Koozali.org: home of the SME Server

[SOLVED] Local SMTP Authentication

Offline newburns

« on: May 07, 2014, 08:45:38 PM »
I have a spiceworks install that does not have SSL SMTP Authentication.

My SME is behind a pfSense firewall.
I have my SME Server in server-only mode

As of right now, I believe the only way is to set
Code:
RelayRequiresAuth disabled

I know that it says that is for local networks only, but being in server-only mode, would that open my server up to possible attacks? I only have port 25 forwarded through the pfSense firewall to the SME Server.

Code:
# config show qpsmtpd
qpsmtpd=service
    Authentication=enabled
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:dnsbl.ahbl.org:dnsbl-1.uceprotect.net:dnsbl-2.uceprotect.net:psbl.surriel.com:zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    status=enabled

I am already listed on the CBL Spam list for HELO. Not sure what that means, but I can't seem to get off of that list. I want to be sure I'm not making things worse by disabling authentication. From my BASIC understanding it would seem that my port 25 would be wide open to the world, and I don't want that.
« Last Edit: May 09, 2014, 05:10:15 PM by newburns »
SME 8.0
Quad 6600
8gb DDR2 800
8 TB RAID 5
Dual Gigabit NIC
I Still Don't KNOW WHAT I AM DOING. Please, don't assume I know anything about Linux or Centos, I just know hardware

Offline janet

Re: Local SMTP Authentication
« Reply #1 on: May 08, 2014, 02:45:08 AM »
newburns

Anything connected to the Internet is open to attack.
Your system remains secure by using secure connections, such as SSL, by having strong passwords & implementing wise system practices, such as keeping all aspects of your server & firewall up to date with regular bug fixes & software upgrades, especially for all web based applications running on your server. Watch out especially for cross-application vulnerabilities.

By having less security you increase the vulnerability of your system & make it easier for attacks to occur.

If port 25 is open on your firewall & forwarded to sme server, then hackers have a direct connection via port 25.
Whether they can make use of that, depends on the security of your whole system, including email passwords etc.
Think carefully before you do what you are saying as you have really introduced a vulnerability.


Quote
I am already listed on the CBL Spam list for HELO. Not sure what that means, but I can't seem to get off of that list.

Perhaps an indication that configuration of your sending server does not meet stricter external mail servers' guidelines; read the SME Server Manual Appendix (re PTR & SPF), & perhaps you should be sending mail via your ISP's SMTP server, if you cannot ensure the integrity of your own mail server.
« Last Edit: May 08, 2014, 04:20:33 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline CharlieBrady

Re: Local SMTP Authentication
« Reply #2 on: May 08, 2014, 02:50:22 PM »
Quote
As of right now, I believe the only way is to set
Code:
RelayRequiresAuth disabled

The only way to do what? You haven't told us what you are trying to achieve. From the Subject, you are asking something about SMTP Authentication, but what exactly is your question?

Offline newburns

Re: Local SMTP Authentication
« Reply #3 on: May 08, 2014, 03:04:21 PM »
I am trying to have my internal Spiceworks server authenticate against SME Mailserver for outgoing email.
The SME server is in server-only mode, and will only accept SSL connections at this point.

Spiceworks does not support SMTP SSL. However it supports TLS.
I am not sure what to do in order to stay secure and authenticate Spiceworks for SMTP.

As for port-forwarding port 25 through firewall to SME, that is so I can receive emails from the outside to my SME server.

Is there a way to disable SSL connection for an internal network address only?
In "Server-Only Mode" does internal network and local network mean the network within the same subnet, or is that specific to SME in Gateway-Server mode? Basically, does http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network still apply for "internal network" if it is in Server-Only mode?

Offline CharlieBrady

Re: Local SMTP Authentication
« Reply #4 on: May 08, 2014, 04:26:07 PM »
Quote
Spiceworks does not support SMTP SSL. However it supports TLS.

TLS is just SSL 3.1. Did you try SMTP TLS with Spiceworks? If so, what happened?

Quote
Basically, does http://wiki.contribs.org/Email#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network still apply for "internal network" if it is in Server-Only mode?

I suspect that whole section is obsolete.


Offline newburns

Re: Local SMTP Authentication
« Reply #5 on: May 08, 2014, 06:21:38 PM »
When I connect via SMTP on port 465, I get this in the log files:
Code:
2014-05-08 11:09:47.593960500 16508 Connection from pc-00100.***hidden***.org [10.1.12.100]
2014-05-08 11:09:47.595963500 16508 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2014-05-08 11:09:47.601760500 16508 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2014-05-08 11:09:47.607417500 16508 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2014-05-08 11:10:47.562352500 16508 logging::logterse plugin (deny): ` 10.1.12.100 pc-00100.***hidden***.org tls 903 Cannot establish SSL session msg denied before queued
2014-05-08 11:10:47.562529500 16508 550 Cannot establish SSL session
2014-05-08 11:10:47.562618500 16508 click, disconnecting
2014-05-08 11:10:47.573977500 3622 cleaning up after 16508

When I connect via port 587, this is in the pop3s log file
Code:
2014-05-08 11:13:56.391229500 tcpsvd: info: status 2/40
2014-05-08 11:13:56.391310500 tcpsvd: info: pid 17260 from 10.1.12.100
2014-05-08 11:13:56.391396500 tcpsvd: info: concurrency 17260 10.1.12.100 1/4
2014-05-08 11:13:56.391397500 tcpsvd: info: start 17260 0:10.1.12.2 ::10.1.12.100:11103 ./peers/10.1.12
2014-05-08 11:13:56.500336500 tcpsvd: info: end 17260 exit 1
2014-05-08 11:13:56.500338500 tcpsvd: info: status 1/40
2014-05-08 11:13:56.500545500 sslio[17260]: info: bytes in: 627
2014-05-08 11:13:56.500546500 sslio[17260]: info: bytes ou: 1670

I'm not sure what other logs to look at.
Spiceworks error shows connection refused on port 587
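
An added example, not part of the original posts: a small parser for the qpsmtpd log format shown in the post above that measures how long each session waited before the tls plugin logged "Cannot establish SSL session". In the posted session the denial comes almost exactly 60 seconds after the connection, which is consistent with a handshake that stalled until a timeout rather than one rejected at once; that reading, the 30-second threshold and the second (constructed) session are assumptions.

```python
import re
from datetime import datetime

# Session 16508 is copied from the port-465 log posted above; session 17001
# is constructed here to show the contrasting prompt failure.
SAMPLE_LOG = """\
2014-05-08 11:09:47.593960500 16508 Connection from pc-00100.***hidden***.org [10.1.12.100]
2014-05-08 11:09:47.595963500 16508 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2014-05-08 11:10:47.562352500 16508 logging::logterse plugin (deny): ` 10.1.12.100 pc-00100.***hidden***.org tls 903 Cannot establish SSL session msg denied before queued
2014-05-08 11:10:47.573977500 3622 cleaning up after 16508
2014-05-08 11:20:01.100000000 17001 Connection from constructed.example [192.0.2.10]
2014-05-08 11:20:01.350000000 17001 logging::logterse plugin (deny): ` 192.0.2.10 constructed.example tls 903 Cannot establish SSL session msg denied before queued
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d{9}) (\d+) (.*)$")
EPOCH = datetime(1970, 1, 1)
STALL_SECONDS = 30  # assumed threshold separating a stall from a prompt rejection

def to_ns(stamp, nanos):
    """Convert the nanosecond-resolution log timestamp to integer nanoseconds."""
    whole = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") - EPOCH
    return int(whole.total_seconds()) * 10**9 + int(nanos)

def tls_denials(log_text):
    """Return one record per session that the tls plugin denied."""
    connected, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, pid, msg = to_ns(m[1], m[2]), m[3], m[4]
        if msg.startswith("Connection from "):
            connected[pid] = when
        elif "logterse plugin (deny): ` " in msg and pid in connected:
            fields = msg.split("` ", 1)[1].split()
            # The numeric return code directly follows the plugin name.
            idx = next((i for i, f in enumerate(fields) if i >= 2 and f.isdigit()), None)
            if idx is None or fields[idx - 1] != "tls":
                continue
            delay = (when - connected.pop(pid)) / 1e9
            kind = "stalled handshake" if delay >= STALL_SECONDS else "prompt failure"
            results.append({"pid": pid, "ip": fields[0], "code": fields[idx],
                            "delay_s": round(delay, 3), "kind": kind})
    return results

if __name__ == "__main__":
    for rec in tls_denials(SAMPLE_LOG):
        print(rec)
```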

Offline CharlieBrady

Re: Local SMTP Authentication
« Reply #6 on: May 08, 2014, 10:50:19 PM »
Quote
When I connect via SMTP on port 465, I get this in the log files ...

And what do you see in spiceworks?

Offline mmccarn

Re: Local SMTP Authentication
« Reply #7 on: May 09, 2014, 12:46:01 PM »
1. My spiceworks allows me to select authentication and to specify the port number to use.  I suspect that setting the port to 465 will convince spiceworks to use smtp over ssl instead of TLS.

2. Here's an old post describing a way (that may still work) to allow open relay from a single host IP:
http://forums.contribs.org/index.php/topic,48244.msg239623.html#msg239623

Offline newburns

Re: Local SMTP Authentication
« Reply #8 on: May 09, 2014, 03:59:12 PM »
Thanks for trying everyone.
I just went with gmail SMTP.
I don't like having my server less secure just because Spiceworks does not support SSL.
Even though I added the IP to the /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients it did not allow it to pass unauthenticated. It still required SSL for port 465. And connection refused for port 587.

Port 465 showed in log file
Code:
2014-05-09 08:51:49.194609500 24337 Accepted connection 0/10 from 10.1.12.100 / pc-00100.***hidden***.org
2014-05-09 08:51:49.194749500 24337 Connection from pc-00100.mtrosemedia.org [10.1.12.100]
2014-05-09 08:51:49.196640500 24337 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2014-05-09 08:51:49.202567500 24337 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2014-05-09 08:51:49.208046500 24337 tls plugin (init): ciphers: HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
2014-05-09 08:52:49.171265500 24337 logging::logterse plugin (deny): ` 10.1.12.100 pc-00100.***hidden***.org tls 903 Cannot establish SSL session msg denied before queued
2014-05-09 08:52:49.171367500 24337 550 Cannot establish SSL session
2014-05-09 08:52:49.171538500 24337 click, disconnecting
2014-05-09 08:52:49.191517500 3622 cleaning up after 24337
Spiceworks shows
"Connection timeout on port 465"

Offline CharlieBrady

Re: Local SMTP Authentication
« Reply #9 on: May 09, 2014, 05:07:03 PM »
Quote
Even though I added the IP to the /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients it did not allow it to pass unauthenticated.

Did you try port 25?

But if you can use gmail then you don't have a problem, right?

Offline newburns

Re: Local SMTP Authentication
« Reply #10 on: May 09, 2014, 05:09:24 PM »
I could not use port 25.
Same SSL issue.

But now that I'm using gmail, I no longer have an issue. Thanks
I was even able to forward all emails from gmail to my SME user, and change reply from to the SME user.


THANKS!!!  8-)

Offline CharlieBrady

Re: Local SMTP Authentication
« Reply #11 on: May 09, 2014, 07:59:32 PM »
Quote
I could not use port 25.
Same SSL issue.

In that case Spiceworks was using STARTTLS.  Perhaps spiceworks doesn't like a self-signed certificate.

If Spiceworks is sending mail to a local user account, it should be able to do so in plaintext (i.e. non-SSL) and unauthenticated.

Have you asked on a Spiceworks forum? Without knowing what Spiceworks is objecting to (or doing wrong), we can't fix it. Is there something in SME server which needs to be fixed? Who can say.

Offline newburns

Re: [SOLVED] Local SMTP Authentication
« Reply #12 on: May 09, 2014, 08:02:09 PM »
I will keep at this, and ask on the spiceworks forum.
I'll try to get to the bottom of it, and document the findings here.