Address spoofing using Webmail and local SMTP server (and security related aspects)
Problem reported by Daniele (TDBnet) - 9/19/2024 at 1:27 AM
Hello!

On the current SmarterMail release, Webmail users have the right to add an SMTP account that uses the local SmarterMail SMTP server without enabling authentication, and to provide any other local or non-local email address (even a non-existent fake address) as the From address.
SmarterMail allows messages to be sent from that address through itself without checking whether the webmail user is authorized to use it, even if "Require auth match" is set to "Email address" under the server protocol settings.
So, for example, that webmail user can send a fraudulent message posing as the boss of the company, another work colleague, or anyone else. And if the destination address resides on the same SmarterMail server, it will be almost impossible to discover the fraud.

IMHO, if the "Require auth match" option is enabled in SmarterMail (set to "Email address" or "Domain"), this important security policy should also be enforced when using the Webmail service, and not only when the user works with an external email client.

Moreover, if the "Require auth match" option is set to "Email address" and the address is included in an alias, on the current release the alias is available and usable as the From address only from webmail, not from an external client.

My two questions/proposals are:
- Is it possible to improve internal security so that "Require auth match" is not bypassed when a user sets the local SmarterMail SMTP server as an additional SMTP account?
- Is it possible to make the "Require auth match" option check and authorize the relay also for a user's aliases?

Thank you.
Daniele
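The two proposals above, modelled as one relay-policy check (an added illustration written for this thread, not SmarterMail's own code; the Submission fields, the mode names and the alias map are assumptions). A webmail SMTP account that points at the local server with authentication disabled is treated as unauthenticated and refused, and in "Email address" mode an alias that delivers to the authenticated user is accepted as its From address:

```python
"""Reference model of a 'Require auth match' policy that also covers
webmail-added SMTP accounts and user aliases (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Submission:
    """One outbound message as seen by the relay (assumed field names)."""
    mail_from: str                      # From address chosen by the user
    authenticated_as: Optional[str]     # account that authenticated, or None
    via_webmail: bool = False           # sent through a webmail SMTP account


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def auth_match_allowed(sub: Submission, mode: str,
                       aliases: dict) -> tuple:
    """Return (allowed, reason). mode is 'Email address', 'Domain' or 'Off'.
    aliases maps an alias address to the set of accounts it delivers to."""
    if mode == "Off":
        return True, "auth match disabled"
    # The gap the reporter describes: a webmail SMTP account aimed at the
    # local server with authentication turned off must not skip the check,
    # so an unauthenticated submission is refused regardless of via_webmail.
    if sub.authenticated_as is None:
        return False, "authentication is required for relay"
    user = sub.authenticated_as.lower()
    sender = sub.mail_from.lower()
    if mode == "Domain":
        if _domain(user) == _domain(sender):
            return True, "sender domain matches authenticated domain"
        return False, f"{sender} is outside {_domain(user)}"
    if mode == "Email address":
        if sender == user:
            return True, "sender equals authenticated account"
        # Second proposal: an alias that delivers to the user is an
        # acceptable From address, the same way for webmail and clients.
        if user in aliases.get(sender, set()):
            return True, f"{sender} is an alias of {user}"
        return False, f"{sender} does not match {user} or its aliases"
    raise ValueError(f"unknown mode {mode!r}")
```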

Sébastien Riccio Replied
Hello,

Not sure if it helps, but have you checked whether you have SMTP Auth Bypass enabled for 127.0.0.1 in Settings > Security > Whitelists?


If yes, try to disable it.

Kind regards

Sébastien Riccio System & Network Admin https://swisscenter.com
Daniele (TDBnet) Replied
Yes, but no effects on webmail...

Daniele
Brian Bjerring-Jensen Replied
Have you actually managed to send an email successfully to an external or internal domain?

I have tried but the recipient is not showing and the mail is not sent.
Daniele (TDBnet) Replied
I have tried sending to every domain on the same SmarterMail server (on mine I have 9 domains), both my own address's domain and others. The From address set on the SMTP account can be any address (even on a nonexistent domain); the To address can be any address on any SmarterMail domain on the server.

For example:

1. Log in to your mailbox (i.e. bad-employee@company.com on the SmarterMail server mail.myserver.com)
2. Go to your settings, tab Connectivity
3. Set up an SMTP Account using the same SmarterMail server address (i.e. mail.myserver.com)
4. Set the email address to any email address, if you like also on another domain and server (i.e. topboss@holdingofthecompany.com)
5. Do not enable authentication
6. Save, and it will be saved.
7. Now create a new mail and set the From address to topboss@holdingofthecompany.com (or any other you set)
8. Send to another local email address (i.e. poor-employee@company.com)

Now bad-employee@company.com has spoofed its real address, and poor-employee@company.com has received an email from topboss@holdingofthecompany.com.
Kyle Kerst Replied
Employee Post
Hello TDBnet; I believe the scenario you outlined should be covered by our authentication settings. In the domain's settings you'll find a toggle to require SMTP authentication; then within Settings > Protocols > SMTP In you'll find similar settings, including one called Require Auth Match, which you can configure for Email Address, and that will force the user to authenticate with whichever account they're trying to send from.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Daniele (TDBnet) Replied
No, Kyle. I already have that parameter set as you wrote, but it works only with external clients (e.g. Thunderbird) and not within the webmail when adding a local SmarterMail SMTP account without enabling authentication.

Thank you anyway for your suggestion.
Daniele
Kyle Kerst Replied
Employee Post
You're very welcome, Daniele. When I mimic this test here, my outgoing messages are rejected with "authentication is required for relay" due to my protocol and domain settings requiring authentication during SMTP. It's possible you have a whitelist entry somewhere that is overriding that requirement? I recommend we start a ticket to get to the bottom of this.
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Kyle Kerst Replied
Employee Post
Hi Daniele, just a quick follow-up for you on this. Jorel and I looked at this together, and we were able to replicate the behavior only when the SMTP address is an external domain not known to SmarterMail; I think this is likely why the Require Auth Match and other authentication settings don't get engaged. We're not sure how much of this is expected just yet, so we're going to discuss it further with our development team, and we'll get you an update on this as soon as possible. Thanks, Daniele!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
Daniele (TDBnet) Replied
Thank you so much! I really appreciate the attention you and Jorel are paying to this.

I have not whitelisted any IP address, and all built-in local addresses are set without SMTP auth bypass:


Here are my SMTP In protocol settings:


I've posted a YT video in the ticket followed by Jorel ("Possible security issue") in which I show that I was able to spoof email for an internal domain known to my SmarterMail server as well, not only from an external domain it doesn't know.

Daniele
