"Enable Domain's SMTP auth setting for local deliveries" at SERVER LEVEL is too strict. Some customers need this option enabled and some others need it disabled.
Problem reported by Gabriele Maoret - SERSIS - 9/29/2021 at 9:24 AM
"Enable Domain's SMTP auth setting for local deliveries" (see image below) at SERVER LEVEL is too strict.


Some customers need this option enabled and some others need it disabled.

An example of a customer (with the @DOMAIN.COM mail domain) that needs it disabled is one that uses MailGun to send mail from his website, wants to use an existing email address as the sender, and wants a copy of the mail in his inbox.

The SPF is configured to allow MailGun to send mail for @DOMAIN.COM (as the SmarterMail server is), but the internal user in SmarterMail can't receive his copy because of this setting.


Is there a way to enable/disable this setting per domain?


An alternate solution is to tie this setting to an SPF check, permitting local delivery without SMTP auth if the sender IP satisfies the domain's SPF record.
Gabriele Maoret - SERSIS - Head of SysAdmins
Currently manages 3 SmarterMail installations (1 in cloud for SERSIS which provides service to a few hundreds 3rd party Mail Domains + 2 on premise to customers)

Gabriele Maoret - SERSIS Replied
Hint: it would also be interesting to add an option to bypass this control for mail servers that are explicitly present in the domain SPF list.
Sabatino Replied
I did some tests because a user needed it.

If you have this at the general level
and set this on the domain,
the effect is just that.

They can send without authentication to all local users, but authentication is required to relay.


However, I find the solution partial and in any case risky.


In fact, by doing this, if the sender of an email is from the domain on which the option has been disabled, it can send to any user of the server.

I wish it could only deliver to the domain on which this option has been enabled.

Sabatino Traini
Chief Information Officer
Genial s.r.l.
Martinsicuro - Italy

Sabatino Replied
I forgot to add that an unauthenticated local submission does not seem to be covered by the limits and functionality provided by

Priority and Throttling.

So if someone discovers a sender/domain on which the local authentication option has been disabled, they can spam server users.
Gabriele Maoret - SERSIS Replied
@Sabatino: this is not a valid solution because it exposes you to risks of spoofing/phishing
Sabatino Replied
Yes. As I have in fact also highlighted, it is not a good solution, but the only one possible at this moment, unless you combine it with SPF... but SM is apparently ignoring us. Yet many web servers have this problem... at least that's my experience.
Sabatino Replied
I'm discussing the problem with Kyle (luckily he is there, otherwise we would have to invent him :)) via ticket.

I wanted to share my latest observation with everyone

Hi Kyle,
I have been thinking about the problem.

The problem stems from the fact that SmarterMail treats messages arriving from external email addresses differently from those belonging to the server.

I'll try to explain myself better with an example.


Suppose I have an xtest.com domain on my SM server,

with an email address info@xtest.com configured.


Now, an email arrives from test@gmail.com: antispam, SPF, DKIM etc. are applied.


Instead, an email arrives from an external IP xx.xx.xx.xx which has info@xtest.com as sender
and info@xtest.com or any other email address on the server as recipient.

SM in the basic configuration asks the user for authentication. If I disable auth for local users it creates a security problem.

In my opinion it should behave the same way as it does when the email address is not on the server,

that is, apply the antispam rules and so on normally, in particular SPF.

And so if the score is high it ends up in spam.

In this way I can safely put the client's web server IP in the SPF, because it does not create a security problem.


Gabriele Maoret - SERSIS Replied
Is there any news on that?
Vince Replied
I am also having a problem, I think with this exact situation.

I have an auto dealership that uses software at their dealership to email documents. The software sends from the software provider's email server; they have given us an SPF record entry to allow the software provider's email server to send on behalf of the dealer's domain, but when anyone at the dealership tries to send from the software to another person in the dealership (any email account in their domain) it gives a relay error. Their software uses a return address and a sending address in the dealership domain, for example sender@thisdomain.com to receiver@thisdomain.com. They do this quite often for important documents that are generated.

I should also add that they also send to external addresses as well. so the return address needs to be at their domain.

Is there anyway to allow this to work without compromising smartermail?


Proto Replied
Vince:
Please don't shoot me if I'm wrong, I'm on the run and don't have time to confirm but, from memory, I think that if you go to Settings | Security you will see a tab for Whitelist. It's gotten a lot more flexible in recent versions, but I am pretty sure you will see an option there to bypass SMTP authentication based on IP address. If the server has a fixed IP address this shouldn't be too risky. CIDR notation is supported, so if there were a small range of addresses the server might use you could accommodate that without increasing the risk too badly, and you would know specifically the IP addresses that would need to be spoofed.
Just a thought.
SmarterMail(tm)
MAPI over HTTP - Let's flesh it out for Outlook with a full set of Exchange like features!
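The two ideas raised so far, Gabriele's and Sabatino's "trust the unauthenticated local sender only if the connecting IP passes the domain's SPF" and Proto's fixed-IP/CIDR whitelist, can be combined into one policy gate. The code below is an added example written for this thread, not SmarterMail's own logic or configuration: every domain, IP address and SPF record in it is constructed sample data, and the tiny SPF evaluator handles only ip4/ip6/include/all mechanisms so it can run offline. It also implements Sabatino's caveat that a source trusted for one hosted domain should be allowed to deliver only to that domain, not to every mailbox on the server.

```python
"""Added example, not SmarterMail's code: a policy gate for unauthenticated
SMTP submissions whose MAIL FROM is a local domain. It combines the ideas in
this thread: trust the connecting IP only if it passes the sender domain's
SPF record (or sits in a fixed per-domain IP/CIDR allowlist), and even then
allow delivery only to recipients of that same domain, so a trusted source
for one hosted domain cannot spray every mailbox on the server.
Domains, IPs and SPF records below are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
# 'include' is resolved against this same table so the example runs offline.
SPF_RECORDS = {
    "xtest.com": "v=spf1 ip4:203.0.113.10 include:mailgun.example -all",
    "mailgun.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Constructed per-domain allowlist of fixed sender IPs/CIDRs
# (the Settings | Security whitelist idea, but scoped to one domain).
STATIC_ALLOW = {"xtest.com": ["192.0.2.0/28"]}

LOCAL_DOMAINS = {"xtest.com", "other.example"}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, ip, depth=0):
    """Minimal SPF evaluator: ip4/ip6/include/all mechanisms only.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Production code should use a full RFC 7208 implementation (a/mx/exists,
    macros, DNS lookup limits); this is just enough to drive the policy."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech in ("ip4", "ip6"):
            # mismatched address families never match (ip4 term vs IPv6 client)
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = spf_result(arg, ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER[qual]
    return "neutral"                     # no mechanism matched and no 'all'


@dataclass
class Submission:
    client_ip: str
    authenticated: bool
    mail_from: str
    rcpt_to: str


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def decide(sub):
    """Return (action, reason) for one RCPT TO.
    Actions: 'deliver', 'auth-required' (530-style reject), 'relay-denied'."""
    sender_dom, rcpt_dom = domain_of(sub.mail_from), domain_of(sub.rcpt_to)
    if sub.authenticated:
        return "deliver", "authenticated submission"
    if rcpt_dom not in LOCAL_DOMAINS:
        return "relay-denied", "unauthenticated relay to a non-local domain"
    if sender_dom not in LOCAL_DOMAINS:
        # ordinary inbound mail: normal antispam/SPF/DKIM scoring applies
        return "deliver", "inbound mail from an external sender; spam filtering applies"
    # Unauthenticated submission claiming a local sender: the thread's case.
    ip = ipaddress.ip_address(sub.client_ip)
    if any(ip in ipaddress.ip_network(c, strict=False)
           for c in STATIC_ALLOW.get(sender_dom, [])):
        basis = "static allowlist"
    elif spf_result(sender_dom, sub.client_ip) == "pass":
        basis = "SPF pass"
    else:
        return "auth-required", "local sender from an untrusted IP must authenticate"
    # A source trusted for one domain may only deliver to that domain.
    if rcpt_dom != sender_dom:
        return "auth-required", f"{basis} for {sender_dom} does not cover {rcpt_dom}"
    return "deliver", f"unauthenticated local delivery permitted ({basis})"


if __name__ == "__main__":
    cases = [
        Submission("198.51.100.7", False, "info@xtest.com", "info@xtest.com"),
        Submission("192.0.2.5", False, "info@xtest.com", "sales@xtest.com"),
        Submission("203.0.113.10", False, "info@xtest.com", "user@other.example"),
        Submission("198.18.0.1", False, "info@xtest.com", "info@xtest.com"),
        Submission("198.18.0.1", False, "test@gmail.com", "info@xtest.com"),
    ]
    for c in cases:
        print(c.client_ip, c.mail_from, "->", c.rcpt_to, *decide(c))
```

The MailGun case from the opening post maps onto the first case: the connecting IP is inside the included provider's range, so the copy to the customer's own mailbox is delivered without SMTP auth, while the same IP sending as info@xtest.com to a different hosted domain still gets an authentication-required rejection. An SPF "softfail" or "neutral" is deliberately not treated as trust here; only an explicit "pass" or a static allowlist entry lifts the auth requirement.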
Vince Replied
Thanks Proto for the advice.

The email servers the software provider uses do not always have the same ip addresses.

So I don't think this will work. 

There has to be another way, website forms would have the same problem.
Proto Replied
Vince:
You could put a very wide range of addresses there; they may not have anything larger than a Class C. Opening up doesn't mean you will necessarily see a lot of spam or abuse of the server. Another party would need to know that there is, essentially, an open relay at that address and then know enough to spoof that address to exploit it.
You may find that upgrading the web hosting plan to include a fixed IP address could be done at very low cost. We provide it for almost all sites at no extra cost to improve their Internet identity and lessen the chances of something that slips by on one web server tarnishing the reputation of other clients. We use dedicated IP addresses for email domains for the same reason. When I last looked even someone like GoDaddy would upgrade for about $2 a month, and there are other ways to make a business case for doing it. Some I've seen recently charge 8 or 10 bucks, but it is still money well spent for an organization that cares about its Web presence and reputation there.
If you can get it down to one, fix the problem, and don't tell anyone so that it is an enigma. Not great techy or security advice, I know, but a practical solution for a customer that just expects that you can make it all work and allow them to run with a non-compliant outbound mail configuration.

I don't think I will be able to find it to send a copy to you, but the crux of your problem is that the mail code running on the server doesn't include the ability to authenticate with a login to the SMTP service you are providing. Without ever having looked at PHP before, I was able to tear apart the plugin used on one client's WordPress site and add authentication to it. It was a simple and reasonably short project because there was no user interface for setting that kind of thing up. I just hard-coded the account and the password into the PHP for the site and then, knowing how to send email from a prompt using TELNET, added those parts of the dialog between the sending end and the receiving end.

It sounds like it might be a tall order for ST to modify something to accept a specific sender when the IP address may change. I suppose you could do something with Dynamic DNS at a server and use a URL, but with that level of access to the server there would probably be ways to eliminate this completely. ST have been at this a long time though; maybe someone there will scratch their head and come up with something.

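Proto's fix, teaching the web application's mailer to authenticate, comes down to adding the AUTH step to the same SMTP dialog one would type over telnet. The following is an added example for this thread, not SmarterMail code and not the PHP plugin Proto modified: it drives that dialog against a scripted in-memory server whose replies are constructed to reproduce the symptoms Vince describes (relay denied to outside addresses, authentication required for a local sender), then shows the same message accepted once the client sends AUTH PLAIN. The server name, account and password are invented; a real client must wrap the session in STARTTLS before AUTH PLAIN, because that mechanism only base64-encodes the password.

```python
"""Added example, not SmarterMail's code nor the PHP plugin Proto patched:
the SMTP submission dialog a web application's mailer has to speak when the
server demands authentication for a local sender. A scripted in-memory
server stands in for the MTA so the exchange runs offline; its replies are
constructed to mimic the symptoms in this thread (relay denied, auth
required). AUTH PLAIN only base64-encodes the password, so a real client
must issue STARTTLS first; that step is omitted here."""
import base64


class ScriptedSmtpServer:
    """Constructed server: one account table, requires AUTH for relaying and
    for any unauthenticated MAIL FROM in a hosted (local) domain."""

    def __init__(self, local_domains, accounts):
        self.local_domains = set(local_domains)
        self.accounts = accounts          # user -> password (plaintext, demo only)
        self.authenticated = False
        self.mail_from = ""

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"
        if verb == "AUTH":
            mech, _, token = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 5.5.4 Unrecognized authentication type"
            try:                          # RFC 4616: authzid NUL authcid NUL passwd
                _authz, user, password = base64.b64decode(token).decode().split("\0")
            except ValueError:
                return "501 5.5.2 Cannot decode AUTH response"
            if self.accounts.get(user) == password:
                self.authenticated = True
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            self.mail_from = arg.split(":", 1)[1].strip("<> ")
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            if self.authenticated:
                return "250 2.1.5 Recipient OK"
            if rcpt.rsplit("@", 1)[-1] not in self.local_domains:
                return "550 5.7.1 Relaying denied"
            if self.mail_from.rsplit("@", 1)[-1] in self.local_domains:
                return "530 5.7.0 Authentication required for local sender"
            return "250 2.1.5 Recipient OK"   # ordinary inbound mail
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def auth_plain_token(user, password):
    """Build the AUTH PLAIN initial response (authzid left empty)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def submit(server, sender, recipient, credentials=None):
    """Drive one submission; return (accepted, transcript).
    The transcript redacts the AUTH line so logs never carry the token."""
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        shown = "AUTH PLAIN <redacted>" if cmd.startswith("AUTH ") else cmd
        transcript.append(("C", shown))
        transcript.append(("S", reply))
        return reply

    send("EHLO webapp.example")
    if credentials is not None:
        user, password = credentials
        if not send(f"AUTH PLAIN {auth_plain_token(user, password)}").startswith("235"):
            send("QUIT")
            return False, transcript
    send(f"MAIL FROM:<{sender}>")
    accepted = send(f"RCPT TO:<{recipient}>").startswith("250")
    send("QUIT")
    return accepted, transcript


if __name__ == "__main__":
    accounts = {"sender@thisdomain.com": "correct horse battery staple"}
    # Without AUTH: the dealership-style local-to-local send is refused.
    ok, log = submit(ScriptedSmtpServer({"thisdomain.com"}, accounts),
                     "sender@thisdomain.com", "receiver@thisdomain.com")
    print("unauthenticated:", ok)
    # With AUTH PLAIN added to the mailer, the same message is accepted.
    ok, log = submit(ScriptedSmtpServer({"thisdomain.com"}, accounts),
                     "sender@thisdomain.com", "receiver@thisdomain.com",
                     credentials=("sender@thisdomain.com", accounts["sender@thisdomain.com"]))
    print("authenticated:", ok)
    for who, text in log:
        print(who + ":", text.replace("\r\n", " | "))
```

Two details worth carrying into a real mailer: authenticate before MAIL FROM (the server evaluates the relay decision at RCPT TO, so a late AUTH does not help), and keep the submission account's password out of application logs and of the site's world-readable config where possible, since a hard-coded credential in a web root is exactly the kind of secret that leaks through a backup or a misconfigured web server.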
Vince Replied
Hi Proto,

OK, I'm going to give that a try.

Thanks for your help.
Vince
