
hMailServer.Message Object

Posted: 2019-04-14 06:38
by VadaDosa
Hi,

A few weeks ago, I was completely new to hMailServer and since then I am kind of hooked on it due to its simplicity. Very simple :) and a good :) product.
I must have done many experiments with various objects of hMailServer.

I discovered something interesting about the hMailServer.Message object. This object allows sending email without authentication :!:
First, I thought there could be a built-in Application wrapper around this object, but I did not encounter any authentication problem and the "Save" method of the hMailServer.Message object sends email without any authentication failure message. :roll:

All tests were done with hMailServer 5.6.8 - Build 2431 (BETA) on server and mail client on separate desktop machine. The hMailServer is configured for authentication required.

I did not find anyone bringing this behaviour of the hMailServer.Message object to this forum, so I thought of sharing it with you. Please feel free to post comments on this so a fix can be included in the next release.

The following is a small script that was used to send email without authentication.
Dim hm As New hMailServer.Message
hm.FromAddress = FromEmail
hm.AddRecipient("", ToAddr)
hm.Subject = Subject
hm.HTMLBody = Msgbody
hm.Save()

Have fun guys,
Vada Dosa

Re: hMailServer.Message Object

Posted: 2019-04-14 06:58
by katip
VadaDosa wrote:
2019-04-14 06:38
All tests were done with hMailServer 5.6.8 - Build 2431 (BETA) on server and mail client on separate desktop machine.
what test have you done on mail client on separate desktop machine?

Re: hMailServer.Message Object

Posted: 2019-04-14 07:22
by VadaDosa
Testing was done mostly for sending emails and maintaining email records.

Re: hMailServer.Message Object

Posted: 2019-04-14 08:06
by katip
ok, what was your experience?
have you been able to send a message from your client without authentication?

Re: hMailServer.Message Object

Posted: 2019-04-14 09:13
by jimimaseye
All tests were done with hMailServer 5.6.8 - Build 2431 (BETA) on server and mail client on separate desktop machine. The hMailServer is configured for authentication required.
Let's see.

1, run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914

2, please post the log file showing all SMTPC and SMTPD entries of that mail being passed to the server and being delivered out. (for both script composed message and email client messages)

[Entered by mobile. Excuse my spelling.]

Re: hMailServer.Message Object

Posted: 2019-04-14 12:14
by mattg
The hmailserver object ONLY exists on the server, or on another machine with the hMailserver server installed

Your script is not VBS
What language is it??

Re: hMailServer.Message Object

Posted: 2019-04-14 12:26
by mattg
I just did this in VBS on my server

Code:

dim hm
Set hm = CreateObject("hMailServer.Message")
hm.From = "President"
hm.FromAddress = "president@whitehouse.com"
hm.Body = "Test sending" & vbCrLf 
hm.subject = "Test Subject"
Call hm.AddRecipient ("MattG", "mygmailaddress@gmail.com")
hm.Save
And it sent.

There were no SMTPD lines in my logs, and I have external to external requiring AUTH

These are my logs

Code:

"DEBUG"	35604	"2019-04-14 20:16:34.252"	"Requesting SMTPDeliveryManager to start message delivery"
"DEBUG"	87128	"2019-04-14 20:16:34.263"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	81608	"2019-04-14 20:16:34.263"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	81608	"2019-04-14 20:16:34.263"	"Delivering message..."
"APPLICATION"	81608	"2019-04-14 20:16:34.263"	"SMTPDeliverer - Message 1179349: Delivering message from president@whitehouse.com to mygmailaddress@gmail.com. File: c:\hMailServer\Data\{DC5D1E6A-1858-48D4-9DA1-2BCF2574AC42}.eml"
"DEBUG"	81608	"2019-04-14 20:16:34.263"	"Executing event OnDeliveryStart"
"DEBUG"	81608	"2019-04-14 20:16:34.295"	"Event completed"
"DEBUG"	81608	"2019-04-14 20:16:34.295"	"Applying rules"

All of my global rules ran here...

"DEBUG"	81608	"2019-04-14 20:16:34.815"	"Executing event OnDeliverMessage"
"DEBUG"	81608	"2019-04-14 20:16:34.842"	"Event completed"
"DEBUG"	81608	"2019-04-14 20:16:34.842"	"Performing local delivery"
"DEBUG"	81608	"2019-04-14 20:16:34.842"	"Local delivery completed"
"TCPIP"	81608	"2019-04-14 20:16:34.842"	"DNS MX lookup: gmail.com"
"TCPIP"	81608	"2019-04-14 20:16:34.842"	"DNS - MX Result: 5 IP addresses were found."
"DEBUG"	81608	"2019-04-14 20:16:34.842"	"Starting external delivery process. Server: gmail-smtp-in.l.google.com (74.125.200.26), Port: 25, Security: 2, User name: "
"DEBUG"	81608	"2019-04-14 20:16:34.857"	"Creating session 9638"
"TCPIP"	81608	"2019-04-14 20:16:34.857"	"Connecting to 74.125.200.26:25..."
"DEBUG"	87484	"2019-04-14 20:16:34.873"	"TCP connection started for session 9638"
"SMTPC"	87484	9638	"2019-04-14 20:16:35.280"	"74.125.200.26"	"RECEIVED: 220 mx.google.com ESMTP r15si26209076pfn.4 - gsmtp"
"SMTPC"	87484	9638	"2019-04-14 20:16:35.280"	"74.125.200.26"	"SENT: EHLO it4doctors.com.au"
"SMTPC"	87484	9638	"2019-04-14 20:16:35.560"	"74.125.200.26"	"RECEIVED: 250-mx.google.com at your service, [49.176.216.49][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250 SMTPUTF8"
"SMTPC"	87484	9638	"2019-04-14 20:16:35.560"	"74.125.200.26"	"SENT: STARTTLS"
"SMTPC"	87640	9638	"2019-04-14 20:16:35.826"	"74.125.200.26"	"RECEIVED: 220 2.0.0 Ready to start TLS"
"DEBUG"	87640	"2019-04-14 20:16:35.826"	"Performing SSL/TLS handshake for session 9638. Verify certificate: True, Expected remote host name: gmail-smtp-in.l.google.com"
"DEBUG"	87640	"2019-04-14 20:16:35.967"	"Certificate verification succeeded for session 9638."
"TCPIP"	82356	"2019-04-14 20:16:36.107"	"TCPConnection - TLS/SSL handshake completed. Session Id: 9638, Remote IP: 74.125.200.26, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"SMTPC"	82356	9638	"2019-04-14 20:16:36.107"	"74.125.200.26"	"SENT: EHLO example.com"
"SMTPC"	87484	9638	"2019-04-14 20:16:36.373"	"74.125.200.26"	"RECEIVED: 250-mx.google.com at your service, [49.176.216.49][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC"	87484	9638	"2019-04-14 20:16:36.373"	"74.125.200.26"	"SENT: MAIL FROM:<president@whitehouse.com>"
"SMTPC"	87640	9638	"2019-04-14 20:16:36.654"	"74.125.200.26"	"RECEIVED: 250 2.1.0 OK r15si26209076pfn.4 - gsmtp"
"SMTPC"	87640	9638	"2019-04-14 20:16:36.654"	"74.125.200.26"	"SENT: RCPT TO:<mygmailaddress@gmail.com>"
"SMTPC"	82356	9638	"2019-04-14 20:16:36.982"	"74.125.200.26"	"RECEIVED: 250 2.1.5 OK r15si26209076pfn.4 - gsmtp"
"SMTPC"	82356	9638	"2019-04-14 20:16:36.982"	"74.125.200.26"	"SENT: DATA"
"SMTPC"	87484	9638	"2019-04-14 20:16:37.263"	"74.125.200.26"	"RECEIVED: 354  Go ahead r15si26209076pfn.4 - gsmtp"
"SMTPC"	87484	9638	"2019-04-14 20:16:37.263"	"74.125.200.26"	"SENT: [nl]."
"SMTPC"	87640	9638	"2019-04-14 20:16:37.701"	"74.125.200.26"	"RECEIVED: 250 2.0.0 OK  1555236994 r15si26209076pfn.4 - gsmtp"
"SMTPC"	87640	9638	"2019-04-14 20:16:37.701"	"74.125.200.26"	"SENT: QUIT"
"SMTPC"	82356	9638	"2019-04-14 20:16:37.967"	"74.125.200.26"	"RECEIVED: 221 2.0.0 closing connection r15si26209076pfn.4 - gsmtp"
"DEBUG"	82356	"2019-04-14 20:16:37.967"	"Ending session 9638"
"DEBUG"	81608	"2019-04-14 20:16:37.967"	"External delivery process completed"
The message was delivered to my SPAM folder on my gMail account.

Headers show my IP address.

Unsure how this could be sent from another hmailserver machine though
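
Added example, not part of any post in this thread: a Python sketch of how an administrator could spot this in the hMailServer log, by flagging SMTPDeliverer deliveries whose sender has no SMTPD session that reached DATA shortly beforehand. The sample lines, message ids, the 10-minute window and the sender-based matching are assumptions made here; the field layout follows the log excerpts above.

```python
import re
from datetime import datetime, timedelta

DELIVER_RE = re.compile(
    r"SMTPDeliverer - Message (\d+): Delivering message from (\S*) to (.+?)\. File:")
MAIL_FROM_RE = re.compile(r"RECEIVED: MAIL FROM:\s*<([^>]*)>", re.I)

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

def find_unsourced_deliveries(log_text, window=timedelta(minutes=10)):
    """Return deliveries with no matching inbound SMTP session (heuristic).

    The log has no field linking an SMTPD session to a message id, so the
    match is by envelope sender and time. Retries and server-generated
    mail will also show up and need manual review.
    """
    pending = {}     # SMTPD session id -> sender from MAIL FROM
    accepted = []    # (time, sender) for sessions that went on to DATA
    deliveries = []  # (time, message id, sender, recipients)
    for line in log_text.splitlines():
        f = [x.strip('"') for x in line.split("\t")]
        if f[0] == "SMTPD" and len(f) >= 6:
            session, when, msg = f[2], _ts(f[3]), f[5]
            m = MAIL_FROM_RE.match(msg)
            if m:
                pending[session] = m.group(1).lower()
            elif msg.upper().startswith("RECEIVED: DATA") and session in pending:
                accepted.append((when, pending.pop(session)))
        elif f[0] == "APPLICATION" and len(f) >= 4:
            m = DELIVER_RE.search(f[3])
            if m:
                deliveries.append((_ts(f[2]), m.group(1), m.group(2).lower(), m.group(3)))
    flagged = []
    for when, msg_id, sender, rcpts in deliveries:
        if not any(s == sender and timedelta(0) <= when - t <= window
                   for t, s in accepted):
            flagged.append({"message_id": msg_id, "from": sender, "to": rcpts,
                            "time": when.isoformat(sep=" ")})
    return flagged

# Constructed sample: message 2001 arrives over SMTP; message 2002 is
# delivered although its only SMTP session was refused with 530.
SAMPLE_LOG = "\n".join([
    '"SMTPD"\t3228\t1300\t"2019-04-14 14:30:00.100"\t"192.168.0.60"\t"RECEIVED: MAIL FROM:<alice@example.test>"',
    '"SMTPD"\t3228\t1300\t"2019-04-14 14:30:00.200"\t"192.168.0.60"\t"RECEIVED: DATA"',
    '"APPLICATION"\t4100\t"2019-04-14 14:30:01.000"\t"SMTPDeliverer - Message 2001: Delivering message from alice@example.test to bob@example.org. File: C:\\data\\a.eml"',
    '"SMTPD"\t3228\t1301\t"2019-04-14 14:31:00.100"\t"192.168.0.60"\t"RECEIVED: MAIL FROM:<script@example.test>"',
    '"SMTPD"\t3228\t1301\t"2019-04-14 14:31:00.200"\t"192.168.0.60"\t"SENT: 530 SMTP authentication is required."',
    '"APPLICATION"\t4100\t"2019-04-14 14:31:05.000"\t"SMTPDeliverer - Message 2002: Delivering message from script@example.test to carol@example.org. File: C:\\data\\b.eml"',
])

if __name__ == "__main__":
    for hit in find_unsourced_deliveries(SAMPLE_LOG):
        print(hit)
```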

Re: hMailServer.Message Object

Posted: 2019-04-14 12:45
by jimimaseye
mattg wrote:
2019-04-14 12:26
I just did this in VBS on my server
.
.
.
The message was delivered to my SPAM folder on my gMail account.

Headers show my IP address.

Unsure how this could be sent from another hmailserver machine though
Presumably there is an argument that says if the message is via a script using the hmailserver object, and given that writing the script must involve controlled and careful decision and implementation, then the script (object), which is a property of the mailserver, must already be theoretically authorised by default by the server administrator/implementer (and therefore doesn't require official programmatic authentication). In other words, why would the mail server require to authenticate to itself to send its own messages that it created itself?

Re: hMailServer.Message Object

Posted: 2019-04-14 13:54
by katip
it came to my attention some time ago when i was trying jimimaseye's email clearup script (delete mails older than x days). after finishing the job it sends a report. this is not logged by SMTP.
on server that's a known feature. anyone who is logged on the box can do this among countless other things. thumb rule:
#1 change OS administrator account name
#2 keep your OS logon credentials safe

actually i was wondering why OP was mentioning some tests on client machine. this is another thing.

Re: hMailServer.Message Object

Posted: 2019-04-14 14:38
by SorenR
katip wrote:
2019-04-14 13:54
it came to my attention some time ago when i was trying jimimaseye's email clearup script (delete mails older than x days). after finishing the job it sends a report. this is not logged by SMTP.
on server that's a known feature. anyone who is logged on the box can do this among countless other things. thumb rule:
#1 change OS administrator account name
#2 keep your OS logon credentials safe

actually i was wondering why OP was mentioning some tests on client machine. this is another thing.
It works from a client also but you need to tell it what server to use. Install hMailAdmin to install COM/DCOM on a client without hMailServer.

Code:

With CreateObject("hMailServer.Application", "my_hmailserver")
   dim hm
   Set hm = CreateObject("hMailServer.Message")
   hm.From = "Wile E. Coyote"
   hm.FromAddress = "wile.e.coyote@acme.inc"
   hm.Body = "Test sending" & vbCrLf 
   hm.subject = "Test Subject"
   hm.AddRecipient "Root", "someone@not-gmail.com"
   hm.Save
   Set hm = Nothing
End With
This is interesting... "acme.inc" IS a domain on my server. Change recipient to gmail and mail passes without a trace. Netbios name of my laptop is "SR".

All my ranges require AUTH for local-to-local and local-to-external so how it should be able to send from @acme.inc to @gmail.com without authentication I have no clue.

Code:

"SMTPD"	3228	1201	"2019-04-14 14:16:46.666"	"192.168.0.60"	"SENT: 220 mx.mydomain.tld ESMTP"
"SMTPD"	3228	1201	"2019-04-14 14:16:46.666"	"192.168.0.60"	"RECEIVED: HELO SR"
"SMTPD"	3228	1201	"2019-04-14 14:16:46.682"	"192.168.0.60"	"SENT: 250 Hello."
"SMTPD"	3228	1201	"2019-04-14 14:16:46.682"	"192.168.0.60"	"RECEIVED: MAIL FROM:<president@whitehouse.com>"
"SMTPD"	3228	1201	"2019-04-14 14:16:46.682"	"192.168.0.60"	"SENT: 250 OK"
"SMTPD"	3228	1201	"2019-04-14 14:16:46.682"	"192.168.0.60"	"RECEIVED: RCPT TO:<postmaster@mydomain.tld>"
"SMTPD"	3228	1201	"2019-04-14 14:16:46.682"	"192.168.0.60"	"SENT: 550 Delivery is not allowed to this address."
"SMTPD"	3228	1201	"2019-04-14 14:16:46.697"	"192.168.0.60"	"RECEIVED: QUIT"
"SMTPD"	3228	1201	"2019-04-14 14:16:46.697"	"192.168.0.60"	"SENT: 221 goodbye"

"SMTPD"	3228	1224	"2019-04-14 14:19:20.583"	"192.168.0.60"	"SENT: 220 mx.mydomain.tld ESMTP"
"SMTPD"	3228	1224	"2019-04-14 14:19:20.583"	"192.168.0.60"	"RECEIVED: HELO SR"
"SMTPD"	3228	1224	"2019-04-14 14:19:20.599"	"192.168.0.60"	"SENT: 250 Hello."
"SMTPD"	3228	1224	"2019-04-14 14:19:20.599"	"192.168.0.60"	"RECEIVED: MAIL FROM:<wile.e.coyote@acme.inc>"
"SMTPD"	3228	1224	"2019-04-14 14:19:20.599"	"192.168.0.60"	"SENT: 250 OK"
"SMTPD"	3228	1224	"2019-04-14 14:19:20.599"	"192.168.0.60"	"RECEIVED: RCPT TO:<postmaster@mydomain.tld>"
"SMTPD"	3228	1224	"2019-04-14 14:19:20.599"	"192.168.0.60"	"SENT: 530 SMTP authentication is required."
"SMTPD"	3228	1224	"2019-04-14 14:19:20.614"	"192.168.0.60"	"RECEIVED: QUIT"
"SMTPD"	3228	1224	"2019-04-14 14:19:20.614"	"192.168.0.60"	"SENT: 221 goodbye"

Re: hMailServer.Message Object

Posted: 2019-04-14 15:08
by katip
SorenR wrote:
2019-04-14 14:38
It works from a client also but you need to tell it what server to use. Install hMailAdmin to install COM/DCOM on a client without hMailServer.

Code:

With CreateObject("hMailServer.Application", "my_hmailserver")
   dim hm
   Set hm = CreateObject("hMailServer.Message")
   hm.From = "Wile E. Coyote"
   hm.FromAddress = "wile.e.coyote@acme.inc"
   hm.Body = "Test sending" & vbCrLf 
   hm.subject = "Test Subject"
   hm.AddRecipient "Root", "someone@not-gmail.com"
   hm.Save
   Set hm = Nothing
End With
doesn't work here. tried netbios name, IP, domain, no avail.
hMailAdmin works on my client PC since day #1
[Attachment: Untitled 1.png]

Re: hMailServer.Message Object

Posted: 2019-04-14 17:47
by SorenR
With CreateObject("hMailServer.Application", "192.168.0.5")

... also works for me. In hMailAdmin choose Alt+F "Connect" and use what it says in the Host column.

Re: hMailServer.Message Object

Posted: 2019-04-14 18:38
by katip
SorenR wrote:
2019-04-14 17:47
With CreateObject("hMailServer.Application", "192.168.0.5")

... also works for me. In hMailAdmin choose Alt+F "Connect" and use what it says in the Host column.
yes, sure, i know my server's IP nr. :o
Error explanation is clear to me: service does not exist.
so true, i have on my PC only hMailAdmin installed (as installation option offered), without HMS service. typical client Admin install.

Re: hMailServer.Message Object

Posted: 2019-04-14 18:42
by SorenR
katip wrote:
2019-04-14 18:38
SorenR wrote:
2019-04-14 17:47
With CreateObject("hMailServer.Application", "192.168.0.5")

... also works for me. In hMailAdmin choose Alt+F "Connect" and use what it says in the Host column.
yes, sure, i know my server's IP nr. :o
Error explanation is clear to me: service does not exist.
so true, i have on my PC only hMailAdmin installed (as installation option offered), without HMS service. typical client Admin install.
What does line 4 in your script say?

Re: hMailServer.Message Object

Posted: 2019-04-14 19:05
by katip
SorenR wrote:
2019-04-14 18:42
What does line 4 in your script say?
Set hm = CreateObject("hMailServer.Message")

Re: hMailServer.Message Object

Posted: 2019-04-14 19:21
by VadaDosa
Hi,

FYI:
Below code is VB.NET and Visual Studio 2016. Can I also see Martin's comments. I guess he is the one who would provide fix for this.

Dim hm As New hMailServer.Message
hm.FromAddress = FromEmail
hm.AddRecipient("", ToAddr)
hm.Subject = Subject
hm.HTMLBody = Msgbody
hm.Save()

Have fun guys,
Vada Dosa

Re: hMailServer.Message Object

Posted: 2019-04-14 19:50
by jimimaseye
VadaDosa wrote:
2019-04-14 19:21
Can I also see Martin's comments. I guess he is the one who would provide fix for this.
Doubt it. He hasn't been seen since 02/2018. He isn't really active any more.

Re: hMailServer.Message Object

Posted: 2019-04-14 20:17
by katip
jimimaseye wrote:
2019-04-14 19:50
VadaDosa wrote:
2019-04-14 19:21
Can I also see Martin's comments. I guess he is the one who would provide fix for this.
Doubt it. He hasn't been seen since 02/2018. He isn't really active any more.
so what? do we admit HMS is an open relay by design via remote scripting?
and this without leaving a trace? are you serious?

Re: hMailServer.Message Object

Posted: 2019-04-14 20:49
by VadaDosa
Martin is not following this forum then who has released hMailServer 5.6.8 - Build 2431 (BETA) on 2018-03-27? :roll:

I guess HMS could be considered as an open relay until fix is provided. :twisted:

Re: hMailServer.Message Object

Posted: 2019-04-14 20:57
by SorenR
VadaDosa wrote:
2019-04-14 20:49
Martin is not following this forum then who has released hMailServer 5.6.8 - Build 2431 (BETA) on 2018-03-27? :roll:

I guess HMS could be considered as an open relay until fix is provided. :twisted:
Last active on forum 27 Jan 2019, 21:48.
People report stuff on Github if Martin needs to see it.

Re: hMailServer.Message Object

Posted: 2019-04-14 20:59
by jimimaseye
katip wrote:
2019-04-14 20:17
jimimaseye wrote:
2019-04-14 19:50
VadaDosa wrote:
2019-04-14 19:21
Can I also see Martin's comments. I guess he is the one who would provide fix for this.
Doubt it. He hasn't been seen since 02/2018. He isn't really active any more.
so what? do we admit HMS is an open relay by design via remote scripting?
and this without leaving a trace? are you serious?
My point being that if you wait for him to make a comment on this subject in the forum then you will be waiting a long time. There are many topics and issues, some far more serious and important (OpenSSL 1.0.x becoming obsolete and HMS not compatible with 1.1, TLS v1.3 implementation, memory restrictions with IMAP and no official 64bit version as yet etc etc), that need addressing by Martin but he hasn't been seen since last year - even on Github his last activity was July.

Re: hMailServer.Message Object

Posted: 2019-04-14 21:43
by VadaDosa
HMS not compatible with 1.1, TLS v1.3 implementation
That being said, what is the alternative? :wink:

Re: hMailServer.Message Object

Posted: 2019-04-14 22:00
by jimimaseye
VadaDosa wrote:
2019-04-14 21:43
HMS not compatible with 1.1, TLS v1.3 implementation
That being said, what is the alternative? :wink:
Forum member 'Dravion' has his own fork of Hmailserver which (I think) he has adapted for LibreSSL and a 64 bit version, but I may be wrong. I'm sure he will chip in when he sees this.

Re: hMailServer.Message Object

Posted: 2019-04-15 08:48
by mattg
Again
mattg wrote:
2019-04-14 12:26
Unsure how this could be sent from another hmailserver machine though
unless you install hmailadmin on another LAN machine as SorenR has done

I don't believe for a second that being able to send from your server without AUTH, or even from a known LAN install when you have specifically allowed a LAN connection to hMailAdmin, without AUTH is a huge security issue.

I do not believe that you could send via my hMailserver for instance..

Re: hMailServer.Message Object

Posted: 2019-04-15 12:17
by SorenR
mattg wrote:
2019-04-15 08:48
Again
mattg wrote:
2019-04-14 12:26
Unsure how this could be sent from another hmailserver machine though
unless you install hmailadmin on another LAN machine as SorenR has done

I don't believe for a second that being able to send from your server without AUTH, or even from a known LAN install when you have specifically allowed a LAN connection to hMailAdmin, without AUTH is a huge security issue.

I do not believe that you could send via my hMailserver for instance..
https://support.microsoft.com/en-us/hel ... d-firewall

Re: hMailServer.Message Object

Posted: 2019-04-15 12:23
by mattg
So may be an issue with a hMailserver that runs IPv6?

IPv6 doesn't use NAT

Re: hMailServer.Message Object

Posted: 2019-04-15 12:28
by mattg

Re: hMailServer.Message Object

Posted: 2019-04-16 06:34
by VadaDosa
Hey! mattg,

I took all efforts in bringing this product vulnerability to all of you.
I would have appreciated it if you could have at least put a link back to this posting in your github message. :evil:

Have fun guys,
Vada Dosa

Re: hMailServer.Message Object

Posted: 2019-04-19 05:58
by VadaDosa
Good work mattg for putting the backlink to this forum on your github message. :) :D

Have fun guys,
Vada Dosa

Re: hMailServer.Message Object

Posted: 2019-04-22 05:14
by mattg
And for the record, I didn't change my GitHub post, it already had the link to this thread in it.

I've been on leave in an area with no mobile coverage the past almost-a-week