Securing SMTP Sending

[smjhunt]

I have a very elementary question about configuring hmailserver.

I want to use hmailserver to send emails to other MTA's from a software client I have created. I assume this is what people call SMTP relay.
My question is, how do I restrict the mail server to sending to other MTA's only from my client while allowing other MTA's to still send mail to my mail server.

My confusion arises because looking at the SMTP protocol, it appears that the same port and commands are used to tell my MTA to send a message to another MTA and to deliver a message to my MTA. Consequently I can't lock down port 25 to just my client machine IP as then I would not be able to receive email from some other mail server but if I leave it fully open, I presume anyone could maliciously use my mail server to relay their email.

Is there a way to configure the mail server to only relay mail if it originates from my client but receive mail from anyone ?

Alternatively, I presume I can set up an SSL certificate and require authentication to send mail but if I do this, will external MTA's still be able to send mail destined for my mail server without authenticating ?

This seems like a fundamental issue but I have had no luck finding any resource so far that explains it.

[mattg]

SMTP routes
Use a global rule to catch a message, and then use action 'send using route'


If all outgoing mail is to be relayed, use the 'SMTP relayer' settings in SMTP

Most the of the port, TCP/IP settings and IP range setting only affect incoming connections.
hMailserver will ALWAYS send outbound on port 25, UNLESS the SMTP relayer is set, or a SMTP route is called

[Virinum]

For incoming mails from clients you can define any port you want in hMailServer. Port 25 has to be open for incoming mails from the world. Have a look at the table down below here: https://www.hmailserver.com/documentati ... to_install

Port 587 and 465 are normaly used for incoming mails from clients. You can lock down these ports for internal use only. Or use something like Port 2525 with no Encryption selected so you don't have to mess around with standards.

[smjhunt]

SMTP routes
Use a global rule to catch a message, and then use action 'send using route'


If all outgoing mail is to be relayed, use the 'SMTP relayer' settings in SMTP

Most the of the port, TCP/IP settings and IP range setting only affect incoming connections.
hMailserver will ALWAYS send outbound on port 25, UNLESS the SMTP relayer is set, or a SMTP route is called

Sorry for being a newbie but I'm afraid I don't understand. From reading the documentation, SMTP routes are an alternative to using DNS to determine the IP address associated with delivering a message to a specific domain. I want hmailserver to use DNS to determine which MTA to contact when delivering my messages.

As far as SMTP relay goes, from reading the documentation it appears to be a way to get hmailserver to deliver messages by using another MTA to relay them (for example, because your ISP blocks port 25). My hmailserver is running on Amazon AWS and I've already had them unblock port 25 so I don't need to do that. At any rate, the whole reason I have set up hmailserver is to avoid the charges of SMTP relay providers when sending large amounts of mail.

What I want to do is really simple. My hmailserver is associated with a domain, let's call it X. I have an MX record that points the domain to my hmailservers IP address. I want external MTAs to be able to connect to my ip address on port 25 to deliver email whose destination is domain X but block any attempts by external MTAs or other clients to use it to try to deliver email not destined for domain X. Meanwhile, I want to be able to connect to my hmailserver on that same ip address and port from my own client and ask it to send email whose destination is not domain X, the thing that I don't allow external MTAs to do.

[smjhunt]

For incoming mails from clients you can define any port you want in hMailServer. Port 25 has to be open for incoming mails from the world. Have a look at the table down below here: https://www.hmailserver.com/documentati ... to_install

Port 587 and 465 are normaly used for incoming mails from clients. You can lock down these ports for internal use only. Or use something like Port 2525 with no Encryption selected so you don't have to mess around with standards.

So if I understand you, I can set up hmailserver to allow requests to send a message to a domain other than its own on a specific port list 2525 but to block requests to send a message to a domain other than its own on port 25. Could you point me to where in the hmailserver documentation it describes how to do this ?

[palinka]

I want to use hmailserver to send emails to other MTA's from a software client I have created. I assume this is what people call SMTP relay.
My question is, how do I restrict the mail server to sending to other MTA's only from my client while allowing other MTA's to still send mail to my mail server.

You want to receive everything, but only send from your software client.

Install with the default settings.

Create your domain and user account.

Create an IP range for your software client. Enable authentication and use your user account credentials to send mail from your client.

