SMTP protocol needs better configuration controls
Idea shared by Douglas Foster - 3/10/2021 at 10:45 AM
Recently, I had my incoming gateway scanned for PCI DSS compliance. One of the objections was that it allowed SMTP authentication using cleartext credentials. I will be able to dispute this because there are no valid SMTP logins for the site, and I use authentication failures as a honeytrap to create IDS blocks.

However, this objection raises a general design issue. There should be a way to control the allowed SMTP modes:
- current: on or off
- needed: authenticated, unauthenticated, both, neither
And authentication encryption:
- required
- optional 
This has been logged with Support as a feature request.
They always prefer to see community discussion and voting to see if the request has general support.

3 Replies

This lack of SMTP port options is actually one of the reasons why we use incoming gateways (postfix+different tools like rspamd for filtering) for port 25, with authentication disabled. Only the gateways are then allowed to access SmarterMail on port 25.
Sébastien Riccio
System & Network Admin

(This update posted to my case.)
(3/15/2021: Corrected first item to say that we can require all logins to use encryption. The problem is whether logins are allowed at all.)

After reviewing other posts in the community, I realize several things:
1) We already have the ability to prevent unencrypted login. This is on the System Administration login, Settings... Protocols... [SMTP In] section. My mistake.

2) There is a great deal of confusion about making TLS mandatory on a particular port binding.   My understanding is this:
    -- Setting a port to SSL makes encryption mandatory but enables SSLv3.
    -- Setting a port to TLS disables SSLv3 but enables STARTTLS, making encryption optional.
    -- To make encryption mandatory without enabling SSLv3, set the port to SSL and set the system Security Protocols to anything other than SSL 3.0.   (Found on System Administrator... Settings... Protocols... [Security Protocols] section.)
control whether or not authenticated login is required. This is on the System Administrator login,
that this is really just a restatement of longstanding issues.  If this is correct, it needs to be clearly documented.  If it is incorrect, the correct answer needs to be clearly documented.

3) There have been many posts requesting the ability to prevent authenticated and unauthenticated logins on the same port, so my request is really old news. It is time to get this fixed. One of the consequences is that, if a submission port is enabled for authenticated users, then spammers can use that port to bypass any incoming gateway and its filters by using the submission port. A security problem this large should have been addressed promptly.

This is related to forcing authenticated and unauthenticated traffic onto separate ports.

This post documents the fact that unauthenticated traffic is allowed on port 587, which means that if IMAP+SMTP or POP3+SMTP is enabled, then attackers can bypass any incoming gateway by using the submission port. Submission ports should require authentication.

This post requests the ability to disable inbound authenticated SMTP, so that outbound email must use webmail.

This post is about spammers bypassing an incoming gateway and submitting email directly to the SmarterMail server.

This post requests the ability to disable authenticated SMTP on port 25.

Another request to disable Authenticated SMTP on port 25.

I've been begging for this... We need the ability to make SMTP ports auth only (with whitelisted exceptions).
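
An added example, not part of the thread and not SmarterMail code: a small audit over captured SMTP replies that flags the two conditions discussed above, AUTH advertised before TLS (the scanner's objection) and a submission port that accepts MAIL FROM without authentication. The session captures, the host name and the `SUBMISSION_PORTS` set are constructed assumptions.

```python
import re

# Constructed session captures (not from the thread): the server's replies to
# EHLO before any STARTTLS, and to MAIL FROM sent without AUTH.
SESSIONS = {
    25: {"ehlo": ["250-mail.example.test", "250-SIZE 31457280",
                  "250-STARTTLS", "250-AUTH LOGIN PLAIN", "250 8BITMIME"],
         "mail_from": "250 2.1.0 Sender OK"},
    587: {"ehlo": ["250-mail.example.test", "250-STARTTLS", "250 8BITMIME"],
          "mail_from": "250 2.1.0 Sender OK"},
    2525: {"ehlo": ["250-mail.example.test", "250-STARTTLS", "250 AUTH=LOGIN"],
           "mail_from": "530 5.7.0 Authentication required"},
}
SUBMISSION_PORTS = {587, 2525}  # assumption: ports meant for authenticated users only


def parse_ehlo(lines):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    caps = {}
    for line in lines[1:]:  # the first line only carries the server's domain
        m = re.match(r"250[- ](\S.*)$", line.strip())
        if not m:
            continue
        # Legacy servers advertise "AUTH=LOGIN"; normalise it to "AUTH LOGIN".
        text = re.sub(r"^(AUTH)=", r"\1 ", m.group(1), flags=re.I)
        words = text.split()
        caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps


def audit(port, session):
    """List policy findings for one port's pre-TLS capture."""
    findings = []
    caps = parse_ehlo(session["ehlo"])
    if "AUTH" in caps:  # credentials could be sent before encryption starts
        findings.append("AUTH offered before TLS: " + ",".join(caps["AUTH"]))
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    if port in SUBMISSION_PORTS and session["mail_from"].startswith("2"):
        findings.append("submission port accepts MAIL FROM without AUTH")
    return findings


def audit_all(sessions=SESSIONS):
    return {port: audit(port, s) for port, s in sessions.items()}


if __name__ == "__main__":
    for port, findings in audit_all().items():
        print(port, findings or "ok")
```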
