Urgent help! Why can someone send an email through my mail server without verification?

fz123456
New user
Posts: 4
Joined: 2019-09-24 09:18

Urgent help! Why can someone send an email through my mail server without verification?

Post by fz123456 » 2019-09-24 09:27

Urgent help! Why can someone send an email through my mail server without verification?

The validation username he submitted did not exist on my server at all, but he passed the validation and then sent an email.

Help, is this a system bug, or am I setting up a problem?

Thanks a lot for your help!
Attachments
Snipaste_2019-09-24_15-24-48.jpg

fz123456
New user
Posts: 4
Joined: 2019-09-24 09:18

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by fz123456 » 2019-09-24 09:33

Please help me, thanks a lot!

jimimaseye
Moderator
Posts: 8118
Joined: 2011-09-08 17:48

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by jimimaseye » 2019-09-24 10:32

run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914 Then we will point out your mistake.

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by RvdH » 2019-09-24 10:39

You have a compromised account (username: hnjz). By default hMailServer allows an authenticated user to send from any email address for the domains you own/host.

Many of us use scripts to only allow authenticated users in the same domain or only from the authenticated account; below you find some examples of such scripts:
https://vdhout.nl/2015/04/hmailserver-d ... ed-account


You also might wanna disable the default domain; that way a username has to be the full email address.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

fz123456
New user
Posts: 4
Joined: 2019-09-24 09:18

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by fz123456 » 2019-09-24 15:12

Thanks a lot for your help. @jimimaseye @RvdH

1. Could you tell me which record points out that the compromised account is "hnjz"? Thanks a lot.

2. I enable VBScript, reboot my server, and copy the third script like this; does that work?

Thanks for your help, I really appreciate it.


--------------------------------------------------------------------
' Sub OnClientConnect(oClient)
' End Sub


Sub OnSMTPData(oClient, oMessage)
    ' Denies any mail not sent from the authenticated account or one of its aliases.
    ' Note: the script expects the login name to be a full address (user@domain),
    ' so the default domain should be disabled as advised above.
    On Error Resume Next
    If oClient.Username <> "" Then
        If LCase(oClient.Username) <> LCase(oMessage.FromAddress) Then
            Dim obBaseApp
            Set obBaseApp = CreateObject("hMailServer.Application")
            Call obBaseApp.Authenticate("Administrator", "***************") 'PUT YOUR PASSWORD HERE

            ' Split the login name and the envelope sender into local part and domain.
            Dim StrClientDomain, StrFromDomain, StrFromAddress
            StrClientDomain = Split(oClient.Username, "@")(1)
            StrFromDomain = Split(oMessage.FromAddress, "@")(1)

            Dim obDomain
            Set obDomain = obBaseApp.Domains.ItemByName(StrClientDomain)

            Dim obAliases
            Dim obAlias
            Dim iAliases
            Dim AliasFound : AliasFound = False

            ' Sender domain differs from the login domain: accept it only if it is a domain alias.
            If LCase(StrClientDomain) <> LCase(StrFromDomain) Then
                Set obAliases = obDomain.DomainAliases
                For iAliases = 0 To (obAliases.Count - 1)
                    Set obAlias = obAliases.Item(iAliases)
                    If LCase(obAlias.AliasName) = LCase(StrFromDomain) Then
                        AliasFound = True
                        Exit For
                    End If
                Next
                If AliasFound Then
                    ' Normalise the sender onto the primary domain so it can be compared to the account.
                    StrFromAddress = Split(oMessage.FromAddress, "@")(0) & "@" & StrClientDomain
                End If
            Else
                StrFromAddress = oMessage.FromAddress
                AliasFound = True
            End If

            ' Sender still differs from the login name: accept it only if it is an
            ' active account alias that points at the authenticated account.
            If LCase(oClient.Username) <> LCase(StrFromAddress) Then
                If AliasFound Then
                    Set obAliases = obDomain.Aliases
                    AliasFound = False
                    For iAliases = 0 To (obAliases.Count - 1)
                        Set obAlias = obAliases.Item(iAliases)
                        If (obAlias.Active) And (LCase(obAlias.Name) = LCase(StrFromAddress)) And (LCase(obAlias.Value) = LCase(oClient.Username)) Then
                            AliasFound = True
                            Exit For
                        End If
                    Next
                End If

                If Not AliasFound Then
                    Result.Value = 2
                    Result.Message = "BLOCKED: You are only allowed to send from your own account or any of its aliases."
                    EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " is not the authenticated user or an alias, eg: " & oClient.Username)
                End If
            End If
        End If
    End If
    Err.Clear
    On Error GoTo 0
End Sub


' Sub OnAcceptMessage(oClient, oMessage)
' End Sub

' Sub OnDeliveryStart(oMessage)
' End Sub

' Sub OnDeliverMessage(oMessage)
' End Sub

' Sub OnBackupFailed(sReason)
' End Sub

' Sub OnBackupCompleted()
' End Sub

' Sub OnError(iSeverity, iCode, sSource, sDescription)
' End Sub

' Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
' End Sub

' Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
' End Sub

palinka
Senior user
Posts: 1096
Joined: 2017-09-12 17:57

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by palinka » 2019-09-24 15:28

fz123456 wrote:
2019-09-24 15:12
Thanks a lot for your help. @jimimaseye @RvdH

1、could you tel me which record can be point out the compromised account is "hnjz", thanks a lot.
decode base64: "aG5qeg==" is "hnjz"

That was the user sent for authentication in your log snippet.

fz123456
New user
Posts: 4
Joined: 2019-09-24 09:18

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by fz123456 » 2019-09-25 02:11

I got it! Thanks @palinka

maxtor
New user
Posts: 2
Joined: 2019-10-09 04:18

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by maxtor » 2019-10-09 04:36

I have the same problem, a spammer sends mail through my server with credentials.
Here is the log of the activity:

"TCPIP" 51408 "2019-10-08 12:25:22.264" "TCP - 124.81.236.122 connected to 192.168.0.102:587."
"SMTPD" 51408 185858 "2019-10-08 12:25:22.268" "124.81.236.122" "SENT: 220 Helo maxtor_smtp here!"
"SMTPD" 25140 185858 "2019-10-08 12:25:22.898" "124.81.236.122" "RECEIVED: EHLO 192.168.1.12" this ip is not in my internal range
"SMTPD" 25140 185858 "2019-10-08 12:25:22.899" "124.81.236.122" "SENT: 250-maxtor_smtp[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 48396 185858 "2019-10-08 12:25:23.529" "124.81.236.122" "RECEIVED: AUTH LOGIN"
"SMTPD" 48396 185858 "2019-10-08 12:25:23.529" "124.81.236.122" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 51408 185858 "2019-10-08 12:25:24.160" "124.81.236.122" "RECEIVED: Y2xhdWRpb0BtYXJxdWV0LmNvbS5hcg=="
"SMTPD" 51408 185858 "2019-10-08 12:25:24.161" "124.81.236.122" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 25140 185858 "2019-10-08 12:25:24.791" "124.81.236.122" "RECEIVED: ***"
"SMTPD" 25140 185858 "2019-10-08 12:25:24.798" "124.81.236.122" "SENT: 235 authenticated."
"SMTPD" 51408 185858 "2019-10-08 12:25:25.428" "124.81.236.122" "RECEIVED: MAIL FROM: <claudio@mydomain.com.ar>"
"SMTPD" 51408 185858 "2019-10-08 12:25:25.431" "124.81.236.122" "SENT: 250 OK"
"SMTPD" 25140 185858 "2019-10-08 12:25:26.062" "124.81.236.122" "RECEIVED: RCPT TO: <samuelv1985@hotmail.com>"
"SMTPD" 25140 185858 "2019-10-08 12:25:26.067" "124.81.236.122" "SENT: 250 OK"
"SMTPD" 51408 185858 "2019-10-08 12:25:26.697" "124.81.236.122" "RECEIVED: DATA"
"SMTPD" 51408 185858 "2019-10-08 12:25:26.699" "124.81.236.122" "SENT: 354 OK, send."
"TCPIP" 63216 "2019-10-08 12:25:39.759" "DNS - Query failure. Treating as temporary failure. Query: 122.236.81.124.in-addr.arpa, Type: 12, DnsQuery return value: 1460."
"SMTPD" 6092 185858 "2019-10-08 12:25:39.768" "124.81.236.122" "SENT: 250 Queued (13.056 seconds)"
"APPLICATION" 64664 "2019-10-08 12:25:39.769" "SMTPDeliverer - Message 5480: Delivering message from claudio@mydomain.com.ar to samuelv1985@hotmail.com. File: C:\Program Files (x86)\hMailServer\Data\{080B45D3-B453-4867-A5C8-19343F146514}.eml"
"TCPIP" 64664 "2019-10-08 12:25:39.782" "DNS MX lookup: hotmail.com"
"TCPIP" 64664 "2019-10-08 12:25:39.798" "DNS - MX Result: 2 IP addresses were found."
"TCPIP" 64664 "2019-10-08 12:25:39.799" "Connecting to 104.47.5.33:25..."
"SMTPC" 25140 185861 "2019-10-08 12:25:40.331" "104.47.5.33" "RECEIVED: 220 HE1EUR02FT022.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 8 Oct 2019 15:25:00 +0000"
"SMTPC" 25140 185861 "2019-10-08 12:25:40.333" "104.47.5.33" "SENT: EHLO maxtor_smtp"
"SMTPC" 25140 185861 "2019-10-08 12:25:40.691" "104.47.5.33" "RECEIVED: 250-HE1EUR02FT022.mail.protection.outlook.com Hello [myIP][nl]250-SIZE 49283072[nl]250-PIPELINING[nl]250-DSN[nl]250-ENHANCEDSTATUSCODES[nl]250-STARTTLS[nl]250-8BITMIME[nl]250-BINARYMIME[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 25140 185861 "2019-10-08 12:25:40.692" "104.47.5.33" "SENT: STARTTLS"
"TCPIP" 51408 "2019-10-08 12:25:40.746" "TCP - 45.142.195.150 connected to myinternalIP:587."
"SMTPC" 51408 185861 "2019-10-08 12:25:40.961" "104.47.5.33" "RECEIVED: 220 2.0.0 SMTP server ready"
"TCPIP" 63216 "2019-10-08 12:25:41.526" "TCPConnection - TLS/SSL handshake completed. Session Id: 185861, Remote IP: 104.47.5.33, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256"
"SMTPC" 63216 185861 "2019-10-08 12:25:41.527" "104.47.5.33" "SENT: EHLO maxtor_smtp"
"SMTPC" 25140 185861 "2019-10-08 12:25:41.794" "104.47.5.33" "RECEIVED: 250-HE1EUR02FT022.mail.protection.outlook.com Hello [myIP][nl]250-SIZE 49283072[nl]250-PIPELINING[nl]250-DSN[nl]250-ENHANCEDSTATUSCODES[nl]250-8BITMIME[nl]250-BINARYMIME[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 25140 185861 "2019-10-08 12:25:41.796" "104.47.5.33" "SENT: MAIL FROM:<claudio@mydomain.com.ar>"
"SMTPC" 63216 185861 "2019-10-08 12:25:42.069" "104.47.5.33" "RECEIVED: 250 2.1.0 Sender OK"
"SMTPC" 63216 185861 "2019-10-08 12:25:42.071" "104.47.5.33" "SENT: RCPT TO:<samuelv1985@hotmail.com>"
"SMTPC" 25140 185861 "2019-10-08 12:25:42.366" "104.47.5.33" "RECEIVED: 250 2.1.5 Recipient OK"
"SMTPC" 25140 185861 "2019-10-08 12:25:42.368" "104.47.5.33" "SENT: DATA"
"SMTPC" 51408 185861 "2019-10-08 12:25:42.636" "104.47.5.33" "RECEIVED: 354 Start mail input; end with <CRLF>.<CRLF>"
"SMTPC" 51408 185861 "2019-10-08 12:25:42.638" "104.47.5.33" "SENT: [nl]."
"SMTPC" 63216 185861 "2019-10-08 12:25:43.641" "104.47.5.33" "RECEIVED: 250 2.6.0 <49A64078-9DB0-B2C9-38F9-D385C53E2433@mydomain.com.ar> [InternalId=40188009044883, Hostname=HE1EUR02HT017.eop-EUR02.prod.protection.outlook.com] 8767 bytes in 0.380, 22.477 KB/sec Queued mail for delivery -> 250 2.1.5"
"SMTPC" 63216 185861 "2019-10-08 12:25:43.643" "104.47.5.33" "SENT: QUIT"
"SMTPC" 51408 185861 "2019-10-08 12:25:43.908" "104.47.5.33" "RECEIVED: 221 2.0.0 Service closing transmission channel"
"APPLICATION" 64664 "2019-10-08 12:25:43.910" "SMTPDeliverer - Message 5480: Message delivery thread completed."


I believe that it violates the local-to-external delivery policy that is activated for my use, but I can't understand how it can provide the password, even when I changed it!

Here is the log of the script. I have made some minor changes in configuration, but nothing that can give me the security that this will not occur anymore.


2019-10-08   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - esxxxxxxxxxxxx.com             Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\bin\dkim_Domain1.com.mail.key
                                                Selector:    mail

   "Domain2.com" - fixxxxxxxxxxxx.com.ar          Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\bin\dkim_Domain2.com.mail.key
                                                Selector:    mail

   "Domain3.com" - maxxxxx.com.ar                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\bin\dkim_Domain3.com.mail.key
                                                Selector:    mail
-----------------------------------------------------------------------------------------------

GLOBAL RULES
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:  False                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    -  True
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True !! Protocol DISABLED !!      SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      2
                              Minutes Before Reset:           30  (0,50 hours, 0,02 days)
                              Minutes to Autoban:            300  (5,00 hours, 0,21 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  1  No Retries:  4 Mins: 60   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:    10
Max Msg Size: 10240  Relay:-                   Incorrect endings: False  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:   2  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 3

IMAP
 !! Service Not Enabled !!
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  3       Use SPF:            True - 3    Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 4
  Add X-HmailServer-Reason:   True    Check MX records:  False    
  Add X-HmailServer-Subject:  True    Verify DKIM:        True - 5
              Subject Text: "[HMAILSERVER SPAM]"
  Spam delete threshold: 7         Maximum message size: 1024

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.*
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
                  psbl.surriel.com      Score: 3     Result: 127.0.0.*
            b.barracudacentral.org      Score: 4     Result: 127.0.0.*

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   No entries
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 143   / SMTP   -   None                
               0.0.0.0         / 1025  / SMTP   -   None                
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-10-08.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-10-08.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -      .
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory F:\BACKUP is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.98, Hmailserver Forum.



Thank you for your assistance!
Claudio

mattg
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by mattg » 2019-10-09 05:38

maxtor wrote:
2019-10-09 04:36
Here is the log of the activity:

"SMTPD" 48396 185858 "2019-10-08 12:25:23.529" "124.81.236.122" "RECEIVED: AUTH LOGIN"
"SMTPD" 48396 185858 "2019-10-08 12:25:23.529" "124.81.236.122" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 51408 185858 "2019-10-08 12:25:24.160" "124.81.236.122" "RECEIVED: Y2xhdWRpb0BtYXJxdWV0LmNvbS5hcg=="
"SMTPD" 51408 185858 "2019-10-08 12:25:24.161" "124.81.236.122" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 25140 185858 "2019-10-08 12:25:24.791" "124.81.236.122" "RECEIVED: ***"
"SMTPD" 25140 185858 "2019-10-08 12:25:24.798" "124.81.236.122" "SENT: 235 authenticated."
"SMTPD" 51408 185858 "2019-10-08 12:25:25.428" "124.81.236.122" "RECEIVED: MAIL FROM: <claudio@mydomain.com.ar>"
What happens here is that the password for <claudio@mydomain.com.ar> has been used successfully to AUTH, from someone at IP 124.81.236.122.

That IP address is in Indonesia.

You need to change THAT password ASAP.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
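palinka's base64 hint and mattg's reading of the log above, automated as an added example (not hMailServer's code, nor anyone's in this thread): it rebuilds each inbound SMTPD session from hMailServer's log format, decodes the AUTH LOGIN user name, and reports sessions whose MAIL FROM is not the account that logged in, which is the condition RvdH's script rejects, plus which IPs logged in as each account. The log lines are constructed in that format with RFC 5737 test addresses; only "aG5qeg==" (hnjz) is taken from the thread.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# hMailServer SMTPD line: "SMTPD" <thread> <session> "<timestamp>" "<remote ip>" "<text>"
LOG_RE = re.compile(r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"[^"]*"\s+"(?P<ip>[^"]*)"\s+"(?P<text>[^"]*)"')
MAIL_FROM_RE = re.compile(r"^RECEIVED:\s*MAIL FROM:\s*<?([^>\s]*)>?", re.IGNORECASE)
USERNAME_PROMPT = "SENT: 334 VXNlcm5hbWU6"  # base64("Username:")
PASSWORD_PROMPT = "SENT: 334 UGFzc3dvcmQ6"  # base64("Password:")


@dataclass
class AuthSession:
    session: str
    ip: str
    username: Optional[str] = None   # decoded AUTH LOGIN user name
    authenticated: bool = False      # server answered 235
    mail_from: Optional[str] = None  # envelope sender, lower-cased
    expecting: Optional[str] = None  # "user" / "pass" while the handshake is in flight


def decode_b64_token(token: str) -> Optional[str]:
    """Decode one base64 token; None if it is not base64 (e.g. the masked '***' password)."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_auth_sessions(lines) -> Dict[str, AuthSession]:
    """Rebuild, per session id, who logged in from which IP and what they sent MAIL FROM as."""
    sessions: Dict[str, AuthSession] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # TCPIP / SMTPC / APPLICATION lines are not the inbound session
        s = sessions.setdefault(m["session"], AuthSession(m["session"], m["ip"]))
        text = m["text"]
        if text.startswith(USERNAME_PROMPT):
            s.expecting = "user"
        elif text.startswith(PASSWORD_PROMPT):
            s.expecting = "pass"
        elif text.startswith("RECEIVED: ") and s.expecting == "user":
            s.username = decode_b64_token(text[len("RECEIVED: "):])
            s.expecting = None
        elif text.startswith("RECEIVED: ") and s.expecting == "pass":
            s.expecting = None  # hMailServer masks the password as ***; never try to recover it
        elif text.startswith("SENT: 235"):
            s.authenticated = True
        else:
            mf = MAIL_FROM_RE.match(text)
            if mf:
                s.mail_from = mf.group(1).lower()
    return sessions


def sender_mismatches(sessions: Dict[str, AuthSession]) -> List[Tuple[str, str, str, str]]:
    """Authenticated sessions whose MAIL FROM is not the login name (what the OnSMTPData script
    rejects). A bare user name (default domain on) never equals a full address: disable it."""
    return [(s.session, s.ip, s.username, s.mail_from) for s in sessions.values()
            if s.authenticated and s.username and s.mail_from and s.username.lower() != s.mail_from]


def authenticated_ips_by_user(sessions: Dict[str, AuthSession]) -> Dict[str, Set[str]]:
    """Source IPs that logged in successfully per account; one account from many IPs is the symptom here."""
    seen: Dict[str, Set[str]] = {}
    for s in sessions.values():
        if s.authenticated and s.username:
            seen.setdefault(s.username.lower(), set()).add(s.ip)
    return seen


# Constructed sample in the thread's log format (RFC 5737 addresses; "aG5qeg==" is the thread's "hnjz").
SAMPLE_LOG = """\
"TCPIP" 51408 "2019-10-08 12:25:22.264" "TCP - 192.0.2.10 connected to 10.0.0.5:587."
"SMTPD" 48396 900001 "2019-10-08 12:25:23.529" "192.0.2.10" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 51408 900001 "2019-10-08 12:25:24.160" "192.0.2.10" "RECEIVED: aG5qeg=="
"SMTPD" 51408 900001 "2019-10-08 12:25:24.161" "192.0.2.10" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 25140 900001 "2019-10-08 12:25:24.791" "192.0.2.10" "RECEIVED: ***"
"SMTPD" 25140 900001 "2019-10-08 12:25:24.798" "192.0.2.10" "SENT: 235 authenticated."
"SMTPD" 51408 900001 "2019-10-08 12:25:25.428" "192.0.2.10" "RECEIVED: MAIL FROM: <ceo@example.com>"
"SMTPD" 25140 900002 "2019-10-08 12:26:01.002" "198.51.100.7" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 25140 900002 "2019-10-08 12:26:01.500" "198.51.100.7" "RECEIVED: YWxpY2VAZXhhbXBsZS5jb20="
"SMTPD" 25140 900002 "2019-10-08 12:26:01.501" "198.51.100.7" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 25140 900002 "2019-10-08 12:26:02.000" "198.51.100.7" "RECEIVED: ***"
"SMTPD" 25140 900002 "2019-10-08 12:26:02.010" "198.51.100.7" "SENT: 535 Authentication failed."
"SMTPD" 63216 900003 "2019-10-08 12:27:10.001" "203.0.113.9" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 63216 900003 "2019-10-08 12:27:10.400" "203.0.113.9" "RECEIVED: YWxpY2VAZXhhbXBsZS5jb20="
"SMTPD" 63216 900003 "2019-10-08 12:27:10.401" "203.0.113.9" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 63216 900003 "2019-10-08 12:27:11.000" "203.0.113.9" "RECEIVED: ***"
"SMTPD" 63216 900003 "2019-10-08 12:27:11.010" "203.0.113.9" "SENT: 235 authenticated."
"SMTPD" 63216 900003 "2019-10-08 12:27:11.500" "203.0.113.9" "RECEIVED: MAIL FROM:<alice@example.com>"
"""

if __name__ == "__main__":
    found = parse_auth_sessions(SAMPLE_LOG.splitlines())
    for sid, ip, user, sender in sender_mismatches(found):
        print(f"session {sid}: {ip} authenticated as {user!r} but sent MAIL FROM {sender!r}")
    print(authenticated_ips_by_user(found))
```

Run it against a real hmailserver_YYYY-MM-DD.log (SMTP logging on) to get the same listing; the session id, not the thread id, is what ties the AUTH lines to the later MAIL FROM.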

maxtor
New user
Posts: 2
Joined: 2019-10-09 04:18

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by maxtor » 2019-10-09 16:10

Thank you for your response.
And how could he know the password? Evidently there is a security hole somewhere.
The server was used from different IPs in different places on the same day.
Here are some of them:

Question, do you think that configuration is correct?
Thanks!

palinka
Senior user
Posts: 1096
Joined: 2017-09-12 17:57

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by palinka » 2019-10-09 16:40

Simple passwords are easily guessed. Alternatively, it could have been part of a data breach (not on your server) where the user had the same password for the breached account as the mail account.

mattg
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by mattg » 2019-10-10 01:45

maxtor wrote:
2019-10-09 16:10
And how could him know the password?
I don't know
That is for you to manage
palinka wrote:
2019-10-09 16:40
Simple passwords are easily guessed.
Absolutely

palinka
Senior user
Posts: 1096
Joined: 2017-09-12 17:57

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by palinka » 2019-10-10 03:16

mattg wrote:
2019-10-10 01:45
palinka wrote:
2019-10-09 16:40
Simple passwords are easily guessed.
Absolutely
Powershell script for strong random passwords. :mrgreen:

Function MakeUp-String([Int]$Size = 12, [Char[]]$CharSets = "ULNS", [Char[]]$Exclude) {
    $Chars = @(); $TokensSet = @()
    If (!$TokenSets) {$Global:TokenSets = @{
        U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'                                #Upper case
        L = [Char[]]'abcdefghijklmnopqrstuvwxyz'                                #Lower case
        N = [Char[]]'0123456789'                                                #Numerals
        S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'                         #Symbols
    }}
    $CharSets | ForEach {
        $Tokens = $TokenSets."$_" | ForEach {If ($Exclude -cNotContains $_) {$_}}   #Drop the excluded characters from this set
        If ($Tokens) {
            $TokensSet += $Tokens
            If ($_ -cle [Char]"Z") {$Chars += $Tokens | Get-Random}             #Character sets defined in upper case are mandatory
        }
    }
    While ($Chars.Count -lt $Size) {$Chars += $TokensSet | Get-Random}          #Fill up to the requested length from all sets
    ($Chars | Sort-Object {Get-Random}) -Join ""                                #Mix the (mandatory) characters and output string
}; Set-Alias Create-Password MakeUp-String -Description "Generate a random string (password)"

# 12 characters from all four sets; the third argument lists characters to leave out
$password = Create-Password 12 ULNS "OLIoli01"
Write-Host $password
I can't remember where I found this, but it makes very strong passwords. The options: 12 = 12 characters, and "OLIoli01" is for options I totally forgot about. Something to do with ignoring those characters because 0 looks like O, I/1/l, etc., I think. Very VERY strong, impossible-to-remember passwords.

mattg
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by mattg » 2019-10-10 06:34

palinka wrote:
2019-10-10 03:16
Very VERY strong, impossible-to-remember passwords.
I use those kinds of passwords often for email, because email is just set and forget.
My daughter had a random 15 character password that was clearly sniffed probably somewhere where she used wifi, many years back. I've tightened up my security since then, not that it was terrible then, but much stronger now.

viewtopic.php?f=8&t=30990&p=193794&hili ... er#p193794

palinka
Senior user
Posts: 1096
Joined: 2017-09-12 17:57

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by palinka » 2019-10-10 11:28

mattg wrote:
2019-10-10 06:34
palinka wrote:
2019-10-10 03:16
Very VERY strong, impossible-to-remember passwords.
I use those kinds of passwords often for email, because email is just set and forget.
My daughter had a random 15 character password that was clearly sniffed probably somewhere where she used wifi, many years back. I've tightened up my security since then, not that it was terrible then, but much stronger now.

viewtopic.php?f=8&t=30990&p=193794&hili ... er#p193794
I had a quick look at that thread. Password guessing is terrible (I know that's not the case there).

I've totally locked down my setup. I've mentioned this before - all mail ports are blocked at the router except 25 and I force all connections through ActiveSync or webmail, and no auth on 25. There is literally no chance for a password guess.

On Soren's advice I implemented his IDS into my firewall ban and opened up the router to IMAP & POP connections. That seems to work well so far. I haven't had a single password guess yet. I would know immediately because I get notified by SMS on every bad login. In the couple of days I've been running the IDS, I've only had one bad login from my mom, which is expected and the entire reason I set up the notification in the first place. She's autobanned herself so many times that I wanted to be able to fix that immediately without her having to beg for help. :mrgreen:

I'm not sure why I'm not getting password guessers currently. The only explanation I can think of is I've already firewall banned the majority of them. Before I blocked IMAP/POP from the internet, I used to see most guessers on those ports. GeoIP autobanning showed the majority on those ports. Blocking the ports is really the most effective thing you can do, if you're able to force users through alternate connections: webmail, ActiveSync, VPN or simply alternative ports.

mattg
Moderator
Posts: 20108
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by mattg » 2019-10-10 12:23

I've been running stats on my autoban list since March 2018

I ban for 7 days
Right now I have

6 - port 110 international IPs blocked
20 - port 143 international IPs blocked
18 - port 465 international IPs blocked
21 - port 587 international IPs blocked
20 - port 993 international IPs blocked
9 - port 995 international IPs blocked
21 - custom SMTP port - international IPs blocked
13 IPs that have tried to AUTH on port 25
143 blocked for sending me high scoring SPAM, with my current highest spam score being 243
65 IPs blocked for using dodgy EHLO (I'm pretty lax on this - there are only about three reasons that this can be triggered)


The international IPs typically try password guessing, or test Security = That's 115 in the last 7 days, at an average of one every hour and a half

palinka
Senior user
Posts: 1096
Joined: 2017-09-12 17:57

Re: Urgent help! Why can someone send an email through my mail server without verification?

Post by palinka » 2019-10-10 14:22

8,053 hits for GeoIP.
1,635 hits for Spamhaus zen
128 hits for UCEP. [Many FPs - need to get rid of this]
37 hits for ResIP. [Looks for dynamic-y looking HELOs]
31 hits for HELO-Inv. [HELO validation]
11 hits for SH-DBL. [Spamhaus DBL OnHELO]
6 hits for ListUnsub-Rej. [Soren's xml custom list]
4 hits for IDS.
4 hits for HELO-Rej. [Soren's xml custom list]
2 hits for Manual. [Manual entry IP ban]
2 hits for SpamDonkey.
1 hit for Spamhaus-DBL. [against from address domain]

This is my firewall ban list.

Also, have a look at this: https://hmailserver.com/forum/viewtopic.php?f=9&t=34179

It has become far more useful than I could possibly have imagined.
