
I received an email from one of our servers this morning (CentOS, with WHM running LAMP) stating:

The server has POP3 before SMTP enabled.

For security reasons, cPanel highly recommends that you disable this functionality.

I have done some searching but I can't see why cPanel is recommending this be disabled.

I am loath to just go ahead and disable this feature. Our clients haven't been instructed to access the SMTP server via POP before SMTP, but that doesn't mean that some enterprising IT guy working for a customer of ours hasn't configured their mail accounts to do so (it does require SMTP authentication, so someone might try to get around that with POP before SMTP).

What security reasons are cPanel warning me about?

HopelessN00b
GeoffAtkins
  • For anybody who needs to disable this in cPanel: If "POP before SMTP" does not appear in Tweak Settings in WHM, another way to disable it is to simply disable `antirelayd` in WHM's Service Manager. – Austin Burk Oct 16 '15 at 14:17

1 Answer


For starters, everyone behind a common NAT gateway will be authorized to send mail as the client that initiated the POP before SMTP, as it just means "IP x.x.x.x has successfully authorized, they may send mail now" and all clients behind the NAT will appear with the same IP.

Potentially, this might mean 1000s of completely random, unrelated users can use your SMTP server in case of modern carrier grade NAT networks, e.g. in cell phone networks.

This alone and the fact that every relevant mail client nowadays is able to do SMTP auth should be enough to convince you to turn it off.

Sven
  • That's exactly the concise and compelling argument I needed. Thank you. Admittedly, our server doesn't have anything like that amount of users, but it's reason enough. – GeoffAtkins Oct 16 '15 at 09:33
  • With the 1000s of users I meant the amount of devices sharing a public IP address in a cell phone network. Most carriers use NAT and all those devices with the same public IP potentially would be able to send mail via your server if one of your users used SMTP after POP from such a network. – Sven Oct 16 '15 at 09:35
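
The IP-keyed authorization described in the answer above, modelled next to SMTP AUTH. This is an added illustration, not part of the original posts and not cPanel's or `antirelayd`'s code; the 30-minute window, the addresses and the account are constructed assumptions.

```python
import hmac

NAT_PUBLIC_IP = "203.0.113.10"  # constructed: one carrier-NAT address shared by many devices
OTHER_IP = "198.51.100.7"       # constructed: an unrelated network


class PopBeforeSmtp:
    """Relay permission keyed on source IP only (window length is an assumption)."""

    def __init__(self, window=1800):
        self.window = window
        self.allowed_until = {}  # source IP -> expiry time in seconds

    def pop3_login_succeeded(self, src_ip, now):
        self.allowed_until[src_ip] = now + self.window

    def may_relay(self, src_ip, now):
        return self.allowed_until.get(src_ip, 0) > now


class SmtpAuth:
    """Relay permission tied to credentials presented in the SMTP session itself."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> password (constructed sample data)

    def may_relay(self, src_ip, username=None, password=None):
        expected = self.accounts.get(username)
        if expected is None or password is None:
            return False
        return hmac.compare_digest(expected.encode(), password.encode())


def simulate():
    """One customer checks mail from behind the NAT; who may send mail afterwards?"""
    pbs = PopBeforeSmtp()
    pbs.pop3_login_succeeded(NAT_PUBLIC_IP, now=0)  # the customer's POP3 login
    auth = SmtpAuth({"customer@example.com": "constructed-password"})
    return {
        # Customer and stranger arrive from the same address, so the server
        # sees the identical lookup and cannot tell them apart.
        "pbs_any_device_behind_nat": pbs.may_relay(NAT_PUBLIC_IP, now=60),
        "pbs_other_network": pbs.may_relay(OTHER_IP, now=60),
        "pbs_after_window": pbs.may_relay(NAT_PUBLIC_IP, now=1801),
        "auth_stranger_behind_nat": auth.may_relay(NAT_PUBLIC_IP),
        "auth_customer": auth.may_relay(
            NAT_PUBLIC_IP, "customer@example.com", "constructed-password"),
    }


if __name__ == "__main__":
    for case, allowed in simulate().items():
        print(f"{case:28} {allowed}")
```
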