Disabled domain still allows connections for Apple products
Problem reported by Jay Altemoos - November 12, 2015 at 8:50 AM
Resolved
Hello everyone.
 
I have a bug that I found in SmarterMail 14.1.5675. I uncovered a bug in SmarterMail that I am not sure whether the devs know about or not. So if this has been addressed in a newer update, please let me know.
 
Here's the situation: we have a domain that is currently being migrated to another service. Under instruction of their tech team, I disabled the domain on our mail server so that the users would be forced to log into the new mail service as opposed to using our mail server. They don't want to have the domain removed from our server yet. They might want to migrate their history if they need it.
 
So all is well, I selected to have the domain disabled on our server. That would stop any new email and stop any user from logging in. I checked the stats this morning on that domain and I see successful user logins for today. Not all accounts, but about 7 of them. I disabled the domain yesterday. So looking through my POP logs, I found that the accounts that have last login activity are all using Apple products; the log lists APOP for the successful logins. I see login attempts for another user that got rejected, most likely another email client, which is what I would expect to see. But why did SmarterMail allow the Apple login?
 
Here's a snippet of my POP log from this morning (mind you, the domain has been disabled for half a day already):
 
[2015.11.12] 00:00:14 [73.XXX.66.XXX][14585249] connected at 11/12/2015 12:00:14 AM
[2015.11.12] 00:00:14 [73.XXX.66.XXX][14585249] USER user1@XXXXXXXXXX.com
[2015.11.12] 00:00:14 [73.XXX.66.XXX][14585249] PASS XXXX
[2015.11.12] 00:00:14 [73.XXX.66.XXX][14585249] -ERR UserName or Password is incorrect
[2015.11.12] 00:00:14 [73.XXX.66.XXX][14585249]  login failed
[2015.11.12] 00:00:31 [73.XXX.66.XXX][14585249] disconnected at 11/12/2015 12:00:31 AM
[2015.11.12] 00:04:05 [70.XXX.66.XXX][18118454] connected at 11/12/2015 12:04:05 AM
[2015.11.12] 00:04:05 [70.XXX.66.XXX][39484429] connected at 11/12/2015 12:04:05 AM
[2015.11.12] 00:04:05 [70.XXX.66.XXX][18118454] APOP user2@XXXXXXXXXX.com ce0f070989caa222d03f72350e71ab7d
[2015.11.12] 00:04:05 [70.XXX.66.XXX][18118454] user2@XXXXXXXXXX.com logged in
 
So user1 is most likely using an email client either on a PC or a different device other than an Apple product and got the rejection notice, which is what I would expect to see because of the disabled domain. Now user2 is using an Apple product and is allowed the connection, even though the domain is disabled.
 
So why was the connection for user2 allowed?
 
What I am going to do as a workaround is disable those accounts, but I wanted to bring this forward in case the devs are not aware of it. This definitely needs to be addressed.

5 Replies

0
Richard Frank Replied
POP can't see if it is an Apple device.
 
Did disabling the user accounts help?
 
 
0
Jay Altemoos Replied
Nope! I checked the last activity date and the POP logs this morning, same users are able to log in without issues. If you look at the log snippet I posted above, APOP is the Apple POP connector. So while the POP log can't tell me the exact device, SmarterMail is still allowing connections in. The domain is disabled and the specified user accounts are also set to disabled. So SmarterMail should not accept any connections for these accounts regardless of the device or email client.
 
This is a HUGE security hole. This seriously needs to be addressed by the development team ASAP. I am taking an additional step this morning and completely changing the passwords of those accounts. I am submitting a ticket to Support this morning to have them address this issue. So my recommendation to anybody disabling accounts in their SmarterMail interface is to change the password as well.
0
Tim Uzzanti Replied
Employee Post
Jay,
 
Thanks for opening a ticket with our support team so we can take a look at it. We need to verify your settings and ensure that there isn't a legitimate reason. As Richard states, there is no way for POP to know it's an Apple device or any kind of device. Also, there could be situations where the connection already existed prior to disabling, etc. It needs some evaluation and we can help you understand what is going on with your ticket with our support team.
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
CLEBER SAAD Replied
This is a BUG. If you disable a user or an entire domain and try to log in via POP using USERNAME/PASSWORD, it fails. But if you try to log in using APOP, the connection is fine and the user can download the messages.
 
 
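The two authentication paths Cleber describes, modelled as an added example (this is not SmarterMail's code; the account store, the disabled-domain set and the function names are constructed for illustration): the "vulnerable" dispatcher checks the disabled flags only on the USER/PASS path, so an APOP digest for a disabled account still verifies, while the "fixed" dispatcher checks account and domain state once, before any mechanism-specific verification runs.

```python
import hashlib
import hmac

# Constructed account store: cleartext password plus a per-account disabled flag.
ACCOUNTS = {
    "user1@example.com": {"password": "s3cret-1", "disabled": True},
    "user2@example.com": {"password": "s3cret-2", "disabled": True},
    "user3@other.example": {"password": "s3cret-3", "disabled": False},
}
# Hypothetical list of domains an admin has disabled at the domain level.
DISABLED_DOMAINS = {"example.com"}


def apop_digest(timestamp_banner: str, password: str) -> str:
    """RFC 1939 APOP: hex MD5 of the server greeting's <timestamp> followed by the password."""
    return hashlib.md5((timestamp_banner + password).encode()).hexdigest()


def account_enabled(user: str) -> bool:
    """True only when the account exists, is not disabled, and its domain is not disabled."""
    acct = ACCOUNTS.get(user)
    if acct is None or acct["disabled"]:
        return False
    domain = user.rsplit("@", 1)[-1].lower()
    return domain not in DISABLED_DOMAINS


def auth_vulnerable(method: str, user: str, credential: str, timestamp_banner: str = "") -> bool:
    """Mirrors the reported behaviour: only the PASS path consults the disabled state."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    if method == "PASS":
        return account_enabled(user) and hmac.compare_digest(credential, acct["password"])
    if method == "APOP":
        # Disabled-state check is missing here, so a disabled account still authenticates.
        return hmac.compare_digest(credential, apop_digest(timestamp_banner, acct["password"]))
    return False


def auth_fixed(method: str, user: str, credential: str, timestamp_banner: str = "") -> bool:
    """Single choke point: disabled account or domain is rejected before any mechanism runs."""
    if not account_enabled(user):
        return False
    acct = ACCOUNTS[user]
    if method == "PASS":
        return hmac.compare_digest(credential, acct["password"])
    if method == "APOP":
        return hmac.compare_digest(credential, apop_digest(timestamp_banner, acct["password"]))
    return False
```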
1
Tim Uzzanti Replied
Employee Post
Install the latest version of SmarterMail 14.x and it is resolved.
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
