Koozali.org: home of the SME Server

Block sending for unauthenticated internal users to internal users on port25

Offline mmccarn

Caveat - I have not read all of every post in this discussion; apologies if this has already been covered.

- The original inquiry is *not* related to SMTP relay - it is related to basic email acceptance -- it is an email server's job to accept email - without authentication - for the email accounts hosted on the server.
- If an SME server is able to accept email to the local users from (for example) Ukraine, London, or North Dakota, then it is going to be able to accept email from the local users, too.

Blocking unauthenticated SMTP email *to* local users means blocking access to port 25 from the LAN - which gets tricky as the firewall settings normally apply only to the WAN interface and there are custom bits in place for proxying LAN traffic to outside SMTP servers.

This *might* work:
- Set the SMTP proxy to 'blocked', so that all SMTP access from the LAN is intercepted
- Change the SMTP server itself to another port
- Create a custom service to redirect outside traffic to port 25 to the new port - or have all inbound email delivered to a separate offsite server, then configure SME to get email only from that server.

It is unclear to me if the objective is related to device security (there is an infected device sending unwanted email to local users) or if it is related to personnel management (some user is intentionally spamming his/her co-workers, or spoofing 'from' addresses on emails). 

In the first instance, the objective is presumably to identify and secure the compromised device. 

In the second instance the objective is presumably to identify and dismiss the malicious users.

Offline mmccarn

My suggestion above does not work as the smtp proxy transparently redirects any traffic sent to port 25.

I've also tried to customize the masq templates related to SMTPProxy, but I can't find any combination of settings that blocks access to port 25 from the LAN on my network (my SME is in server-only mode, which might be my problem...)

I keep coming back to one of these ideas:

1) If your SPF is configured correctly, enabling SPF on the LAN - by customizing /etc/e-smith/templates/var/service/qpsmtpd/config/peers/local/221spf - may block unauthenticated email delivery from the LAN, since all LAN IPs should fail SPF.

2) Rearrange your network, so that the user workstations are not connected to the SME LAN interface (tricky, depending on what other SME services you use from the LAN)

3) Install a firewall between the SME and your LAN workstations that supports "transparent" mode, then block port 25 there. SonicWall, Sophos, and Ubiquiti can all be configured in 'transparent' mode - although I only have personal experience w/ SonicWall about 20 years ago...

Offline Mar

Thank you all,
I think I explained my issue well but I will again explain the case I faced:
One user from outside my company could use my email account and the SMTP of my mail server on port 25 to send an email to another user inside the company, not to email outside my company.
None of our staff did that.
Regards
Martin.

Offline janet

Mar

Firstly did you do this as suggested:
Remove or delete this template fragment, it should NOT be there
/etc/e-smith/templates/var/service/qpsmtpd/peers/0/05auth_cvm_unix_local

Then for good measure run
signal-event post-upgrade
signal-event reboot

You need to do the above to correct your system asap.

Now re:
Quote
one user from outside my company could use my email account and the SMTP of my mail server under the port 25 to send an email to another user inside the company not to email outside my company

Now that is a different matter than you reported earlier.

Look in server manager, Configuration, Email panel.
Click on
Change e-mail reception settings
For
SMTP authentication
Select
Allow SSMTP (secure)

Save

Change the password of your email account to something strong & not easily guessed

Report back your success or otherwise
« Last Edit: October 21, 2019, 10:48:42 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Mar

Dear Janet,
Thanks for reply.
I think it is the same case. However, I am using this tool to test my server:
https://www.wormly.com/test-smtp-server
below is the result:

Resolving hostname...
Connecting...
Connection: opening to mail.xxxx.com:25, timeout=300, options=array (
                  )
Connection: opened
SERVER -> CLIENT: 220 mail.xxxx.com ESMTP
CLIENT -> SERVER: EHLO tools.wormly.com
SERVER -> CLIENT: 250-xxxx.com Hi tools.wormly.com [96.126.113.160]
                  250-PIPELINING
                  250-8BITMIME
                  250-SIZE 15000000
                  250 STARTTLS
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 Go ahead with TLS
CLIENT -> SERVER: EHLO tools.wormly.com
SERVER -> CLIENT: 250-xxxx.com Hi tools.wormly.com [96.126.113.160]
                  250-PIPELINING
                  250-8BITMIME
                  250 SIZE 15000000
CLIENT -> SERVER: MAIL FROM:
SERVER -> CLIENT: 250 , sender OK - how exciting to get mail from you!
CLIENT -> SERVER: RCPT TO:
SERVER -> CLIENT: 250 , recipient ok
CLIENT -> SERVER: DATA
SERVER -> CLIENT: 354 go ahead
CLIENT -> SERVER: Date: Mon, 21 Oct 2019 10:27:58 +0000
CLIENT -> SERVER: To: user1@xxxx.com
CLIENT -> SERVER: From: Wormly SMTP Test
CLIENT -> SERVER: Subject: Wormly SMTP Test Message
CLIENT -> SERVER: Message-ID:
CLIENT -> SERVER: MIME-Version: 1.0
CLIENT -> SERVER: Content-Type: text/plain; charset=iso-8859-1
CLIENT -> SERVER:
CLIENT -> SERVER: This message was sent using the Wormly SMTP testing tool by this user:
CLIENT -> SERVER: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
CLIENT -> SERVER: 111.111.11.11
CLIENT -> SERVER:
CLIENT -> SERVER: .
SERVER -> CLIENT: 250 Queued! 1571653687 qp 3734
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 221 xxxx.com closing connection. Have a wonderful day.
Connection: closed
Message completed successfully.

Please check the attachment; the server is already configured, but I could send mail to myself using the tool.

« Last Edit: October 21, 2019, 12:39:56 PM by Mar »
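As an added example (not from the thread or the SME Server project), here is a small Python helper that reads a transcript in the layout of the Wormly output above and separates the three outcomes the thread is conflating: unauthenticated inbound delivery to a hosted domain (normal MX behaviour, which is what the test above shows), authenticated submission, and unauthenticated relay to a foreign domain (the real problem). The transcript, hosts, addresses and the refusal line are constructed placeholders; `local_domains` is the set of domains the server hosts.

```python
import re
# Constructed sample in the layout of the Wormly transcript above (hosts, addresses, queue id are placeholders).
SAMPLE = """\
CLIENT -> SERVER: EHLO tools.example.net
SERVER -> CLIENT: 250-example.com Hi tools.example.net [192.0.2.10]
                  250 STARTTLS
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 Go ahead with TLS
CLIENT -> SERVER: MAIL FROM:<tester@example.net>
SERVER -> CLIENT: 250 sender OK
CLIENT -> SERVER: RCPT TO:<user1@example.com>
SERVER -> CLIENT: 250 recipient ok
CLIENT -> SERVER: RCPT TO:<someone@elsewhere.example>
SERVER -> CLIENT: 550 relaying denied
SERVER -> CLIENT: 250 Queued! 1571653687 qp 3734
"""

ADDR = re.compile(r"<([^>]+)>")

def parse_session(transcript):
    # Pair each CLIENT command with the next SERVER reply; continuation lines are skipped.
    s = {"starttls": False, "auth": False, "accepted": [], "refused": []}
    last_cmd = None
    for line in transcript.splitlines():
        if line.startswith("CLIENT -> SERVER:"):
            last_cmd = line.split(":", 1)[1].strip()
        elif line.startswith("SERVER -> CLIENT:") and last_cmd is not None:
            code = line.split(":", 1)[1].strip()[:3]            # three-digit reply code
            verb = last_cmd.split(":")[0].split(" ")[0].upper()  # EHLO, STARTTLS, AUTH, RCPT ...
            if verb == "STARTTLS" and code == "220":
                s["starttls"] = True
            elif verb == "AUTH" and code == "235":               # 235 = authentication succeeded
                s["auth"] = True
            elif verb == "RCPT":
                m = ADDR.search(last_cmd)
                addr = m.group(1).lower() if m else last_cmd
                s["accepted" if code.startswith("2") else "refused"].append(addr)
            last_cmd = None
    return s

def classify(transcript, local_domains):
    # Separate inbound MX delivery from relaying, given the domains this server hosts.
    s = parse_session(transcript)
    foreign = [a for a in s["accepted"] if a.rsplit("@", 1)[-1] not in local_domains]
    if foreign and not s["auth"]:
        return "open relay: unauthenticated relay accepted for " + ", ".join(foreign)
    if s["auth"]:
        return "authenticated submission"
    return ("inbound delivery to local users without authentication (expected MX behaviour)"
            if s["accepted"] else "no recipients accepted")
```

Run `classify(SAMPLE, {"example.com"})` on your own test output: only the "open relay" verdict indicates a misconfiguration; the "inbound delivery" verdict is what any working MX produces.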

Offline janet

Mar

Congratulations, your smtp mail server is working. If you want to run a mail server that is accessible to other mail servers around the world, then this is the required result (of the wormly test).

To control access to your smtp mail server for external users etc, you need to configure appropriate settings internally, i.e. in your server configuration.

As your problem description varies, originally you said internal to internal mail sending, now you are saying external to internal mail sending, it is unclear to me what exactly you are trying to achieve.

Please supply a real world example of email sending (identifying the perceived problem) using real email addresses & real domain names.
To disguise yourself, you can create a virtual domain on your sme server, add temporary users & have a domain setup in external records. Domains will cost you $10 or so, which is a small amount for you to have to pay compared to the time & cost input of those helping here.
« Last Edit: October 22, 2019, 05:44:27 AM by janet »

Offline Mar

I am sorry, maybe I was not good at explaining my problem, but that is really what happened.
However I will get a domain by today to link it to SME server.
Thank you very much

Offline janet

Mar

Please also give a detailed description of how your server is configured in your network, eg is it server & gateway mode or server only ?
is it a second server ?

does it connect to the Internet via another gateway device or firewall or directly via a bridged modem etc etc

What else is in your local network, workstations (Windows or other OS?), other devices ?

Offline janet

Mar

Please answer, did you remove this template fragment ?
/etc/e-smith/templates/var/service/qpsmtpd/peers/0/05auth_cvm_unix_local

If you did remove it, then did you run
signal-event email-update
afterwards ?

Offline Mar

Yes, of course I removed it and ran the command,
but it is still the same case, as I told you.
« Last Edit: October 22, 2019, 09:09:56 PM by Mar »

Offline janet

Martin

Quote
Yes, of course I removed it and ran the command

If you do not tell us then we do not know !

You also did not respond to the following post, please answer all questions in detail.

Please also give a detailed description of how your server is configured in your network, eg is it server & gateway mode or server only ?
is it a second server ?

does it connect to the Internet via another gateway device or firewall ?

or directly via a bridged modem ?

or some other way ?

What else is in your local network, workstations (Windows or other OS ?), other devices ?

Offline Mar

Martin

If you do not tell us then we do not know !
Thanks.

You also did not respond to the following post, please answer all questions in detail.
Actually I was planning to run the test machine first then tell you all details

Please also give a detailed description of how your server is configured in your network, eg is it server & gateway mode or server only ?
It is configured as server and gateway
is it a second server ?
it is standalone server

does it connect to the Internet via another gateway device or firewall ?
It is connected to the internet behind a firewall. It is a mail server located in the EU, and the local network is in a different area.

or directly via a bridged modem ?

or some other way ?

What else is in your local network, workstations (Windows or other OS ?), other devices ?
We have a Windows Server AD, so the workstations are running Windows 10.

« Last Edit: October 23, 2019, 08:09:43 AM by Mar »

Offline janet

Martin

You say:
Your SME server is configured in server gateway mode & that it is a standalone server.

Then you say:
Your SME server is connected to the internet behind a firewall. it is a mail server located in EU and the local network is in different area.

It is not usual to configure your server in server gateway mode & have it behind another firewall.
In server gateway mode, sme server is acting as a firewall.
So in your scenario you would have 2 firewalls.

Also you need to explain in more detail what you mean about the mail server in EU & local network elsewhere.

This appears to be a non standard use of SME server & it does not surprise me that you are having problems & that our suggestions do not work for you.

You are doing something non standard & the fixes we proposed are probably not appropriate.

Please provide a lot more details.


Offline Mar

Martin

You say:
Your SME server is configured in server gateway mode & that it is a standalone server.

Then you say:
Your SME server is connected to the internet behind a firewall. it is a mail server located in EU and the local network is in different area.
Yes, it is in a datacenter in the EU, so it is behind the firewall of the datacenter,
and it is configured as gateway and server.

It is not usual to configure your server in server gateway mode & have it behind another firewall.
In server gateway mode, sme server is acting as a firewall.
So in your scenario you would have 2 firewalls.
Yes, as I mentioned, it is in a datacenter.
Also you need to explain in more detail what you mean about the mail server in EU & local network elsewhere.
Our company is located in another area while our mail server is in the EU, which is normal.

This appears to be a non standard use of SME server & it does not surprise me that you are having problems & that our suggestions do not work for you.
I disagree, because it is normal to keep your server in a datacenter, and the datacenter has their own firewall.

You are doing something non standard & the fixes we proposed are probably not appropriate.

Please provide a lot more details.
Hopefully that gave you enough info about the server.
« Last Edit: October 23, 2019, 10:22:25 PM by Mar »

Offline Mar

Janet,
The email is an independent function regardless of the other network or its location.
What I think is that it is a malfunction in qmail.
We will see on the other server which I am working on.
Regards
« Last Edit: October 23, 2019, 10:25:10 PM by Mar »