Hacking local account to relay messages (how to stop?)
ferro
Hi All,

My organization is currently evaluating Kerio before ordering the latest version.

The version that we use is an old version (7.1).

Problem definition: A local account was hacked (most probably a user mistake) and the mail queue was flooded by emails.
Example from the security log:
[20/Dec/2015 18:32:45] Recv: Queue-ID: 5676ca1d-0000169d, Service: HTTP, From: <bh9770183@gmail.com>, To: <aspoitou@gmail.com>, Size: 11837, Sender-Host: 41.174.144.155, User: localuser<_at_>ourdomain.com
- Please note that the local user account was used to send an email from a non-local address to another non-local address.

What I need to inquire about is the following:
1- Why is this happening while relay is stopped in the configuration? What else should be done to avoid a local address being used to send messages between two non-local addresses?
2- IT needs to change all email account passwords. For example: new password = current password + employee number + employee birthday. Can this be done by mass-updating all account passwords?
3- I am sure this is available, but is there a document that describes how we can connect Kerio to Active Directory so that user information and credentials are taken from AD?

Thanks a lot,
Ferro
paduser
1- You have an open relay. Else it wouldn't be possible to send from a domain that isn't yours.
2- This is impossible as far as I know.
3- How about this? http://kb.kerio.com/product/kerio-connect/server-configuration/ldap-and-directory-services/connecting-kerio-connect-to-directory-service-1130.html
ferro
Thanks for your reply.

How can I make sure that I have no open relay?

From the admin site, I am limiting relay to local user group. What else should I do?

Thanks,
Ferro
ComputerBudda
Go to mxtoolbox.com and run the tests.
ferro
Thanks for the quick reply.

Will do, but in case I find that I have a problem, what can I do from the Kerio Admin site to stop it?

Currently I am limiting relay to the local user group, and I assume that this is all it takes to stop an open relay. Am I right?

Thanks,
Ferro
Pavel Dobry (Kerio)
ferro wrote on Tue, 22 December 2015 11:40
Thanks for the quick reply.

Will do, but in case I found that I have a problem, what can I do from Kerio Admin site to stop it?

Currently I am limiting relay to local user group, and I assume that this is all what it takes to stop open relay. Am I right?

Thanks,
Ferro

First, you should evaluate the latest version, Kerio Connect 9.0.1, and not a few years old version.

1. It is not a problem of an open relay, as the attacker knows the username and password of your user. Any local user can send an email to anyone else. The latest version has protection called Sender Policy to avoid sender spoofing.
2. Yes. You can use a directory service for this or the Public API: http://www.kerio.com/learn-community/developer-zone
ferro
After running the SMTP test:
SMTP Banner Check: Reverse DNS does not match SMTP Banner
SMTP TLS: Warning - Does not support TLS.
SMTP Transaction Time: 15.501 seconds - Not good! on Transaction Time
SMTP Reverse DNS Mismatch: OK - xx.xx.xx.xx resolves to mail.xx.xx
SMTP Valid Hostname: OK - Reverse DNS is a valid Hostname
SMTP Connection Time: 0 seconds - Good on Connection time
SMTP Open Relay: OK - Not an open relay.

Is there any other suggestion for what I can do on the admin site, or any other way to detect/solve this problem?

Thanks a lot,
Ferro
ferro
Dear Pavel Dobry,

Quote:
Latest version has protection called Sender Policy to avoid sender spoofing.

So I understand that even if I have no open relay, a compromised account can be used to send emails between two non-local users unless I upgrade to the latest Kerio version (it is Kerio 7.0 that has this issue).

Please correct/confirm my understanding.

Also, is there any way to avoid "sender spoofing" through the Kerio 7.0 admin configuration, or is it completely unavoidable except by the upgrade?

Thanks,
Ferro

[Updated on: Tue, 22 December 2015 12:01]
ComputerBudda
No, you don't have to upgrade for that, just fix your compromised account by changing its password. BTW, you should upgrade just because it's better.
ferro
Dear ComputerBudda,

Thanks for your reply. However, I understood that it is possible to prevent "sender spoofing" even if an account was compromised in Kerio Connect 9.0.

Is my understanding correct? Is there a way to simulate this solution in version 7.0?

I will upgrade for sure, but I am looking for an immediate solution.

Thanks,
Ferro
ComputerBudda
I have no idea, I have not tested 9 and cannot upgrade to it because it doesn't support Outlook 2003, which my customers still use. The immediate solution is to change passwords.....today.
ferro
Dear ComputerBudda,

Thanks for your support.

My question is not about version 9. I am asking if you know a way to stop "sender spoofing" using version 7 capabilities.

Thanks a lot,
Ferro

[Updated on: Tue, 22 December 2015 13:05]
ComputerBudda
I do not. However, changing the password solves the immediate issue.
Bud Durland
@ferro: any anti-spoofing tools are the second layer of defense, the first being SMTP login authentication. That part of your system is compromised, and you need to fix it first by changing the password of the compromised account. I don't recall if version 7 had any anti-spoofing tools. It was updated several years ago, after all.
Pavel Dobry (Kerio)
ferro wrote on Tue, 22 December 2015 13:04
Dear ComputerBudda,

Thanks for your support.

My question is not about version 9. I am asking if you know a way to stop "sender spoofing" using version 7 capabilities?

Thanks a lot,
Ferro


I am afraid there is no way. Upgrading to Kerio Connect 9 with the Sender Policy feature will disallow sending emails with a spoofed sender email address. It also has a feature called Password Policy, which forces users to use strong passwords.
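As an added example that is not code from this thread or from Kerio, the Python script below does on the server's security log what the thread's two threads of discussion ask for: it parses "Recv:" lines in the exact format ferro posted and flags the pattern he saw (an authenticated local account submitting mail whose envelope sender is neither that account's own address nor in a local domain, which is what a Sender Policy would block), and it counts submissions per account so a flooded queue stands out even before anyone reads the log by hand. Everything beyond ferro's one line is assumed: the local domain ourdomain.com, the constructed sample lines and their Queue-IDs, the flood threshold, and the convention that an empty or "-" User field means an unauthenticated submission.

```python
import re
from collections import Counter
from datetime import datetime

# Assumption: the only domain this server is authoritative for.
LOCAL_DOMAINS = {"ourdomain.com"}

# Matches the "Recv:" line format shown in the thread's security log excerpt.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: (?P<svc>\S+), "
    r"From: <(?P<from>[^>]*)>, To: <(?P<to>[^>]*)>, Size: (?P<size>\d+), "
    r"Sender-Host: (?P<host>\S+), User: (?P<user>\S+)$"
)

# Constructed sample: the first line is ferro's (with the forum's "<_at_>" obfuscation),
# the rest are made up to show one compromised account and one normal one.
SAMPLE_LOG = [
    "[20/Dec/2015 18:32:45] Recv: Queue-ID: 5676ca1d-0000169d, Service: HTTP, From: <bh9770183@gmail.com>, To: <aspoitou@gmail.com>, Size: 11837, Sender-Host: 41.174.144.155, User: localuser<_at_>ourdomain.com",
    "[20/Dec/2015 18:32:47] Recv: Queue-ID: 5676ca1f-0000169e, Service: HTTP, From: <xyz123@example.net>, To: <someone@example.org>, Size: 11902, Sender-Host: 41.174.144.155, User: localuser@ourdomain.com",
    "[20/Dec/2015 18:32:49] Recv: Queue-ID: 5676ca21-0000169f, Service: HTTP, From: <abc987@example.net>, To: <other@example.org>, Size: 11811, Sender-Host: 41.174.144.155, User: localuser@ourdomain.com",
    "[20/Dec/2015 18:40:02] Recv: Queue-ID: 5676cbe2-000016a0, Service: SMTP, From: <localuser@ourdomain.com>, To: <partner@example.org>, Size: 2048, Sender-Host: 10.0.0.15, User: localuser@ourdomain.com",
    "[20/Dec/2015 18:41:10] Recv: Queue-ID: 5676cc26-000016a1, Service: SMTP, From: <alice@ourdomain.com>, To: <bob@ourdomain.com>, Size: 1500, Sender-Host: 10.0.0.22, User: alice@ourdomain.com",
]


def parse_line(line):
    """Return a dict of the fields in one Recv: line, or None if it is some other log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["user"] = rec["user"].replace("<_at_>", "@")  # undo the forum's address obfuscation
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["size"] = int(rec["size"])
    return rec


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_mismatch(rec):
    """True when an authenticated account submits mail with an envelope From that is
    neither the account's own address nor in a local domain (the thread's symptom)."""
    user = rec["user"]
    if not user or user == "-":  # assumption: how an unauthenticated submission is recorded
        return False
    return rec["from"].lower() != user.lower() and domain(rec["from"]) not in LOCAL_DOMAINS


def analyze(lines, flood_threshold=3):
    """Summarize a batch of log lines: spoofed-sender submissions and per-account volume."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    mismatches = [r for r in records if sender_mismatch(r)]
    per_user = Counter(r["user"] for r in records)
    flooders = {u: n for u, n in per_user.items() if n >= flood_threshold}
    return {"total": len(records), "mismatches": mismatches, "flooders": flooders}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['total']} submissions parsed")
    for r in report["mismatches"]:
        print(f"SPOOFED SENDER {r['ts']:%Y-%m-%d %H:%M:%S} user={r['user']} "
              f"from={r['from']} host={r['host']} queue={r['qid']}")
    for user, n in report["flooders"].items():
        print(f"FLOOD user={user} submissions={n}")
```

Run it against a real security log by replacing SAMPLE_LOG with the file's lines; any account that appears under "SPOOFED SENDER" or "FLOOD" is the one whose password needs changing first, as the thread's replies say, and the Sender-Host column tells you where the authenticated submissions came from.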