Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x => Topic started by: Michail Pappas on September 13, 2021, 08:26:28 AM
-
Hello everybody,
I've been painfully busy for the last 10 months, so much in fact that I was not even able to update my single SME 9.2 box. Got it scheduled for the first week of October, provided I have the time to do the mandatory prep reading. But I'm certain all will go well :)
Today I stumbled into the following: one of my users was able to send email using a group email address. Now, this should not have come to me as a surprise, since the IP address this mail was sent from was on the LAN side of the network. OTOH, it is quite scary to be able to send email with a different identity!
So I was considering options to limit this down:
1) IIRC, there is always the option to configure SME to ask for credentials during an SMTP transfer, even for local users. However, this would present problems for various systems (i.e. printers/servers on static IP addresses, sending alerts and stuff).
2) As is, I have a 10.0.16.0/22 subnet whose lower half (.16.0 - .17.255) hosts my servers/printers etc. and whose upper half (.18.0 - .19.255) hosts the users' systems. So I was wondering if it would be feasible (and wise) to somehow limit trustworthiness to only the lower part of the subnet, making SMTP authentication of my users' mail submissions mandatory in the process.
I'm inclined to (2) above, not sure though if it can be done. And if it can, which option(s) I should change to do so.
-
Simplest is to use a pseudonym.
So I have a number of those that are the email addresses for a group.
So everyone in the group can receive, but none can send from that address as it is only a pseudonym.
Eg accounts, info, sales etc.
KISS :-)
-
1) IIRC, there is always the option to configure SME to ask for credentials during an SMTP transfer, even for local users. However, this would present problems for various systems (i.e. printers/servers on static IP addresses, sending alerts and stuff).
You can create a custom template and add all your devices there:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
nano 60myAppliance
and then add all your IPs with such a syntax:
{
$OUT .= "first_ip\n";
$OUT .= "second_ip\n";
}
and at the end:
signal-event email-update
This used to work in SME 9.x; not tested (but should work) in SME 10 too.
HTH
-
Thanks for your responses. I think I'll go with Stefanos' approach here. Any idea if I can describe subnets (i.e. x.y.z.w/q) in the $OUT statements instead of single IPs?
Furthermore, I presume that in this approach I do have to enforce password authentication for all systems, even LAN ones, correct?
-
https://wiki.koozali.org/Qpsmtpd:relay#relayclients
-
Yes, you should enforce passwords; that is best practice, so you do not help propagate spam and viruses in the unlikely case of an infected computer on your LAN.
-
Yes, you should enforce passwords; that is best practice, so you do not help propagate spam and viruses in the unlikely case of an infected computer on your LAN.
A good reason to generally NOT make these sorts of accounts real 'system' accounts unless absolutely necessary - they get forgotten, and hacked.
-
I'm using non-authenticating accounts on stuff like iLO/iDRAC, some printers/copiers, UPS management software for alerts etc.
As for what you've told me and from what I understood after reading the relayclients wiki page, I have more questions. The way I see it, relayclients should contain addresses of hosts allowed to send mail without authentication, whereas norelayclients should contain a subset of relayclients, for hosts that should authenticate. Is that correct?
1) At the moment, on my current 9.2 box relayclients contains only localhost and the IP address of the server itself. So, how come various devices on my LAN are able to send email without authentication?
2) On the same box, norelayclients contains solely the gateway/upstream router IP address (my SME is operating in server-only mode, without any gateway functionality). Why?
3) After reading the relayclients wiki, I believe I should modify relayclients to include a line 10.0.16.0/22 (my entire LAN range, which includes both normal users as well as devices sending unauthenticated alert emails, like iLO), whereas norelayclients should include 10.0.18.0/23 (since that is the IP range my normal users operate in, hence authentication should be required). Did I get the hang of it right?
-
I'd say you have to enforce password and auth policy on all your LAN and then use the custom fragment approach to list only the IP addresses of the devices you want to enable.
-
I'd say you have to enforce password and auth policy on all your LAN ...
Where exactly is this SMTP functionality configured from?
-
https://wiki.koozali.org/SME_Server:Documentation:Administration_Manual:Chapter13#E-mail_Retrieval
Note: this part is to be updated; SME 9 already has the fragment, so there is no need for a custom template (hence SME 10 too).
https://wiki.koozali.org/SME_Server:Documentation:FAQ:Section04#How_do_I_enable_smtp_authentication_for_users_on_the_internal_network
-
That's perfect mate, thank you!
-
Again, considering this is about a 9.2 and not a 10 box, I'd be grateful if you could bear with me.
There's something definitely fishy here. That, or I am missing something altogether.
Details again: LAN is 10.128.64.0/22 (part of a large 10/8 WAN). SME is on 10.128.65.8 (server-only operation).
I've enabled authentication for everything as per:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update
config setprop qpsmtpd Authentication enabled
signal-event email-update
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update
# cat /var/service/qpsmtpd/config/relayclients
#------------------------------------------------------------
# !!DO NOT MODIFY THIS FILE!!
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at http://www.contribs.org/development/
#
# Copyright (C) 1999-2006 Mitel Networks Corporation
#------------------------------------------------------------
# Format is IP, or IP part with trailing dot
# e.g. "127.0.0.1", or "192.168."
127.0.0.
10.128.65.8
# SMTP Relay from local network denied by custom template
However, trying to send from a NAS device with an IP of 10.210.116.19 (out of my LAN range, definitely not listed in relayclients) succeeds! Specifically, I'm sending email from an existing email account of my domain to itself, without doing any authentication at all.
What am I missing here? Why isn't this traffic blocked?
FYI:
# config show qpsmtpd
qpsmtpd=service
Authentication=enabled
Bcc=disabled
BccMode=cc
BccUser=maillog
DKIMSigning=enabled
DMARCContactInfo=http://redacted/
DMARCReject=enabled
DMARCReportEmail=admin@redacted
DNSBL=enabled
LogLevel=6
MaxScannerSize=25000000
RBLList=bl.spamcop.net,psbl.surriel.com,zen.spamhaus.org
RHSBL=disabled
RelayRequiresAuth=enabled
SBLList=multi.surbl.org,rhsbl.sorbs.net
TlsBeforeAuth=0
UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
URIBL=disabled
access=public
qplogsumm=enabled
status=enabled
-
Again:
this is not needed, as SME 9 already has the fragment for local, and you will just hide it from further updates when you migrate to SME 10:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local
cp /etc/e-smith/templates/var/service/qpsmtpd/config/peers/0/05auth_cvm_unix_local .
signal-event email-update
-
Sending mail does not mean relaying mail.
Are you sending emails to local users or to a remote email address?
With this config SME will still accept email for its own addresses, like it does from a remote server, but it will refuse, say, device A sending email to gmail using SME.
-
Hmmm, got me here! Will think about it and get back mate, thanks!
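The distinction made in the reply above (accepting mail addressed to a local domain versus relaying mail to a remote domain, with relayclients, norelayclients and SMTP authentication deciding the latter) is easy to misread from the config files alone. The following is an added example, not code from the thread or from SME Server/qpsmtpd itself: a small Python model of that decision. The entry formats follow the comment in the generated relayclients file (exact IP, or IP prefix with a trailing dot); CIDR entries are handled too, which the thread asks about but the model assumes rather than confirms for a given SME version. The addresses, the local domain and the list contents are constructed for the demonstration.

```python
import ipaddress

# Constructed sample lists, modelled on the thread's scenario: the server's own
# address and loopback, the whole LAN as relay clients, and the user half of the
# LAN carved back out so that those hosts must authenticate.
RELAYCLIENTS = ["127.0.0.", "10.128.65.8", "10.0.16.0/22"]
NORELAYCLIENTS = ["10.0.18.0/23"]
# Constructed local domain for which the server accepts inbound mail.
LOCAL_DOMAINS = {"example.org"}


def entry_matches(entry: str, client_ip: str) -> bool:
    """Match one list entry against a client address.

    Supported entry forms (assumption: prefix and exact forms as documented in
    the generated file's header, CIDR as an extension):
      - "192.168."      prefix with trailing dot
      - "10.128.65.8"   exact address
      - "10.0.16.0/22"  CIDR network
    """
    if entry.endswith("."):
        return client_ip.startswith(entry)
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return client_ip == entry


def is_relay_client(client_ip: str) -> bool:
    """A host may relay unauthenticated only if it is listed in relayclients
    and not excluded again by norelayclients."""
    allowed = any(entry_matches(e, client_ip) for e in RELAYCLIENTS)
    denied = any(entry_matches(e, client_ip) for e in NORELAYCLIENTS)
    return allowed and not denied


def decide(client_ip: str, authenticated: bool, rcpt: str) -> tuple:
    """Return (accept?, reason) for one RCPT TO from a given client.

    Mail for a local domain is inbound delivery and is accepted regardless of
    the relay lists (this is why the NAS in the thread could send to a local
    mailbox).  Anything else is relaying and needs either SMTP authentication
    or a relay-client match.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"
    if authenticated:
        return True, "relay: authenticated"
    if is_relay_client(client_ip):
        return True, "relay: client listed in relayclients"
    return False, "relay denied: not authenticated and not a relay client"


if __name__ == "__main__":
    # Constructed transactions illustrating the thread's cases.
    cases = [
        ("10.210.116.19", False, "user@example.org"),   # NAS outside LAN, local rcpt
        ("10.210.116.19", False, "someone@gmail.com"),  # same NAS, remote rcpt
        ("10.0.16.5", False, "someone@gmail.com"),      # iLO-type device, trusted half
        ("10.0.18.5", False, "someone@gmail.com"),      # user PC, must authenticate
        ("10.0.18.5", True, "someone@gmail.com"),       # user PC, authenticated
    ]
    for ip, auth, rcpt in cases:
        ok, why = decide(ip, auth, rcpt)
        print(f"{ip:15} auth={auth!s:5} -> {rcpt:22} {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The first case reproduces the observation in the thread: an unlisted, unauthenticated host can still deliver to a local mailbox because that is not relaying. Tightening relayclients/norelayclients only affects the remaining cases; the inbound path is governed by the server's own domain list and its other filtering (DNSBL, DMARC and so on from the config shown above), not by the relay lists.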