Mail from local network

Mastermind · October 15, 2024, 11:39pm

Hi @ all,

I can send emails via port 587 without authentication and without encryption. Also via port 25. Is that correct?

Next question: I have an old IP-cam (in the same local network) and the cam should send mails via port 465 with TLS. But the certificate of the cam is old an there is no way to update that. So I get the error “TLS certificate verification failed: self signed certificate” on the cam. Is it possible to switch off the certificate check for one mail user?

Thanks

Greetings

davidep · October 16, 2024, 6:46am

No, that’s not generally correct unless you’ve configured IP-based relay for the entire LAN (see: IP-based relay configuration), which is not recommended.

Relaying to external domains should only be allowed with SMTP authentication over TLS. However, if the recipient domain is handled by the Mail service itself, this can be acceptable.

If you’re certain the TLS error is caused by the camera, and you can configure it to send emails without TLS, you could use the IP-based relay policy just for the camera IP, as mentioned earlier.

Mastermind · October 16, 2024, 7:36am

Thanks for your answer @davidep .

No, that’s not generally correct unless you’ve configured IP-based relay for the entire LAN

I have no IP-based relay configured but I can send emails via port 587 without authentication and without encryption. Also via port 25. So is this a bug that I can do this?

If you’re certain the TLS error is caused by the camera, and you can configure it to send emails without TLS, you could use the IP-based relay policy just for the camera IP, as mentioned earlier.

Thanks. I think this will help. The mail from the cam should not leave the server.

Only for clarify: An authentication without TLS / STARTTLS is not possible, right?

Regards

davidep · October 16, 2024, 7:56am

I hope not, but it would be wonderful if you can tell how to reproduce it!

Authentication is offered only on encrypted channels. Mail — NS8 documentation

Mastermind · October 17, 2024, 7:51am

Hi @davidep

thanks for your answer.

I hope not, but it would be wonderful if you can tell how to reproduce it!

I simply use the Windows PowerShell with this command on an pc in the local network:

Send-MailMessage -From x@x.x -To (name on NethServer)@(domain on NethServer) -Subject Test -SmtpServer (IP from NethServer) -Port 587 “Test”

or

Send-MailMessage -From x@x.x -To (name on NethServer)@(domain on NethServer) -Subject Test -SmtpServer (IP from NethServer) -Port 25 “Test”

And the mail reaches the recipient on the NethsServer.

Kind regards

davidep · October 17, 2024, 8:03am

This is the standard MTA-transfer behavior. SMTP authentication is not required if the recipient domain is handled by the server you’re talking to.

To test SMTP authentication and relay policy, you may send a message to an external domain, like nethserver.org.

Mastermind · October 17, 2024, 11:57pm

Thanks @davidep for your answer.

SMTP authentication is not required if the recipient domain is handled by the server you’re talking to.

This is a fact that I was not aware of.

Regards