1 Topic by kzkggaara

  • kzkggaara
  • kzkggaara
  • Member
  • Offline
  • Registered: 2012-10-11
  • Posts: 12

Topic: My server is vulnerable on port 25 (SMTP with out auth)

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian Squeeze
- Related log if you're reporting an issue:
====

Using port 25 and telnet from my server anyone could send emails without the need to login, that is, anyone could send emails pretending to be someone else.

How I can I avoid this.

Thanks for all, I hope someone can help me.
Best regards.

PS: Sorry for my english, it's not my primary language.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

kzkggaara's Website

2 Reply by time4e

  • time4e
  • time4e
  • Member
  • Offline
  • Registered: 2012-08-12
  • Posts: 48

Re: My server is vulnerable on port 25 (SMTP with out auth)

Not exactly, If I telnet to my server and issue "mail -v test test@test.com" command I get the following

"MUST ISSUE A STARTTLS command first"

Knowing what I know about the IRedMail project there is no way the developers would have had the script configure a server as an open smtp relay.

I found this article that goes over how to test SMTP auth over telnet. http://www.petri.co.il/smtp-authentication.htm



Thanks
-Tim

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,090

Re: My server is vulnerable on port 25 (SMTP with out auth)

Hi @kzkggaara,

*) Please show us how you test it with telnet, all commands you type and the output.
*) iRedMail is configured to enable SMTP AUTH for sending emails by default.