Community Forum

Patrick
Patrick
Offline
Resolved
0 votes
Hi Everyone,

I have ClearOS setup in gateway mode and everything is working out well those far. The only real issue I'm having is in sending email from a client/phone when outside the building/LAN. I can't connect to the outbound mail server. When inside the LAN mail sends out just fine.

I have the SMTP service turned on and Mail Forwarding enabled for both my internal mail servers. In the firewall settings I have SMTP enabled under Incoming Connections. In the past with other products I've just setup a port forward on SMTP. However, I can't port forward 25 and also have SMTP listed under incoming connections.

How do I accomplish this without just setting up a port forward. I don't want to lose the ability to filter email coming through the gateway.

Thanks all
Sunday, June 18 2017, 11:25 PM
Share this post:
Responses (5)
  • Accepted Answer

    Monday, June 19 2017, 06:38 PM - #Permalink
    Resolved
    0 votes
    There is one more thing you can do. Due to feature (bug) in the ClearOS set up, authentication by SMTPS is permanently enabled. What you can do instead of turning on Authentication, is switch to SMTPS and open incoming tcp:465 in your firewall. Theoretically this is no more secure than turning on authentication and using tcp:25, except that there is still hostile traffic on 465 but far less than on 25. The attack vector is the same and app-attack-detector provides the same defence to 465 as it does to 25. Personally I use STARTTLS on tcp:587 rather than SMTPS, but that requires further configuration of ClearOS.

    The SMTPS solution will work both inside and outside your LAN.
    The reply is currently minimized Show
  • Accepted Answer

    Patrick
    Patrick
    Offline
    Monday, June 19 2017, 02:36 PM - #Permalink
    Resolved
    0 votes
    Thanks for the info Dave!

    I guess the question at this point is how do I use SASL authentication for "remote clients" to gain SMTP "same network" rights? How does this work if my mail server is already authenticating SMTP connections?

    I really need a fairly straight forward solution to allow remote clients/employees the ability to send email when they are not physically on the LAN.

    Any further guidance is much appreciated!
    The reply is currently minimized Show
  • Accepted Answer

    Monday, June 19 2017, 01:24 PM - #Permalink
    Resolved
    0 votes
    Patrick is spot on. Thanks Patrick! The only safe way to relay email from the outside is to turn on authentication. This too has its risks because now each of your users and their usernames and passwords (if they are weak) are attack vectors for spam. We see this all the time in ClearCARE support where SMTP authentication is turned on to give the results of being able to send mail on the outside but not enough is done to secure the client.

    - For example, passwords sent in plain text means that a man in the middle attack on your SMTP service will be able to relay mail now through your SMTP service and destroy your reputation to send mail on the internet. To prevent this, make sure that TLS is turned on and that your clients are only configured with Secure TLS for their SMTP settings and for the POP3 and IMAP setting have them use POP3S and IMAPS (don't even open the non-secure ports)

    - Another vector is antivirus on the workstations. We also see that users can be compromised on the inside of the network and hackers can see the passwords they are using through various means. Knowing this and that you have an authentication relay for email means that once again your mail server is compromised and sending spam on behalf of exploitive dorks who rationalize their immoral extortion of your resources in their minds by stating that you had it coming because you failed to secure your network.

    - Another vector is that you can have users with bad passwords that make them easy to guess. With authentication now open to the outside, spammers will use probes to attempt to detect authentication vectors. They will even use your own user's usernames as pawns if they are known. And by known I mean that the hackers already send you spam so they know your accounts, see. So they look up the mail domain for that account and see if they can authenticate to it. Even though your mail server uses TLS, they can securely connect and try all day long to guess your user's password. This is why you need to have strong passwords and ALSO why you need to install and use the Attack Detector app under ClearOS 7 (for ClearOS 6 users you will want to set up the open source fail2ban app).
    The reply is currently minimized Show
  • Accepted Answer

    Patrick
    Patrick
    Offline
    Monday, June 19 2017, 07:09 AM - #Permalink
    Resolved
    0 votes
    Should I have SMTP authentication turned on within ClearOS? When I do see this message in the maillog.
    warning: unknown[myinternet IP]: SASL LOGIN authentication failed: authentication failure

    When I turn authentication off I get this message.
    NOQUEUE: reject: RCPT from unknown 454 4.7.1 Relay access denied;
    The reply is currently minimized Show
  • Accepted Answer

    Patrick
    Patrick
    Offline
    Monday, June 19 2017, 01:10 AM - #Permalink
    Resolved
    0 votes
    My internal mail server message:
    530 SMTP authentication is required. (in reply to RCPT TO command)

    I guess what I'm asking...is ClearOS preventing the connection to my mail server for outbound mail? I haven't been able to authenticate my email client with my outbound mail server.
    The reply is currently minimized Show
Your Reply