SMTP security
  •  
r1sh

Hello!

Today we've noticed that any user can access our SMTP server via port 25 and send mail inside our domain without auth.

Furthermore, if I access, for example, Gmail, and try to send mail to any user, first it tells me "5.7.0 Must issue a STARTTLS command first. 102sm5524119lft.21 - gsmtp" then it tells me "5.5.4 Error: send AUTH command first."

How can I force SMTP auth before sending any letter?
  •  
Pavel Dobry (Kerio)

If you want to force authentication for users from your server, enable Sender Policy (and make sure your SMTP is NOT configured as open relay).

But for receiving emails for your users from anyone from the Internet - this is what SMTP is for. This is how you get emails from other users (e.g. from Gmail). No authentication required for this.

[Updated on: Mon, 16 November 2015 13:11]


Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
------------------
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
r1sh

I want to receive mail from all users.

But I want auth like in gmail.

It's strange that someone from outside can telnet my smtp server, and send mail inside our domain without auth??
  •  
Pavel Dobry (Kerio)

r1sh wrote on Mon, 16 November 2015 13:26
I want to receive mail from all users.

But I want auth like in gmail.

It's strange that someone from outside can telnet my smtp server, and send mail inside our domain without auth??



So, I want to send an email to you, what password should I use?? Or you don't want to receive emails from people outside your email domain?

  •  
r1sh

So how does Gmail work?

Right now we have an extreme situation:

We have SMTP connections from China; they send spam from our user's mailbox. We've changed the password - it didn't help. Why?

[Updated on: Mon, 16 November 2015 14:14]

  •  
Brian Carmichael (Kerio)

The mail log will tell you if the message was sent from an authenticated user, so you can track down if you have a compromised user account.
You should set restrictions in the SMTP security settings (e.g. max # messages per hour from one IP) to prevent further damage.
You can use mxtoolbox.com to check if you're an open relay.
Regarding Gmail, probably the option you are referring to with Kerio Connect is in Security -> Sender Policy (user must authenticate...)

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
Pavel Dobry (Kerio)

r1sh wrote on Mon, 16 November 2015 14:10

so how does gmail work?

It works correctly. You are probably trying the user SMTP gateway, not the MX gateway for incoming emails:
pdobry$ telnet gmail-smtp-in.l.google.com 25
Trying 64.233.166.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP oo7si48100253wjc.42 - gsmtp
EHLO kerio.com
250-mx.google.com at your service, [77.48.200.57]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
mail from: <pdobry<_at_>kerio.com>
250 2.1.0 OK oo7si48100253wjc.42 - gsmtp
rcpt to: <someuser<_at_>gmail.com>
250 2.1.5 OK oo7si48100253wjc.42 - gsmtp

Quote:


Right now we have an extreme situation:

We have SMTP connections from China; they send spam from our user's mailbox. We've changed the password - it didn't help. Why?


You probably have an open relay. Check your mail log.

  •  
r1sh

What I see:

telnet smtp.gmail.com 25
220 smtp.gmail.com ESMTP j6sm1118165lbl.33 - gsmtp
EHLO mail.rostherm.ru
250-smtp.gmail.com at your service, [37.153.18.13]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
mail from: gmaleev<_at_>rostherm.ru
530 5.7.0 Must issue a STARTTLS command first. j6sm1118165lbl.33 - gsmtp
  •  
Petr Dobry (Kerio)

Google uses two sets of servers - one for incoming MX delivery which does not require auth and the second set for end user email clients (smtp.gmail.com) which require auth.

If you use the first set, you can send email only to @gmail.com (or Google hosted) domain.
If you use smtp.gmail.com with auth, you can send an email to any address (relay). That's why you have to be authenticated as Google user.

[Updated on: Mon, 16 November 2015 21:40]


Petr Dobry
Product Development Manager | Kerio
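
The split described in the post above (unauthenticated delivery to local mailboxes, authenticated relay to anywhere), together with the Sender Policy and open-relay points raised earlier in the thread, as a simplified decision model. This is an added example, not Kerio Connect code and not part of any post; `example.org`, `Policy` and `decide` are assumptions, and the reply strings are typical SMTP codes rather than Kerio's exact wording.

```python
# Added illustration: a simplified model of SMTP acceptance policy, not Kerio Connect code.
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.org"}  # constructed: domains this server hosts mailboxes for


def domain_of(address: str) -> str:
    """Return the lower-cased domain of an envelope address ('' for the null sender <>)."""
    address = address.strip().strip("<>")
    return address.rpartition("@")[2].lower() if "@" in address else ""


@dataclass
class Policy:
    require_auth_for_local_senders: bool = True  # the "Sender Policy" idea from the thread
    open_relay: bool = False                     # the misconfiguration to avoid


def decide(policy: Policy, authenticated: bool, mail_from: str, rcpt_to: str) -> str:
    """Return the reply a server following `policy` gives to RCPT TO."""
    sender_local = domain_of(mail_from) in LOCAL_DOMAINS
    rcpt_local = domain_of(rcpt_to) in LOCAL_DOMAINS

    if authenticated:
        return "250 2.1.5 OK"  # submission: logged-in users may relay anywhere
    if not rcpt_local:
        if policy.open_relay:
            return "250 2.1.5 OK"  # anyone can send anywhere through this server
        return "550 5.7.1 Relaying denied"
    if sender_local and policy.require_auth_for_local_senders:
        # Claims to be one of our own users but never logged in: likely spoofed.
        return "530 5.7.0 Authentication required"
    return "250 2.1.5 OK"  # ordinary inbound MX delivery, no auth needed


if __name__ == "__main__":
    strict = Policy()
    cases = [  # constructed envelopes: (authenticated, MAIL FROM, RCPT TO)
        (False, "someone@gmail.com", "user@example.org"),
        (False, "user@example.org", "other@example.org"),
        (False, "someone@gmail.com", "victim@elsewhere.test"),
        (True, "user@example.org", "victim@elsewhere.test"),
    ]
    for auth, sender, rcpt in cases:
        print(f"auth={auth!s:5} {sender:20} -> {rcpt:24} {decide(strict, auth, sender, rcpt)}")
```
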