Use port 587 for mail submission from your client.

That's pretty much all there is to it. Try it out and if you have any specific issues, we can help you troubleshoot. Get everything going first, get your feet wet.

[mattg]

What I want to do is really simple. My hmailserver is associated with a domain, let's call it X. I have an MX record that points the domain to my hmailservers IP address. I want external MTAs to be able to connect to my ip address on port 25 to deliver email whose destination is domain X but block any attempts by external MTAs or other clients to use it to try to deliver email not destined for domain X. Meanwhile, I want to be able to connect to my hmailserver on that same ip address and port from my own client and ask it to send email whose destination is not domain X, the thing that I don't allow external MTAs to do.

That is absolutely a vanilla install of hMailserver with default settings

In IP ranges 'external to external' is what stops mail being relayed VIA YOUR hMailserver. Just don't allow that.
(This is turned off by default)

[smjhunt]

I want to use hmailserver to send emails to other MTA's from a software client I have created. I assume this is what people call SMTP relay.
My question is, how do I restrict the mail server to sending to other MTA's only from my client while allowing other MTA's to still send mail to my mail server.

You want to receive everything, but only send from your software client.

Install with the default settings.

Create your domain and user account.

Create an IP range for your software client. Enable authentication and use your user account credentials to send mail from your client.

Use port 587 for mail submission from your client.

That's pretty much all there is to it. Try it out and if you have any specific issues, we can help you troubleshoot. Get everything going first, get your feet wet.

Thanks. I can't create an IP range for my client because the client is remote. Just like external MTA's it comes in through the one public IP address of the server.
However I now see in IP range settings that there are checkboxes that allow me to require authentication for delivery to remote accounts while not requiring authentication for delivering to local accounts which should work for me. This was what I wasn't sure of, whether if set up authentication, it would also require it from external MTA's delivering to my domain.

[palinka]

Thanks. I can't create an IP range for my client because the client is remote.

That's not true. Just set the IP of the IP range to the IP of the client.

Just like external MTA's it comes in through the one public IP address of the server.

Yes. But it comes in to port 587 using authentication. Mail to be received from the world (unauthenticated) comes in on port 25 only.

However I now see in IP range settings that there are checkboxes that allow me to require authentication for delivery to remote accounts while not requiring authentication for delivering to local accounts which should work for me. This was what I wasn't sure of, whether if set up authentication, it would also require it from external MTA's delivering to my domain.

Exactly. The default configuration will give you this - assuming you set up a domain and at least one user to authenticate against.

[smjhunt]

Thanks. I can't create an IP range for my client because the client is remote.

That's not true. Just set the IP of the IP range to the IP of the client.

Just like external MTA's it comes in through the one public IP address of the server.

Yes. But it comes in to port 587 using authentication. Mail to be received from the world (unauthenticated) comes in on port 25 only.

However I now see in IP range settings that there are checkboxes that allow me to require authentication for delivery to remote accounts while not requiring authentication for delivering to local accounts which should work for me. This was what I wasn't sure of, whether if set up authentication, it would also require it from external MTA's delivering to my domain.

Exactly. The default configuration will give you this - assuming you set up a domain and at least one user to authenticate against.

I created a self signed certificate with common name = mail server domain name using openssl and added it to hmailserver config
I set port 587 to require authentication and use the certificate I added to config
I created a test account
I turned on all logging
I used an SMTP test tool to try to send an email by connecting on 587 with the test account authentication. It fails.
Here is the pertinent log
"TCPIP" 4476 "2020-10-10 06:26:10.215" "TCP - 127.0.0.1 connected to 127.0.0.1:587."
"DEBUG" 4476 "2020-10-10 06:26:10.215" "TCP connection started for session 55"
"DEBUG" 4476 "2020-10-10 06:26:10.215" "Performing SSL/TLS handshake for session 55. Verify certificate: False"
"TCPIP" 4476 "2020-10-10 06:26:30.246" "TCPConnection - TLS/SSL handshake failed. Session Id: 55, Remote IP: 127.0.0.1, Error code: 335544539, Message: short read"
"DEBUG" 4476 "2020-10-10 06:26:30.246" "Ending session 55"

Could it be the problem is my test client won't accept the self-signed certificate ?

thanks

[mattg]

Could it be the problem is my test client won't accept the self-signed certificate ?

