1 (edited by bananafish 2013-06-28 01:52:29)

Topic: SMTP Allowed via telnet 25?

==== Required information ====
- iRedMail version: 0.8.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian 7
- Related log if you're reporting an issue:
====

I had a user of my mail server today inform me that he was able to telnet to port 25 externally to my mail server and send mail from any address to any of my users.  I was able to test this as well and he was correct. 

There was no prompt for authentication when connecting to postfix on 25 via telnet and as long as I was sending to anyone on the mail server it went through.  Is this correct? It does not seem secure to me as anyone can telnet and spam my users.

I realize it is somewhat secure as it will not allow me to telnet in and send to external hosts so it is not an open relay. 

Can someone tell me if this right or I need to lock it down more?

Thanks!

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 (edited by camel1cz 2013-06-28 04:12:06)

Re: SMTP Allowed via telnet 25?

This is the idea of email exchange... anyone can send email to your users. No authentication required. It's correct behavior.

Authentication is required only when:
- you want to send email AS (= from) any of your users OR,
- you want to send email to address NOT hosted on your server (it's called relaying of email)

3

Re: SMTP Allowed via telnet 25?

Could you please show us output of command "postconf -n"?

4 (edited by bananafish 2013-06-29 02:52:43)

Re: SMTP Allowed via telnet 25?

camel1cz wrote:

This is the idea of email exchange... anyone can send email to your users. No authentication required. It's correct behavior.

Authentication is required only when:
- you want to send email AS (= from) any of your users OR,
- you want to send email to address NOT hosted on your server (it's called relaying of email)

I started to think about it and yeah I guess that would have to work like that.

postconf -n

root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = emacs.in
myhostname = mail.emacs.in
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = mail.emacs.in
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

just so we are clear the address in the conf is a different one of mine, in case it turns out my server is vulnerable.

5

Re: SMTP Allowed via telnet 25?

Is it possible for you to ask your user to show you all commands he/she used to reproduce this issue? Paste us all output of the smtp session with telnet.

6

Re: SMTP Allowed via telnet 25?

this is exactly what the user and myself follwed to succesfully do what I mentioned:

http://www.yuki-onna.co.uk/email/smtp.html

7

Re: SMTP Allowed via telnet 25?

Could you please type them and paste us the commands you typed and the output message  with telnet? This is what we need.

8

Re: SMTP Allowed via telnet 25?

...also the email addresses used in MAIL FROM and RCPT TO and configuration of your domains in iRedMail is important.

Let us also know if any of addresses used is configured as local