Kerio User Forums » Kerio Connect » Sending to local users with authentication

baxtersoup

I've just installed Kerio on trial with 3 domains. Each domain is a different customer.

SMTP is restricted to require authentication, so if the user is sending out, their mail client has to authenticate before sending. But I've found a worrying 'feature'...

If customer1.com tries to send to an external user they HAVE to authenticate, but if they then send to a local domain, i.e. customer2.com, then they don't....

I can't see any way round this, and if this is the case, what is there to stop a spammer pretending he is customer1 and sending through my server to customer2 without any authentication?

I must be missing something, as this seems a huge problem...

Regards,

Craig

sedell

Barring anti-spam measures, your server has to accept mail addressed to valid mailboxes on it even if it's unauthenticated. If the server didn't, nobody outside of your domain would be able to send you mail. Think about mail coming in from other domains, like yahoo or gmail. How would they deliver mail to you if your server required local account authentication before accepting it? SMTP works the same way if the connection is a mail client or another server.

That's where anti-spam measures come in. One way to do it is to set up an SPF record. You can specify what servers can send mail on behalf of your domains. When your server gets a message from user@customer1.com, it will check the SPF record you published for customer1.com and see if the IP address the message came from is allowed to send mail for that domain. So, if you only put your 1 server in the record, mail with a from address @customer1.com from any other source will get rejected - unless it was sent using authentication.


Scott

Scotty85

Quote:

If customer1.com tries to send to an external user they HAVE to authenticate, but if they then send to a local domain, i.e. customer2.com, then they don't....


I would think that regular authentication would STILL ask for a password even when sending mail from customer1.com to customer2.com. Why does it not work this way? Is there a way to block it if there's no authentication, or force it to USE it? What if customer1 is on a dynamic IP? You can't just put their IP in SPF and expect it to work.


Regards,
Scotty

sedell

Nope. No way to force it, that's how SMTP works. If the mail is addressed to a domain on the server, there isn't any sort of challenge or rejection, so if it's not provided beforehand, authentication isn't required.

You shouldn't be running a mail server on a dynamic IP anyway. Aside from problems receiving mail, many servers won't accept mail from dynamic IP addresses, so you hobble your ability to even send mail if you don't have a static address.

Scott

Scotty85

I wasn't referring to the SERVER being on a dynamic IP..... but the USERS.

sedell

It sounded like you were talking about the domains - customer1.com and customer2.com. If it's a user, then there shouldn't be a problem. The SPF record will cause the server to reject the mail if authentication isn't used.

Scott

Scotty85

Yes, but don't you need to provide an IP for that? And if the user is dynamic, how can you?

sedell

It's for the server, not the user. See http://www.openspf.org/.

Scott

bigmountain

Maybe I am missing something here, but it sounds like what you are talking about is defined under the SMTP Server options that you can manage under the administration console. Go to the SMTP settings and in the Relay Control tab make sure that you have the box checked "Users authenticated through SMTP for outgoing mail". If you have the top box checked "Users from IP address group", then it is possible to allow relay for users coming from a particular IP address without them authenticating. Uncheck this box. That should take care of your problem. Everything else you are referring to here is outside mail coming in, which has nothing to do with your users sending outgoing mail.

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com

Scotty85

I think what everyone's missing here, is that "users authenticated through SMTP" is checked. Nothing else. If a user sends mail from customer1.com to customer2.com, the system isn't requiring authentication. He says it's passing mail without it, but only between the domains. Anything going to any other domain outside that server is required to authenticate like normal. I only brought up the dynamic IP thing because if the users at customer1.com are dynamic, then you can't put their IP in SPF.... or anywhere else for that matter. So, like he said, "what is there to stop a spammer pretending he is customer1 and sending through my server to customer2 without any authentication."?

Maybe I just don't understand SPF.

Scotty


Pavel Dobry (Kerio)

I think some things need to be clarified:
* anyone can send email to users in a local domain (customer1 and customer2) without authentication. This is a basic principle of email delivery.
* a user authenticated on the server can send email to any domain, including another local domain on the same server
* if you want to block emails from spammers who are forging the sender address as customer1, configure SPF in your DNS records and set it to the IP address (or MX or A record) of the server that is authorized to send emails of users in domain customer1.
* if users in the customer1 domain are using dynamic IPs, they still have to use a server with a static public IP address for sending emails. This is the same server which is receiving emails for domain customer1.

[Updated on: Fri, 22 August 2008 21:14]


elias

There are two separate issues here that I think are being confused. The first is delivery without authentication, the second is SPF. In this scenario they work together, but we should talk about them individually first before we use them together to "solve" this problem.

First, authentication can't be required for local mail delivery. As others have pointed out, that's how SMTP works. Anybody can send email to either customer1 or customer2 without authenticating, including spammers. That also includes email between customer1 and customer2 when hosted on the same box; since anyone can already send email to customer2 unauthenticated, there's no need (and it would be wrong) to require customer1 to authenticate to send mail to customer2.

Enter SPF. As Scott pointed out, SPF is applied to the mail server, not the clients. SPF indicates which mail servers are authorized to send mail for that domain. Since they're both hosted on the same server, if you create strict SPF records for customer1.com and customer2.com that contain only the IP of KMS, non-authenticated email from customer1 to customer2 will fail because when KMS looks up the SPF record for customer1.com, it'll see its own IP instead of the dynamic IP of the user so the check will fail and the mail will be rejected. Limitations of SPF aside, this is how you prevent spammers from pretending to be customer1 regardless of who they're sending to, including customer2.

So the solution is to use both authentication and SPF. With strict SPF records, the only way for customer1 to send email to customer2 is to authenticate. Authenticated users bypass the SPF check and can send email freely to customer2. If they don't authenticate, then their email is rejected. Remember too that authentication is an option that needs to be enabled on the clients, and if it's enabled, the client will always authenticate, even in those scenarios where it's not required. Authentication is also required for relaying mail through the server, so chances are they already have it enabled anyway, so the addition of the SPF record to prevent spoofing won't be an issue for them.

-Elias
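The combined policy that Pavel and Elias describe above (authenticated clients may send anywhere and skip SPF; unauthenticated clients may only deliver to local mailboxes; a strict SPF record rejects unauthenticated mail that claims a local sender domain but arrives from a foreign IP) as an added Python example. This is not code from the thread or from Kerio Connect: the server address 203.0.113.10, the two TXT records and the sample sessions are constructed, and the SPF evaluator handles only the ip4/ip6/all mechanisms that such single-server records need.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not from the thread): one mail host, assumed to sit at
# 203.0.113.10, receives and sends for both hosted domains.
SERVER_IP = "203.0.113.10"
LOCAL_DOMAINS = {"customer1.com", "customer2.com"}

# Constructed TXT records as each domain would publish them in DNS.
# "-all" makes them strict: any source not listed explicitly fails.
SPF_RECORDS = {
    "customer1.com": "v=spf1 ip4:203.0.113.10 -all",
    "customer2.com": "v=spf1 ip4:203.0.113.10 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain: str, client_ip: str) -> str:
    """Evaluate a simplified SPF record for the connecting IP.

    Supports the ip4/ip6/all mechanisms with +, -, ~ and ? qualifiers.
    Mechanisms needing DNS lookups (a, mx, include, ...) are skipped.
    Returns one of: none, pass, fail, softfail, neutral.
    """
    record = SPF_RECORDS.get(sender_domain.lower())  # stands in for a DNS TXT query
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mechanism = "+", term
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, mechanism = term[0], term[1:]
        name, _, arg = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6") and arg:
            # A bare address parses as a /32 or /128; an IPv6 client never
            # matches an ip4 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            matched = False
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"


@dataclass
class Session:
    """What the server knows when it must accept or reject a message."""
    client_ip: str
    authenticated: bool  # did the client complete SMTP AUTH?
    mail_from: str       # envelope sender (MAIL FROM)
    rcpt_to: str         # envelope recipient (RCPT TO)


def relay_decision(s: Session) -> str:
    """Return 'accept' or 'reject: <reason>' for one message.

    Authenticated clients may send anywhere and bypass SPF.  Unauthenticated
    clients may only deliver to local mailboxes, and only if SPF does not
    fail for the sender domain they claim.
    """
    sender_domain = s.mail_from.rsplit("@", 1)[1].lower()
    rcpt_domain = s.rcpt_to.rsplit("@", 1)[1].lower()

    if s.authenticated:
        return "accept"
    if rcpt_domain not in LOCAL_DOMAINS:
        return "reject: relaying denied, authentication required"
    spf = check_spf(sender_domain, s.client_ip)
    if spf == "fail":
        return f"reject: SPF fail for {sender_domain} from {s.client_ip}"
    return "accept"


if __name__ == "__main__":
    # Constructed sessions: 198.51.100.7 plays a dynamic client address.
    cases = {
        "spoofed customer1 -> customer2, no auth":
            Session("198.51.100.7", False, "boss@customer1.com", "bob@customer2.com"),
        "real customer1 user on dynamic IP, authenticated":
            Session("198.51.100.7", True, "boss@customer1.com", "bob@customer2.com"),
        "outside sender without SPF record -> customer2":
            Session("198.51.100.7", False, "someone@example.org", "bob@customer2.com"),
        "unauthenticated relay attempt to an external domain":
            Session("198.51.100.7", False, "boss@customer1.com", "x@example.org"),
    }
    for label, session in cases.items():
        print(f"{label}: {relay_decision(session)}")
```

The first case is the spammer from the opening post: the message is addressed to a local mailbox, so it is accepted at the relay-control stage, but the claimed sender domain's strict SPF record names only the server itself, so the dynamic source address fails and the message is rejected. The second case is the same user on the same dynamic address after SMTP AUTH, which is why the thread's answer is "authentication plus a strict SPF record" rather than either alone.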