Likely to be the case

What client are you using? Some of them will accept self signed certificates, and have a 'accept this certifcate' type window open, often in the background
Check with [ALT] + [Left TAB]

[smjhunt]

Thanks. I can't create an IP range for my client because the client is remote.

That's not true. Just set the IP of the IP range to the IP of the client.

Just like external MTA's it comes in through the one public IP address of the server.

Yes. But it comes in to port 587 using authentication. Mail to be received from the world (unauthenticated) comes in on port 25 only.

However I now see in IP range settings that there are checkboxes that allow me to require authentication for delivery to remote accounts while not requiring authentication for delivering to local accounts which should work for me. This was what I wasn't sure of, whether if set up authentication, it would also require it from external MTA's delivering to my domain.

Exactly. The default configuration will give you this - assuming you set up a domain and at least one user to authenticate against.

I created a self signed certificate with common name = mail server domain name using openssl and added it to hmailserver config
I set port 587 to require authentication and use the certificate I added to config
I created a test account
I turned on all logging
I used an SMTP test tool to try to send an email by connecting on 587 with the test account authentication. It fails.
Here is the pertinent log
"TCPIP" 4476 "2020-10-10 06:26:10.215" "TCP - 127.0.0.1 connected to 127.0.0.1:587."
"DEBUG" 4476 "2020-10-10 06:26:10.215" "TCP connection started for session 55"
"DEBUG" 4476 "2020-10-10 06:26:10.215" "Performing SSL/TLS handshake for session 55. Verify certificate: False"
"TCPIP" 4476 "2020-10-10 06:26:30.246" "TCPConnection - TLS/SSL handshake failed. Session Id: 55, Remote IP: 127.0.0.1, Error code: 335544539, Message: short read"
"DEBUG" 4476 "2020-10-10 06:26:30.246" "Ending session 55"

Could it be the problem is my test client won't accept the self-signed certificate ?

thanks

I replaced the self signed certificate with a sectigo certificate. Same result , log says "Verify Certificate: false"

[mattg]

I replaced the self signed certificate with a sectigo certificate. Same result , log says "Verify Certificate: false"

That is saying that hmailserver is NOT TRYING to verify the signature - not that the verification failed

The next line was the problem

Code: Select all

"TCPIP" 4476 "2020-10-10 06:26:30.246" "TCPConnection - TLS/SSL handshake failed. Session Id: 55, Remote IP: 127.0.0.1, Error code: 335544539, Message: short read"

[palinka]

Is there an error log?

[smjhunt]

Is there an error log?

"TCP - 68.5.184.74 connected to 172.31.27.134:587."
"DEBUG" 3500 "2020-10-11 20:33:19.518" "TCP connection started for session 105"
"DEBUG" 3500 "2020-10-11 20:33:19.534" "Performing SSL/TLS handshake for session 105. Verify certificate: False"
"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"
"DEBUG" 2496 "2020-10-11 20:33:39.485" "Ending session 105"

[mattg]

Is there an error log?

"TCP - 68.5.184.74 connected to 172.31.27.134:587."
"DEBUG" 3500 "2020-10-11 20:33:19.518" "TCP connection started for session 105"
"DEBUG" 3500 "2020-10-11 20:33:19.534" "Performing SSL/TLS handshake for session 105. Verify certificate: False"
"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"
"DEBUG" 2496 "2020-10-11 20:33:39.485" "Ending session 105"

That is NOT an ERROR log. Error logs have the word ERROR in teh name

The problem is this line

"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"

[smjhunt]

Is there an error log?

