SMTP Relay Audit

Discussion forum for Enterprise Edition.
Post Reply
hicla
Posts: 8
Joined: Tue Sep 25, 2018 4:18 pm

SMTP Relay Audit

Post by hicla »

For unknown reasons we have mailenable configured to allow relay for authenticated senders.
2018-10-01 11_11_32-ext mail5 - RD Tabs.png
2018-10-01 11_11_32-ext mail5 - RD Tabs.png (21.54 KiB) Viewed 13396 times
This is getting abused by spammers when they manage to compromise an account credentials.

I'd like to disable this, but I'm not sure if customers are using it for legitimate reasons.
Is there a way to audit when outgoing emails are sent with a From address that is different from the email address used to authenticate? (we are using the ME authentication)

If that is disabled, my understanding is that authenticated users will only be able to send from addresses listed in their Addresses list. Is this the case?
2018-10-01 11_21_36-ext mail5 - RD Tabs.png
2018-10-01 11_21_36-ext mail5 - RD Tabs.png (10.55 KiB) Viewed 13396 times
Thanks

PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Re: SMTP Relay Audit

Post by PeteBatin »

You need to have this setting enabled for most cases, it's not this setting that is the problem it's the configuration you have in place running alongside it.

You can read more about relay here.
https://www.mailenable.com/kb/content/a ... D=ME020001

If your passwords are being compromised too frequently then you need to up your password complexity/length requirements.

hicla
Posts: 8
Joined: Tue Sep 25, 2018 4:18 pm

Re: SMTP Relay Audit

Post by hicla »

thank you for your reply, I realized the idiocy of what I asked a few minutes after posting my question, but as a new user of this forum the question went to moderation for approval and I couldn't delete/edit it.

Having established that "Allow relay for authenticated senders" is essential to allow users to send email after after logging in, are you aware of any setting that limits users to send only from the aliases configured for them and not arbitrary addresses?

> If your passwords are being compromised too frequently then you need to up your password complexity/length requirements.
agree, luckily it has been a pretty rare event so far but I'm ready to revisit the password policy

PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Re: SMTP Relay Audit

Post by PeteBatin »

Hi,

Yes, there is a setting to force that users are only able to send from addresses within their mailbox

SMTP > Properties > Security > Authenticated senders must use address from their postoffice.

This will work for aliases also, however beware if you have any clients sending as a forwarding addresses but SMTP login is the original mailbox credentials they will not be able to send (we have a few mailboxes like that on one of our servers).

On the same Security tab, click the Address Spoofing button and select the option "Authorised connections can spoof sender addresses".

Also you'll want to disable any catch-alls (I'm not 100% sure if having this enabled will allow sending from any address @domain.com but it will help rule it out).

hicla
Posts: 8
Joined: Tue Sep 25, 2018 4:18 pm

Re: SMTP Relay Audit

Post by hicla »

Thank you!
We already had "Authenticated senders must use address from their postoffice" checked, but then in address spoofing we had "Anyone can spoof sender addresses" selected.
beware if you have any clients sending as a forwarding addresses but SMTP login is the original mailbox credentials they will not be able to send (we have a few mailboxes like that on one of our servers).
how do you handle this? We have clients that use their mailboxes as an auto-forward. I don't see a way to override this for a specific mailbox/postoffice

PeteBatin
Posts: 22
Joined: Fri Jan 22, 2016 9:32 am

Re: SMTP Relay Audit

Post by PeteBatin »

beware if you have any clients sending as a forwarding addresses but SMTP login is the original mailbox credentials they will not be able to send (we have a few mailboxes like that on one of our servers).

how do you handle this? We have clients that use their mailboxes as an auto-forward. I don't see a way to override this for a specific mailbox/postoffice
There's no easy way other than to reorganise (which we haven't got round to yet). We have two servers running MailEnable, the newest one has been correctly configured additional domains are added as alias domains. On our older server, we inherited lots of ancient accounts/domains that were a mess (some still are).

There are historical mailboxes which contain lots of mail but the domain is no longer primary, the primary forwards to the ancient one and they advertise the email addresses as the new domain. In an idea world the new domain would have been added as an alias (which would have solved everything) but instead the new domain had it's own mailboxes added to it and the staff who had accounts on the old domain have their mail forwarded from the new to old domain and they send from the old mailbox with the new domain as spoofed From address. So if we switch on that setting, the old accounts can't send emails. At some point, we have alot of housekeeping to do to tidy up the mess, migrate accounts and mail to the new domains and add the old domains as aliases!!

Post Reply