Spam mail from external user

security
webtop
spam
v6
mailserver

(Paolo) #1

NethServer Version: 6.9
Module: webtop

Hello everyone, we are using NethServer as a mail server; recently we had some spam issues due to a hacked password of an external user.
The strange thing is that this external user was able to send mail from a fake domain not present in our NethServer. How is that possible? How can I stop my server from sending mail from unknown domains?
(Obviously I changed the password of the hacked user, and we have no more spam.)

Thanks


(Stefano Zamboni) #2

well… if you can authenticate yourself, you can easily use any sending domain you want: AFAIK there’s no such restriction


(Paolo) #3

so you are telling me that if I know the password of a user, I can send mail from any other account? For example, if a technician knows the password of his user account, then he can also send mail from the administration department or from every other user account?


(Jeroen Visser) #4

Nice catch … this should not be possible.

I edited my SOGo email settings like so:
From: someone@microsoft.com
Reply-to: someone@microsoft.com

The result after sending a mail to myself:
[screenshot]

But what’s worse is that I can, as is suggested above, enter ANY address I like, including that of the CEO, and pretend I have sent mail from there. If I edit my personal details to match, there is no good way to see this was done.

This is a HUGE issue if you ask me.

This means I can in


(Stefano Zamboni) #5

the “issue” has nothing to do with SOGo, but just with how the SMTP server is configured

for example, I often create an account on my servers to be used as an authenticated SMTP smarthost for some customers…


(Jeroen Visser) #6

I should not be able to impersonate another address on the same server.


(Stefano Zamboni) #7

maybe, but this is the way things work now


(Saito Benkei) #8

Yes.

There’s a discussion opened here:

https://community.nethserver.org/t/check-authenticated-user-identity-before-sending/7576


(Jeroen Visser) #9

So, it might be that I have been too long in a Microsoft world, as this is indeed default behaviour on the few mailservers I tested this on just now.

It looks pretty WTF if you are not aware of this, and have been living in an Outlook-Exchange-world.

Can anybody school me on how they prevent JohnDoe@mydomain from sending mail as if it were from hrm@mydomain.com or emergency@mydomain.com with links to malicious content? Is this just of no concern to people? Am I still missing something?


(Stefano Zamboni) #10

well… exchange-outlook and email-server in the same sentence is an oxymoron :slight_smile:


(Jeroen Visser) #11

…I know, I know … try to tell that story in userland :frowning:

I used to be able to …
On exchange I could just …

…stuff like that … they’d rather not hear that Exchange ignores standards in order to provide those services, and therefore breaks compatibility with just about everything else.


(Alessio Fattorini) #12

The only way to prevent things like this is implementing a check like @saitobenkei suggested above :point_up:


(Jeroen Visser) #13

As long as it will also recognise aliases, I am all for that!


(Saito Benkei) #14

(Which he failed to make work with webtop :smiley: )
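The check discussed in posts #12 and #13 (bind each envelope sender to the login that owns it, aliases included) is what Postfix calls sender login maps. The fragment below is an added example, not configuration from NethServer or from anyone in this thread; it assumes NethServer's SMTP service is Postfix, that SASL logins are plain usernames, and it uses placeholder addresses in example.com. On NethServer, main.cf is regenerated from templates, so in practice the main.cf lines would go into a templates-custom fragment rather than being edited in place.

```conf
# --- /etc/postfix/main.cf (placeholder additions, example only) ---

# Table mapping each sender (MAIL FROM) address to the SASL login(s)
# allowed to use it. Lookup order is the usual address lookup:
# user@domain first, then user, then @domain.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Weak: once authenticated, a client may put any address in MAIL FROM,
# which is the behaviour described in this thread.
#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks

# Hardened: an authenticated client whose MAIL FROM is owned by a
# different login (or by nobody in the map) is rejected at MAIL FROM,
# before permit_sasl_authenticated can accept it.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    permit_mynetworks

# --- /etc/postfix/sender_login_maps (placeholder addresses) ---
#
# sender address           owner login(s)
# Each user owns their own primary address.
johndoe@example.com        johndoe
alice@example.com          alice
# Aliases and shared mailboxes must be listed explicitly with every
# login allowed to send as them; otherwise alice's mail from hrm@
# is rejected, which is the alias concern raised in post #13.
hrm@example.com            alice, bob
emergency@example.com      alice
# A whole-domain entry suits the smarthost account from post #5:
# that login may send as any address in the domain, nobody else may
# use addresses not listed above.
@example.com               smarthost
```

After editing the map, rebuild the hash table (`postmap /etc/postfix/sender_login_maps`) and reload Postfix; a rejected message shows up in the mail log as a "Sender address rejected: not owned by user" reject, which is also a useful detection signal for a compromised account.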