"TCP - 68.5.184.74 connected to 172.31.27.134:587."
"DEBUG" 3500 "2020-10-11 20:33:19.518" "TCP connection started for session 105"
"DEBUG" 3500 "2020-10-11 20:33:19.534" "Performing SSL/TLS handshake for session 105. Verify certificate: False"
"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"
"DEBUG" 2496 "2020-10-11 20:33:39.485" "Ending session 105"

That is NOT an ERROR log. Error logs have the word ERROR in teh name

The problem is this line

"TCPIP" 2496 "2020-10-11 20:33:39.485" "TCPConnection - TLS/SSL handshake failed. Session Id: 105, Remote IP: 68.5.184.74, Error code: 335544539, Message: short read"

The log excerpt above was from a file called hmailserver_2020-10-11.log in the hmailserver Logs folder. Don't see any other logs. Where would ERROR logs be located ?
Meanwhile, I found a terrific debugging tool https://www.checktls.com
It failed like the rest and showed that the SSL handshake was not even being performed on 587
I went back and changed config for port 587 FROM SSL/TLS to STARTLS and tried again
This time it did the SSL handshake but failed the authentication which is a different issue.
Apparently the setting needs to be STARTLS, not SSL/TLS.
If you are not familiar with this tool you might want to give it a try and recommend it to others. When the handshake finally was performed it provided all the details one would need to fix certficiate problems. Here is it's output

Code: Select all

seconds 		test stage and result
[000.000] 		Trying TLS on realamail.net[3.21.225.66:587] (1)
[000.018] 		Server answered
[000.037] 	<‑‑ 	220 realamail.net ESMTP
[000.037] 		We are allowed to connect
[000.037] 	‑‑> 	EHLO www11-do.CheckTLS.com
[000.055] 	<‑‑ 	250-realamail.net
250-SIZE 20480000
250-STARTTLS
250-AUTH LOGIN
250 HELP
[000.055] 		We can use this server
[000.055] 		TLS is an option on this server
[000.055] 	‑‑> 	STARTTLS
[000.073] 	<‑‑ 	220 Ready to start TLS
[000.073] 		STARTTLS command works on this server
[000.163] 		Connection converted to SSL
		SSLVersion in use: TLSv1_2
		Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
		Perfect Forward Secrecy: yes
		Certificate #1 of 5 (sent by MX):
		Cert signed by: #2
		Cert VALIDATED: ok
		Cert Hostname VERIFIED (realamail.net = realamail.net | DNS:realamail.net | DNS:www.realamail.net)
		

Not Valid Before: Oct 10 00:00:00 2020 GMT

		

Not Valid After: Oct 10 23:59:59 2021 GMT

		subject= /CN=realamail.net
		issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
		Certificate #2 of 5 (sent by MX):
		Cert signed by: #3, #4
		Cert VALIDATED: ok
		

Not Valid Before: Nov  2 00:00:00 2018 GMT

		

Not Valid After: Dec 31 23:59:59 2030 GMT

		subject= /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
		issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
		Certificate #3 of 5 (added from CA Root Store):
		Cert signed by: #3, #4
		Cert VALIDATED: ok
		

Not Valid Before: Feb  1 00:00:00 2010 GMT

		

Not Valid After: Jan 18 23:59:59 2038 GMT

		subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
		issuer= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
		Certificate #4 of 5 (sent by MX):
		Cert signed by: #5
		Cert VALIDATED:
		

Not Valid Before: Mar 12 00:00:00 2019 GMT

		

Not Valid After: Dec 31 23:59:59 2028 GMT

		subject= /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
		issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
		Certificate #5 of 5 (sent by MX, also in CA Root Store):
		Cert signed by: #5
		Cert VALIDATED:
		

Not Valid Before: Jan  1 00:00:00 2004 GMT

		

Not Valid After: Dec 31 23:59:59 2028 GMT

		subject= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
		issuer= /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
[000.822] 	~~> 	EHLO www11-do.CheckTLS.com
[000.840] 	<~~ 	250-realamail.net
250-SIZE 20480000
250-AUTH LOGIN
250 HELP
[000.841] 		TLS successfully started on this server

[palinka]

Now that that's sorted out, does your client work?

[mattg]

The log excerpt above was from a file ...in the hmailserver Logs folder. Don't see any other logs. Where would ERROR logs be located ?

Same place

I went back and changed config for port 587 FROM SSL/TLS to STARTLS and tried again
This time it did the SSL handshake but failed the authentication which is a different issue.
Apparently the setting needs to be STARTLS, not SSL/TLS.

Normally yes, but it really does ALSO depend on the settings in your mail client

[mattg]

And your mail client doesn't work now, then please run this and post the results
viewtopic.php?f=20&t=30914

[smjhunt]

Now that that's sorted out, does your client work?

after fixing the login problem it is now working.