How to verify the sender?
ftrenti

Messages: 13
Karma: 0
I have installed version 6.6.2 build 7165.

I made two users, user1 with password 123 and user2 with password 321.

If I use telnet to connect to the Kerio mail server, I can send emails from user1 to user2 without a password or any check.

Example: telnet kerioserverip smtp

220 kerioserver Kerio MailServer 6.6.2 ESMTP ready
ehlo
250-kerioserver
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-PIPELINING
250-ETRN
250-DSN
250 HELP
mail from: user1@mydomain.com
250 2.1.0 Sender <user1@mydomain.com> ok
rcpt to: user2@mydomain.com
250 2.1.5 Recipient <user2@mydomain.com> ok
data
354 Please start mail input.
text
.
250 Mail queued for delivery.

The mail arrives.

So I can also use a fake user:

220 kerioserver Kerio MailServer 6.6.2 ESMTP ready
ehlo
250-kerioserver
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-PIPELINING
250-ETRN
250-DSN
250 HELP
mail from: fakeuser@mydomain.com
250 2.1.0 Sender <fakeuser@mydomain.com> ok
rcpt to: user2@mydomain.com
250 2.1.5 Recipient <user2@mydomain.com> ok
data
354 Please start mail input.
fake text
.
250 Mail queued for delivery.

The mail arrives.

Can I check whether my sender exists before the email is sent?

Regards
Trenti Fabio
jshaw541

Messages: 471
Karma: 0
ftrenti wrote on Tue, 24 March 2009 10:21

RTFM

The KMS manuals are available on www.kerio.com. You will want the Administrator's Guide.

Kerio MailServer 6.7.1 w/AD
Windows Server 2003 SP 1
Dell PowerEdge 2850 (Dual Xeon 3.2ghz and 2 GB RAM)
~1300 users
~1000+ concurrent IMAPS connections
iPhone users
Outlook 2007 KOFF users
Apple iCal 10.5/10.6 users
ftrenti

Messages: 13
Karma: 0
Before writing this post I had read the online manual more than once, but sorry, I don't find this setup.

Can you tell me the manual page where this check is described?

In the SMTP server session I found the check "User authenticated through SMTP for outgoing mail", but in my test the email doesn't leave the server, so I have the same problem.

Regards
Trenti Fabio
TorW

Messages: 769
Karma: 9
Anyone can send mail to any account on the mail server. That's how it's supposed to work. How else would you receive mail?

If the feature is enabled, KMS will check if the domain of the sender exists, but it won't check if the actual sending address exists. The latter is often called "callback verification" and is somewhat controversial. Imagine what happens when the sending mail server also does callback verification. Nothing will ever be delivered.

However, sending mail from an external account to another external account is called relaying, and that's not possible unless you authenticate first.
ftrenti

Messages: 13
Karma: 0
Right, Kerio blocks relaying if the sender and/or recipient is an external account.

But without "callback validation" any PC connected to my LAN, with a simple batch file, can send a lot of emails to internal users with a fake identity.

I don't agree; only the authenticated user can send email.

"Callback validation" is present in the most important mail servers such as MDaemon to prevent internal hacker attacks.

Maybe for Kerio this isn't a problem.

Regards
Trenti Fabio
sgongola

Messages: 109
Karma: 0
Checking if the sender exists will not solve your problem. It may exist, but the mail-from address may not be the source of your email. That is why we have sender verification methods. Kerio can use SPF and Caller-ID. It involves the sender setting up SPF/Caller-ID records in their DNS definitions. Not all senders have done this, so you can only detect counterfeit emails claiming to come from sources that have SPF/Caller-ID configured properly. The rest (those that did not set it up and those that set it up improperly) you just have to accept, unless you want to stop most of the email world from sending you email.
ftrenti

Messages: 13
Karma: 0
Yes, SPF/Caller-ID work properly, but Kerio doesn't use this method to check mail sent through the same LAN IP and domain.

If you want, you can download this simple tool http://caspian.dotconf.net/menu/Software/SendEmail/
and install it on your PC.
Now you can send email through the Kerio server from fakeuser to your CEO's mailbox or any other mailbox in your domain without problem.
If you prefer you can use a telnet command; the result is the same, but with this tool it is simpler.

But if this is normal for you ....

Regards
Trenti Fabio
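The two posts above disagree about what SPF buys you: sgongola notes that it only catches forgeries of domains that publish a record, and ftrenti replies that Kerio does not apply it to mail sent from the same LAN. The following added example (written for this thread, not Kerio's own code) evaluates the ip4/ip6/all mechanisms of a constructed SPF record against a client IP, and then shows why a trusted-LAN exemption (an assumed setting, modelled on what ftrenti describes) leaves a same-domain forgery from an internal PC unchecked. The TXT records, the domain names and the 192.168.1.0/24 trusted range are all constructed for the example.

```python
import ipaddress

# Constructed TXT records standing in for DNS (not any real domain's records):
# the lookup table lets the check run offline.
FAKE_TXT_RECORDS = {
    "mydomain.com": "v=spf1 ip4:203.0.113.10 -all",
    "partner.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nospf.example": "",
}

# Assumed LAN range that the mail server treats as trusted and exempts from SPF.
TRUSTED_NETWORKS = ("192.168.1.0/24",)

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples, or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(client_ip, mail_from_domain, txt_lookup=FAKE_TXT_RECORDS):
    """Minimal SPF evaluation: ip4, ip6 and all only (a/mx/include would need DNS)."""
    terms = parse_spf(txt_lookup.get(mail_from_domain.lower(), ""))
    if terms is None:
        return "none"           # no SPF record published: nothing to verify against
    addr = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in terms:
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in net:     # an IPv6 client never matches an ip4 term, and vice versa
                return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"            # nothing matched and no "all" term (RFC 7208 default)


def inbound_sender_check(client_ip, mail_from, trusted_networks=TRUSTED_NETWORKS):
    """What a server with a trusted-LAN exemption actually enforces on MAIL FROM."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in trusted_networks):
        return "skipped"        # same-LAN client, same domain: the gap ftrenti describes
    return check_spf(client_ip, mail_from.rsplit("@", 1)[-1])


if __name__ == "__main__":
    # An outside host forging mydomain.com is caught; an inside PC is not even checked.
    print(inbound_sender_check("198.51.100.5", "fakeuser@mydomain.com"))   # fail
    print(inbound_sender_check("192.168.1.57", "fakeuser@mydomain.com"))   # skipped
    print(check_spf("203.0.113.10", "nospf.example"))                      # none
```

The last line of the demo is sgongola's point: a domain with no record yields "none", which a receiving server has to treat as "accept" unless it is willing to refuse mail from most of the world. The "skipped" result is the separate, internal problem the thread is really about; SPF is an internet-facing control and does nothing for a forged envelope that never crosses the perimeter.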
TorW

Messages: 769
Karma: 9
Sending email with falsified email addresses is a side-effect of the SMTP protocol. There is no set, standardized way to check the existence of the address in the envelope from-address, although you'll probably find a lot of companies claiming they can sell you the boxed silver bullet/magic potion/snake oil with regard to sender verification.

This is not a real security hole, and it is a fairly straightforward job to discover who actually sent the mail (from the inside, that is), even if the from-field is faked. Just look at the headers and pull out the IP address of the originating machine. If you use KOC or KOFF, it's even simpler: the sender's real KMS username will show up in the headers.

That being said, you should consider demonstrating "fake mail" to your CEO. That way, he's in on the game and knows about the possibilities. No point in keeping your CEO in the dark just because he/she is the CEO ;)
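TorW's advice is to work back from the Received headers to the machine that opened the SMTP session. The added example below (not from the page or from Kerio) does exactly that with Python's standard email module: it walks the Received chain in transport order, pulls the bracketed IP out of the earliest hop, and flags whether that address is in a private range. The message, host names and addresses are constructed for the example; the header layout follows the usual "from host (name [ip]) by server" convention, not any Kerio-specific format.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real capture): the From header claims fakeuser@mydomain.com,
# but the earliest Received header, written by the server that accepted the session,
# records the LAN address that actually connected.
SAMPLE_MESSAGE = """\
Received: from mail.mydomain.com (mail.mydomain.com [192.168.1.10])
 by relay.mydomain.com with ESMTP id 1234
 for <user2@mydomain.com>; Tue, 24 Mar 2009 10:21:00 +0100
Received: from workstation (unknown [192.168.1.57])
 by mail.mydomain.com with SMTP
 for <user2@mydomain.com>; Tue, 24 Mar 2009 10:20:58 +0100
From: fakeuser@mydomain.com
To: user2@mydomain.com
Subject: test

fake text
"""

# Assumed private ranges for the "internal or not" decision.
LAN_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

IP_IN_BRACKETS = re.compile(r"\[([0-9a-fA-F:.]+)\]")


def received_chain(raw_message):
    """Received headers in transport order (origin first).

    Each relay prepends its own Received header, so the last one in the message
    is the earliest hop."""
    msg = message_from_string(raw_message)
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(raw_message):
    """IP address recorded in the earliest Received header, or None if absent."""
    chain = received_chain(raw_message)
    if not chain:
        return None
    match = IP_IN_BRACKETS.search(chain[0])
    return match.group(1) if match else None


def is_internal(ip, lan_networks=LAN_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in lan_networks)


def summarize(raw_message):
    """Claimed sender next to the address that really opened the session."""
    msg = message_from_string(raw_message)
    origin = originating_ip(raw_message)
    return {
        "claimed_from": msg["From"],
        "origin_ip": origin,
        "origin_internal": origin is not None and is_internal(origin),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGE))
```

Matching the origin IP to a person still needs a second source (DHCP leases, switch port, the workstation's own logs); the headers only get you to the machine, which is the limit TorW is describing.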
ftrenti

Messages: 13
Karma: 0
Callback verification or sender verification is defined in a standard RFC, therefore there is a way to check the existence of the sender.

Whether my PC sends regular mail or fake mail, it always has the same IP and I don't find any difference in the log.
If your mail server sends/receives about 200 mails/hour like mine, how much time will I need to verify the log?

KOC and KOFF are simple if you use Outlook, but what if you use a standard POP3/SMTP mail client?

Usually there are two settings to define, like this:
"Authentication is always required when mail is from local accounts"
and
"Authentication credentials must match those of the email sender"
and the hole disappears.

I'm not the CEO, but he pays me and my IT tests. 8)

Regards
Trenti Fabio
sgongola

Messages: 109
Karma: 0
ftrenti:
It may be my fault, but I don't really understand the situation or what you want. Are you concerned about spamming coming from the internet? Are you concerned about a local machine being hijacked for spam and sending to other local machines or to the internet? Someone hijacking a machine can just as easily use the correct email address, and no method would work.
How would KOC/KOFF/IMAP/SMTP/POP make any difference?

ftrenti

Messages: 13
Karma: 0
The problem is between machines that send email on the same LAN.

KOC/KOFF/IMAP/SMTP/POP use different ways to connect to the mail server, different services and TCP ports, so the responses are different.

In this particular case I would like suggestions about the SMTP/POP3 protocols.

If you don't believe me, you can try with your own Kerio mail server.

I hope that the telnet command and the sendmail utility don't work, so you will tell me which parameters you are using to verify the sender.

Regards
Trenti Fabio
TorW

Messages: 769
Karma: 9
Do you want to require authentication for every single client on the LAN? That's not possible until Kerio starts supporting message submission on port 587 properly. Requiring everyone who connects to port 25 to authenticate is meaningless.

Or, do you want to place more than one mail server on the LAN? Problems with NAT?
ftrenti

Messages: 13
Karma: 0
Yes, I would like to require authentication for every single client.

Most internal mail servers check whether every user that uses their SMTP service is allowed to do so.
If it is meaningless, why do they do it?
Maybe the PCs connected with a LAN IP are always fine ...

Unfortunately, internal hacking exists.

Regards
Trenti Fabio
TorW

Messages: 769
Karma: 9
Aha. Are you going to use KMS as an internal mail relay only, using an external smarthost to deliver mail externally? In that case, requiring authentication for everyone (except the smarthost) is doable.

However, if KMS is connected to the internet directly (i.e. it is the MX for a domain), you can't require auth on port 25. Nobody will be able to deliver mail to you if you do.
ftrenti

Messages: 13
Karma: 0
Yes, I will use KMS as an internal mail relay, but it is too much relay :)

You are right, "it is doable", but KMS doesn't check :(

Regards
Trenti Fabio
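The thread ends without a configuration that satisfies both sides, so the following added example (written for this discussion; it is not Kerio code and does not reproduce any Kerio setting name or behaviour) models the envelope decision an SMTP server makes under the two settings ftrenti quotes, "Authentication is always required when mail is from local accounts" and "Authentication credentials must match those of the email sender", together with TorW's two constraints: unauthenticated external-to-external relaying is refused, and mail from the internet to a local mailbox must still be accepted on port 25 or nobody can deliver to you. The local domain, the addresses and the reply texts are constructed for the example.

```python
from dataclasses import dataclass

# Assumed local domain for the example; the thread uses mydomain.com throughout.
LOCAL_DOMAINS = {"mydomain.com"}


@dataclass(frozen=True)
class Policy:
    # "Authentication is always required when mail is from local accounts"
    require_auth_for_local_sender: bool = False
    # "Authentication credentials must match those of the email sender"
    auth_must_match_sender: bool = False


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def is_local(address):
    return domain_of(address) in LOCAL_DOMAINS


def smtp_decision(mail_from, rcpt_to, auth_user=None, policy=None):
    """Accept or reject one envelope (MAIL FROM / RCPT TO) under the given policy.

    auth_user is the account that authenticated on this session, or None for a
    plain unauthenticated connection such as the telnet session in the thread.
    Returns (accepted, reply_text)."""
    policy = policy or Policy()
    sender_local = is_local(mail_from)
    recipient_local = is_local(rcpt_to)

    if not sender_local:
        # Inbound mail to a local mailbox is always accepted: requiring auth here
        # would stop the rest of the internet from delivering to us.
        if recipient_local:
            return True, "250 inbound mail accepted"
        # External sender to external recipient is relaying; only allowed after auth.
        if auth_user is None:
            return False, "550 relaying denied"
        return True, "250 relay accepted for authenticated user"

    # From here on the envelope sender claims to be a local account.
    if policy.require_auth_for_local_sender and auth_user is None:
        return False, "530 authentication required for local senders"
    if (policy.auth_must_match_sender and auth_user is not None
            and auth_user.lower() != mail_from.lower()):
        return False, "553 sender does not match authenticated user"
    return True, "250 accepted"


if __name__ == "__main__":
    strict = Policy(require_auth_for_local_sender=True, auth_must_match_sender=True)
    # The thread's unauthenticated forgery: accepted by default, refused under strict.
    print(smtp_decision("fakeuser@mydomain.com", "user2@mydomain.com"))
    print(smtp_decision("fakeuser@mydomain.com", "user2@mydomain.com", policy=strict))
    # user1 logs in but claims to be fakeuser: the match rule catches it.
    print(smtp_decision("fakeuser@mydomain.com", "user2@mydomain.com",
                        auth_user="user1@mydomain.com", policy=strict))
    # Inbound mail from the internet still works under strict.
    print(smtp_decision("someone@example.net", "user2@mydomain.com", policy=strict))
```

Note what the strict policy does not do: it is keyed on the envelope sender claiming a local domain, so an unauthenticated LAN client can still submit mail with an external From address to a local mailbox, exactly like any internet sender. That is the residual gap TorW alludes to when he says requiring authentication on port 25 is only workable if KMS is an internal relay behind a smarthost, where everything except the smarthost can be made to authenticate.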