Topic: SMTP 25 port athentication with no encryption doesnt work after update

[antraxso]

Hi,

yesterday i updated my server, made all the comands as usual (yum update, post-upgrade, reboot etc). But after the update SMTP server doesnt accept connections on port 25 with no encryption and plain authentication. Before the update this worked for more than 1 year and many updated were made.
When users email clients tries to connect to the server, they receive error, that no authentication is supported by server. What is causing this and maybe there is a solution?
TlsBeforeAuth is set to 0
authentication is enabled on qpsmtpd

[bunkobugsy]

recent updates
make sure all email clients send on 465 SSL with authentication
from the lan side clients/apps/copiers can also send on 25 but WITHOUT authentication, TLS is optional

[antraxso]

and there are no ways to disable this? :/
That means that we need to buy SSL certificate from third party, as some devices doesnt accept the self issued certificates.

[bunkobugsy]

and there are no ways to disable this? :/
That means that we need to buy SSL certificate from third party, as some devices doesnt accept the self issued certificates.

Read this https://wiki.koozali.org/Letsencrypt#Rush_jobs

[Jean-Philippe Pialasse]

nothing related  between not using self signed certificate and user auth not available on port 25 by default.



this was a regression to allow auth on port 25 in early 2023 that has been patched recently. You still have choice to enable it in manager but you will face huge amount of bruteforce attack and ddos.

you can accept the self signed certificate  as you have to do for auth on port 25 which uses starttls for port 465.  auth on port 25 does not mean no encryption, just explicit encryption instead of implicit, and most used port with higher amount of kiddie scripts trying to bruteforce

however i do encourage to use let’s encrypt certificate

[ReetP]

and there are no ways to disable this? :/

Only if you want to open yourself to a mountain of hack attempts.

Note that backend authentication systems have been changed as well - this is all to keep you secure.

That means that we need to buy SSL certificate from third party, as some devices don't accept the self issued certificates.

Yup - they are trying to tell you something, and there is a good chance that quite a lot of clients will drop plain unauthenticated connections in due course.... the push for better security is relentless, like it or not. The same will be true for http connections soon. Going the same way the Dodo did.

But you do NOT need to buy a certificate.

Letsencrypt certs are free and SME has had the ability to use them for several years. There is no real excuse not too, unless you run some sort of internal only, airgapped server. Even then there are methods to deploy to it.

You really should not be accepting any authentication on port 25 in 2024. Use 465 and enjoy some more security. If you are in the EU then it possibly even falls under GDPR.

[antraxso]

Thanks to all for help and clarification. Activated the Letsencrypt certificate and all is ok now. Many thanks!