Koozali.org formerly Contribs.org

Security check state: Anonymous authentication is allowed on the remote SMTP ser

Hello!

We had a security check and they reported that "Anonymous authentication is allowed on the remote SMTP server."

I investigated the problem in question and after some digging found out what the problem is. If I telnet to my SME server through port 25, from outside my company, I can send emails form users to users on the SME server. It is not possible to send e-mails to people outside SME server, so it is not a open rely server.

I cant find a soluttion to this problem. Can anyone help, please?


Thanks for the reply.

I Ihave already tryed this:

How do I enable smtp authentication for users on the internal network

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update

(note the "." at the end of the 3rd line)
Authentication for the local network will now follow the setting of config::qpsmtpd::Authentication

ie do

config setprop qpsmtpd Authentication enabled
signal-event email-update

How do I disable SMTP relay for unauthenticated LAN clients

http://forums.contribs.org/index.php?topic=38797.msg176490#msg176490

    Enable smtp authentication as shown above
    Disable un-authenticated smtp relay for the local network(s)using:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

    Configure your email clients to use smtps with authentication:

- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server

prior to post here. Still the same problem.

I have to mention that you can not connnect to SME with a mail client through 25 port unautenticated. I have only secured ports an SSL authenticattion allowed.

The problem is only from outside my network on port 25.

Any sugesttions?


Offline ReetP

  • *
  • 2,789
Quote
Any sugesttions?

Yup. Read why you would accept unauthenticated external connections to port 25 from external mail servers.

This is an XY problem. You don't understand the situation so are trying to fix an issue that doesn't exist.

If you disable incoming unauthenticated connections, any remote mail server trying to send mail to your users will not be able to do so unless they have a login.

Which they can't have. So it will fail and you will get no mail.

The same issue occurs in reverse if your mail server operates in standalone mode (not using say a ISP mail relay).

Your server connects to theirs on port 25. It may try and upgrade to SSL/TLS. But it will not need a login on THEIR server to send the mail to their local users. It should of course be blocked by their server from sending to other users - unauthenticated relay.

That's how mail transport works. It is seriously flawed by 21st Century standards (don't start me on encrypted mail server connections) because it was designed in the halcyon days before spam existed. The best thing to do is deprecate it. Make it the next 'fax'.

So, the issue is the test, not the server.

Of course, yes force your users to use secure authentication everywhere. But that isn't what you are trying to 'fix'.

And yes employ DKIM, DMARC etc which are there to help block illegitimate traffic.

But if you try and block this you will have no mail (plenty of mail servers do not use SSL/TLS to send).

I strongly suggest you remove all the damage, have a good read, and start again.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline netrs

Thanks a lot for the explanattion and for the time to write it.

I tested google and it did the same as my SME.

Thanks again.

Offline ReetP

  • *
  • 2,789
No worries!!

Catches lots of people.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation