Connect. Communicate. Collaborate. Securely.

Home » Kerio User Forums » Kerio Connect » Connection method audting
  •  
Bud Durland

Messages: 395
Karma: 43
Send a private message to this user
We had a user's account credentials get compromised, and spammers were able to spend qabout 3 hours spewing through my mail server. I've locked down the account, cleaned up the queue, etc. and am now doing some investigation.

As far as I can tell, my firewall does not permit port 25 access to the Kerio server from the the outside world; it all gets forwarded to our spam filter / server. We do permit 465 through so that mobile devices that can't use ActiveSync will work. Looking at the audit log, I see entries like so:

[22/Mar/2017 15:49:58] SMTP: User j.smith<_at_>example.com authenticated  from IP address 12.34.56.78


Does that mean the authentication was through any SMTP port, or would authentication through secure SMTP (port 465) begin with "SSMTP" or some such? I realize that the compromised password makes the port used practically irrelevant, I'm just curious.
  •  
j.a.duke

Messages: 356
Karma: 14
Send a private message to this user
Bud Durland wrote on Wed, 22 March 2017 18:17
We had a user's account credentials get compromised, and spammers were able to spend qabout 3 hours spewing through my mail server. I've locked down the account, cleaned up the queue, etc. and am now doing some investigation.

As far as I can tell, my firewall does not permit port 25 access to the Kerio server from the the outside world; it all gets forwarded to our spam filter / server. We do permit 465 through so that mobile devices that can't use ActiveSync will work. Looking at the audit log, I see entries like so:

[22/Mar/2017 15:49:58] SMTP: User j.smith<_at_>example.com authenticated  from IP address 12.34.56.78


Does that mean the authentication was through any SMTP port, or would authentication through secure SMTP (port 465) begin with "SSMTP" or some such? I realize that the compromised password makes the port used practically irrelevant, I'm just curious.


Bud,

I've closed off 465 externally as it appears to be deprecated for use as a port for clients to utilize. I only have 25 (for server to server) and 587 (client to server) open. I've also forced all my connections to be secure (IMAPS, HTTPS, SMTPS, etc.).

But to answer your question, yes, they can authenticate against any SMTP port, even without being secure (used to auth via plaintext on 25 for some clients as they didn't like 465 or 587).

Cheers,
Jon
Previous Topic: iSCSI 10GB or Fiber 8GB
Next Topic: NEW RELEASE AVAILABLE: Kerio Connect 9.2.2
Goto Forum:
  


Disclaimer:
Kerio discussion forums are intended for open communication between forum members and may contain information and material posted by members which may be useful in learning about Kerio products. The discussion forums are not intended to provide technical support for any specific product. Any information implied or expressed in the discussion forums is that of the posting member. Kerio is in no way responsible for the information posted in the forums, or its accuracy. Kerio employees may participate in the discussions, but their postings do not represent an offical position of the company on any issues raised or discussed. Kerio reserves the right to monitor and maintain the forums to promote free and accurate exchange of information.

Current Time: Tue Oct 17 22:30:51 CEST 2017

Total time taken to generate the page: 0.00508 seconds
.:: Contact :: Home ::.
Powered by: FUDforum 3.0.4.