SMTH AUTH?

brashquido
Normal user
Posts: 244
Joined: 2006-06-26 07:14
Location: Melbourne, Australia

SMTP AUTH?

Post by brashquido » 2016-05-18 11:07

Hi All,

Has been a while :) . I use a service which does a regular security scan on a server I maintain, which is picking up an issue with hMailServer. The description of the issue it is lodging is as follows:

The SMTP server advertises the following SASL methods over an unencrypted channel:
All supported methods: LOGIN
Cleartext methods: LOGIN

I think this test is flawed as it is only checking for advertised authentication methods, it doesn't actually test to see if encryption is involved. I've tested and even if I have STARTTLS set to required it still fails on this check. The only way to pass would be to have connections set to SSL/TLS.

Anyway, short of getting this provider to actually alter their check to verify actual as opposed to advertised methods, I was wondering if there is any way (perhaps in the INI file) to prevent HMS from advertising authentication methods at all? I've had a read through RFC 4954 (Authenticated SMTP) as well as RFC 2821 and RFC 5321 on SMTP and cannot find any mention that AUTH methods must be returned from an EHLO command. Would this be something hard to implement?
Dominic Ryan
Microsoft IIS MVP
IIS Aid

mattg
Moderator
Posts: 20228
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SMTP AUTH?

Post by mattg » 2016-05-18 11:30

G'day Dominic,

I think this may help

It's an INI setting

DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.

It actually stops any authentication on whichever port is detailed.
You need to make sure though that no normal user is relying on that port.

I have all of my clients use port 587 via StartTLS or 465 via SSL
I offer optional StartTLS on port 25 for other servers wanting to send encrypted mail to me
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8156
Joined: 2011-09-08 17:48

Re: SMTP AUTH?

Post by jimimaseye » 2016-05-18 14:03

brashquido wrote: I've had a read through RFC 4954 (Authenticated SMTP) as well as RFC 2821 and RFC 5321 on SMTP and cannot find any mention that AUTH methods must be returned from an EHLO command. Would this be something hard to implement?
FWIW, my findings:

RFC5321 4.1.1.1 https://tools.ietf.org/html/rfc5321
Normally, the response to EHLO will be a multiline reply. Each line
of the response contains a keyword and, optionally, one or more
parameters. Following the normal syntax for multiline replies, these
keywords follow the code (250) and a hyphen for all but the last
line, and the code and a space for the last line. The syntax for a
positive response, using the ABNF notation and terminal symbols of
RFC 5234 [7], is:

ehlo-ok-rsp = ( "250" SP Domain [ SP ehlo-greet ] CRLF )
              / ( "250-" Domain [ SP ehlo-greet ] CRLF
              *( "250-" ehlo-line CRLF )
              "250" SP ehlo-line CRLF )
In short, the response to EHLO is to return a "250-xxxx" of supported commands (including AUTH, covered by RFC 4954)


RFC4954: https://tools.ietf.org/html/rfc4954#page-3
3. The Authentication Service Extension

   1. The name of this [SMTP] service extension is "Authentication".

   2. The EHLO keyword value associated with this extension is "AUTH".

   3. The AUTH EHLO keyword contains as a parameter a space-separated
      list of the names of available [SASL] mechanisms. The list of
      available mechanisms MAY change after a successful STARTTLS
      command [SMTP-TLS].

   4. A new [SMTP] verb "AUTH" is defined.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
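As an added example (not code from the thread or from hMailServer), here is a Python script that reproduces what the scanner is doing: it parses an EHLO reply according to the ehlo-ok-rsp grammar quoted above, pulls the mechanism list out of the AUTH keyword as RFC 4954 section 3 defines it, and reports which cleartext mechanisms were advertised on the not-yet-encrypted connection, separately from whatever the server offers after STARTTLS. The EHLO replies it runs against are constructed to match the three states discussed in the thread (port 25 as first scanned, port 25 after DisableAUTHList=25, and a submission port that only offers AUTH once encrypted); they are not captured from a real hMailServer. The probe() function at the end does the same check live with smtplib against a server you are authorised to test; the hostname in it is a placeholder.

```python
"""Reproduce the scanner's SMTP AUTH check offline and, optionally, live.

Added example; not code from the thread or from hMailServer.
"""
import smtplib
from typing import Dict, List, Optional

# SASL mechanisms that hand the password to anyone reading the plaintext channel.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply: str) -> Dict[str, str]:
    """Parse an EHLO reply per the ehlo-ok-rsp grammar of RFC 5321 4.1.1.1.

    Returns {KEYWORD: parameters}. The first line is the greeting (Domain plus
    optional text) and carries no keyword. Every line but the last must be
    "250-", the last must be "250" SP; anything else raises ValueError.
    """
    lines = reply.replace("\r\n", "\n").strip("\n").split("\n")
    feats: Dict[str, str] = {}
    for i, line in enumerate(lines):
        last = i == len(lines) - 1
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        if (line[3] == " ") != last:
            raise ValueError("every line except the last must use '250-'")
        if i == 0:
            continue  # greeting line
        keyword, _, params = line[4:].partition(" ")
        keyword = keyword.upper()
        if keyword.startswith("AUTH="):  # legacy "AUTH=LOGIN" spelling; smtplib folds it too
            params = (keyword[5:] + " " + params).strip()
            keyword = "AUTH"
        if keyword == "AUTH" and "AUTH" in feats:  # several AUTH lines: concatenate
            params = feats["AUTH"] + " " + params
        feats[keyword] = params.strip()
    return feats


def auth_mechanisms(feats: Dict[str, str]) -> List[str]:
    """Mechanism names carried by the AUTH keyword (RFC 4954 section 3, item 3)."""
    return feats.get("AUTH", "").upper().split()


def assess(pre_tls: Dict[str, str], post_tls: Optional[Dict[str, str]] = None) -> dict:
    """Apply the scanner's rule: cleartext mechanisms in the EHLO reply received
    before STARTTLS count as 'advertised over an unencrypted channel'. The
    post-STARTTLS list is reported separately, since RFC 4954 lets it differ."""
    pre_mechs = auth_mechanisms(pre_tls)
    cleartext = [m for m in pre_mechs if m in CLEARTEXT_MECHS]
    return {
        "starttls_offered": "STARTTLS" in pre_tls,
        "pre_tls_auth": pre_mechs,
        "post_tls_auth": auth_mechanisms(post_tls) if post_tls is not None else None,
        "cleartext_over_plain": cleartext,
        "flagged": bool(cleartext),
    }


# Constructed EHLO replies (not captured from a real server) for the states in the thread.
PORT25_AS_SCANNED = (
    "250-mail.example.test\r\n"
    "250-SIZE 20480000\r\n"
    "250-AUTH LOGIN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
PORT25_DISABLEAUTHLIST = (  # after DisableAUTHList=25 and a service restart
    "250-mail.example.test\r\n"
    "250-SIZE 20480000\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
PORT587_AFTER_STARTTLS = (  # a submission port that offers AUTH only once encrypted
    "250-mail.example.test\r\n"
    "250-SIZE 20480000\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live version of the same check, against a server you are authorised to test."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = {k.upper(): v for k, v in smtp.esmtp_features.items()}
        post = None
        if smtp.has_extn("starttls"):
            smtp.starttls()  # default context verifies the server certificate
            smtp.ehlo()      # the advertised list may change now
            post = {k.upper(): v for k, v in smtp.esmtp_features.items()}
    return assess(pre, post)


if __name__ == "__main__":
    print(assess(parse_ehlo(PORT25_AS_SCANNED)))
    print(assess(parse_ehlo(PORT25_DISABLEAUTHLIST), parse_ehlo(PORT587_AFTER_STARTTLS)))
    # print(probe("mail.example.test", 25))  # placeholder host; uncomment for a live run
```

The scanner's rule, as the first post describes it, stops at the advertised list: a server that does not show AUTH before STARTTLS passes whether or not it would still accept an AUTH LOGIN sent in cleartext. DisableAUTHList satisfies both, because it disables authentication on that port altogether, which is why mattg's warning about clients still relying on the port matters. For a live run, smtplib.starttls() validates the certificate with the default context, so a self-signed test certificate needs an explicit ssl.SSLContext passed via the context= argument.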

brashquido
Normal user
Posts: 244
Joined: 2006-06-26 07:14
Location: Melbourne, Australia

Re: SMTP AUTH?

Post by brashquido » 2016-05-19 05:53

Thanks Matt,

Perfect, exactly what I was after!

With your last comment, are you saying even with AUTH disabled on port 25 that users can still authenticate if STARTTLS has been initiated? I'll find out soon enough I guess :) .

Thanks Jimi, yeah I saw those details too. I guess the distinction I was making is that while returning a list of enabled SASL AUTH mechanisms is a valid response to an EHLO command, it is not a compulsory one. I noticed Gmail, for instance, does not advertise AUTH mechanisms as part of their EHLO response.

Anyway, this will get this compliance monkey off my back for now. Thanks guys.

mattg
Moderator
Posts: 20228
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SMTP AUTH?

Post by mattg » 2016-05-19 06:49

brashquido wrote: With your last comment, are you saying even with AUTH disabled on port 25 that users can still authenticate if STARTTLS has been initiated?
No they can't.

Many servers (Gmail, Outlook.com, my hMailServer etc.) will send via StartTLS if it is available for normal unauthenticated mail.

RDadmin
New user
Posts: 22
Joined: 2019-06-13 04:05

Re: SMTP AUTH?

Post by RDadmin » 2019-10-03 02:12

Hi guys,

I get the same error during a security scan.

Could you please tell me which .ini file needs to be edited?

Much appreciate any help.

Thanks

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: SMTP AUTH?

Post by jim.bus » 2019-10-03 07:43

RDadmin wrote:
2019-10-03 02:12
Hi guys,

I get the same error during a security scan.

Could you please tell me which .ini file to be edited.

Much appreciate any help.

Thanks
I believe MattG is referring to C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini

This is the .ini file Matt directed me to in order to make the same entry he referred to for Port 25.

RDadmin
New user
Posts: 22
Joined: 2019-06-13 04:05

Re: SMTP AUTH?

Post by RDadmin » 2019-10-03 07:45

Hi Jim,

Thanks for the reply.

I couldn't find the below entry in that ini file.

DisableAUTHList=25

Should I add this entry and restart the service?

Please let me know mate.

Thanks

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: SMTP AUTH?

Post by jim.bus » 2019-10-03 08:19

RDadmin wrote:
2019-10-03 07:45
Hi Jim,

Thanks for the reply.

I couldn't find the below entry in that ini file.

DisableAUTHList=25

Should I add this entry and restart the service?

Please let me know mate.

Thanks
That was what Matt was trying to tell you to do. You add that entry to the end of the .ini file.

However the complete addition should be this at the end of the File (see below). Don't know if the [settings] is already there or not. Obviously the last two lines are only comments and I would recommend leaving them since they tell you what the DisableAUTHList entry does.

[settings]
DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.

jimimaseye
Moderator
Posts: 8156
Joined: 2011-09-08 17:48

Re: SMTP AUTH?

Post by jimimaseye » 2019-10-03 08:31

jim.bus wrote:
2019-10-03 08:19
However the complete addition should be this at the end of the File (see below). Don't know if the [settings] is already there or not.
No. You will need to ensure [settings] is included.

[Entered by mobile. Excuse my spelling.]

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: SMTP AUTH?

Post by jim.bus » 2019-10-03 08:41

jimimaseye wrote:
2019-10-03 08:31
jim.bus wrote:
2019-10-03 08:19
However the complete addition should be this at the end of the File (see below). Don't know if the [settings] is already there or not.
No. You will need to ensure [settings] is included.

[Entered by mobile. Excuse my spelling.]
That's what I said. I was indicating I didn't know if the [settings] Entry was already in the .ini file but I gave the complete entry required at the end of the .ini file at the end of my Post which included the [settings] Entry. This is why I replied showing what the complete Entry needed to be added at the end of the .ini file.

RDadmin
New user
Posts: 22
Joined: 2019-06-13 04:05

Re: SMTP AUTH?

Post by RDadmin » 2019-10-07 01:20

Hi Guys,

I did the same settings as mentioned above which is
[settings]
DisableAUTHList=25

and didn't get the issue fixed.

" Disable the plaintext authentication methods on your SMTP server for unencrypted (non-SSL/TLS) sessions "

This is what I am getting when the scan is done.

Any support is much appreciated.

Thanks in advance

mattg
Moderator
Posts: 20228
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SMTP AUTH?

Post by mattg » 2019-10-07 03:47

Did you restart hMailServer?

Also there is an SMTP setting under RFC compliance 'allow plain text authentication'
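The edit-and-restart procedure from the last few posts, as an added Python example (not part of the thread or of hMailServer): it makes sure hMailServer.ini has a [settings] section, adds the ports to DisableAUTHList or merges them into an existing list without rewriting the rest of the file, and restarts the service, which is the step that got missed above. It covers the three situations that came up: no [settings] section at all, a [settings] section without the key, and an existing DisableAUTHList that another port is added to. The INI path is the one jim.bus gives; the Windows service name hMailServer is an assumption, so check it in services.msc before running this on a real box.

```python
"""Idempotently add ports to DisableAUTHList in hMailServer.ini, then restart.

Added example; not code from the thread or from hMailServer.
"""
import re
import subprocess
import sys
from pathlib import Path
from typing import Iterable, Set

INI_PATH = Path(r"C:\Program Files (x86)\hMailServer\Bin\hMailServer.ini")
SERVICE_NAME = "hMailServer"  # assumed Windows service name; verify in services.msc

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^DisableAUTHList\s*=\s*(?P<value>.*)$", re.IGNORECASE)


def parse_ports(value: str) -> Set[int]:
    """'25, 587' -> {25, 587}; blanks and non-numeric entries are ignored."""
    return {int(p) for p in (x.strip() for x in value.split(",")) if p.isdigit()}


def format_ports(ports: Iterable[int]) -> str:
    """Comma-separated list in the form the INI comment describes."""
    return ",".join(str(p) for p in sorted(set(ports)))


def disable_auth_ports(ini_text: str, ports: Iterable[int]) -> str:
    """Return ini_text with [settings]/DisableAUTHList containing at least `ports`.

    Every other line (other sections, keys, ';' comments) is kept as-is, which is
    why configparser is not used: it drops comments and lowercases keys. Creates
    [settings] if it is missing, appends the key inside an existing [settings],
    or merges into an existing DisableAUTHList. Running it twice changes nothing.
    """
    wanted = set(ports)
    out, in_settings, seen_settings, written = [], False, False, False
    for line in ini_text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header:
            if in_settings and not written:  # leaving [settings] without the key
                out.append(f"DisableAUTHList={format_ports(wanted)}")
                written = True
            in_settings = header.group("name").lower() == "settings"
            seen_settings = seen_settings or in_settings
        elif in_settings and not written:
            key = KEY_RE.match(line.strip())
            if key:
                merged = parse_ports(key.group("value")) | wanted
                out.append(f"DisableAUTHList={format_ports(merged)}")
                written = True
                continue
        out.append(line)
    if not written:
        if not seen_settings:
            if out and out[-1].strip():
                out.append("")
            out.append("[settings]")
        out.append(f"DisableAUTHList={format_ports(wanted)}")
    return "\n".join(out) + "\n"


def restart_service(name: str = SERVICE_NAME) -> None:
    """The new setting only took effect after a restart in the thread above."""
    subprocess.run(["net", "stop", name], check=True)
    subprocess.run(["net", "start", name], check=True)


if __name__ == "__main__":
    ports = [int(p) for p in sys.argv[1:]] or [25]
    # surrogateescape round-trips any non-UTF-8 bytes an old ANSI file may contain
    original = INI_PATH.read_text(encoding="utf-8", errors="surrogateescape")
    updated = disable_auth_ports(original, ports)
    if updated != original:
        INI_PATH.with_suffix(".ini.bak").write_text(original, encoding="utf-8", errors="surrogateescape")
        INI_PATH.write_text(updated, encoding="utf-8", errors="surrogateescape")
    restart_service()
```

Run it from an elevated prompt (the Bin folder under Program Files is not writable otherwise) with the ports to disable as arguments, e.g. `python disable_auth.py 25`. It keeps a .bak copy of the previous file, and only ports you name are added; nothing is ever removed from an existing list, so a port that clients still authenticate on will not be disabled by accident unless you pass it.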

RDadmin
New user
Posts: 22
Joined: 2019-06-13 04:05

Re: SMTP AUTH?

Post by RDadmin » 2019-10-08 00:19

Hi Matt,

Restarting service fixed the issue. I was under the impression I already restarted.

Thanks for the support mate.
