Kerio Connect » Open relay allowed even though it is disabled
shtaffa
I had a security scan done on my network this weekend and I got a failing score. The ONLY thing that I failed on was the fact that SMTP relay is open on my mail server. The problem with this being that according to the setting on my KMS, it shouldn't be. The attached images show my KMS SMTP settings and the detail for the "Local Clients" group.

I have logged in to my mail server from three different locations and verified that I'm able to relay messages with no authentication. I have never failed this particular test before and am wondering if there is a bug in the latest version of KMS.

Can someone try this on their mail server and see if they are able to relay anonymously as well?

Do you see anything in my settings that would allow anonymous relay?

Pavel Dobry (Kerio)
What's the source IP address of other SMTP servers delivering email to your server? Do you have any IP address translation (port mapping)?
shtaffa
I have KWF in place forwarding port 25 to my mail server. This is a change in my network that took place about 2 weeks ago. Before that I had my network service provider doing all of the port forwarding.
Pavel Dobry (Kerio)
What are the IP addresses in your mail log?
shtaffa
That must be what's causing the open relay. The IP address of the connection is the IP address of my firewall. Wouldn't requiring authentication still prevent open relay?
shtaffa
I guess my question would be, what is the best way to fix this?
Pavel Dobry (Kerio)
shtaffa wrote on Mon, 18 January 2010 23:19
Quote:
I guess my question would be, what is the best way to fix this?

Do not translate source IP address of incoming connections on the firewall.
shtaffa
Since it is Kerio Winroute Firewall that I'm using, maybe you could give me a pointer on setting this up. My mail server is not on the same server as the firewall. It is on a server on the LAN side of the firewall.
shtaffa
Bump.

Any ideas? If not, I'll open an issue for support.
Pavel Dobry (Kerio)
I already posted a solution in my previous post. Don't do NAT in your port mapping traffic rule.
shtaffa
Source NAT is not enabled.

Destination NAT must be enabled for the traffic to reach the mail server.

Am I missing something?

I even experimented with enabling source NAT and all incoming mail connections still appear as if they are on the local network.
freakinvibe
To troubleshoot, just clear the tick box:

- Allow relay for users from IP Address group Local clients

Then try if you can still relay without authenticating.

Another thing you should do is to look in the mail log, which IP address is actually connecting. You should see something like:

Quote:
[20/Jan/2010 12:57:36] Recv: Queue-ID: 4b56efb0-0001469e, Service: SMTP, From: <alert@uknationallottery.co.uk>, To: <myuser<_at_>mydomain.tld>, Size: 2046, Sender-Host: 169.229.218.146, SSL: yes
The Sender-Host should not be a local IP address.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
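As an added illustration (not code from the original post), here is a small Python check over log lines in the format freakinvibe quotes: it pulls the Sender-Host out of each Recv: line and reports how many inbound deliveries show the firewall's own LAN address, which is the symptom of the port mapping rewriting the source IP. The sample lines, the 192.168.1.0/24 "Local clients" group and the firewall LAN IP 192.168.1.1 are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the Kerio mail-log format quoted in the thread
# (not real traffic). 192.168.1.1 stands in for the firewall's LAN NIC address.
SAMPLE_LOG = """\
[20/Jan/2010 12:57:36] Recv: Queue-ID: 4b56efb0-00000001, Service: SMTP, From: <sender@example.net>, To: <user@example.com>, Size: 2046, Sender-Host: 192.168.1.1, SSL: no
[20/Jan/2010 12:58:02] Recv: Queue-ID: 4b56efb0-00000002, Service: SMTP, From: <other@example.org>, To: <user@example.com>, Size: 1500, Sender-Host: 192.168.1.1, SSL: yes
[20/Jan/2010 13:01:17] Recv: Queue-ID: 4b56efb0-00000003, Service: SMTP, From: <alice@example.com>, To: <bob@example.com>, Size: 900, Sender-Host: 192.168.1.42, SSL: no
[20/Jan/2010 13:05:44] Recv: Queue-ID: 4b56efb0-00000004, Service: SMTP, From: <news@example.net>, To: <user@example.com>, Size: 3200, Sender-Host: 203.0.113.25, SSL: yes
"""

# Assumed "Local clients" IP address group: the whole LAN subnet, which also
# contains the firewall's LAN address.
LOCAL_CLIENTS = [ipaddress.ip_network("192.168.1.0/24")]

# Sender-Host is the only field we need; the value runs up to the next comma.
RECV_RE = re.compile(r"Recv: .*?Sender-Host: (?P<host>[0-9a-fA-F.:]+)")


def parse_sender_hosts(log_text):
    """Return the Sender-Host value of every Recv: line, in log order."""
    hosts = []
    for line in log_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def is_local_client(host):
    """True if the address falls inside the assumed Local clients group."""
    return any(ipaddress.ip_address(host) in net for net in LOCAL_CLIENTS)


def nat_masking_report(log_text, firewall_lan_ip="192.168.1.1"):
    """Count deliveries whose Sender-Host is the firewall itself.

    When inbound mail from the Internet shows the firewall's LAN IP, the
    port mapping is rewriting the source and every such connection matches
    the "Allow relay for ... Local clients" rule without authenticating.
    """
    hosts = parse_sender_hosts(log_text)
    masked = [h for h in hosts if h == firewall_lan_ip]
    local = [h for h in hosts if is_local_client(h)]
    return {"total": len(hosts), "from_firewall": len(masked),
            "in_local_clients": len(local), "suspect": bool(masked)}
```

Run it against a real mail log by reading the file into `nat_masking_report` and setting `firewall_lan_ip` to the address of the firewall's LAN interface.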
shtaffa
The IP address is the IP address of the LAN NIC on my Kerio Winroute Firewall box. So technically, it's in the local clients group. I've opened a ticket regarding this issue. I can't find a way to forward port 25 to my mail server that doesn't change the source IP.

However, I would think that SMTP authentication would still limit open relay. That setting seems to do nothing. It is checked and I am able to telnet to the mail server and send an email without providing any credentials.
freakinvibe
The three options under "Allow Relay For" are "OR" conditions, meaning as soon as one of them is fulfilled, you can relay. So if you tick the two top ones, you can relay if you are on the local LAN or if you authenticate or both.

In your case, I would either clear the check box for the Local clients or modify the local clients address group so it does not include your router's local IP address.

Still, ideally, the public IP address of the connecting server should be reflected, because then you can also use Black Lists like Spamhaus to protect your server against spam. So you have to reconfigure your firewall somehow (but I don't know the Kerio firewall).

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
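To make the OR semantics freakinvibe describes concrete, here is an added Python model (not Kerio's code) of the relay decision for the two options named in the thread, with the poster's situation beside the two fixes proposed above. The option names, the 192.168.1.0/24 group and the firewall LAN IP 192.168.1.1 are constructed assumptions.

```python
import ipaddress


def relay_allowed(settings, client_ip, authenticated):
    """'Allow relay for' evaluated as the thread describes it: every ticked
    option is sufficient on its own (OR), none of them is required (AND)."""
    ip = ipaddress.ip_address(client_ip)
    if settings["allow_ip_group"] and any(ip in n for n in settings["ip_group"]):
        return True
    if settings["allow_authenticated"] and authenticated:
        return True
    return False


FIREWALL_LAN_IP = "192.168.1.1"  # constructed: the firewall's LAN NIC address

# The poster's situation: both boxes ticked, the LAN subnet as the group, and
# the port mapping presenting every external peer as the firewall's LAN IP.
BROKEN = {
    "allow_ip_group": True,
    "ip_group": [ipaddress.ip_network("192.168.1.0/24")],
    "allow_authenticated": True,
}

# Fix 1 (what the poster chose): untick the IP-group option, so only
# authentication grants relay.
FIX_UNTICK = dict(BROKEN, allow_ip_group=False)

# Fix 2: keep the option but carve the firewall's address out of the group.
FIX_EXCLUDE = dict(BROKEN, ip_group=list(
    ipaddress.ip_network("192.168.1.0/24").address_exclude(
        ipaddress.ip_network(FIREWALL_LAN_IP + "/32"))))


def external_unauth_relay(settings):
    """An Internet sender, as the mail server sees it after the source
    rewrite: it arrives from the firewall's LAN IP and never authenticates."""
    return relay_allowed(settings, FIREWALL_LAN_IP, authenticated=False)
```

Note that fix 2 only helps while the source rewrite is in place; once the firewall stops translating the source address, external peers show their public IPs, which are outside the group anyway, and RBL checks start working again.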
shtaffa
Good to know. I was unaware that those were OR conditions. Since they are checkboxes, I figured they were AND conditions. Radio buttons would have been a better choice.

Yeah, I realize that I'm losing RBL functionality. Right now, I am really more concerned about the open relay issue since that will cause me to fail my monthly security vulnerability scans.

Thanks for the advice. I'll just uncheck the local client option. Since I thought it depended on both of those conditions, I already have all of my users doing SMTP authentication.

Hopefully I will get a solution out of the KWF team regarding my port forwarding that will resolve all of my issues.

Thanks for your input.