
I'm having an issue that's above my competence level. As we're working on improving the security measures that are in place in our network, we found (among others) one flaw that we have no idea how to fix.

We have our own SMTP server locally based on MDaemon and we hire a professional hosting service that connects us to the WAN and they also have their own SMTP relay, publicly accessible. So when the mail goes through, it comes from their SMTP to ours, to our devices. But we found out that their tcp port 587 didn't ask for authentication, meaning we could spoof any address whose domain name they handle, sending any email from, for example, boss@ourcorp.com to accountants@ourcorp.com, making it easier for a potential attacker to do phishing scams. But our service provider can't just close this port because we have nomadic users sending mails through it from their cellphones. Here are the options I thought of, being unsure how feasible they are:

  • Synchronise their SMTP user database with ours (or make it just theirs) so they have the logins/passwords to enforce and check authentication when someone just netcats to the MSA on port 587,
  • Not use their MSA and put ours public directly, having the same practical effect of reducing it to just one publicly accessible MSA that has the user database to check for authentication,
  • Find some way of relaying the authentication request from their MSA to ours, doing the verification, and returning an "accept" or "decline" token to their MSA. It would probably be the ideal option, but I have no idea how we could do that. I know that relaying authentication requests is used for chained LDAP/LDAP or Active Directory/LDAP situations, but have no idea how it can be used practically or if it works with SMTP-AUTH,
  • Find some anti-spoofing software to put on our servers (but how would it check? The mail will always be coming from a trusted MSA with a potentially existing address)

If you have any thoughts on our issue, thanks in advance.

Tom
  • Am I right in supposing that your mobile phone users get their mail from your mail server directly? – Law29 Jun 28 '16 at 17:43

1 Answer

First off, I suppose that your ISP's port 587 is secured in some way other than login/password? One way is by source IP, so that it is accessible only from customers connected to that ISP, but that would restrict cellphone users to connecting through that ISP. Another way is by POP-before-SMTP, but that only works if the ISP also handles the mail store and thus can authenticate users anyway. I recommend neither of these two ways, but the only other solution I see is an open relay, which is definitely something you want to avoid, and whose existence would reflect badly upon the competence of your ISP.

Depending on your provider's MSA and on your own authentication services, it can be possible to proxy authentication. I would not recommend it as it seems to be rather hard to set up and maintain for no advantage that I can see.

I would recommend your second solution: you already have your mail store exposed to the Internet over IMAP (I suppose!), you already have your mail server, you already have the MSA set up, so exposing the MSA to the Internet is not a tremendous change in exposure. This way, everything is very standard, very simple to explain, you depend less upon your ISP, and you do not transmit sensitive login/password information needlessly to your ISP. There are security issues, of course, like dictionary attacks, but if I'm correct they are issues that you already expose yourself to by letting your cellphone users check their mail.

Things that could make me change my opinion would be

  • number of users (I don't suppose we are talking 10000+)
  • ridiculously low or expensive bandwidth to your site (but you already run your mailserver there)
  • if your cellphone users only send mail, never check mail from the Internet
Law29
  • Our IMAP is actually NATed by our ISP, so indeed, it's pretty much already exposed. And we're exactly looking to depend less upon our ISP. And we aren't in the bandwidth issues you're raising. We'll definitely consider the option of doing the job ourselves completely then. Thank you for your advice. Just as a follow-up "curiosity" question: how would you consider doing the proxy authentication if you had to, even though I agree it'd be too complicated for our use case? – Tom Jun 28 '16 at 21:27
  • I feel that using [SASL](https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer) can't be too hard if your ISP's MSA supports it. If your own authentication service does not, you could proxy it on your side. There are SASL implementations in perl. – Law29 Jun 29 '16 at 07:28
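To make concrete what a correctly configured submission port does that the ISP's port 587 in the question does not, here is an added example (not from the question, the answer, MDaemon or any ISP's software) of a minimal SMTP submission state machine: it answers 530 to MAIL FROM until the session has completed SASL PLAIN, hands the credential check to a pluggable verifier callable (the place where the "proxy the authentication to your own server" idea from the comments would plug in), and refuses a sender address the authenticated user does not own. The class and function names, the 250 banner and the `ourcorp.com` users are constructed for the demo.

```python
import base64


class Submission:
    """Constructed demo of an MSA that enforces AUTH before accepting a sender."""

    def __init__(self, verify, local_domains):
        self.verify = verify  # callable(user, password) -> bool; may proxy to your own server
        self.local_domains = {d.lower() for d in local_domains}
        self.user = None      # authenticated identity, None until AUTH succeeds

    def handle(self, line):
        """Process one client command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-msa.ourcorp.com\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            if self.user is None:  # the check missing on the ISP's port 587
                return "530 5.7.0 Authentication required"
            sender = arg.split(":", 1)[-1].strip(" <>").lower()
            domain = sender.split("@", 1)[1] if "@" in sender else ""
            # An authenticated user may only submit as an address they own in a local domain
            if domain not in self.local_domains or sender != self.user:
                return "553 5.7.1 Sender address rejected: not owned by authenticated user"
            return "250 2.1.0 OK"
        return "500 5.5.1 Command not recognized"

    def _auth(self, arg):
        mech, _, blob = arg.partition(" ")
        if mech.upper() != "PLAIN" or not blob:
            return "504 5.5.4 Unrecognized authentication type"
        try:  # SASL PLAIN: base64 of "[authzid]\0authcid\0password"
            _authz, authc, password = base64.b64decode(blob, validate=True).decode().split("\0")
        except ValueError:  # bad base64, bad UTF-8 or wrong number of fields
            return "501 5.5.2 Cannot decode credentials"
        if self.verify(authc, password):
            self.user = authc.lower()
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"


def plain_blob(user, password):
    """Client-side helper: encode SASL PLAIN credentials for the demo."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()
```

In production the verifier would of course check against a real credential store (or relay the check to the internal server, as the SASL comment suggests) and the session would run under STARTTLS so the PLAIN credentials are never sent in clear.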