Koozali.org: home of the SME Server

[SOLVED] Requiring SMTP authentication from a specific LAN sub-range?

Michail Pappas
Hello everybody,

I've been painfully busy for the last 10 months, so much so, in fact, that I was not even able to update my single SME 9.2 box. I've got it scheduled for the first week of October, provided I have the time to do the mandatory prep reading. But I'm certain all will go well :)

Today I stumbled into the following: one of my users was able to send email using a group email address. Now, this should not have come to me as a surprise, since the IP address this mail was sent from was on the LAN side of the network. OTOH, it is quite scary to be able to send email with a different identity!

So I was considering options to limit this down:
1) IIRC, there is always the option to configure SME to ask for credentials during an SMTP transfer, even for local users. However, this would present problems for various systems (i.e. printers/servers on static IP addresses, sending alerts and stuff).

2) As is, I have a 10.0.16.0/22 subnet, of which the lower half (.16.0 - .17.255) hosts my servers/printers etc. and the upper half (.18.0 - .19.255) hosts the users' systems. So I was wondering if it would be feasible (and wise) to somehow limit trustworthiness to only the lower part of the subnet, making SMTP authentication of my users' mail submissions mandatory in the process.

I'm inclined to (2) above, not sure though if it can be done. And if it can, which option(s) I should change to do so.

« Last Edit: September 17, 2021, 08:05:25 AM by Michail Pappas »

ReetP
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #1 on: September 13, 2021, 10:33:12 AM »
Simplest is to use a pseudonym.

So I have a number of those that are the email addresses for a group.

So everyone in the group can receive, but none can send from that address as it is only a pseudonym.

E.g. accounts, info, sales etc.

KISS :-)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Stefano
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #2 on: September 13, 2021, 12:18:23 PM »

1) IIRC, there is always the option to configure SME to ask for credentials during an SMTP transfer, even for local users. However, this would present problems for various systems (ie printers/servers on static ip addresses, sending alerts and stuff).


You can create a custom template and add all your devices there:
Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
nano 60myAppliance

and then add all your IPs with such a syntax:
Code:
{
    # one relay client per line, in the syntax the relayclients file expects
    $OUT .= "first_ip\n";
    $OUT .= "second_ip\n";
}

at the end,
Code:
signal-event email-update

This used to work in SME 9.x; not tested (but it should work) in SME 10 too.
HTH

Michail Pappas
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #3 on: September 13, 2021, 01:19:17 PM »
Thanks for your responses. I think I'll go with Stefano's approach here. Any idea if I can describe subnets (i.e. x.y.z.w/q) in the $OUT statements instead of single IPs?

Furthermore, I presume that in this approach I do have to enforce password authorization for all systems, even LAN ones, correct?
« Last Edit: September 13, 2021, 01:20:55 PM by Michail Pappas »


Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #5 on: September 13, 2021, 01:47:04 PM »
Yes, you should enforce passwords; that is best practice, so you do not help propagate spam and viruses in the unlikely case of an infected computer on your LAN.

ReetP
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #6 on: September 13, 2021, 04:07:04 PM »
yes you should enforce password, that is best practice, so you do not help propagating spams and viruses in case of an unlikely infected computer on your lan.

A good reason to generally NOT make these sort of accounts real 'system' accounts unless absolutely necessary - they get forgotten, and hacked.

Michail Pappas
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #7 on: September 14, 2021, 06:46:19 AM »
I'm using non-authenticating accounts on stuff like iLO/iDRAC, some printers/copiers, UPS management software for alerts etc.

As for what you've told me, and from what I understood after reading the relayclients wiki page, I have more questions. The way I see it, relayclients should contain addresses of hosts allowed to send mail without authentication, whereas norelayclients should contain a subset of relayclients, for hosts that should authenticate. Is that correct?

1) At the moment, on my current 9.2 box relayclients contains only localhost and the server's own IP address. So, how come various devices on my LAN are able to send email without authentication?

2) On the same box, norelayclients contains solely the gateway/upstream router ip address (my SME is operating in a server-only mode, without any gateway functionality). Why?

3) After reading the relayclients wiki, I believe I should modify relayclients to include a line 10.0.16.0/22 (my entire LAN range, which includes both normal users as well as devices sending unauthenticated alert emails, like iLO), whereas norelayclients should include 10.0.18.0/23 (since that is the ip range my normal users operate, hence authentication should be required). Did I get the hang of it right?

Stefano
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #8 on: September 14, 2021, 11:29:15 AM »
I'd say you have to enforce the password and auth policy on all your LAN and then use the custom fragment approach to list only the IP addresses of the devices you want to enable.

Michail Pappas
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #9 on: September 16, 2021, 01:32:20 PM »
I'd say you have to enforce the password and auth policy on all your LAN ...
Where exactly is this SMTP functionality configured from?


Michail Pappas
Re: Requiring SMTP authentication from a specific LAN sub-range?
« Reply #11 on: September 17, 2021, 08:05:02 AM »
That's perfect mate, thank you!

Michail Pappas
Re: [SOLVED] Requiring SMTP authentication from a specific LAN sub-range?
« Reply #12 on: September 17, 2021, 12:24:18 PM »
Again, considering this is about a 9.2 and not a 10 box, I'd be grateful if you could bear with me.

There's something definitely fishy here. That or I am missing something altogether.

Details again: the LAN is 10.128.64.0/22 (part of a large 10/8 WAN). SME is on 10.128.65.8 (server-only operation).

I've enabled authentication for everything as per:
Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update

config setprop qpsmtpd Authentication enabled
signal-event email-update

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

Code:
# cat /var/service/qpsmtpd/config/relayclients

#------------------------------------------------------------
#              !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
# Format is IP, or IP part with trailing dot
# e.g. "127.0.0.1", or "192.168."
127.0.0.
10.128.65.8

# SMTP Relay from local network denied by custom template

However, trying to send from a NAS device with an IP of 10.210.116.19 (out of my LAN range, definitely not listed in relayclients) succeeds! Specifically, I'm sending email from an existing email account of my domain to itself, without doing any authentication at all.

What am I missing here, why isn't this traffic blocked?

FYI:
Code:
# config show qpsmtpd

qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DKIMSigning=enabled
    DMARCContactInfo=http://redacted/
    DMARCReject=enabled
    DMARCReportEmail=admin@redacted
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,rhsbl.sorbs.net
    TlsBeforeAuth=0
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled
    access=public
    qplogsumm=enabled
    status=enabled
« Last Edit: September 17, 2021, 12:27:02 PM by Michail Pappas »

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: [SOLVED] Requiring SMTP authentication from a specific LAN sub-range?
« Reply #13 on: September 17, 2021, 01:07:28 PM »
Again: this is not needed, as SME 9 already has the fragment for local, and you will just hide it from further updates when you migrate to SME 10.

Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: [SOLVED] Requiring SMTP authentication from a specific LAN sub-range?
« Reply #14 on: September 17, 2021, 01:11:01 PM »
Sending mail does not mean relaying mail.

Are you sending emails to local users or to a remote email address?

With this config, SME will still accept email for its own addresses, like it does from a remote server, but it will refuse, say, device A sending email to Gmail via SME.
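The distinction Jean-Philippe draws above (inbound delivery versus relaying), Stefano's per-device relayclients fragment, and the relayclients/norelayclients question in Reply #7 all come down to one decision taken per RCPT TO. The following is an added example, written for this page; it is not SME Server or qpsmtpd code but a small Python model of that decision, using only the entry syntax the generated relayclients file documents ("IP, or IP part with trailing dot"). It assumes example.com as the hosted domain (the thread redacts it), and the sample relayclients text, client addresses and recipients are constructed from the values quoted in the thread. It also shows how the 10.0.16.0/22 lower and upper halves from the first post can be written in that prefix syntax, since the file format shown has no CIDR notation.

```python
import ipaddress

# Constructed sample: the relayclients file as generated in the thread
# (127.0.0. and the server's own address), comments included.
RELAYCLIENTS_FROM_THREAD = """\
# Format is IP, or IP part with trailing dot
# e.g. "127.0.0.1", or "192.168."
127.0.0.
10.128.65.8
"""

# Assumption: the domain this box hosts (the thread redacts the real one).
LOCAL_DOMAINS = {"example.com"}


def parse_relaylist(text):
    """Entries of a relayclients/norelayclients file, minus comments and blanks."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def ip_matches(ip, entry):
    """One entry is either a full address or a prefix ending in a dot."""
    return ip.startswith(entry) if entry.endswith(".") else ip == entry


def in_list(ip, entries):
    return any(ip_matches(ip, e) for e in entries)


def cidr_to_prefixes(cidr):
    """Write an IPv4 block as trailing-dot prefixes.

    The file format shown in the thread has no CIDR syntax, so a /22 or /23
    must be spelled out as /24 prefixes ("10.0.16.", "10.0.17.", ...).
    Blocks narrower than /24 have no prefix form and must be listed as IPs.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not 8 <= net.prefixlen <= 24:
        raise ValueError(f"{cidr}: only /8 to /24 blocks have a prefix form")
    boundary = -(-net.prefixlen // 8) * 8          # round up to 8, 16 or 24
    return [".".join(str(sub.network_address).split(".")[: boundary // 8]) + "."
            for sub in net.subnets(new_prefix=boundary)]


def rcpt_decision(client_ip, authenticated, rcpt, relayclients, norelayclients=()):
    """Decide one RCPT TO: 'accept-local', 'accept-relay' or 'reject-relay'.

    Mail addressed to a domain this server hosts is inbound delivery and is
    accepted from any client, just as it is from a remote MTA; that is why
    the NAS in the thread could still mail a local mailbox without
    authenticating. Relay permission is only needed for other domains and
    comes from SMTP AUTH or from a relayclients match that norelayclients
    does not take away. Note that nothing here looks at MAIL FROM.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept-local"
    if authenticated:
        return "accept-relay"
    if in_list(client_ip, relayclients) and not in_list(client_ip, norelayclients):
        return "accept-relay"
    return "reject-relay"


def demo():
    """The thread's two scenarios side by side."""
    # Last post: NAS outside the LAN, no AUTH, recipient on the hosted domain.
    thread_list = parse_relaylist(RELAYCLIENTS_FROM_THREAD)
    nas_to_local = rcpt_decision("10.210.116.19", False, "user@example.com", thread_list)
    nas_to_remote = rcpt_decision("10.210.116.19", False, "someone@gmail.com", thread_list)

    # First post: trust the lower /23 (servers, printers), require AUTH from
    # the upper /23 (users), both expressed in the prefix syntax.
    relay = cidr_to_prefixes("10.0.16.0/22")       # whole LAN
    norelay = cidr_to_prefixes("10.0.18.0/23")     # users' half, carved out again
    printer = rcpt_decision("10.0.16.40", False, "alerts@gmail.com", relay, norelay)
    user_noauth = rcpt_decision("10.0.18.50", False, "friend@gmail.com", relay, norelay)
    user_auth = rcpt_decision("10.0.18.50", True, "friend@gmail.com", relay, norelay)
    return {
        "nas_to_local": nas_to_local,
        "nas_to_remote": nas_to_remote,
        "printer": printer,
        "user_noauth": user_noauth,
        "user_auth": user_auth,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

The NAS case returns accept-local while the same client mailing Gmail returns reject-relay, which is the behaviour the last two posts describe: the relayclients change did work, it just does not govern inbound mail for the server's own domain. The second scenario is the original question answered in the file's own syntax, a /22 and a /23 becoming four and two trailing-dot prefixes. Because the decision never inspects the envelope sender, neither list stops a LAN host from using a group address as its From; that is what enforced authentication (Stefano, Jean-Philippe) or a receive-only pseudonym (ReetP) addresses.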