Securing SMTP Sending
I have a very elementary question about configuring hmailserver.
I want to use hmailserver to send emails to other MTAs from a software client I have created. I assume this is what people call SMTP relay.
My question is, how do I restrict the mail server to sending to other MTAs only from my client while allowing other MTAs to still send mail to my mail server.
My confusion arises because looking at the SMTP protocol, it appears that the same port and commands are used to tell my MTA to send a message to another MTA and to deliver a message to my MTA. Consequently I can't lock down port 25 to just my client machine IP, as then I would not be able to receive email from some other mail server, but if I leave it fully open, I presume anyone could maliciously use my mail server to relay their email.
Is there a way to configure the mail server to only relay mail if it originates from my client but receive mail from anyone?
Alternatively, I presume I can set up an SSL certificate and require authentication to send mail, but if I do this, will external MTAs still be able to send mail destined for my mail server without authenticating?
This seems like a fundamental issue but I have had no luck finding any resource so far that explains it.
Re: Securing SMTP Sending
SMTP routes
Use a global rule to catch a message, and then use action 'send using route'
If all outgoing mail is to be relayed, use the 'SMTP relayer' settings in SMTP
Most of the port, TCP/IP settings and IP range settings only affect incoming connections.
hMailserver will ALWAYS send outbound on port 25, UNLESS the SMTP relayer is set, or a SMTP route is called
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Securing SMTP Sending
For incoming mails from clients you can define any port you want in hMailServer. Port 25 has to be open for incoming mails from the world. Have a look at the table down below here: https://www.hmailserver.com/documentati ... to_install
Port 587 and 465 are normally used for incoming mails from clients. You can lock down these ports for internal use only. Or use something like Port 2525 with no Encryption selected so you don't have to mess around with standards.
Re: Securing SMTP Sending
mattg wrote: ↑2020-10-09 02:52
SMTP routes
Use a global rule to catch a message, and then use action 'send using route'
If all outgoing mail is to be relayed, use the 'SMTP relayer' settings in SMTP
Most of the port, TCP/IP settings and IP range settings only affect incoming connections.
hMailserver will ALWAYS send outbound on port 25, UNLESS the SMTP relayer is set, or a SMTP route is called
Sorry for being a newbie but I'm afraid I don't understand. From reading the documentation, SMTP routes are an alternative to using DNS to determine the IP address associated with delivering a message to a specific domain. I want hmailserver to use DNS to determine which MTA to contact when delivering my messages.
As far as SMTP relay goes, from reading the documentation it appears to be a way to get hmailserver to deliver messages by using another MTA to relay them (for example, because your ISP blocks port 25). My hmailserver is running on Amazon AWS and I've already had them unblock port 25 so I don't need to do that. At any rate, the whole reason I have set up hmailserver is to avoid the charges of SMTP relay providers when sending large amounts of mail.
What I want to do is really simple. My hmailserver is associated with a domain, let's call it X. I have an MX record that points the domain to my hmailserver's IP address. I want external MTAs to be able to connect to my IP address on port 25 to deliver email whose destination is domain X, but block any attempts by external MTAs or other clients to use it to try to deliver email not destined for domain X. Meanwhile, I want to be able to connect to my hmailserver on that same IP address and port from my own client and ask it to send email whose destination is not domain X, the thing that I don't allow external MTAs to do.
Re: Securing SMTP Sending
Virinum wrote: ↑2020-10-09 07:42
For incoming mails from clients you can define any port you want in hMailServer. Port 25 has to be open for incoming mails from the world. Have a look at the table down below here: https://www.hmailserver.com/documentati ... to_install
Port 587 and 465 are normally used for incoming mails from clients. You can lock down these ports for internal use only. Or use something like Port 2525 with no Encryption selected so you don't have to mess around with standards.
So if I understand you, I can set up hmailserver to allow requests to send a message to a domain other than its own on a specific port like 2525, but to block requests to send a message to a domain other than its own on port 25. Could you point me to where in the hmailserver documentation it describes how to do this?
Re: Securing SMTP Sending
smjhunt wrote: ↑2020-10-09 02:43
I want to use hmailserver to send emails to other MTAs from a software client I have created. I assume this is what people call SMTP relay.
My question is, how do I restrict the mail server to sending to other MTAs only from my client while allowing other MTAs to still send mail to my mail server.
You want to receive everything, but only send from your software client.
Install with the default settings.
Create your domain and user account.
Create an IP range for your software client. Enable authentication and use your user account credentials to send mail from your client.
Use port 587 for mail submission from your client.
That's pretty much all there is to it. Try it out and if you have any specific issues, we can help you troubleshoot. Get everything going first, get your feet wet.

Re: Securing SMTP Sending
smjhunt wrote: ↑2020-10-09 21:45
What I want to do is really simple. My hmailserver is associated with a domain, let's call it X. I have an MX record that points the domain to my hmailserver's IP address. I want external MTAs to be able to connect to my IP address on port 25 to deliver email whose destination is domain X, but block any attempts by external MTAs or other clients to use it to try to deliver email not destined for domain X. Meanwhile, I want to be able to connect to my hmailserver on that same IP address and port from my own client and ask it to send email whose destination is not domain X, the thing that I don't allow external MTAs to do.
That is absolutely a vanilla install of hMailserver with default settings
In IP ranges 'external to external' is what stops mail being relayed VIA YOUR hMailserver. Just don't allow that.
(This is turned off by default)
Re: Securing SMTP Sending
palinka wrote: ↑2020-10-09 23:19
smjhunt wrote: ↑2020-10-09 02:43
I want to use hmailserver to send emails to other MTAs from a software client I have created. I assume this is what people call SMTP relay.
My question is, how do I restrict the mail server to sending to other MTAs only from my client while allowing other MTAs to still send mail to my mail server.
You want to receive everything, but only send from your software client.
Install with the default settings.
Create your domain and user account.
Create an IP range for your software client. Enable authentication and use your user account credentials to send mail from your client.
Use port 587 for mail submission from your client.
That's pretty much all there is to it. Try it out and if you have any specific issues, we can help you troubleshoot. Get everything going first, get your feet wet.
Thanks. I can't create an IP range for my client because the client is remote. Just like external MTAs it comes in through the one public IP address of the server.
However, I now see in IP range settings that there are checkboxes that allow me to require authentication for delivery to remote accounts while not requiring authentication for delivery to local accounts, which should work for me. This was what I wasn't sure of: whether, if I set up authentication, it would also require it from external MTAs delivering to my domain.
Re: Securing SMTP Sending
That's not true. Just set the IP of the IP range to the IP of the client.
Just like external MTAs it comes in through the one public IP address of the server.
Yes. But it comes in to port 587 using authentication. Mail to be received from the world (unauthenticated) comes in on port 25 only.
However, I now see in IP range settings that there are checkboxes that allow me to require authentication for delivery to remote accounts while not requiring authentication for delivery to local accounts, which should work for me. This was what I wasn't sure of: whether, if I set up authentication, it would also require it from external MTAs delivering to my domain.
Exactly. The default configuration will give you this - assuming you set up a domain and at least one user to authenticate against.
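To make the IP-range logic the replies describe concrete, here is an added model (example code, not hMailServer's own) of the four "allow deliveries from" / "require SMTP authentication" directions, with the defaults as the thread states them (external-to-external relay off, authentication required when the sender claims a local address). Field names, the default table and the IP addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

DIRECTIONS = ("local_to_local", "local_to_external", "external_to_local", "external_to_external")


@dataclass
class IpRange:
    # Assumed field names, modelled on the IP-range settings discussed in the thread.
    name: str
    lower: str
    upper: str
    priority: int                                      # higher priority wins when ranges overlap
    allow: dict = field(default_factory=dict)          # "Allow deliveries from" checkboxes
    require_auth: dict = field(default_factory=dict)   # "Require SMTP authentication" checkboxes

    def contains(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.lower) <= a <= ipaddress.ip_address(self.upper)


# Assumed defaults for the catch-all range: every direction except external-to-external is
# allowed; authentication is required whenever the sender is one of our own (local) addresses.
INTERNET = IpRange(
    name="Internet", lower="0.0.0.0", upper="255.255.255.255", priority=10,
    allow={"local_to_local": True, "local_to_external": True,
           "external_to_local": True, "external_to_external": False},
    require_auth={"local_to_local": True, "local_to_external": True,
                  "external_to_local": False, "external_to_external": True},
)

# A narrower range for the client's fixed address, as palinka suggested (address constructed).
# It outranks "Internet" and requires authentication in every direction.
CLIENT_RANGE = IpRange(
    name="My client", lower="203.0.113.10", upper="203.0.113.10", priority=20,
    allow={d: d != "external_to_external" for d in DIRECTIONS},
    require_auth={d: True for d in DIRECTIONS},
)


def direction(sender_local: bool, recipient_local: bool) -> str:
    """'local' means the address belongs to a domain this server hosts (domain X in the thread)."""
    return f"{'local' if sender_local else 'external'}_to_{'local' if recipient_local else 'external'}"


def matching_range(ranges, client_ip):
    hits = [r for r in ranges if r.contains(client_ip)]
    return max(hits, key=lambda r: r.priority) if hits else None


def decide(ranges, client_ip, authenticated, sender_local, recipient_local):
    """Return (accepted, reason) for one RCPT TO under the rules of the matched range."""
    rng = matching_range(ranges, client_ip)
    if rng is None:
        return False, "no IP range matches the connecting address"
    d = direction(sender_local, recipient_local)
    if not rng.allow.get(d, False):
        return False, f"{d} delivery disabled in range '{rng.name}' (open relay blocked)"
    if rng.require_auth.get(d, False) and not authenticated:
        return False, f"{d} requires SMTP authentication in range '{rng.name}'"
    return True, f"{d} accepted via range '{rng.name}'"
```

Port 25 and port 587 both end up in the same decision; what differs is only whether the session authenticated first, which is why the default range already separates "receive from anyone" from "relay only for my client".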
Re: Securing SMTP Sending
palinka wrote: ↑2020-10-10 04:21
That's not true. Just set the IP of the IP range to the IP of the client.
I created a self signed certificate with common name = mail server domain name using openssl and added it to hmailserver config
I set port 587 to require authentication and use the certificate I added to config
I created a test account
I turned on all logging
I used an SMTP test tool to try to send an email by connecting on 587 with the test account authentication. It fails.
Here is the pertinent log
"TCPIP" 4476 "2020-10-10 06:26:10.215" "TCP - 127.0.0.1 connected to 127.0.0.1:587."
"DEBUG" 4476 "2020-10-10 06:26:10.215" "TCP connection started for session 55"
"DEBUG" 4476 "2020-10-10 06:26:10.215" "Performing SSL/TLS handshake for session 55. Verify certificate: False"
"TCPIP" 4476 "2020-10-10 06:26:30.246" "TCPConnection - TLS/SSL handshake failed. Session Id: 55, Remote IP: 127.0.0.1, Error code: 335544539, Message: short read"
"DEBUG" 4476 "2020-10-10 06:26:30.246" "Ending session 55"
Could it be the problem is my test client won't accept the self-signed certificate?
thanks
Re: Securing SMTP Sending
Likely to be the case
What client are you using? Some of them will accept self signed certificates, and have an 'accept this certificate' type window open, often in the background
Check with [ALT] + [Left TAB]
Re: Securing SMTP Sending
smjhunt wrote: ↑2020-10-10 08:44
I created a self signed certificate with common name = mail server domain name using openssl and added it to hmailserver config
I replaced the self signed certificate with a Sectigo certificate. Same result, log says "Verify Certificate: false"
Re: Securing SMTP Sending
That is saying that hmailserver is NOT TRYING to verify the signature - not that the verification failed
The next line was the problem
"TCPIP" 4476 "2020-10-10 06:26:30.246" "TCPConnection - TLS/SSL handshake failed. Session Id: 55, Remote IP: 127.0.0.1, Error code: 335544539, Message: short read"
Re: Securing SMTP Sending
Is there an error log?
Re: Securing SMTP Sending
"TCP - 68.5.184.74 connected to 172.31.27.134:587."
"DEBUG" 3500 "2020-10-11 20:33:19.518" "TCP connection started for session 105"
"DEBUG" 3500 "2020-10-11 20:33:19.534" "Performing SSL/TLS handshake for session 105. Verify certificate: False"
"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"
"DEBUG" 2496 "2020-10-11 20:33:39.485" "Ending session 105"
Re: Securing SMTP Sending
smjhunt wrote: ↑2020-10-11 22:41
"TCP - 68.5.184.74 connected to 172.31.27.134:587."
"DEBUG" 3500 "2020-10-11 20:33:19.518" "TCP connection started for session 105"
"DEBUG" 3500 "2020-10-11 20:33:19.534" "Performing SSL/TLS handshake for session 105. Verify certificate: False"
"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"
"DEBUG" 2496 "2020-10-11 20:33:39.485" "Ending session 105"
That is NOT an ERROR log. Error logs have the word ERROR in the name
The problem is this line
Re: Securing SMTP Sending
mattg wrote: ↑2020-10-11 23:46
That is NOT an ERROR log. Error logs have the word ERROR in the name
The log excerpt above was from a file called hmailserver_2020-10-11.log in the hmailserver Logs folder. Don't see any other logs. Where would ERROR logs be located?
Meanwhile, I found a terrific debugging tool https://www.checktls.com
It failed like the rest and showed that the SSL handshake was not even being performed on 587
I went back and changed config for port 587 FROM SSL/TLS to STARTTLS and tried again
This time it did the SSL handshake but failed the authentication which is a different issue.
Apparently the setting needs to be STARTTLS, not SSL/TLS.
If you are not familiar with this tool you might want to give it a try and recommend it to others. When the handshake finally was performed it provided all the details one would need to fix certificate problems. Here is its output
seconds test stage and result
[000.000] Trying TLS on realamail.net[3.21.225.66:587] (1)
[000.018] Server answered
[000.037] <‑‑ 220 realamail.net ESMTP
[000.037] We are allowed to connect
[000.037] ‑‑> EHLO www11-do.CheckTLS.com
[000.055] <‑‑ 250-realamail.net
250-SIZE 20480000
250-STARTTLS
250-AUTH LOGIN
250 HELP
[000.055] We can use this server
[000.055] TLS is an option on this server
[000.055] ‑‑> STARTTLS
[000.073] <‑‑ 220 Ready to start TLS
[000.073] STARTTLS command works on this server
[000.163] Connection converted to SSL
SSLVersion in use: TLSv1_2
Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
Perfect Forward Secrecy: yes
Certificate #1 of 5 (sent by MX):
Cert signed by: #2
Cert VALIDATED: ok
Cert Hostname VERIFIED (realamail.net = realamail.net | DNS:realamail.net | DNS:www.realamail.net)
Not Valid Before: Oct 10 00:00:00 2020 GMT
Not Valid After: Oct 10 23:59:59 2021 GMT
subject= /CN=realamail.net
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
Certificate #2 of 5 (sent by MX):
Cert signed by: #3, #4
Cert VALIDATED: ok
Not Valid Before: Nov 2 00:00:00 2018 GMT
Not Valid After: Dec 31 23:59:59 2030 GMT
subject= /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
Certificate #3 of 5 (added from CA Root Store):
Cert signed by: #3, #4
Cert VALIDATED: ok
Not Valid Before: Feb 1 00:00:00 2010 GMT
Not Valid After: Jan 18 23:59:59 2038 GMT
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
Certificate #4 of 5 (sent by MX):
Cert signed by: #5
Cert VALIDATED:
Not Valid Before: Mar 12 00:00:00 2019 GMT
Not Valid After: Dec 31 23:59:59 2028 GMT
subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
Certificate #5 of 5 (sent by MX, also in CA Root Store):
Cert signed by: #5
Cert VALIDATED:
Not Valid Before: Jan 1 00:00:00 2004 GMT
Not Valid After: Dec 31 23:59:59 2028 GMT
subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
[000.822] ~~> EHLO www11-do.CheckTLS.com
[000.840] <~~ 250-realamail.net
250-SIZE 20480000
250-AUTH LOGIN
250 HELP
[000.841] TLS successfully started on this server
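The handshake failures earlier in the thread were diagnosed by reading the log by eye. As an added example (not from the thread or from hMailServer), the following groups hMailServer log lines by session, flags the "short read" handshake failure, measures how long the server waited for the client, and copes with a line pasted without its category/thread/timestamp prefix, as the second excerpt was. The sample log reuses the thread's lines and appends one constructed session (106).

```python
import re
from collections import defaultdict
from datetime import datetime

# Log line shape seen in the thread: "CATEGORY" thread "timestamp" "message"
FULL_RE = re.compile(r'^"(?P<cat>[A-Z]+)"\s+(?P<tid>\d+)\s+"(?P<ts>[^"]+)"\s+"(?P<msg>.*)"$')
SESSION_RE = re.compile(r'[Ss]ession(?: Id:)?\s+(\d+)')
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Lines from the thread plus a constructed session 106 that completes its handshake.
SAMPLE_LOG = '''
"TCPIP" 4476 "2020-10-10 06:26:10.215" "TCP - 127.0.0.1 connected to 127.0.0.1:587."
"DEBUG" 4476 "2020-10-10 06:26:10.215" "TCP connection started for session 55"
"DEBUG" 4476 "2020-10-10 06:26:10.215" "Performing SSL/TLS handshake for session 55. Verify certificate: False"
"TCPIP" 4476 "2020-10-10 06:26:30.246" "TCPConnection - TLS/SSL handshake failed. Session Id: 55, Remote IP: 127.0.0.1, Error code: 335544539, Message: short read"
"DEBUG" 4476 "2020-10-10 06:26:30.246" "Ending session 55"
"TCP - 68.5.184.74 connected to 172.31.27.134:587."
"DEBUG" 3500 "2020-10-11 20:33:19.518" "TCP connection started for session 105"
"DEBUG" 3500 "2020-10-11 20:33:19.534" "Performing SSL/TLS handshake for session 105. Verify certificate: False"
"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"
"DEBUG" 2496 "2020-10-11 20:33:39.485" "Ending session 105"
"DEBUG" 2496 "2020-10-11 20:40:01.000" "TCP connection started for session 106"
"DEBUG" 2496 "2020-10-11 20:40:01.010" "Performing SSL/TLS handshake for session 106. Verify certificate: False"
"DEBUG" 2496 "2020-10-11 20:40:05.000" "Ending session 106"
'''


def parse_line(line):
    """Return (timestamp or None, message). A line pasted without its prefix still yields its message."""
    line = line.strip()
    m = FULL_RE.match(line)
    if m:
        return datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")
    if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
        return None, line[1:-1]
    return None


def triage(log_text):
    """Classify each session's TLS outcome. 'Verify certificate: False' only means the server
    is not verifying a client certificate; it is not an error, as mattg pointed out."""
    sessions = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        sm = SESSION_RE.search(msg)
        if sm:
            sessions[int(sm.group(1))].append((ts, msg))
    result = {}
    for sid, events in sessions.items():
        started = [ts for ts, m in events if "Performing SSL/TLS handshake" in m]
        failed = [(ts, m) for ts, m in events if "TLS/SSL handshake failed" in m]
        info = {"verdict": "handshake-started" if started else "no-tls", "handshake_seconds": None}
        if failed:
            ts_f, m = failed[0]
            # "short read": the peer closed, or never sent TLS, before the handshake finished. On a
            # submission port that is the classic symptom of a client waiting for a plaintext 220
            # banner to issue STARTTLS while the port expects an immediate TLS ClientHello
            # (implicit SSL/TLS), which is exactly the mismatch the thread found and fixed.
            info["verdict"] = "handshake-failed-short-read" if "short read" in m else "handshake-failed"
            if started and ts_f is not None and started[0] is not None:
                info["handshake_seconds"] = round((ts_f - started[0]).total_seconds(), 3)
        result[sid] = info
    return result
```

The roughly 20-second gap between "Performing SSL/TLS handshake" and the failure is the server timing out on a ClientHello that never arrived, which is what you would expect from a STARTTLS client talking to an implicit-TLS port.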
Re: Securing SMTP Sending
Now that that's sorted out, does your client work?
Re: Securing SMTP Sending
Same place
Normally yes, but it really does ALSO depend on the settings in your mail client
Re: Securing SMTP Sending
And if your mail client doesn't work now, then please run this and post the results
viewtopic.php?f=20&t=30914