Relay restrictions for external IPs
Kerio User Forums » Kerio Connect
  •  
matthew

Messages: 5
Karma: 0
My SMTP is set up as follows, probably fairly typical:

* Firewall sends traffic on port 25 through to my mail server, so I can get mail

* Relay is allowed only for internal IP addresses, to prevent external relaying etc.

Increasingly, I have folk who want to use e.g. Mail.app to access their account but who are either too clueless to figure out their ISP's SMTP server, or their ISP is so restrictive as to not allow relaying when the sender is not the ISP's own issued email address.

So I'm trying to offer SMTP relay service to these folks and trying to figure out how best to handle it.

* I could just allow users to send via SMTP auth, but I can't enforce good passwords and am worried that spammers will hammer the server, looking for a username and password that works. (Is this likely?)

* I can't just add to my allowed IPs, since they will likely not have fixed IPs from their ISPs.

* Ideally, I'd like to have them use SSL to relay mail, or else just use a nonstandard port that I can add in services. But I can't see a way to keep port 25 for receiving mail from other servers, but allow relay only on a different port?

* Or perhaps allow relay on a per-user basis, for those who need it and I know have a secure password... but again, I don't think I can do this.

Does anyone have any ideas, or has faced a similar situation? I'm currently still stuck on KMS 6.6.2, but if Connect has something that can specifically address this, I may upgrade.

I suppose the other option would be to set up a VPN server, but that's the only thing I'd need it for, and I don't really want all of folks' traffic going through my network when they are connected from elsewhere.

MTIA!
  •  
jonte

Messages: 29
Karma: -1
You never got a response to this? How did you solve it?

In Sweden port 25 has been blocked for outgoing traffic for years, which has made all email providers set up their own relays for their customers. Of course, if you have a portable computer, you change your ISP maybe several times every day. Many email clients can only have one SMTP server. You can't tell your customer/user to go in and change SMTP settings every time they move their computer. You need a relay.

So the standard is 567, the SMTP submission port for unencrypted traffic, or the most common is 465 for encrypted traffic. However, I've just read that Apple doesn't even support 465 as an encrypted port in their own OS X Server 10.6 email server (Postfix); they claim this was a de facto standard set by Outlook 2000 by Microsoft and the port is registered for other, legitimate use.

About the password, I've been hacked once; it was an account named test with the password test. Not too hard to figure out, but it took a long time until we found out that someone was using this account to send spam. So basic password recommendations are good - not your name, not the account name, not abc123, not 1234.
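The brute-force worry in matthew's question and the test/test incident above are the kind of thing you can detect from the SMTP log. The following is an added example, not from the thread or from Kerio: it parses a constructed, generic log format (the field layout is an assumption, not Kerio's real log format) and flags source IPs that burn through many AUTH failures in a short window, noting whether a success followed, which is the signature of a guessed account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a generic "client= port= user= AUTH result" shape.
# This is NOT Kerio's log format; it is an assumption made for the example.
SAMPLE_LOG = """\
2010-09-27 21:00:01 SMTP client=203.0.113.7 port=587 user=test AUTH FAILED
2010-09-27 21:00:02 SMTP client=203.0.113.7 port=587 user=admin AUTH FAILED
2010-09-27 21:00:03 SMTP client=203.0.113.7 port=587 user=info AUTH FAILED
2010-09-27 21:00:04 SMTP client=203.0.113.7 port=587 user=sales AUTH FAILED
2010-09-27 21:00:05 SMTP client=203.0.113.7 port=587 user=matthew AUTH FAILED
2010-09-27 21:00:06 SMTP client=203.0.113.7 port=587 user=test AUTH OK
2010-09-27 21:05:00 SMTP client=198.51.100.20 port=587 user=jonte AUTH FAILED
2010-09-27 21:05:30 SMTP client=198.51.100.20 port=587 user=jonte AUTH OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP client=(?P<ip>\S+) port=(?P<port>\d+) "
    r"user=(?P<user>\S+) AUTH (?P<result>OK|FAILED)$"
)

def parse(log_text):
    """Return (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def find_auth_abuse(events, window=timedelta(minutes=10), max_failures=4):
    """Flag IPs with >= max_failures AUTH failures inside a sliding window.
    Also records the distinct usernames tried and whether a login succeeded
    right after the failure burst (a likely compromised account)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails, users, peak, success_after = [], set(), 0, False
        for ts, _ip, user, result in sorted(evs):
            if result == "FAILED":
                fails = [t for t in fails if ts - t <= window] + [ts]
                users.add(user)
                peak = max(peak, len(fails))
            elif len(fails) >= max_failures:
                success_after = True   # OK login while still inside a failure burst
        if peak >= max_failures:
            findings[ip] = {"failures": peak, "users": users,
                            "success_after_failures": success_after}
    return findings
```

A one-off failure from a legitimate user (198.51.100.20 above) stays below the threshold, while the five-username spray from 203.0.113.7 followed by a success is flagged.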
  •  
TorW

Messages: 769
Karma: 9
Port 465 was deprecated long ago and was never officially meant to handle SMTP-SSL. MS took some ... ehmm ... liberties when they stole it under the nose of IANA. Apple is right, so don't use it. The implementation is also broken in many MS clients, e.g. the client demands an encrypted channel to set up encryption.

Port 587 (not 567) has been set aside for message submission since at least 2004 and is simply a regular SMTP service which should ONLY do authenticated SMTP (and thus relaying) and not do any kind of blacklisting. Encryption is optional but very common.

KMS 6.7.3 and KC 7+ have port 587 set up out of the box (if I recall correctly).
  •  
marook

Messages: 520

Karma: 3
+1 for port 587!

This port should NOT be blocked by any ISPs, as it's an authenticated-only port.

That, along with Caller ID + SPF check, makes it impossible for any ISP to handle your SMTP delivery, as there is NO way to dynamically change C.ID or SPF records in DNS as you are on the go..

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
  •  
ksg

Messages: 1
Karma: 0
I don't know from your description whether this would necessarily work for you or your users, but I use a virtual SMTP server that lets me send using the https port. I manage all of my email addresses - and I have eight - using Mail.app. I have never found a place (airport, café, hotel, conference room, client's office) where the https port is blocked, so I have always been able to send. Most important for me, my From: address is preserved. The one I use is called Loa PowerTools and I saw it on an Apple support discussion forum on the topic "Mailing with SMTP doesn't work anymore, 10.6.2" (sorry, I can't post a link).
  •  
jonte

Messages: 29
Karma: -1
TorW wrote on Mon, 27 September 2010 21:10
Port 465 was deprecated long ago and was never officially meant to handle SMTP-SSL. MS took some ... ehmm ... liberties when they stole it under the nose of IANA. Apple is right, so don't use it. The implementation is also broken in many MS clients, e.g. the client demands an encrypted channel to set up encryption.

Port 587 (not 567) has been set aside for message submission since at least 2004 and is simply a regular SMTP service which should ONLY do authenticated SMTP (and thus relaying) and not do any kind of blacklisting. Encryption is optional but very common.

KMS 6.7.3 and KC 7+ have port 587 set up out of the box (if I recall correctly).

Yes of course, 587, sorry. And I haven't found any ISP blocking this port yet. There are some highly secured local networks that block everything and only open port 80 that have problems, though. But that's their problem.

In OS X 10.6 Server Apple seems to have problems running unencrypted on port 587; it always requires SSL even if you try not to use it.
  •  
matthew

Messages: 5
Karma: 0
Many thanks for your replies, some interesting reading! I'd certainly be happy to have users relay with authentication through port 587.

My problem is that I'd like ONLY that port (or another one; KMS/KC lets me choose ports) to be available for relay. Of course I need port 25 open to receive mail from other servers! But I don't want to open it to relay from external addresses; it seems like too big a potential hole.

But I can't see a way of opening a non-25 port for external users to relay without also letting them relay on 25 anyway, and therefore sort of missing the point?
  •  
marook

Messages: 520

Karma: 3
To me, that leaves the user with a choice.

Enforce authentication, and you are safe.
If users can't use port 25, they need to use 587.

If users use Apple Mail, it defaults to 'standard ports' and tries 587 first, then 465 & 25.

It's never gonna be 'a potential hole' if you require authentication!
If it is, enforce better passwords on the accounts!

Why use more energy on that?

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner