Back to Community Threads
1
Address spoofing using Webmail and local SMTP server (and security related aspects)
Problem reported by TDBnet - Today at 1:27 AM
Submitted
Hello!

On current SmarterMail release, Webmail users have the right to add a SMTP account setting local SmarterMail SMTP server without enabling the authentication and providing any other local or not local email address (also a not-existent fake address) as From address.
SmarterMail allows to send messages from that address through itself without checking if the webmail user is authorized to use it, also if the "Require auth match" is set to "Email address" under the server protocols settings.
So, for example, that webmail user can send a fraud message spoofing itself as the boss of the company, or another work colleague, or anyone else. And if the destination address resides inside the same SmarterMail server, it will be almost impossibile to discover the fraud.

IMHO, if in SmarterMail the "Require auth match" option is enabled (set to "Email address" or "Domain"), this important security policy must be valid also using the Webmail service and not only when the user works with an external email client.

Morover, if "Require auth match" option is set to "Email address", if the address is included in an alias, on current release the alias will be available and usable as "From address" only using webmail, but not using an external client.

My two questions/proposals are:
- it is possible to improve the internal security without bypass the "Require auth match" when a user set local SmarterMail SMTP server as an additional SMTP account?
- it is possible to make the "Require auth match" option able to check and authorize the relay also for the aliases of a user?

Thank you.
Daniele

8 Replies

Reply to Thread
1
Sébastien Riccio Replied
Today at 3:27 AM
Hello,

Not sure if it helps but have you checked if you have SMTP Auth Bypass enabled for 127.0.0.1 in Settings -> Security > Whitelists ?


If yes, try to disable it.

Kind regards
Sébastien Riccio System & Network Admin https://swisscenter.com
0
TDBnet Replied
Today at 3:47 AM
Yes, but no effects on webmail...

Daniele
0
Brian Bjerring-Jensen Replied
Today at 6:35 AM
Have you actually managed to send an email succesfully to an external domain or internal?

I have tried but the recipient is not showing and the mail is not sent.
0
TDBnet Replied
Today at 8:59 AM
I have tried sending to any domain of the same SmarterMail server (on mine I have 9 domains), both internal and external to my address domain. The From address set on SMTP account can be any address (also a nonexistent domain), the To address can be any address of any smartermail domain on the server.

For example:

1. Login in your mailbox (ie. bad-employee@company.com on the smartermail server mail.myserver.com)
2. Go to your settings, tab Connectivity
3. Set a SMTP Account using the same smartermail server address (ie. mail.myserver.com)
4. set the email address to any email address, if you like also on other domain and server (ie. topboss@holdingofthecompany.com)
5. Do not enable authentication
6. Save, and it will be saved.
7. Now create a new mail and set the From address as topboss@holdingofthecompany.com (or any other you set)
8. Send to another local email (ie. poor-employee@company.com)

Now bad-employee@company.com spoofed its real address and poor-employee@company.com has received an email from topboss@holdingofthecompany.com.
0
Kyle Kerst Replied
Today at 12:18 PM
Employee Post
Hello TD8net; I believe this scenario you outlined should be covered by our authentication settings. In the domain's settings you'll find a toggle to require SMTP authentication, then within Settings>Protocols>SMTP In you'll find similar settings including one called Require Auth Match setting which you can configure for Email Address and that will force the user to authenticate with whichever account they're trying to send from.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
TDBnet Replied
Today at 1:04 PM
No, Kyle. I already have that parameter set as you wrote, but it works only with external clients (eg Thunderbird) and not within the webmail when adding a local smartermail smtp account without enabling authentication.

Thank you anyway for your suggestion.
Daniele
0
Kyle Kerst Replied
Today at 3:39 PM
Employee Post
You're very welcome Daniele. When I mimic this test here my outgoing messages are rejected with authentication is required for relay due to my protocol and domain settings requiring authentication during SMTP. It's possible you may have a whitelist entry somewhere that is overriding that requirement perhaps? I recommend we start a ticket to get to the bottom of this.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
Kyle Kerst Replied
Today at 4:59 PM
Employee Post
Hi Daniele, just a quick follow up for you on this. Jorel and I looked at this together and we were able to replicate the behavior only when the SMTP address is an external domain not known to SmarterMail, and I think this is likely why the require auth match and other authentication settings don't get engaged. We're not sure how much of this is expected just yet so we're going to discuss further with our development team and we'll get you an update on this as soon as possible. Thanks Daniele!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Set up Autodiscover for SmarterMailSmarterMail > Installation and Configuration
Configure SmarterMail as a Free Gateway ServerSmarterMail > Server Configuration and Management
Migrate an Account From Another Service into SmarterMailSmarterMail > Domain/User Configuration and Management
Configure POP for iPhone, iPad or iPod TouchSmarterMail > Desktop and Mobile Synchronization
SmarterMail HIPAA/FINRA/SOX ComplianceGeneral Topics