1

Topic: My server is vulnerable on port 25 (SMTP with out auth)

==== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian Squeeze
- Related log if you're reporting an issue:
====

Using port 25 and telnet from my server anyone could send emails without the need to login, that is, anyone could send emails pretending to be someone else.

How I can I avoid this.

Thanks for all, I hope someone can help me.
Best regards.

PS: Sorry for my english, it's not my primary language.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: My server is vulnerable on port 25 (SMTP with out auth)

Not exactly, If I telnet to my server and issue "mail -v test test@test.com" command I get the following

"MUST ISSUE A STARTTLS command first"

Knowing what I know about the IRedMail project there is no way the developers would have had the script configure a server as an open smtp relay.

I found this article that goes over how to test SMTP auth over telnet. http://www.petri.co.il/smtp-authentication.htm



Thanks
-Tim

3

Re: My server is vulnerable on port 25 (SMTP with out auth)

Hi @kzkggaara,

*) Please show us how you test it with telnet, all commands you type and the output.
*) iRedMail is configured to enable SMTP AUTH for sending emails by default.