is intentionally spamming his/her co-workers, or spoofing 'from' addresses on emails). 

In the first instance, the objective is presumably to identify and secure the compromised device. 

In the second instance the objective is presumably to identify and dismiss the malicious users.
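
The distinction drawn in the post above, between accepting mail for accounts hosted on the server and relaying mail elsewhere, can be read off an SMTP session log. The Python below is an added example, not part of the thread or of SME Server: the transcripts, host names, addresses and the `classify` function are constructed for illustration, and the log layout is assumed to be the `CLIENT -> SERVER` / `SERVER -> CLIENT` style printed by SMTP test tools.

```python
import re

# Constructed sample sessions; hosts, addresses and reply texts are placeholders.
HEAD = """\
SERVER -> CLIENT: 220 mail.example.com ESMTP
CLIENT -> SERVER: EHLO probe.example.net
SERVER -> CLIENT: 250-example.com Hi probe.example.net [192.0.2.10]
                  250-PIPELINING
                  250 STARTTLS
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 Go ahead with TLS
CLIENT -> SERVER: EHLO probe.example.net
SERVER -> CLIENT: 250-example.com Hi probe.example.net [192.0.2.10]
                  250 SIZE 15000000
CLIENT -> SERVER: MAIL FROM:<user2@example.com>
SERVER -> CLIENT: 250 <user2@example.com>, sender OK
"""
INBOUND = HEAD + """\
CLIENT -> SERVER: RCPT TO:<user1@example.com>
SERVER -> CLIENT: 250 <user1@example.com>, recipient ok
CLIENT -> SERVER: DATA
SERVER -> CLIENT: 354 go ahead
CLIENT -> SERVER: Subject: RCPT TO:<x@example.org> is only message text here
CLIENT -> SERVER: .
SERVER -> CLIENT: 250 Queued!
"""
RELAY = HEAD + """\
CLIENT -> SERVER: RCPT TO:<someone@example.org>
SERVER -> CLIENT: 550 Relaying denied
"""
SUBMIT = """\
SERVER -> CLIENT: 220 mail.example.com ESMTP
CLIENT -> SERVER: EHLO pc1.example.com
SERVER -> CLIENT: 250-example.com Hi pc1.example.com [192.0.2.20]
                  250 AUTH PLAIN LOGIN
CLIENT -> SERVER: AUTH LOGIN
SERVER -> CLIENT: 334 VXNlcm5hbWU6
CLIENT -> SERVER: (base64 user name, elided)
SERVER -> CLIENT: 334 UGFzc3dvcmQ6
CLIENT -> SERVER: (base64 password, elided)
SERVER -> CLIENT: 235 Authentication successful
CLIENT -> SERVER: MAIL FROM:<user2@example.com>
SERVER -> CLIENT: 250 sender OK
CLIENT -> SERVER: RCPT TO:<someone@example.org>
SERVER -> CLIENT: 250 recipient ok
"""

LINE = re.compile(r"^(CLIENT|SERVER) -> (?:CLIENT|SERVER): ?(.*)$")
ADDR = re.compile(r"<([^<>\s]*)>")

def parse(transcript):
    """Return (sender, lines) events; indented lines continue the previous reply."""
    events = []
    for raw in transcript.splitlines():
        m = LINE.match(raw)
        if m:
            events.append((m.group(1)[0], [m.group(2)]))
        elif raw.strip() and events:
            events[-1][1].append(raw.strip())
    return events

def address_of(command):
    m = ADDR.search(command)
    return m.group(1).lower() if m else ""

def classify(transcript, local_domains):
    """Label each RCPT TO as delivery to a hosted domain, relay, or submission."""
    local = {d.lower() for d in local_domains}
    out = {"auth_offered": False, "authenticated": False,
           "unauthenticated_local_sender": False, "recipients": []}
    pending, in_data, in_auth = "", False, False
    for who, lines in parse(transcript):
        if who == "C":
            if in_data:
                in_data = lines[0] != "."   # a lone dot ends the message body
            elif not in_auth:               # AUTH continuation lines are not commands
                pending = lines[0]
            continue
        code, verb = lines[0][:3], pending.upper()
        if verb.startswith("EHLO"):         # capabilities of the most recent EHLO
            out["auth_offered"] = any(re.match(r"250[- ]AUTH\b", l, re.I) for l in lines)
        elif verb.startswith("AUTH"):
            in_auth = code == "334"         # 334 means another challenge follows
            out["authenticated"] = out["authenticated"] or code == "235"
        elif verb.startswith("MAIL FROM:") and code == "250":
            sender_local = address_of(pending).rpartition("@")[2] in local
            out["unauthenticated_local_sender"] = sender_local and not out["authenticated"]
        elif verb.startswith("RCPT TO:"):
            addr = address_of(pending)
            if not code.startswith("2"):
                verdict = "rejected"
            elif not addr:
                verdict = "unknown"         # address missing from the log
            elif out["authenticated"]:
                verdict = "authenticated-submission"
            elif addr.rpartition("@")[2] in local:
                verdict = "inbound-delivery"
            else:
                verdict = "open-relay"
            out["recipients"].append((addr, verdict))
        elif verb == "DATA":
            in_data = code == "354"
        if not in_auth:
            pending = ""
    return out

if __name__ == "__main__":
    for name, log in (("INBOUND", INBOUND), ("RELAY", RELAY), ("SUBMIT", SUBMIT)):
        print(name, classify(log, {"example.com"}))
```

A verdict of `inbound-delivery` is what any server that accepts mail for its own domains returns to an unauthenticated peer; only `open-relay` indicates a relay misconfiguration. The `unauthenticated_local_sender` flag marks the case where the envelope sender claims a hosted domain without having authenticated.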

Offline mmccarn

My suggestion above does not work as the smtp proxy transparently redirects any traffic sent to port 25.

I've also tried to customize the masq templates related to SMTPProxy, but I can't find any combination of settings that blocks access to port 25 from the LAN on my network (my SME is in server-only mode, which might be my problem...)

I keep coming back to one of these ideas:

1) If your SPF is configured correctly, enabling SPF on the LAN - by customizing /etc/e-smith/templates/var/service/qpsmtpd/config/peers/local/221spf - may block unauthenticated email delivery from the LAN, since all LAN IPs should fail SPF.

2) Rearrange your network, so that the user workstations are not connected to the SME LAN interface (tricky, depending on what other SME services you use from the LAN)

3) Install a firewall between the SME and your LAN workstations that supports "transparent" mode, then block port 25 there.  Sonicwall, sophos, and ubiquiti can all be configured in 'transparent' mode - although I only have personal experience w/ sonicwall about 20 years ago...





Offline Mar

Thank you all,
I think I explained my issue well but I will again explain the case I faced:
one user from outside my company could use my email account and the SMTP of my mail server under the port 25 to send an email to another user inside the company not to email outside my company.
None of our staff did that.
Regards
Martin.

Offline janet

Mar

Firstly did you do this as suggested:
Remove or delete this template fragment, it should NOT be there
/etc/e-smith/templates/var/service/qpsmtpd/peers/0/05auth_cvm_unix_local

Then for good measure run
signal-event post-upgrade
signal-event reboot

You need to do the above to correct your system asap.


Now re:
Quote
one user from outside my company could use my email account and the SMTP of my mail server under the port 25 to send an email to another user inside the company not to email outside my company

Now that is a different matter than you reported earlier.

Look in server manager, Configuration, Email panel.
Click on
Change e-mail reception settings
For
SMTP authentication
Select
Allow SSMTP (secure)

Save

Change the password of your email account to something strong & not easily guessed

Report back your success or otherwise
« Last Edit: October 21, 2019, 10:48:42 AM by janet »

Offline Mar

Dear Janet,
Thanks for the reply.
I think it is the same case. However, I am using this tool to test my server:
https://www.wormly.com/test-smtp-server
below is the result:

https://www.wormly.com/test-smtp-server

Resolving hostname...
Connecting...
Connection: opening to mail.xxxx.com:25, timeout=300, options=array (
                  )
Connection: opened
SERVER -> CLIENT: 220 mail.xxxx.com ESMTP
CLIENT -> SERVER: EHLO tools.wormly.com
SERVER -> CLIENT: 250-xxxx.com Hi tools.wormly.com [96.126.113.160]
                  250-PIPELINING
                  250-8BITMIME
                  250-SIZE 15000000
                  250 STARTTLS
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 Go ahead with TLS
CLIENT -> SERVER: EHLO tools.wormly.com
SERVER -> CLIENT: 250-xxxx.com Hi tools.wormly.com [96.126.113.160]
                  250-PIPELINING
                  250-8BITMIME
                  250 SIZE 15000000
CLIENT -> SERVER: MAIL FROM:
SERVER -> CLIENT: 250 , sender OK - how exciting to get mail from you!
CLIENT -> SERVER: RCPT TO:
SERVER -> CLIENT: 250 , recipient ok
CLIENT -> SERVER: DATA
SERVER -> CLIENT: 354 go ahead
CLIENT -> SERVER: Date: Mon, 21 Oct 2019 10:27:58 +0000
CLIENT -> SERVER: To: user1@xxxx.com
CLIENT -> SERVER: From: Wormly SMTP Test
CLIENT -> SERVER: Subject: Wormly SMTP Test Message
CLIENT -> SERVER: Message-ID:
CLIENT -> SERVER: MIME-Version: 1.0
CLIENT -> SERVER: Content-Type: text/plain; charset=iso-8859-1
CLIENT -> SERVER:
CLIENT -> SERVER: This message was sent using the Wormly SMTP testing tool by this user:
CLIENT -> SERVER: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
CLIENT -> SERVER: 111.111.11.11
CLIENT -> SERVER:
CLIENT -> SERVER: .
SERVER -> CLIENT: 250 Queued! 1571653687 qp 3734
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 221 xxxx.com closing connection. Have a wonderful day.
Connection: closed
Message completed successfully.

Please check the attachment; the server is already configured but I could send mail to myself using the tool.

« Last Edit: October 21, 2019, 12:39:56 PM by Mar »

Offline janet

Mar

Congratulations, your smtp mail server is working. If you want to run a mail server that is accessible to other mail servers around the world, then this is the required result (of the wormly test).

To control access to your smtp mail server for external users etc, you need to configure appropriate settings internally ie in your server configuration.

As your problem description varies, originally you said internal to internal mail sending, now you are saying external to internal mail sending, it is unclear to me what exactly you are trying to achieve.

Please supply a real world example of email sending (identifying the perceived problem) using real email addresses & real domain names.
To disguise yourself, You can create a virtual domain on your sme server, add temporary users & have a domain setup in external records. Domains will cost you $10 or so which is a small amount for you to have to pay compared to the time & cost input of those helping here.
« Last Edit: October 22, 2019, 05:44:27 AM by janet »

Offline Mar

I am sorry, maybe I was not good at explaining my problem, but that is really what happened.
However I will get a domain by today to link it to SME server.
Thank you very much

Offline janet

Mar

Please also give a detailed description of how your server is configured in your network, eg is it server & gateway mode or server only ?
is it a second server ?

does it connect to the Internet via another gateway device or firewall or directly via a bridged modem etc etc

What else is in your local network, workstations (Windows or other OS?), other devices ?

Offline janet

Mar

Please answer, did you remove this template fragment ?
/etc/e-smith/templates/var/service/qpsmtpd/peers/0/05auth_cvm_unix_local

If you did remove it, then did you run
signal-event email-update
afterwards ?

Offline Mar

Yes, of course I removed it and ran the command,
but it is still the same case, as I told you.
« Last Edit: October 22, 2019, 09:09:56 PM by Mar »

Offline janet

Martin

Quote
Yes, of course I removed it and ran the command

If you do not tell us then we do not know !

You also did not respond to the following post, please answer all questions in detail.

Please also give a detailed description of how your server is configured in your network, eg is it server & gateway mode or server only ?
is it a second server ?

does it connect to the Internet via another gateway device or firewall ?

or directly via a bridged modem ?

or some other way ?

What else is in your local network, workstations (Windows or other OS ?), other devices ?

Offline Mar

Martin

If you do not tell us then we do not know !
Thanks.

You also did not respond to the following post, please answer all questions in detail.
Actually I was planning to run the test machine first then tell you all details

Please also give a detailed description of how your server is configured in your network, eg is it server & gateway mode or server only ?
It is configured as server and gateway
is it a second server ?
it is standalone server

does it connect to the Internet via another gateway device or firewall ?
it is connected to the internet behind a firewall. it is a mail server located in EU and the local network is in different area.

or directly via a bridged modem ?

or some other way ?

What else is in your local network, workstations (Windows or other OS ?), other devices ?
we have windows server AD, so the workstations are running under windows 10

« Last Edit: October 23, 2019, 08:09:43 AM by Mar »

Offline janet

Martin

You say:
Your SME server is configured in server gateway mode & that it is a standalone server.

Then you say:
Your SME server is connected to the internet behind a firewall. it is a mail server located in EU and the local network is in different area.

It is not usual to configure your server in server gateway mode & have it behind another firewall.
In server gateway mode, sme server is acting as a firewall.
So in your scenario you would have 2 firewalls.

Also you need to explain in more detail what you mean about the mail server in EU & local network elsewhere.

This appears to be a non standard use of SME server & it does not surprise me that you are having problems & that our suggestions do not work for you.

You are doing something non standard & the fixes we proposed are probably not appropriate.

Please provide a lot more details.


Offline Mar

Martin

You say:
Your SME server is configured in server gateway mode & that it is a standalone server.

Then you say:
Your SME server is connected to the internet behind a firewall. it is a mail server located in EU and the local network is in different area.
Yes it is in a datacenter in EU so it is behind the firewall of the datacenter
and it is configured as gateway and server

It is not usual to configure your server in server gateway mode & have it behind another firewall.
In server gateway mode, sme server is acting as a firewall.
So in your scenario you would have 2 firewalls.
Yes as I mentioned it is a datacenter
Also you need to explain in more detail what you mean about the mail server in EU & local network elsewhere.
Our company is located in another area while our mail server is in the EU, which is normal

This appears to be a non standard use of SME server & it does not surprise me that you are having problems & that our suggestions do not work for you.
I disagree because it is normal to keep your server in a datacenter and the datacenter has their own firewall

You are doing something non standard & the fixes we proposed are probably not appropriate.

Please provide a lot more details.
Hopefully that gave you enough info  about the server
« Last Edit: October 23, 2019, 10:22:25 PM by Mar »

Offline Mar

Janet,
The email is an independent function regardless of the other network or its location.
What I think it is miss function in qmail.
We will see on the other server which I am working on.
Regards
« Last Edit: October 23, 2019, 10:25:10 PM by Mar »

Offline ReetP

Mar,

Please read this because this is a classic case: http://xyproblem.info/

You have come here and asked a question because you are stuck and don't know how to fix things and users here are doing their best to assist you. Some of them have been using SME for over 20 years. You should try and trust what they say, and answer their questions precisely. They are not doing this for fun, and most are not getting paid either, unlike you.

You have not been very detailed, consistent, methodical or accurate with your comments and replies which makes it REALLY hard to help you.

Let's go back and remember your ORIGINAL question:

Quote
Our internal users connect to the e-mail through secure pop / imap./
Currently the server accepts mails from internal users to internal users unauthenticated on port 25

Now look where we have got to. We finally discover your SME is in server-gateway running its own firewall, and behind a data center firewall, and not a local network in sight:

This appears to be a non standard use of SME server & it does not surprise me that you are having problems & that our suggestions do not work for you.
I disagree because it is normal to keep your server in a datacenter and the datacenter has their own firewall

Now, you can disagree all you want, but the point you are missing is that SME is designed to be used in certain ways, and if you don't follow the methods then it will not function as you expect, no matter what you do.

Hmmm:

Quote
User1 is able to send mail to user2 without password and any authentications on port 25.
both: the server and the client are now on the same subnet.

Quote
it is a mail server located in EU and the local network is in different area.

So it is a server in a data center behind a firewall on the same subnet as the clients which are somewhere else entirely.

Really?

The email is an independent function regardless the other network or its location.

You don't understand much about email then. Yes, it is an independent "process". BUT how it works will depend on its network and location and a number of other factors.... as you have discovered.

Quote
What I think it is miss function in qmail.

Ok so which function in qmail is that? Or is it part of the xyproblem?

Your problem is not really understanding how SME (and email in general) works in the first place, and if we could "just fix qmail you would be OK".

"User doesn't know how to do X, but thinks they can fumble their way to a solution if they can just manage to do Y."

You have decided what the problem is, and how it can be fixed, without actually understanding any of it. All you want is confirmation bias, not a proper solution. No one here can fix that.

Quote
We will see on the other server which is I am working on.

That is entirely dependent on where it is and what you are actually trying to prove.

So, go right back to the start.

I suggest you run this and picpaste the content somewhere where we can look at it:

https://your.server.ip/server-manager/cgi-bin/bugreport

I also suggest you draw a network layout which we can actually see. It might help people to visualize the situation. Server, firewall, subnets, etc etc

Can you also post the output of:

Code: [Select]
cat /var/service/qpsmtpd/config/peers/local |grep -n cvm-unix
This is where Authentication should be set, not qpsmtpd:
Code: [Select]
config show smtpd
Code: [Select]
config show ssmtpd
Thank you.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Mar

  • ***
  • 73
  • +0/-0
Mar,
Dear ReetP, thanks,
Please read this because this is a classic case: http://xyproblem.info/
I didn't mean to be in such a case, but maybe that happened unintentionally. I'm sorry for this, but it happened; I will try to avoid that in future

You have come here and asked a question because you are stuck and don't know how to fix things and users here are doing their best to assist you. Some of them having been using SME for over 20 years. You should try and trust what they say, and answer their questions precisely. They are not doing this for fun, and most are not getting paid either, unlike you.

You have not been very detailed, consistent, methodical or accurate with your comments and replies which makes it REALLY hard to help you.
First, thank you so much for help and it was and still much appreciated from my side. of course I didn't mean not to describe my problem well, but maybe I wasn't good to describe it well

Lets go back and remember your ORIGINAL question:

Now look where we have got to. We finally discover your SME is in server-gateway running its own firewall, and behind a data center firewall, and not a local network in sight:

Now, you can disagree all you want, but the point you are missing is that SME is designed to be used in certain ways, and if you don't follow the methods then it will not function as you expect, no matter what you do.

Hmmm:

So it is a server in a data center behind a firewall on the same subnet as the clients which are somewhere else entirely.
The server is running its own firewall but the datacenter firewall is just redirecting the traffic to SME mail server this is exactly how it is

Really?
Here there is a misunderstanding or .. however the original email server is in a data-center but the test environment I made was on a local network so the test SME server and the client are on the same subnet

You don't understand much about email then. Yes, it is an independent "process". BUT how it works will depend on its network and location and a number of other factors.... as you have discovered.

Ok so which function in qmail is that? Or is it part of the xyproblem?
I mean block sending emails between users on my server without authentication using port 25

Your problem is not really understanding how SME (and email in general) works in the first place, and if we could "just fix qmail you would be OK".
Yes, of course

"User doesn't know how to do X, but thinks they can fumble their way to a solution if they can just manage to do Y."

You have decided what the problem is, and how it can be fixed, without actually understanding any of it. All you want is confirmation bias, not a proper solution. No one here can fix that.
"hold on -  am not fighting am really searching to find a solution for my problem"

That is entirely dependent on where it is and what you are actually trying to prove.

So, go right back to the start.

I suggest you run this and picpaste the content somewhere where we can look at it:

https://your.server.ip/server-manager/cgi-bin/bugreport

I also suggest you draw a network layout which we can actually see. It might help people to visualize the situation. Server, firewall, subnets, etc etc
The server is Datacenter in EU and it is working as email server only. users are in another country with different subnet and different type of firewall so the users are totally can't reach it from LAN and they use it only as email server so they are not reaching the server from LAN they connect to the server VIA internet.
Can you also post the output of:

Code: [Select]
cat /var/service/qpsmtpd/config/peers/local |grep -n cvm-unix
////
14:auth/auth_cvm_unix_local cvm_socket /var/lib/cvm/cvm-unix-local.socket enable_smtp no enable_ssmtp yes
////

This is where Authentication should be set, not qpsmtpd:
Code: [Select]
config show smtpd
////
smtpd=service
    Authentication=disabled
    Instances=40
    InstancesPerIP=5
    MaximumDateOffset=0
    PatternsScan=disabled
    Proxy=blocked
    TCPPort=25
    TCPProxyPort=25
    VirusScan=enabled
    access=public
    status=enabled
    tnef2mime=enabled

////
Code: [Select]
config show ssmtpd
////
ssmtpd=service
    Authentication=enabled
    Instances=10
    TCPPort=465
    access=public
    status=enabled

////
Again, many thanks. I have really read tens of pages about how qmail works and how SME also works.
thanks

Thank you.
« Last Edit: October 29, 2019, 10:15:10 AM by Mar »

Offline Mar

  • ***
  • 73
  • +0/-0
Dear ReetP,
Any updates or further solutions?
Regards

Offline ReetP

  • *
  • 3,732
  • +5/-0
I have been in holiday and this is not my 'job'. I'll reply as and when I can. You don't need to nag me.

Dear ReetP,
Any updates or further solutions?
Regards

Yes. I'd like you to square this circle.

Topic:
Quote
Topic: Block sending for unauthenticated internal users to internal users on port25

Statement in your last quote:
Quote
users are in another country with different subnet and different type of firewall so the users are totally can't reach it from LAN and they use it only as email server so they are not reaching the server from LAN they connect to the server VIA internet.

So you have no internal users.

Until you can actually figure out exactly what problem you are trying to solve I am not sure anyone can help you.

Note your test setup does NOT replicate your real setup so your results will vary and cannot be used as a strict test.

I also said run a bug report and paste it and draw a rough network layout and paste it for us to see.

I suggest you do what you are asked, not what you think you have been asked.

Thanks.

Offline Mar

  • ***
  • 73
  • +0/-0
Thanks for the reply,
The issue I faced exactly: one of the users received an email from someone outside the company, which is clear from the message header, and it seems to be from South America, but the message looks as if the user sent the email to himself. So the sender and receiver are the same, which is the user himself.
But of course the user didn't send an email to himself.
Below is part of the message:
"Hello!
As you may have noticed, I sent you an email from your account.
This means that I have full access to your device. I've been watching you for a few months now." until the end of the message.
This is exactly what I'm facing.

Below is the report:
/////////////////////////////////
Configuration report created Sun 27 Oct 2019 10:18:28 AM CET

==================
Base configuration
==================

SME server version: 9.2
SME server mode:    servergateway
Running Kernel:     2.6.32-754.15.3.el6.x86_64



===========================
New RPMs not in base system
===========================
       
Loaded plugins: fastestmirror, post-transaction-actions, smeserver
Loading mirror speeds from cached hostfile
 * base: centos.bio.lmu.de
 * smeaddons: mirrors.mab974.re
 * smeos: mirrors.mab974.re
 * smeupdates: mirrors.mab974.re
 * updates: ftp.rz.uni-frankfurt.de
Extra Packages
DCC.x86_64                           1.3.145-25.el6.sme      @smeupdates-testing
clamav.x86_64                        0.100.2-6.el6.sme       @smeupdates-testing
clamav-db.x86_64                     0.100.2-6.el6.sme       @smeupdates-testing
clamd.x86_64                         0.100.2-6.el6.sme       @smeupdates-testing
e-smith-backup.noarch                2.4.0-45.el6.sme        @smeupdates-testing
e-smith-base.noarch                  5.6.0-36.el6.sme        @smeupdates-testing
e-smith-formmagick.noarch            2.4.0-3.el6.sme         @smeupdates-testing
e-smith-lib.noarch                   2.4.0-18.el6.sme        @smeupdates-testing
e-smith-manager.noarch               2.6.0-25.el6.sme        @smeupdates-testing
hddtemp.x86_64                       0.3-0.20.beta15.el6     @smecontribs       
initscripts.x86_64                   9.03.61-2.el6.sme       @smeupdates-testing
kernel.x86_64                        2.6.32-696.23.1.el6     @smeupdates       
libmcrypt.x86_64                     2.5.8-9.el6             @smecontribs       
openvpn.x86_64                       2.4.2-1.el6             @smecontribs       
perl-CGI-FormMagick.noarch           0.93-6.el6.sme          @smeupdates-testing
perl-Geography-Countries.noarch      2009041301-1.el6.sme    @smeupdates-testing
perl-`-Country.noarch               2.28-1.el6.sme          @smeupdates-testing
perl-Net-Ident.noarch                1.24-1.el6.sme          @smeupdates-testing
perl-Quota.x86_64                    1.7.0-1                 @fws               
perl-Session-Token.x86_64            1.503-1.el6.sme         @smeupdates-testing
perl-rrdtool.x86_64                  1.4.7-1.el6.rfx         @smecontribs       
php-fedora-autoloader.noarch         1.0.0-1.el6             @smecontribs       
php-php-gettext.noarch               1.0.12-1.el6            @smecontribs       
php-tcpdf.noarch                     6.2.13-1.el6            @smecontribs       
php-tcpdf-dejavu-sans-fonts.noarch   6.2.13-1.el6            @smecontribs       
phpMyAdmin.noarch                    4.0.10.19-1.el6         @smecontribs       
pkcs11-helper.x86_64                 1.11-3.el6              @smecontribs       
qmail.x86_64                         1.03-23.el6.sme         @smeupdates-testing
rrdtool.x86_64                       1.4.7-1.el6.rfx         @smecontribs       
smeserver-crontab_manager.noarch     2.4-3.el6.sme           @smecontribs       
smeserver-locale-bg.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-da.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-de.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-el.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-es.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-et.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-fr.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-he.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-hu.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-id.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-it.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-ja.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-nb.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-nl.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-pl.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-pt.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-pt_BR.noarch        2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-ro.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-ru.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-sl.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-sv.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-th.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-tr.noarch           2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-zh_CN.noarch        2.4.0-30.el6.sme        @smeupdates-testing
smeserver-locale-zh_TW.noarch        2.4.0-30.el6.sme        @smeupdates-testing
smeserver-openvpn-s2s.noarch         0.2-6.el6.sme           @smecontribs       
smeserver-password.noarch            1.2.0-10.el6.sme        @smecontribs       
smeserver-phpmyadmin.noarch          4.0.10.2-3.el6.sme      @smecontribs       
smeserver-sme9admin.noarch           1.5-25.el6.sme          @smecontribs       
smeserver-updates.noarch             1.4-2.el6.sme           @smecontribs       
smeserver-userpanel.noarch           1.2-3.el6.sme           @smecontribs       
smeserver-userpanels.noarch          1.1-5.el6.sme           @smecontribs       
smeserver-vacation.noarch            1.1-25.el6.sme          @smecontribs       
spamassassin.x86_64                  3.4.2-2.el6.sme         @smeupdates-testing
sysstat.x86_64                       9.0.4-33el6_9.1         @updates           
 



===========================
Custom and modified templates
===========================
/etc/e-smith/templates-custom/etc/http: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/fail2ban/jail.conf/jail.conf: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/dar/DailyBackup.dcf/45prune: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/dar/DailyBackup.dcf/41go-into: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/85SOGoAccess: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99allow_url_fopen: MANUALLY_ADDED, ADDITION
/etc/e-smith/templates-custom/home/sogo/GNUstep/Defaults/.GNUstepDefaults/10defaults: MANUALLY_ADDED, ADDITION




===========================
Modified events
===========================
/etc/e-smith/events/pseudonym-delete/S55email-assign: MODIFIED e-smith-qmail-2.4.0-8.el6.sme
/etc/e-smith/events/bootstrap-console-save/S55email-assign: MODIFIED e-smith-qmail-2.4.0-8.el6.sme
/etc/e-smith/events/pseudonym-create/S55email-assign: MODIFIED e-smith-qmail-2.4.0-8.el6.sme
/etc/e-smith/events/user-delete/S55email-assign: MODIFIED e-smith-qmail-2.4.0-8.el6.sme
/etc/e-smith/events/user-create/S55email-assign: MODIFIED e-smith-qmail-2.4.0-8.el6.sme
/etc/e-smith/events/pseudonym-modify/S55email-assign: MODIFIED e-smith-qmail-2.4.0-8.el6.sme
/etc/e-smith/events/user-modify/S55email-assign: MODIFIED e-smith-qmail-2.4.0-8.el6.sme




=======================
Additional repositories
=======================

base: enabled
centosplus: disabled
contrib: disabled
dag: disabled
epel: disabled
extras: disabled
fasttrack: disabled
fws: enabled
nethsme: disabled
smeaddons: enabled
smecontribs: disabled
smedev: disabled
smeextras: enabled
smeos: enabled
smetest: disabled
smeupdates: enabled
smeupdates-testing: enabled
sogo: disabled
updates: enabled
         

DONE!
/////////////////////////////////////
Regards
Mar
« Last Edit: October 29, 2019, 08:55:25 PM by Mar »

Offline ReetP

  • *
  • 3,732
  • +5/-0
Bit of a mess then. You have been having fun hatcheting it.

Strongly suggest you don't use testing repos unless you absolutely have to. The 'testing' bit gives the game away....

No idea what you have done modifying 'events'. Presumably trying to fix your 'problem'

Quote
The issue I faced exactly: one of the users received an email from someone outside the company, which is clear from the message header, and it seems to be from South America, but the message looks as if the user sent the email to himself. So the sender and receiver are the same, which is the user himself.

So you've got a spam/spoofed mail....?

Please post the email headers. Did I mention pastebin??

Offline Mar

  • ***
  • 73
  • +0/-0
Yes, it looks like mail spam/spoofing:

Subject: [SPAM] High level of danger. Your account was under attack.
"
User Agent:Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
Received :(qmail 14185 invoked by alias); 24 Sep 2019 22:59:49 -0000
X-Spam Details

*  3.6 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*      [201.254.83.255 listed in zen.spamhaus.org]
*  0.7 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
*  0.0 FSL_HELO_NON_FQDN_1 No description available.
*  0.0 SPF_NONE SPF: sender does not publish an SPF Record
*  1.1 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
*  0.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
*      address
*      [201.254.83.255 listed in dnsbl.sorbs.net]
*  2.2 HELO_NO_DOMAIN Relay reports its domain incorrectly
*  2.5 BITCOIN_SPAM_02 BitCoin spam pattern 02
*  3.0 BITCOIN_DEADLINE BitCoin with a deadline
*  2.9 BITCOIN_MALWARE BitCoin + malware
"
Authentication-Results mydomain.com; auth=none; spf=none smtp.mailfrom=mydomain.com; dkim=none
Here the smtp is not my mail smtp, it is wrong

Received-SPF none (mydomain.com: No applicable sender policy available) receiver=telnet.mydomain.com; identity=mailfrom; envelope-from="user1@mydomain.com"; helo="[201.254.83.255]"; client-ip=201.254.83.255

Hopefully, I answered your questions.
« Last Edit: October 30, 2019, 01:30:15 PM by Mar »

Offline ReetP

  • *
  • 3,732
  • +5/-0
Yes, it looks like mail spam/spoofing:

Yes it rather looks like it does, doesn't it? Not sure we need to fix qmail now.......  :pint:

Quote
Subject: [SPAM] High level of danger. Your account was under attack.

So, Spamassassin tagged it as [SPAM], but you still ignored it?? No one here can help that problem I'm afraid.

Suggest you turn on some email filtering because it looks like you have it all turned off.

Quote
config show qpsmtpd

//
Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled << Should be enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=disabled << Should be enabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled << worth trying to enable
    access=public
    qplogsumm=disabled
    status=enabled
//

https://wiki.contribs.org/Email
https://wiki.contribs.org/Qpsmtpd
https://wiki.contribs.org/GeoIP
https://wiki.contribs.org/Xt_geoip

Etc.

Look at spamassassin, DNSBL, RHSBL, URIBL, GeoIP.

I'd also ask yourself why you need any rpms from updates-testing and disable that repo to save yourself from any other disasters.

And last I would look at each and every modification you have made and ask yourself two questions.

Do I really know what I am doing?
Do I really need to do this?


Offline Mar

  • ***
  • 73
  • +0/-0
Yes it rather looks like it does, doesn't it? Not sure we need to fix qmail now.......  :pint:

So, Spamassassin tagged it as [SPAM], but you still ignored it?? No one here can help that problem I'm afraid.
yes it is spam , but the issue  here is, I'm afraid if someone from outside the company use it to send mail on behalf of someone else with some orders or something like that

Suggest you turn on some email filtering because it looks like you have it all turned off.

https://wiki.contribs.org/Email
https://wiki.contribs.org/Qpsmtpd
https://wiki.contribs.org/GeoIP
https://wiki.contribs.org/Xt_geoip

Etc.

Look at spamassassin, DNSBL, RHSBL, URIBL, GeoIP.

I'd also ask yourself why you need any rpms from updates-testing and disable that repo to save yourself from any other disasters.

And last I would look at each and every modification you have made and ask yourself two questions.
I didn't do a lot of modifications just I increased the spam filter to be high and ssmtp is enabled

Do I really know what I am doing?
Not clear what do you mean but I'm trying to understand what I do before I do
Do I really need to do this?
As I mentioned before, I am afraid of bad behavior of someone, so at least I'm trying to prevent that so yes I need to do, or at least I need to notify the user that something wrong please be aware or take attention

Offline ReetP

  • *
  • 3,732
  • +5/-0

Quote
yes it is spam , but the issue  here is, I'm afraid if someone from outside the company use it to send mail on behalf of someone else with some orders or something like that

Yup - that is always a risk that someone can forge your address, but there is evidence to show your server has been hacked or misused.

Someone has sent you an email probably via a hacked email server with a forged 'From' address which is very easy to do. You made the wrong assumption about the problem without properly checking logs, emails etc.

The mail was just Junk. Please go and read about mail spoofing/forgery etc etc so you understand the problems with it (which is why email is going to die eventually)

Please enable some proper junk/spam filtering after reading all the manuals here. Then you will not receive these mails at all.
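The header check discussed in the posts above, as an added example that is not part of the original thread or of SME Server: it reads the Received-SPF and Authentication-Results headers the receiving server stamped on the message and reports how the mail arrived. The function names, the `local_nets` parameter and the verdict labels are assumptions made for this sketch; the sample is constructed from the values quoted in the thread, written as raw headers.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: values are the ones quoted in the thread, laid out as
# raw RFC 5322 headers (the post shows them as rendered by a mail client).
SAMPLE = (
    'Received-SPF: none (mydomain.com: No applicable sender policy available) '
    'receiver=telnet.mydomain.com; identity=mailfrom; '
    'envelope-from="user1@mydomain.com"; helo="[201.254.83.255]"; '
    'client-ip=201.254.83.255\n'
    'Authentication-Results: mydomain.com; auth=none; spf=none '
    'smtp.mailfrom=mydomain.com; dkim=none\n'
    'From: user1@mydomain.com\n'
    'To: user1@mydomain.com\n'
    'Subject: [SPAM] High level of danger. Your account was under attack.\n'
    '\n'
    'body omitted\n'
)


def header_params(value):
    """Collect key=value pairs from a header value, stripping quotes."""
    pairs = re.findall(r'([\w.-]+)=("[^"]*"|[^;\s]+)', value or "")
    return {key.lower(): val.strip('"') for key, val in pairs}


def is_ip(text):
    """True if text is an IPv4/IPv6 address, with or without [brackets]."""
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def triage(raw_message, local_domain, local_nets=()):
    """Classify how a message reached the server from the headers the
    receiving MTA added. local_nets (hypothetical parameter) lists the CIDR
    ranges treated as internal, e.g. ["192.168.1.0/24"]."""
    msg = message_from_string(raw_message)
    spf_header = msg.get("Received-SPF", "")
    spf = header_params(spf_header)
    auth = header_params(msg.get("Authentication-Results", ""))

    spf_result = (spf_header.split() or ["missing"])[0].lower()
    env_domain = spf.get("envelope-from", "").rpartition("@")[2].lower()
    client_ip = spf.get("client-ip", "")
    internal = False  # unknown or malformed client address is never trusted
    if is_ip(client_ip):
        ip = ipaddress.ip_address(client_ip)
        internal = any(ip in ipaddress.ip_network(net) for net in local_nets)

    findings = []
    if spf_result == "none":
        findings.append("envelope domain publishes no SPF record, so the "
                        "receiver could not test the sending IP against it")
    if is_ip(spf.get("helo", "")):
        findings.append("HELO is a bare IP literal, not a hostname")
    sender, rcpt = msg.get("From", ""), msg.get("To", "")
    if sender and sender.strip().lower() == rcpt.strip().lower():
        findings.append("From and To are the same address")

    if auth.get("auth", "none").lower() == "pass":
        verdict = "authenticated-submission"
    elif internal:
        verdict = "internal-unauthenticated"
    elif env_domain == local_domain.lower():
        # Outside IP, no SMTP AUTH, yet a local envelope sender: a forged
        # sender (a forwarder can look the same), not a relayed message.
        verdict = "external-claims-local-sender"
    else:
        verdict = "ordinary-inbound"
    return {"verdict": verdict, "client_ip": client_ip, "spf": spf_result,
            "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE, "mydomain.com"))
```

For the quoted headers the verdict is `external-claims-local-sender`: an ordinary inbound delivery from an outside address with a forged sender, which port 25 accepts for local recipients whether or not SMTP AUTH is enforced for relaying.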

Offline Mar

  • ***
  • 73
  • +0/-0
Yup - that is always a risk that someone can forge your address, but there is evidence to show your server has been hacked or misused.
Thanks, I don't think the server was hacked, I think the sender used an external email server with forged 'from' to send mail, exactly as if I am trying to send to my gmail account using another SMTP but the mail from and to are same but at the end it is not gmail smtp. It is mostly email spoofing. I don't know if this issue has a solution.


Someone has sent you an email probably via a hacked email server with a forged 'From' address which is very easy to do. You made the wrong assumption about the problem without properly checking logs, emails etc.

The mail was just Junk. Please go and read about mail spoofing/forgery etc etc so you understand the problems with it (which is why email is going to die eventually)
I will

Please enable some proper junk/spam filtering after reading all the manuals here. Then you will not receive these mails at all.
Thanks that is what am trying to do
Thank you so much

Offline janet

  • ****
  • 4,812
  • +0/-0
Mar

Make this change immediately, it should result in blocking (rejecting) mail coming from servers that have been identified as spam sources
config setprop qpsmtpd DNSBL enabled RHSBL enabled
signal-event email-update

For further info see
https://wiki.contribs.org/SME_Server:Documentation:FAQ:Section04#Real-time_Blackhole_List_.28RBL.29

Personally I would also advise you to use more conservative lists as many of the default lists are too aggressive.
ie so as well as the commands I advised above, also do

config setprop qpsmtpd RBLList zen.spamhaus.org
signal-event email-update

config setprop qpsmtpd SBLList dbl.spamhaus.org
signal-event email-update

Also to fix the issue with smeupdates-testing repo being enabled, do

db yum_repositories setprop smeupdates-testing status disabled
signal-event yum-modify

Note that the smeupdates-testing repo SHOULD NOT have a status of enabled (on production servers), it is for use ONLY on a test server, or for installing & testing particular packages (on a production server) to see if they fix a specific issue, while you are monitoring the outcome or effect of having installed that one off test package.
You should not normally install all rpm packages that are in smeupdates-testing repo as they may have unwanted effects & cause your server to become unstable or insecure.

It seems there may be a bit of correction work to do on your server as you do have a lot of packages installed from smeupdates-testing repo, some of them could be causing you to have undesired issues (???), I leave that for another time.

You should do the same for the fws repo

db yum_repositories setprop fws status disabled
signal-event yum-modify
« Last Edit: October 31, 2019, 08:49:00 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Mar

  • ***
  • 73
  • +0/-0
Thanks all,
I will do it this weekend.
Thanks so much

Offline janet

  • ****
  • 4,812
  • +0/-0
Mar

Please note the additions edit I just did to my previous post.

Offline Mar

  • ***
  • 73
  • +0/-0
Mar

Please note the additions edit I just did to my previous post.
Great, I'm really thankful for you all for your kind support

Offline janet

  • ****
  • 4,812
  • +0/-0
Mar

Quote
I will do it this weekend.

Resolved now ?

Offline Mar

  • ***
  • 73
  • +0/-0
Mar

Resolved now ?
Not yet, I was pushed to travel to another location