stunnel with SMTPD -> open relay!


pete
Posts: 111
Joined: Tue Nov 09, 2004 10:26 pm
Location: San Diego, CA

stunnel with SMTPD -> open relay!

Postby pete » Fri Feb 24, 2006 1:24 am

It would be very nice to be able to support encrypted SMTP. However, if I try to use stunnel to
get an SSL connection to SMTPD on the listening interface, it results in an open relay due to
the fact that the connection appears to come from localhost which is allowed to relay in
smtpd.cfg.

stunnel.conf looks like:

[smtps]
accept=465
connect = [address of interface]:25

Is there any neat way around this?

P

(I saw the HOWTO entry, but was wondering if this could be done with a single address)

kali
Posts: 64
Joined: Sat Oct 29, 2005 12:13 am

Postby kali » Fri Feb 24, 2006 2:57 pm

You are correct - stunnel and smtpd create an open relay (documented).

But yes - there are alternatives which work, and I do it on all my installations. I use sendmail as the relay and it handles everything for port 25. Why? Because I can then:

1. Use SMTPAUTH
2. Use STARTTLS
3. Layer in all my virus/spam/content scanning engines.
4. Integrate any DNSBL's which are appropriate at the gw.
5. Include "local" accounts (such as spam accounts which sa-learn can read).

VERY functional, very robust. I have thought about writing a how-to (it's not that difficult really, other than SMTP-AUTH which is a little tricky) but have been a little careful not to undermine the Scalix standard setup in any way. It works wonders for me, and I have "standardized" on it, but you do need to be a reasonably competent Linux admin for this.

ricky

Re: stunnel with SMTPD -> open relay!

Postby ricky » Tue Mar 14, 2006 9:59 am

pete wrote: It would be very nice to be able to support encrypted SMTP. However, if I try to use stunnel to
get an SSL connection to SMTPD on the listening interface, it results in an open relay due to
the fact that the connection appears to come from localhost which is allowed to relay in
smtpd.cfg.

stunnel.conf looks like:

[smtps]
accept=465
connect = [address of interface]:25

Is there any neat way around this?

P

(I saw the HOWTO entry, but was wondering if this could be done with a single address)


Well, it can be done! :)

Set stunnel like you did above...

Change smtpd.conf to not relay from any "local ethernet ports" but loopback.
Change the smtpd address from the local hostname to "localhost" in /etc/opt/scalix/webmail/swa.properties.
Restart tomcat...
restart smtpd...

That should fix it: localhost is allowed to relay; you can actually turn on relaying for other LAN addresses but not for the primary IP address of the machine.

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Tue Mar 14, 2006 11:10 am

Hi Ricky,

are you saying you set it up like you suggested and you did not create an open SMTP relay or are you saying what you suggest should work?

Cheers,

Sascha.

ricky

Postby ricky » Tue Mar 14, 2006 11:24 am

ScalixSupport wrote: Hi Ricky,

are you saying you set it up like you suggested and you did not create an open SMTP relay or are you saying what you suggest should work?

Cheers,

Sascha.


I set it up, and when connecting to 465 I get an error if I don't use authentication, at least in Thunderbird. The error in smtpd.log is as follows:

Accepted client 1 from (va.lindist.se)
Cli 7142/1 sent : 220 va.lindist.se ESMTP Scalix SMTP Relay 10.0.0.175; Tue, 14 Mar 2006 16:23:32 +0100 (CET)

Cli 7142/1 rcvd: 'EHLO [62.119.89.4]'
Cli 7142/1 sent : 250-va.lindist.se Hello va.lindist.se [62.119.89.200], pleased to meet you
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
250-AUTH=LOGIN
250-DSN
250 8BITMIME

Cli 7142/1 rcvd: 'MAIL FROM:<ricky@va.lindist.se>'
Cli 7142/1 sent : 250 ricky@va.lindist.se... Sender ok

Cli 7142/1 rcvd: 'RCPT TO:<ricky@osser.se>'
Rejected relay attempt from ricky@va.lindist.se at 62.119.89.200 to ricky@osser.se
Cli 7142/1 sent : 550 Denied due to spam list

If I turn on Login in Thunderbird it all works...

The important thing is, stunnel sends to the ethernet interface, which isn't the loopback; if you don't allow an open relay on the same interface then it won't relay without authentication, as the IP stack automatically sends from the same interface. This is Linux, not Windows... So, as long as you don't relay the local IP address, only localhost, and set SWA to use localhost to send email, then it works...

ricky

Postby ricky » Wed Mar 15, 2006 1:56 pm

ScalixSupport wrote: Hi Ricky,

are you saying you set it up like you suggested and you did not create an open SMTP relay or are you saying what you suggest should work?

Cheers,

Sascha.



Hi Sascha,

no, I did not create an open SMTP relay and it does work... Tried with both 9.4.x and 10.0...

/Ricky

interways1
Posts: 13
Joined: Wed May 24, 2006 11:02 am

Postby interways1 » Fri May 26, 2006 10:20 am

What do you mean change to not relay from any local ethernet ports? How do I do that in smtpd.cfg?

Thanks

Chris

ricky

Postby ricky » Sat May 27, 2006 2:20 pm

interways1 wrote: What do you mean change to not relay from any local ethernet ports? How do I do that in smtpd.cfg?

Thanks

Chris


Well, don't openly relay from any non-localhost (non 127.0.0.1) ports...

All IP addresses on the server should ask for SMTP authentication.

Regards,

Rickard

dpuryear
Posts: 34
Joined: Thu May 25, 2006 5:02 pm

Postby dpuryear » Tue Jul 18, 2006 1:15 pm

We configured smtpd to do AUTH, but now Scalix webmail can't send mail to non-local addresses. How do we reconfigure Scalix webmail to do AUTH? Or do we do something else?

ricky wrote:
interways1 wrote: What do you mean change to not relay from any local ethernet ports? How do I do that in smtpd.cfg?

Thanks

Chris


Well, don't openly relay from any non-localhost (non 127.0.0.1) ports...

All IP addresses on the server should ask for SMTP authentication.

Regards,

Rickard

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Wed Jul 19, 2006 8:10 am

You need to give the server a second IP address that is not stunneled and then allow relaying for that IP address. In swa.properties change the smtpserver parameter to this new IP address.

Cheers,

Sascha.

btisdall
Scalix Star
Posts: 373
Joined: Tue Nov 22, 2005 12:13 pm

Postby btisdall » Sun Jul 23, 2006 8:09 am

Thanks Ricky, I needed to implement SMTPS/IMAPS on Scalix for the first time this week & your tip works a treat. For those who might appreciate a 'recipe', this is how I did it:

/etc/stunnel/stunnel.conf:

cert = /path/to/stunnel-cert.pem
key = /path/to/stunnel-key.pem
[imaps]
accept = 993
connect = 143
[smtps]
accept = 465
connect = 192.168.0.3:25


Of course replace '192.168.0.3' with your server IP.

/var/opt/scalix/sys/smtpd.cfg (fragment):

RELAY accept 127.0.0.1
RELAY Log_Reject ALL


(make sure no other RELAY lines exist in the above file unless you know what you're doing)

/etc/opt/scalix/webmail/swa.properties (fragment):

swa.email.smtpServer=127.0.0.1


Or if using 9.4:

/etc/opt/scalix/webmail/partner.xml (fragment):

smtpServer="127.0.0.1"


Restart tomcat & the smtp relay & try to relay with authentication (should work) & without (shouldn't!). Just to be paranoid, I checked the server with abuse.net too, which gave a clean bill of health. Check that you can send to external addresses using SWA too!

Ben Tisdall
www.redcircleit.com
London

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Sun Jul 23, 2006 12:46 pm

Just to make sure that everyone is clear on this. The above suggestions will only work if Scalix is the only server to receive mail on your domain.

If you need to forward incoming mail for the same domain to other servers that are not Scalix, you MUST have a

RELAY accept .domain.com

line and also use the 2-IP address method for blocking out non-authenticated connections to the SMTP Relay.

Cheers

Dave
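The recipe and Dave's `.domain.com` caveat above, modelled as an added example (not Scalix code): a simplified evaluator for `RELAY` lines plus a kernel query showing why stunnel's `connect =` target decides which peer address smtpd sees. The first-match rule order, the pattern semantics and the sample config text are assumptions made for the illustration.

```python
import socket

# Constructed smtpd.cfg fragment, in the style quoted in the recipe above.
SMTPD_CFG = """
RELAY accept 127.0.0.1
RELAY Log_Reject ALL
"""

def parse_relay_rules(cfg_text):
    """Return [(action, pattern)] for every RELAY line, in file order."""
    rules = []
    for line in cfg_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].upper() == "RELAY":
            rules.append((parts[1].lower(), parts[2]))
    return rules

def pattern_matches(pattern, peer_ip, peer_host):
    """ALL matches everything, a leading dot matches a domain suffix, anything
    else must equal the peer IP or hostname (assumed model, not Scalix's matcher)."""
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("."):
        return peer_host.lower().endswith(pattern.lower())
    return pattern == peer_ip or pattern.lower() == peer_host.lower()

def relay_allowed(rules, peer_ip, peer_host=""):
    """First matching rule decides: 'accept' relays, anything else rejects."""
    for action, pattern in rules:
        if pattern_matches(pattern, peer_ip, peer_host):
            return action == "accept"
    return False

def local_source_for(dest_ip):
    """Ask the kernel which local address it would use to reach dest_ip.
    connect() on a UDP socket sends nothing; it only picks route and source."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest_ip, 25))
        return s.getsockname()[0]
    finally:
        s.close()

def unauthenticated_relay_via_stunnel(rules, stunnel_connect_ip):
    """smtpd's decision for an unauthenticated client that came through stunnel:
    the peer it sees is stunnel's own source address, derived from 'connect ='."""
    return relay_allowed(rules, local_source_for(stunnel_connect_ip))
```

With `connect = 127.0.0.1:25` the peer is 127.0.0.1 and the recipe's `RELAY accept 127.0.0.1` line lets anyone relay, which is pete's original problem; with `connect = 192.168.0.3:25` the peer is the interface address, which only `Log_Reject ALL` matches.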

btisdall
Scalix Star
Posts: 373
Joined: Tue Nov 22, 2005 12:13 pm

Postby btisdall » Mon Jul 24, 2006 5:36 am

Hi Dave,

thanks for pointing this out. Could you further clarify something please?

According to the admin guide as it relates to the smtp relay (my bold):

The hostname pattern identifies the originating host (or the destination host in the case of the SMTP Relay event).


However, as far as I can gather from practice & from the guide's description of the RELAY event, if a host matches a pattern in a 'RELAY accept' directive then that host may relay to any host & be relayed to from any host. If this is the case then perhaps the wording should be tightened up to something like:

"... originating host (or in the case of an SMTP relay event either the originating or destination host)".


Do I understand all this correctly?

Cheers.
Ben Tisdall
www.redcircleit.com
London

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Mon Jul 24, 2006 1:12 pm

The English language is wonderfully confusing, isn't it ?

Your understanding is correct ( as is our wording :wink: ) so I'll raise a doc bug to get this cleaned up.

Cheers

Dave

bluemike
Posts: 202
Joined: Fri Oct 28, 2005 1:30 pm
Location: Everett,WA

Postby bluemike » Mon Oct 23, 2006 8:18 pm

Regarding the 'recipe' above, how are these made?:

cert = /path/to/stunnel-cert.pem
key = /path/to/stunnel-key.pem
