[HMail Server] SMTP credentials transmitted unencrypted

eric_xtremax
New user
Posts: 2
Joined: 2019-03-18 09:20

[HMail Server] SMTP credentials transmitted unencrypted

Post by eric_xtremax » 2019-03-18 10:07

Hello,

Our team has set up hMailServer to act as an SMTP relay in our internal infrastructure.
Currently, our security auditor is scanning our environment and found this vulnerability in our hMailServer:

3.2.4. SMTP credentials transmitted unencrypted (smtp-plaintext-auth)
(attachment: hmail vulnerability.jpg)

How can I fix this vulnerability? I think we already set up the server not to use plain authentication.
(attachment: hmail config.jpg)

Thanks

jim.bus
Normal user
Posts: 156
Joined: 2011-05-28 11:49
Location: US

Re: [HMail Server] SMTP credentials transmitted unencrypted

Post by jim.bus » 2019-03-19 00:49

I definitely am not well versed in how hMailServer treats unencrypted authentication, but being a novice, what I would check is whether your server which relays through hMailServer specifies that hMailServer (the relaying server) requires authentication.

You should also check to see if your server relaying to hMailServer designates that the Relay should use connection security.

I would also check in hMailServer IP Ranges to see if you have indicated that Authentication is required for this action.

mattg
Moderator
Posts: 19724
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: [HMail Server] SMTP credentials transmitted unencrypted

Post by mattg » 2019-03-19 02:05

In your hmailserver.ini

add this to the bottom

[settings]
DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.

In the hMailServer Admin GUI, set port 587 to 'Require StartTLS' (assuming that you have a valid cert installed).
Then restart hMailServer.

**All of your mail clients will need to Authenticate over port 587 (not port 25), and must then use StartTLS
This 'vulnerability' is exactly the SMTP specification.


By doing the above steps you don't allow anyone to authenticate over port 25... at all...ever, but you still need port 25 open to receive mail from the world.

Whoever did the security audit should also have checked the IMAP and POP3 ports, and you should (assuming that you have a valid cert installed) set those ports, 110 and 143, to 'Require StartTLS' as well.

You should also set port 25 to be 'StartTLS optional', encouraging as much secure traffic as you can.

Which database do you use? Some security auditors require encrypted connections to the database, and that can be a bit trickier, but not impossible to achieve.

FYI, since 1 Oct 2018, I've been solely TLSv1.2 on my hMailServer. I have two senders who struggle with that: one is the accountant of a business client, and I've been talking to his tech people (don't know that they are listening though); the second is the Australian Taxation Office server used to send newsletters. After it tries every hour for three days, it passes the newsletter message to another ATO server that sends the message first go. I've been in contact with them too. Everyone else sends without an encrypted connection if they can't negotiate my ciphers / security level.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
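The steps above (no AUTH on port 25, AUTH only after STARTTLS on 587) can be verified from the outside by looking at the EHLO capability list a listener returns on a still-cleartext session, which is essentially what the auditor's smtp-plaintext-auth check does. The following is an added example, not hMailServer's code or anything posted in this thread: it parses EHLO replies (both the raw `250-` wire form and the prefix-stripped form Python's `smtplib` hands back), reports whether AUTH is offered before TLS, and compares the result with the policy described in the post. The banners and the host name `mail.example.internal` are constructed for offline use; `check_live` is a helper that runs the same parse against a real listener.

```python
"""Check an SMTP listener for AUTH offered on a cleartext session.

Added example (not hMailServer's own code). Parses the EHLO capability
list returned before STARTTLS has been negotiated and flags the finding
the thread discusses: AUTH advertised in plaintext. Sample banners below
are constructed, not captured from a real server.
"""
import smtplib
from dataclasses import dataclass


@dataclass(frozen=True)
class EhloVerdict:
    auth_mechanisms: tuple      # mechanisms offered on the cleartext session
    starttls_offered: bool

    def plaintext_auth(self) -> bool:
        """True when the server would accept a password before TLS is up."""
        return bool(self.auth_mechanisms)


def parse_ehlo(lines):
    """Parse EHLO reply lines into an EhloVerdict.

    Accepts raw wire lines ('250-STARTTLS') and the prefix-stripped form
    smtplib returns ('STARTTLS'). The first line is the server's greeting
    name, not a capability, and is skipped.
    """
    mechanisms = []
    starttls = False
    for raw in list(lines)[1:]:
        line = raw.strip()
        if line[:4] in ("250-", "250 "):
            line = line[4:]
        if not line:
            continue
        keyword, *params = line.split()
        keyword = keyword.upper()
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH":
            mechanisms.extend(p.upper() for p in params)
        elif keyword.startswith("AUTH="):          # legacy 'AUTH=LOGIN' form
            mechanisms.append(keyword[5:])
            mechanisms.extend(p.upper() for p in params)
    return EhloVerdict(tuple(mechanisms), starttls)


def findings(port, verdict):
    """Compare a verdict with the policy from the thread: no AUTH before
    STARTTLS on any port, and STARTTLS at least offered (optional on 25,
    required on 587). Returns a list of human-readable findings."""
    out = []
    if verdict.plaintext_auth():
        out.append(f"port {port}: AUTH {' '.join(verdict.auth_mechanisms)} "
                   "offered before STARTTLS; credentials would cross the wire in the clear")
    if not verdict.starttls_offered:
        out.append(f"port {port}: STARTTLS not offered")
    return out


def check_live(host, port, timeout=10):
    """Connect, send EHLO and parse the cleartext capability list.
    Returns None if the port cannot be reached or EHLO is refused."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250:
                return None
            return parse_ehlo(msg.decode("utf-8", "replace").splitlines())
    except (OSError, smtplib.SMTPException):
        return None


# Constructed banners: the auditor's finding, and the two listeners after
# DisableAUTHList=25 plus 'Require StartTLS' on 587 have been applied.
BEFORE_PORT_25 = ["250-mail.example.internal", "250-SIZE 20480000",
                  "250-AUTH LOGIN PLAIN", "250 HELP"]
AFTER_PORT_25 = ["250-mail.example.internal", "250-SIZE 20480000",
                 "250-STARTTLS", "250 HELP"]
AFTER_PORT_587 = ["250-mail.example.internal", "250-STARTTLS", "250 HELP"]

if __name__ == "__main__":
    for port, banner in ((25, BEFORE_PORT_25), (25, AFTER_PORT_25), (587, AFTER_PORT_587)):
        for line in findings(port, parse_ehlo(banner)) or [f"port {port}: ok"]:
            print(line)
```

Run it against a real server with `check_live("mail.example.internal", 25)` and feed the verdict to `findings`; an empty list on 25 and 587 means no password can be submitted before TLS, while the IMAP and POP3 ports mentioned above need a separate check since they do not speak EHLO.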

eric_xtremax
New user
Posts: 2
Joined: 2019-03-18 09:20

Re: [HMail Server] SMTP credentials transmitted unencrypted

Post by eric_xtremax » 2019-03-19 06:05

Hello,

Thanks for the advice.
Let me try first in our environment.

Thank you
