We also use the NethServer as an e-mail server.
The e-mails are forwarded from the commercial servers to the NethServer e-mail server, e.g. from GMX.
Then we retrieve them from the NethServer via IMAP and/or POP3.
How do I configure it so that the outgoing server can only be used with SMTP authentication?
Or even better, no authentication from the internal LAN (for system emails from other servers) and authentication from the Internet.
Simply sending from the LAN would also be sufficient in terms of security, so that SMTP authentication would not be absolutely necessary.
It’s just that others can’t use our server as an exit server.
It might also be worth mentioning that the network server is a member of an Active Directory 2016.
Authentication when sending e-mails already works, I tested it, but mail can also be sent without it.
Or is it enough to configure the firewall?
However, other e-mail servers should be able to transmit e-mails to the network server. If I blocked that, no reception would be possible either. Or am I wrong?
In the new cockpit it seems to be this.
I have activated it, but you can still send emails from outside via my server.
I tested it with a smartphone via the mobile network.
Otherwise that’s exactly what I want.
However, I had already seen that.
But maybe I didn’t understand something, and that’s why it doesn’t work.
Tick “trusted networks”; the LAN of NethServer is always in that group.
You could also add IPs or ranges in the box above.
Any authenticated user can always send mail, if they can connect.
You could, for example, deactivate ports 587 and 465 on your firewall to disallow external access…
Deactivating auth on Port 25 would then completely disallow external sending through your server.
Note: If you have Webmail activated, external sending is still (theoretically) possible…
Do I understand correctly that your NethServer is NOT your Firewall?
If needed, you need to block the ports 465 and 587 from external access on your external firewall…
This would make it impossible for an external user (even if legitimately authenticated) to send mail.
The possibilities are: Ports 587, 25 or 465.
Port 25 is needed for incoming mail.
You can deactivate auth on Port 25.
So clients - even smartphones - can only send when in the LAN, not from external.
You could use a VPN on external devices like notebooks / smartphones…
(You wouldn’t want to block yourself from sending a mail from external, I suppose?)…
Exactly, the NethServer is a member server.
Ports 25, 110 and 143 are forwarded to the NethServer (NAT & PAT).
Everything has been working fine for a long time.
Only, no foreign users should be allowed to use the server as an outgoing server.
Yes, I have two VPN servers, but they don’t help here.
Also, I don’t want to go into the VPN first to do something.
We (family) do not need an outgoing email server for normal end devices.
Notebooks, PCs and smartphones use the GMX server as the outgoing email server.
No emails are accepted from a DHCP range anyway.
We only use the NethServer for POP3 and IMAP.
And the e-mail server accepts the e-mails from outside.
That is also OK.
Internally in the LAN, only other servers send e-mail via the NethServer.
In Switzerland, if possible, we prefer to use our own mail systems, to avoid tracking and misuse of data for advertising.
We don’t use clouds if possible, unless it’s your own…
My 2 cents
Andy
PS: I do have similar settings for some clients, it is working…
Maybe check / double-check all involved systems (Firewall, other NethServers) especially DNS, Mail and maybe also Firewalling…
I once added the whole range of servers.
You could not specify an IP range.
Maybe it only works in this combination?
Maybe I should boot the server?
But, I’m in the right place here in the web interface, it seems.
It could have been that I’m on the wrong track, and that only works here if you set up a real relay server.
I have to test this first.
By the way, I don’t need a smart host.
But that would be even worse, then someone could send spam through my server, which is also accepted.
Now someone can send mails that are not accepted anyway (because of the DHCP area).
I guess I just tested wrong.
If I take an e-mail address from the server, then it works even without an account and password for the outgoing mail server.
Sure, that’s as if another mail server wants to transfer an email.
If I use a third-party e-mail address as the recipient, a message comes up immediately from my mail server that it is not allowed.
If I enter the password and username for the e-mail account, I can send to other “foreign” e-mail addresses.
Everything as desired. At least that’s a quick test.
However, the relay does not work in the local network, but it should also work without a username and password.
But that’s not bad, since I can specify a password for most services.
And where it doesn’t work, I still have a purely internal mail server that can still be used for such purposes.
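As an added illustration (not code from NethServer, Postfix or any participant in this thread): a small Python model of the Postfix restriction order behind the behaviour observed above (local recipients accepted without a login, foreign recipients rejected unless the client is in the trusted networks or authenticated on a submission port), with the thread's firewall forwarding of only ports 25, 110 and 143 layered in front of it, as suggested in the earlier reply about blocking 465 and 587. The networks, domains and client addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values for this model; adjust to your own deployment.
TRUSTED_NETWORKS = [ip_network("192.168.1.0/24"), ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"family.example", "mail.example"}   # domains the server accepts mail for
AUTH_PORTS = {587, 465}        # submission ports where SASL login is offered
MX_PORT = 25                   # server-to-server port, SASL switched off
FORWARDED_PORTS = {25, 110, 143}   # what the external firewall NATs to the server


def relay_decision(client_ip, port, authenticated, recipient):
    """Mimic a Postfix recipient restriction list of
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination.
    Returns ('accept'|'reject', name of the rule that decided)."""
    ip = ip_address(client_ip)
    if port == MX_PORT:
        # Auth is disabled on port 25, so a login attempt there counts for nothing.
        authenticated = False
    if any(ip in net for net in TRUSTED_NETWORKS):
        return "accept", "permit_mynetworks"
    if authenticated and port in AUTH_PORTS:
        return "accept", "permit_sasl_authenticated"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        # Delivery to our own domain is not relaying: any MTA may hand it over.
        return "accept", "local delivery"
    return "reject", "reject_unauth_destination"


def submission_allowed(client_ip, port, authenticated, recipient):
    """Full picture: the external firewall is consulted before Postfix ever sees
    the connection, so 465/587 are unreachable from outside the LAN."""
    ip = ip_address(client_ip)
    internal = any(ip in net for net in TRUSTED_NETWORKS)
    if not internal and port not in FORWARDED_PORTS:
        return "reject", "port not forwarded by firewall"
    return relay_decision(client_ip, port, authenticated, recipient)


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", 25, False, "user@family.example"),    # foreign MTA delivering to us
        ("203.0.113.7", 25, False, "someone@gmx.example"),    # open-relay attempt
        ("203.0.113.7", 587, True, "someone@gmx.example"),    # authenticated, but port blocked
        ("192.168.1.20", 25, False, "someone@gmx.example"),   # internal server, no login needed
    ]
    for c in cases:
        print(c, "->", submission_allowed(*c))
```

Replacing `submission_allowed` with `relay_decision` in the loop shows what the same clients get when the firewall still forwards the submission ports: the authenticated external client is then permitted.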
I fully understand this and I agree. Don't get me wrong, clouds have (sometimes significant) benefits over traditional infrastructure, but - from a security POV - it's an expressway to disaster.
I think I know which one you are talking about. I'm also a long-time paying user of this system. There is NO better mail system out there. Tested many.