Tightening SMTP Authentication (Kerio Connect forum thread)

maqattaq:
Hello,

I want to be able to tighten down SMTP authentication to where all email from an unlisted IP address has to authenticate, even when sending internal to the domain.

Right now, as it stands, I have the IP block 64.18.* (Postini - 64.18.0.0 - 64.18.255.255 address range) set as the only allowed IP block without authenticating via username/password. Everyone else, as I have set it, should use SMTP authentication with username/password.

However, I found in tests (and through recent spam) that people can send to the domains hosted by us (sukinlaw.com and goccsg.com) without authenticating. This really troubles me, as it's defeating my option of SMTP authentication via username/password being turned on.

Proof they are doing this (recipients have been hidden, and I included examples of normal delivery)...

Example 1:
=======================
Return-Path: <anyy<_at_>jlonline.com>
X-Spam-Status: No, hits=3.2 required=9.9
tests=FORGED_MUA_OUTLOOK: 3.2
X-Spam-Level: ***
Received: from jlonline.com ([59.36.135.229])
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for ***<_at_>sukinlaw.com;
Tue, 30 May 2006 01:27:29 -0500
From: =?GB2312?B?yOe6ztOmttTFt8PAv827p7Lp0em5pLOnus3KtcqpU0E4MDAws erXvA==?=
<anyy<_at_>jlonline.com>
Subject: =?GB2312?B?yOe6ztOmttTFt8PAv827p7Lp0em5pLOnus3KtcqpU0E4MDAws erXvA==?=
To: ***<_at_>sukinlaw.com
Content-Type: text/plain;charset="GB2312"
Date: Tue, 30 May 2006 14:27:23 +0800
X-Priority: 2
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
=======================

Example 2:
=======================
Return-Path: <sz7474<_at_>126.com>
X-Spam-Status: No, hits=3.4 required=9.9
tests=FORGED_MUA_OUTLOOK: 3.2,FROM_ENDS_IN_NUMS: 0.177
X-Spam-Level: ***
Received: from 126.com ([218.18.33.157])
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for ***<_at_>sukinlaw.com;
Mon, 29 May 2006 20:13:47 -0500
From: =?GB2312?B?warMqcq10rU=?= <sz7474<_at_>126.com>
Subject: =?GB2312?B?0bDV0rrP1/e1pc67?=
To: ***<_at_>sukinlaw.com
Content-Type: text/plain;charset="GB2312"
Content-Transfer-Encoding: 8bit
Reply-To: sz7474<_at_>126.com
Date: Tue, 30 May 2006 09:14:56 +0800
X-Priority: 3
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
=======================

Normal Delivery (via Postini):
=======================
Return-Path: <***<_at_>goccsg.com>
Received: from psmtp.com ([64.18.3.116])
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for ***<_at_>sukinlaw.com;
Tue, 30 May 2006 08:42:47 -0500
Received: from source ([216.9.248.50]) by exprod8mx16.postini.com ([64.18.7.10]) with SMTP;
Tue, 30 May 2006 09:43:58 EDT
Received: from bda061-cell00.bisx.prod.on.blackberry (localhost.localdomain [127.0.0.1])
by bda061.bis.na.blackberry.com (8.13.4 TEAMON/8.13.4) with ESMTP id k4UDhvT2004548;
Tue, 30 May 2006 13:43:57 GMT
Message-ID: <821216010-1148996637-cardhu_blackberry.rim.net-720406063-<_at_ >bwe020-cell00.bisx.prod.on.blackberry>
Content-Transfer-Encoding: base64
Reply-To: ***<_at_>goccsg.com
References: <260329144-1148995756-cardhu_blackberry.rim.net-1297142215-<_at_ >bwe026-cell00.bisx.prod.on.blackberry> <004401c683ed$f5b6e610$6600a8c0<_at_>***>
In-Reply-To: <004401c683ed$f5b6e610$6600a8c0<_at_>***>
Sensitivity: Normal
Importance: Normal
To: "***" <***<_at_>sukinlaw.com>
Subject: Re: There is an increasing amount of junk getting through my SPAM blocker??...M
From: "***" <***<_at_>goccsg.com>
Date: Tue, 30 May 2006 13:43:57 +0000 GMT
Content-type: text/plain
MIME-Version: 1.0
X-pstn-levels: (S:12.17429/99.90000 LC:95.5390 R:95.9108 P:95.9108 M:96.8350 C:98.4741 )
X-pstn-attach-addresses: from <***<_at_>goccsg.com>
X-pstn-settings: 3 (1.0000:0.0000) s lc gt3 gt2 GT1 lt r p m c
X-pstn-addresses: from <chris.jones<_at_>goccsg.com> forward (org good) [db-null]
=======================

Normal Authenticated Delivery from Internal:
=======================
Return-Path: <***<_at_>sukinlaw.com>
Received: from DG3Q9071 ([64.52.234.2])
(authenticated user ***<_at_>sukinlaw.com)
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for ***<_at_>sukinlaw.com;
Tue, 30 May 2006 10:05:16 -0500
From: "***" <***<_at_>sukinlaw.com>
To: <***<_at_>sukinlaw.com>
Subject: NEW CALL/SUE
Date: Tue, 30 May 2006 11:03:35 -0400
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0014_01C683D8.BBC5E100"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
=======================

Note the differences... anyone authenticated says "authenticated user"... Postini won't say that since I have it set as an authenticated IP.

Am I missing something, or is there a serious flaw when it comes to SMTP authentication that anyone can openly send to the domains hosted?

Setting it so that only Postini and other IP addresses can use SMTP is out of the question here, since we have several users (myself included) who do travel or use other ISPs, and we have people who are way too dumb to do this (taking up too much of our time to do this for each person).
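The difference the post points out (an "authenticated user" line versus a bare "from host ([ip])" line in the Received: header written by the server) is exactly what a defender can check for in a mail log or header dump. The following is an added example, not code from the thread or from Kerio: it parses the topmost Received: header of each message, treats 64.18.0.0/16 (the Postini range named above) as the trusted relay, and reports every message that came in neither authenticated nor via that relay. The sample headers are constructed from the examples in the thread with recipient and user names replaced by placeholders; the header shape is assumed to match what Kerio MailServer 6.1.4 wrote in those examples.

```python
import ipaddress
import re

# Address range the thread treats as the trusted inbound relay (Postini, 64.18.0.0/16).
TRUSTED_RANGES = [ipaddress.ip_network("64.18.0.0/16")]

# The topmost Received: header is the one our own server wrote. In the thread it has
# the shape
#   Received: from <helo-name> ([<ip>])
#       (authenticated user <user>)        <- present only for SMTP AUTH sessions
#       by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
# Folded continuation lines are handled by letting \s* span newlines.
RECEIVED_RE = re.compile(
    r"Received:\s*from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"(?P<auth>\s*\(authenticated user\s+(?P<user>[^)]+)\))?"
    r"\s*by\s+(?P<by>\S+)",
    re.MULTILINE,
)


def classify(headers, trusted=TRUSTED_RANGES):
    """Classify how a message reached our server from its topmost Received: header.

    Returns (path, detail) where path is one of
      'authenticated'  - session used SMTP AUTH; detail is the user name
      'trusted-relay'  - client IP is inside a trusted range; detail is the IP
      'direct'         - unauthenticated client outside every trusted range
      'unknown'        - no parsable Received: header
    """
    m = RECEIVED_RE.search(headers)
    if m is None:
        return ("unknown", "no parsable Received: header")
    if m.group("auth"):
        return ("authenticated", m.group("user").strip())
    ip = ipaddress.ip_address(m.group("ip"))
    if any(ip in net for net in trusted):
        return ("trusted-relay", str(ip))
    return ("direct", str(ip))


def direct_deliveries(messages, trusted=TRUSTED_RANGES):
    """Labels of messages that bypassed both SMTP AUTH and the trusted relay."""
    return [label for label, hdrs in messages if classify(hdrs, trusted)[0] == "direct"]


# Sample headers constructed from the thread's examples (placeholders for names).
SAMPLES = [
    ("example-1", """\
Return-Path: <anyy@jlonline.com>
Received: from jlonline.com ([59.36.135.229])
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for user@sukinlaw.com;
Tue, 30 May 2006 01:27:29 -0500
"""),
    ("example-2", """\
Return-Path: <sz7474@126.com>
Received: from 126.com ([218.18.33.157])
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for user@sukinlaw.com;
Mon, 29 May 2006 20:13:47 -0500
"""),
    ("via-postini", """\
Return-Path: <user@goccsg.com>
Received: from psmtp.com ([64.18.3.116])
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for user@sukinlaw.com;
Tue, 30 May 2006 08:42:47 -0500
Received: from source ([216.9.248.50]) by exprod8mx16.postini.com ([64.18.7.10]) with SMTP;
"""),
    ("authenticated-internal", """\
Return-Path: <user@sukinlaw.com>
Received: from DG3Q9071 ([64.52.234.2])
(authenticated user user@sukinlaw.com)
by elvis.sukinlaw.com (Kerio MailServer 6.1.4)
for user@sukinlaw.com;
Tue, 30 May 2006 10:05:16 -0500
"""),
]

if __name__ == "__main__":
    for label, hdrs in SAMPLES:
        print(label, *classify(hdrs))
    print("bypassed Postini and SMTP AUTH:", direct_deliveries(SAMPLES))
```

Run over a day's worth of headers, a non-empty "direct" list is the signal that senders are reaching the server without going through the MX relay, which is the underlying problem discussed later in the thread.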
sedell:
That's how SMTP works. How are you going to require every server from the outside to authenticate? You would prevent all of your users from getting any mail from outside of your domain.

Scott
maqattaq:
I don't think you're understanding or you didn't read the entire message carefully (I know how SMTP works having worked at an ISP/hosting provider with qmail... they do this exact configuration that I am describing).

I want ALL users to authenticate using a username and a password for ALL sending of email (internal and external), with the exemption going to the IP block of Postini.

Right now... it only authenticates for email being sent through the server to external domains. If anything is getting sent through the server to internal domains, it doesn't even bother authenticating, unless the user doesn't exist.

That's the problem I need to resolve.

[Updated on: Tue, 30 May 2006 19:22]

sedell:
Right. That's how SMTP works. How would you expect to get mail from an external domain if they had to authenticate with your server? There's no way for your server to authenticate them, so SMTP takes everything bound for the local domain, unless you block it with some sort of anti-spam measures.

Scott
maqattaq:
Well then... why is it allowing it when the sender email is an external domain (jlonline.com, 126.com... neither of them hosted on our server)?

This is what I would expect for an error in my mail program in cases like that...

=====
The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was '***<_at_>thrillnetwork.com'. Subject 'test', Account: 'Test', Server: 'smtp.thrillnetwork.com', Protocol: SMTP, Server Response: '554 <***<_at_>thrillnetwork.com>: Recipient address rejected: invalid sender domain', Port: 25, Secure(SSL): No, Server Error: 554, Error Number: 0x800CCC79
=====

This is from the SMTP server of a high-traffic mail host that I worked for. Notice the sender is adsf<_at_>asdfadsfgdfsg.com, sending to a legitimate email address on the domain thrillnetwork.com, and this is what I expect on our server.
sedell:
Quote:

Well then... why is it allowing it when the sender email is an external domain (jlonline.com, 126.com... neither of them hosted on our server)?


What don't you get? SMTP accepts EVERYTHING destined for a valid user at the local domain unless some sort of anti-spam stops it. It doesn't matter who hosts the domain.

Quote:

Recipient address rejected: invalid sender domain


This is an anti-spam measure to ensure the remote domain is at least valid. Nothing more. It's called domain verification. All it does is a DNS lookup to see if the domain exists. It's not authenticating anything.

Scott
maqattaq:
I should add that I have tested it with several VALID domains (dnsstuff.com, msn.com, aol.com)... got the exact same error when I send through thrillnetwork's SMTP. When I send through the sukinlaw.com, they are allowed.

If you're going to be of no help (and the complete jerk that you have been)... I would like someone from Kerio or someone the least bit civil to respond to this.
sedell:
I tried to help, but you don't listen, since apparently you know everything. What you describe is how SMTP is supposed to work. I'm done with this.

Scott
Kerio_ktrumbull:
Take it easy guys, we don't need to start a flame war.

maqattaq wrote on Tue, 30 May 2006 09:35

I want to be able to tighten down SMTP authentication to where all email from an unlisted IP address has to authenticate, even when sending internal to the domain.

This is impossible. Scott has been giving accurate information, you cannot possibly require authentication for inbound messages from external (non-local) domains. If you did that, you would not be able to receive mail sent directly to your server.

If you would like to restrict the SMTP Service to a particular IP address group, such as your Postini IP range, you can do that by editing the SMTP service and clicking on the Access tab. But you cannot require authentication for inbound messages sent from external (non-local) domains.

[Updated on: Tue, 30 May 2006 21:42]


Kevin Trumbull
Kerio Technical Support Team Leader
http://support.kerio.com
maqattaq:
Restricting IP addresses is not an option, and how come other mailservers can do what I described if it is impossible... specifically the example of a working system I described? Explain that.

Considering an increasing amount of spam is getting through by connecting directly to the mailservers and spamming (while circumventing anything specified in the DNS), this is why I am concerned, especially since SpamAssassin (included with KMS) is nowhere near as good a mail filter compared to Postini.

[Updated on: Tue, 30 May 2006 21:58]

freakinvibe:
I think there is a big misunderstanding here. Before I answer, here are some questions, just to make it clear to me:

1) Postini is a company that handles your external mail filtering (like MessageLabs). So you send and receive external mail through their data centers. Their IP address range is 64.18.*., right?

2) You, at your company's premises have a KMS box that gets ALL external mail through Postini. No external incoming Mail is allowed directly from any other host than from the Postini address range, right?

3) You and your co-workers want to send mail through your KMS box. You want to do SMTP authentication for this, right?

I think the point you didn't make clear to Scott and ktrumbull is that all incoming mail is expected to come through Postini.

Let me know if I am right, maybe I have the solution for you.

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
maqattaq:
Quote:

1) Postini is a company that handles your external mail filtering (like MessageLabs). So you send and receive external mail through their data centers. Their IP address range is 64.18.*., right?


Correct, but we only receive mail from them, and all mail is through them (the MX records for my domain are only Postini, and they have to connect directly to our servers to relay mail down). Sending isn't handled by Postini at all.

Quote:

2) You, at your company's premises have a KMS box that gets ALL external mail through Postini. No external incoming Mail is allowed directly from any other host than from the Postini address range, right?


That is how I have it configured right now. Keep in mind... the server is in a data center... not confined within an organization's LAN. This is because this is a law firm that has more than one location, and the lawyers do roam quite a bit (stray from the office). Since my consulting firm's email is also on there, we also roam (I'm doing work from home right now, for instance) and check with our laptops quite a bit.

Quote:

3) You and your co-workers want to send mail through your KMS box. You want to do SMTP authentication for this, right?


Yes... for all email (sending to both internal emails and external emails). Right now, as it stands, it only seems to authenticate when sending to external email addresses, which is not desirable operation, and which is why spammers discovered they can send mail to users on our domain directly (ignoring the MX records completely), where I am now getting complaints about the increased spam.

Also, as a note: I do have blacklists enabled, where it does check against Spamcop and Spamhaus, and I have implemented a 15 second delay when sending mail.

By the way, thank you for at least taking the time to try to understand what I am looking for here. It is easy to be misunderstood.

[Updated on: Wed, 31 May 2006 15:15]

freakinvibe:
OK, you can try the following: In the Admin Console, go to

- Configuration > Advanced Options

- Choose the "Security Policy" tab

- Choose "Require Secure Authentication" from the drop down list

- Check "Allow insecure Authentication from Address Group"

- Choose the Address Group which contains the Postini Range

The "Relay Control" Tab doesn't help here as it only controls the users sending mail to external domains.

But you also might want to solve the underlying problem, which is that spammers found your mail server although your MX records point to Postini. I checked your A records:

sukinlaw.com. 3H IN A 207.65.89.221

Some mail servers (including the spammers' mail servers) look up the A record for sukinlaw.com. Spammers do this to avoid Postini or MessageLabs. So the best would be if you changed the A record to a different address. Your co-workers could still use a different A record like securemail.sukinlaw.com to send mail.

Spammers will always find mail servers by scanning for port 25 (SMTP), but they will not know which domains it hosts (you should modify your SMTP greeting message so it doesn't contain the domain name).

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
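The distinction Pascal draws (relay control only decides what unauthenticated clients may send to external domains, whereas the OP needs unauthenticated sessions refused altogether unless they come from the Postini range) is easier to see as two side-by-side policy functions. This is an added model written for this thread, not Kerio's code and not a description of how the Admin Console options are implemented: the local domains and the 64.18.0.0/16 range come from the thread, the session fields and the two policy names are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Hosted domains and the trusted inbound relay range, as stated in the thread.
LOCAL_DOMAINS = {"sukinlaw.com", "goccsg.com"}
TRUSTED_RANGES = [ipaddress.ip_network("64.18.0.0/16")]


@dataclass
class Session:
    """What the server knows about an SMTP session once RCPT TO has been given
    (field names are assumptions of this example)."""
    client_ip: str
    authenticated: bool   # True if the session completed SMTP AUTH
    rcpt_domain: str      # domain part of the RCPT TO address


def from_trusted(session, trusted=TRUSTED_RANGES):
    """True if the client address lies inside one of the trusted ranges."""
    ip = ipaddress.ip_address(session.client_ip)
    return any(ip in net for net in trusted)


def relay_control(session):
    """Ordinary relay control, the behaviour Scott describes: anybody may deliver
    to a hosted domain, and only authenticated or trusted clients may relay to
    other domains. Direct-to-server delivery for local users is accepted here."""
    if session.rcpt_domain.lower() in LOCAL_DOMAINS:
        return ("accept", "local recipient, no authentication needed")
    if session.authenticated or from_trusted(session):
        return ("accept", "relay permitted")
    return ("reject", "relaying denied")


def inbound_via_relay_only(session):
    """Tightened policy for a server whose MX records point at a filtering relay:
    an unauthenticated session is accepted only from the trusted relay range,
    so a sender that found the A record and connected directly must authenticate.
    Everything else falls through to ordinary relay control."""
    if not session.authenticated and not from_trusted(session):
        return ("reject", "authentication required from this address")
    return relay_control(session)


def compare(sessions):
    """Evaluate both policies for each session; returns a list of
    (client_ip, rcpt_domain, relay_control_verdict, tightened_verdict)."""
    return [
        (s.client_ip, s.rcpt_domain, relay_control(s)[0], inbound_via_relay_only(s)[0])
        for s in sessions
    ]


# Constructed sessions modelled on the thread: two direct spam deliveries, one
# message relayed by Postini, one authenticated roaming user sending externally.
CASES = [
    Session("59.36.135.229", False, "sukinlaw.com"),
    Session("218.18.33.157", False, "goccsg.com"),
    Session("64.18.3.116", False, "sukinlaw.com"),
    Session("64.52.234.2", True, "example.net"),
    Session("59.36.135.229", False, "example.net"),
]

if __name__ == "__main__":
    for row in compare(CASES):
        print("%-15s -> %-13s relay_control=%-6s tightened=%s" % row)
```

The practical check after changing the server's policy is the same as the model's first two rows: an unauthenticated test message to a local mailbox from an address outside the Postini range should now be refused, while a message routed through Postini and a message from an authenticated roaming user should still be accepted.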
maqattaq:
Thanks... I've implemented most of this (except for the secure encryption... need to do that over a weekend).

By the way, how would I go about removing the hostname from the SMTP greeting? I have the mailserver version removed, but I can't seem to find it anywhere else. Do I just have to empty the entire hostname?
freakinvibe:
I would change the internet hostname in the "Domains" section to your IP address.

The greeting would then look like

220 207.65.89.221 ESMTP ready

That doesn't tell the spammer more than he already knows.

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch