Pen test results
Question asked by Lakshan Salgado - 6/19/2020 at 6:53 AM
Unanswered
Now that we are 'official' on the SM release, we need to dot our i's and cross our t's. Part of the process is to validate that our vendors can demonstrate their products are secure. Can SM provide a pen test result to us, either privately or publicly?
I know in the past there were two significant issues reported that SM addressed very quickly, and I suspect there may have been more, a nature of software dev as a whole. That said, this is quite a jump from earlier versions, and it is appropriate to ask the SM leadership team to provide results to limit our legal liability. For the benefit of all of us I am asking publicly how this is handled, as others may have the same question. Tim U? Derek C?

8 Replies

0
John Marx Replied
Being able to provide that this has been done for our clients would definitely help us with overall confidence.
1
Douglas Foster Replied
To get a high grade, SM would need to fix the problem with submission ports accepting unauthenticated SMTP.

That issue was discussed at the end of this topic.
1
echoDreamz Replied
Douglas, we had this issue brought up a few days ago by a law firm we provide email hosting for. Their IT guys brought it up with us. We unfortunately had to move them off of SmarterMail to our Linux systems, as the security software they used to test their website etc. was complaining about this. It believed our server was an open relay because 587 was accepting unauthenticated mail.

It would be great if there were a per-port setting (probably best) to require SMTP authentication (unless the IP is whitelisted).
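The check the scanner in the post above is performing can be reproduced by hand. The script below is an added example, not SmarterMail code and not from any post in this thread: it connects to the submission port, skips AUTH entirely, and reports whether RCPT TO for a recipient in a foreign domain is accepted. It never sends DATA, so no message is relayed even when the server would allow it. The hostnames and addresses are placeholders, and the two scripted server transcripts (one relaying, one requiring authentication) are constructed so the probe logic can be exercised offline.

```python
"""Probe an SMTP submission port (587) for unauthenticated relaying.

Added example for this thread, not SmarterMail code.  The hostnames,
addresses and server transcripts below are assumed/constructed.
"""
import socket


def _read_reply(readline):
    """Read one SMTP reply, including '250-' continuation lines.

    Returns (code, lines).  The last line of a reply has a space at
    index 3; continuation lines have a hyphen there.
    """
    lines = []
    while True:
        line = readline()
        if len(line) < 4:
            raise ConnectionError(f"malformed or empty SMTP reply: {line!r}")
        lines.append(line)
        if line[3] == " ":
            return int(line[:3]), lines


def probe_relay(transport, helo="probe.example",
                mail_from="probe@attacker.example",
                rcpt_to="victim@external.example"):
    """Drive EHLO / MAIL FROM / RCPT TO with no AUTH and report the outcome.

    'open_relay' is True when an external recipient is accepted (2xx)
    before any authentication, which is the condition relay scanners flag.
    DATA is never sent, so nothing is delivered either way.
    """
    code, _ = _read_reply(transport.readline)
    if code != 220:
        return {"open_relay": False, "stage": "banner", "code": code}
    transport.sendline(f"EHLO {helo}")
    code, ehlo = _read_reply(transport.readline)
    if code != 250:
        return {"open_relay": False, "stage": "ehlo", "code": code}
    # Does the server at least advertise AUTH on this port?
    advertises_auth = any(l[4:].upper().startswith("AUTH") for l in ehlo)
    transport.sendline(f"MAIL FROM:<{mail_from}>")
    code, _ = _read_reply(transport.readline)
    if code != 250:
        return {"open_relay": False, "stage": "mail_from", "code": code,
                "advertises_auth": advertises_auth}
    transport.sendline(f"RCPT TO:<{rcpt_to}>")
    code, _ = _read_reply(transport.readline)
    transport.sendline("QUIT")
    _read_reply(transport.readline)
    return {"open_relay": 200 <= code < 300, "stage": "rcpt_to",
            "code": code, "advertises_auth": advertises_auth}


class SocketTransport:
    """Plain-TCP transport for a live probe (no STARTTLS handled here)."""

    def __init__(self, host, port=587, timeout=10):
        self._sock = socket.create_connection((host, port), timeout=timeout)
        self._rf = self._sock.makefile("rb")

    def sendline(self, line):
        self._sock.sendall((line + "\r\n").encode("ascii"))

    def readline(self):
        return self._rf.readline().decode("ascii", "replace").rstrip("\r\n")


class ScriptedTransport:
    """Replays a constructed server transcript keyed by the client verb."""

    def __init__(self, replies):
        self._replies = replies
        self._pending = list(replies["BANNER"])

    def sendline(self, line):
        verb = line.split(":")[0].split()[0].upper()
        self._pending = list(self._replies[verb])

    def readline(self):
        return self._pending.pop(0)


# Constructed transcripts.  OPEN_587 mirrors the behaviour described in
# the thread: AUTH is advertised but an external RCPT is accepted without it.
OPEN_587 = {
    "BANNER": ["220 mail.example.test ESMTP"],
    "EHLO": ["250-mail.example.test", "250-AUTH LOGIN PLAIN", "250 OK"],
    "MAIL": ["250 OK"], "RCPT": ["250 OK"], "QUIT": ["221 Bye"],
}
HARDENED_587 = dict(OPEN_587, RCPT=["530 5.7.0 Authentication required"])


def probe_host(host, port=587):
    """Run the probe against a real server (placeholder host names assumed)."""
    return probe_relay(SocketTransport(host, port))


if __name__ == "__main__":
    print("open relay transcript:", probe_relay(ScriptedTransport(OPEN_587)))
    print("hardened transcript:  ", probe_relay(ScriptedTransport(HARDENED_587)))
```

Some servers accept RCPT TO and only refuse at DATA; the probe above reports the RCPT stage because that is what the scanner echoDreamz mentions is keying on, so a result of `open_relay: True` means "flagged by that class of scanner", not proof that a message would be delivered end to end. Run `probe_host()` only against hosts you are authorised to test.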
0
Lakshan Salgado Replied
The open relay subject probably needs to be moved to a separate thread so SM can either put it on their list or at least respond. As a side bar, we just went through it and moved the customer to O365.
The original thread was about a penetration test result, testing the server as a whole for security vulnerabilities. While it has been a few days, and this is an unmonitored community post that SM has no obligation to comment on, it would be nice to know where we all stand. Pen testing is standard on this type of software. I'm pretty sure no SM admin wants to find out a hacker found a possibly preventable software vulnerability and can drop to c:\ or walk all over the system, or worse, crypto encrypt the drive.
0
Nathan Y Replied
Perhaps raise a support ticket then report back findings?
1
Lakshan Salgado Replied
I did, of sorts. About 6 months ago our mail server got crypto'd. As part of the RCA we dug into how the breach occurred. It was a VM, disconnected from the internal network, with secure passwords and disabled RDP. We did open a ticket. This was the info that was conveyed then: pen test information was available to SM but would most likely not be shared by the leadership team due to concerns about what it contained and exposing potential risk on unsupported versions. While I disagreed, since we were on 15.7 (unsupported) and Windows 2008, we left it at that. Fast forward to 2020: the current release is prod ready, we are on Server 2019, and now pen test results from an external, auditable third party are relevant and should be available upon request. I was hoping SM would respond to this for the benefit of all. As we move to a current version prod upgrade, we will address it with them directly if the answer is not here by then.
0
Jade D Replied
Are you pentesting only the software or the entire service (server, OS, IIS and SmarterMail)?
1
Lakshan Salgado Replied
I was hoping SM had done that on their hosted platform. I care about the SM part of it, though a full OS/system pen test would be ideal, but that has variables out of SM's control. Testing in the US tends to cost a bit of USD and our customer base does not justify the cost. However, the SM hosted platform should be a good candidate, and one I would assume they would test against anyway for their hosted customers as a security assessment.
