Spam mail from external user

paoloc · 2018-03-07 14:00:14 UTC

NethServer Version: 6.9
Module: webtop

Hello everyone, we are using nethserver as mail server, recently we had some spam issues due to hacked password from an external user.
The strange thing is that this external user was capable of sending mail from a fake domain not present in our nethserver. how is it possible? how can i disable my server sending mail from unknown domains?
(Obviously i changed the password of the hacked user and we have no more spam)

Thanks

Stefano_Zamboni · 2018-03-07 14:03:30 UTC

well… if you can authenticate yourself you can easily use any sending domain you want: AFAIK there’s no such a restriction

paoloc · 2018-03-07 14:07:18 UTC

so you are telling me that if i know the password of a user, i can send mail from any other account? for example if a tecnician knows the password of his user account, then he can send mail from also the administration department or every other user account?

planet_jeroen · 2018-03-07 14:17:38 UTC

Nice catch … this should not be possible.

I edited my SOGo email settings like so:
From: someone@microsoft.com
Reply-to: someone@microsoft.com

The result after sending a mail to myself:
afbeelding

But what’s worse, is that I can, as is suggested above, enter ANY adres I like, including that of the CEO, and pretend I have send mail from there. If I edit my personal details to mach, there is no good way to see this was done.

This is a HUGE issue of you ask me.

This means I can in

Stefano_Zamboni · 2018-03-07 14:49:10 UTC

the “issue” has nothing to do with SOGo, but just with how the smtp is configured

for example, I create often an account in my servers to be used as auth smtp smarthost for some customers…

planet_jeroen · 2018-03-07 15:02:44 UTC

I should not be able to impersonate another address on the same server.

Stefano_Zamboni · 2018-03-07 15:11:46 UTC

maybe, but this is the way things are working now

saitobenkei · 2018-03-07 15:18:51 UTC

Yes.

There’s a discussion opened here:

https://community.nethserver.org/t/check-authenticated-user-identity-before-sending/7576

planet_jeroen · 2018-03-07 15:51:57 UTC

So, it might be that I have been too long in a Microsoft world, as this is indeed default behaviour on the few mailservers I tested this on just now.

It looks pretty WTF if you are not aware of this, and have been living in an Outlook-Exchange-world.

Can anybody school me on how they prevent JohnDoe@mydomain sending mail as if it was from hrm@mydomain.com or emergency@mydomain.com with links to malicious content? Is this just no concern to people ? Am I still missing something ?

Stefano_Zamboni · 2018-03-07 16:01:13 UTC

well… exchange-outlook and email-server in the same sentence is an oxymoron

planet_jeroen · 2018-03-07 16:03:13 UTC

…I know, I know … try to tell that story in userland

I used to be able to …
On exchange I could just …

…stuff like that … they rather do not like to hear that exchange ignores standards in order to be able to provide those services, and therefore breaks compatibility with just about everything else.

alefattorini · 2018-03-08 14:05:21 UTC

The only way to prevent things like this is implementing a check like @saitobenkei suggested above

planet_jeroen · 2018-03-08 14:07:19 UTC

As long as it will also recognise aliases, I am all for that!

saitobenkei · 2018-03-08 14:07:21 UTC

(Which he failed to make it work with webtop )