SMTP relay settings violated?

ombwatch

Messages: 31
Karma: -1
We have recently experienced a problem where it appears that a spammer was able to relay dozens of spam emails through our Kerio 8.3.2 server in violation of the SMTP Server settings -- or else the spammer had obtained the password of one of our users and was able to authenticate to SMTP with it, which seems unlikely.

The SMTP server is configured to allow relay only for:

1. Users from the local IP address group (the internal office LAN)
2. Users authenticated through SMTP for outgoing mail

The spam emails originated from several different IP addresses outside of our LAN, which appear to be various servers in Algiers, Turkey and Chile.

The spam emails "spoofed" the email address of one of our Kerio users, using it as a fake "from" address.

Since the SMTP server only allows relay for "authenticated" users, my question is what constitutes "authenticated"? What does the Kerio SMTP server check to determine whether an incoming email is from an authenticated user?

Does it check both the user name AND the IP address? For example, if joeblow@domain.com has authenticated to SMTP from one IP address, does the SMTP server check BOTH the user name and IP address of incoming emails, and consider only emails from that user AND that IP address to be "authenticated"?

Or does it check ONLY the user name, and relay subsequent emails from that authenticated user, regardless of what IP address they originate from? For example, if joeblow@domain.com has authenticated from his home computer, and while he is authenticated, an email arrives at the Kerio SMTP server from some other IP address purporting to be from joeblow@domain.com, will Kerio relay it?

In either case, when and how does the Kerio SMTP server determine that the authentication has expired?

If the SMTP server requires that both the user name AND the user's IP address must be authenticated together, then it would seem that the only way this could occur would be for the spammer to obtain the user's Kerio password, and use it to authenticate to the Kerio SMTP server from multiple foreign servers that were sending the spam emails through our server. That's not impossible, but in our case it seems very unlikely.
Michael Ruffin

Messages: 169
Karma: 4
I'm pretty sure Authentication via SMTP is actually requesting a username and password from one of your users, to send email out.

My guess is that someone has a poor password or one has been guessed.

freakinvibe

Messages: 1485
Karma: 57
Looks like a guessed password to me as well.

SMTP Authentication means that the sending mail server/client has to authenticate before it can send mails (with user name and password).

You can easily see in the mail log if a specific message was received with authentication. Example (if it says "User: Username", it is authenticated):

Quote:
[11/Aug/2014 10:51:33] Recv: Queue-ID: 53e88415-000025da, Service: SMTP, From: <me@mydomain.com>, To: <external@recipient.com>, Size: 22526, Sender-Host: 178.197.239.225, User: myusername, SSL: yes, Subject: RE: Lunch tomorrow, Msg-Id: <01cd01cfb541$88d49a90$9a7dcfb0$@mydomain.com>

[Updated on: Fri, 05 September 2014 12:36]


Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
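The log check described in the post above, turned into a small script (an added example, not code from the thread or from Kerio). It parses "Recv:" lines in the quoted format, treats a line without a "User:" field as an unauthenticated delivery (assumption), takes 192.168.1.0/24 as the local IP address group (assumption), and flags accounts that authenticated from more than one address outside that group, which is the pattern the original poster saw with the hosts in Algiers, Turkey and Chile. The log lines are constructed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed office LAN, standing in for the "local IP address group" in the SMTP relay settings.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in the "Recv:" format quoted above (not real log data).
SAMPLE_LOG = """\
[11/Aug/2014 10:51:33] Recv: Queue-ID: 53e88415-000025da, Service: SMTP, From: <me@mydomain.com>, To: <external@recipient.com>, Size: 22526, Sender-Host: 192.168.1.20, User: myusername, SSL: yes, Subject: RE: Lunch tomorrow, Msg-Id: <01cd01cfb541$88d49a90$9a7dcfb0$@mydomain.com>
[11/Aug/2014 11:02:10] Recv: Queue-ID: 53e88415-000025db, Service: SMTP, From: <joeblow@domain.com>, To: <victim1@example.org>, Size: 1803, Sender-Host: 203.0.113.7, User: joeblow, SSL: no, Subject: Cheap offers, act now, Msg-Id: <a1@domain.com>
[11/Aug/2014 11:02:41] Recv: Queue-ID: 53e88415-000025dc, Service: SMTP, From: <joeblow@domain.com>, To: <victim2@example.org>, Size: 1810, Sender-Host: 198.51.100.9, User: joeblow, SSL: no, Subject: Cheap offers, act now, Msg-Id: <a2@domain.com>
[11/Aug/2014 11:03:15] Recv: Queue-ID: 53e88415-000025dd, Service: SMTP, From: <joeblow@domain.com>, To: <sales@domain.com>, Size: 950, Sender-Host: 198.51.100.44, Subject: Inbound mail, no auth, Msg-Id: <b1@example.net>
"""

# Field-by-field regex rather than splitting on commas, because Subject may contain commas.
# The "User:" group is optional: its absence is what marks an unauthenticated delivery.
RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), .*?"
    r"From: <(?P<from>[^>]*)>, .*?Sender-Host: (?P<host>\S+?),"
    r"(?: User: (?P<user>[^,]+),)?"
)


def parse_recv(line):
    """Parse one Recv: line into a dict, or return None for other log lines."""
    m = RECV_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["authenticated"] = rec["user"] is not None
    rec["local"] = any(ipaddress.ip_address(rec["host"]) in net for net in LOCAL_NETS)
    return rec


def suspicious_relays(log_text, max_external_hosts=1):
    """Map user -> sorted external sender hosts, for accounts that authenticated
    from more than max_external_hosts distinct addresses outside the LAN."""
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_recv(line)
        if rec and rec["authenticated"] and not rec["local"]:
            hosts[rec["user"]].add(rec["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > max_external_hosts}


if __name__ == "__main__":
    for user, external in suspicious_relays(SAMPLE_LOG).items():
        print(f"{user}: authenticated relay from {len(external)} external hosts: {external}")
```

An account that shows up here is a candidate for a password reset; an inbound line with no "User:" field is ordinary delivery to a local domain and is not a relay at all.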