About SMTP port?

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
fmail
Normal user
Posts: 159
Joined: 2009-01-02 18:21
Location: Denmark, Aarhus

About SMTP port?

Post by fmail » 2019-03-22 20:57

I have two port assigned for incoming SMTP.
Port 25 with STARTTLS (Optional)
Port 587 with STARTTLS (Required)
Yesterday I made some update and change on HM.
**I set both port 25 and port 587 to STARTTLS (Required); this means only incoming traffic with TLS is welcome. Is that ok?
**I disabled TLSv1.0. Is that ok? (Now only v1.1 and 1.2 are enabled.)

-In the log from HM I see a lot that can't handle STARTTLS on port 25?

Confusion, what is the best way to do it in 2019?

SorenR
Senior user
Posts: 3054
Joined: 2006-08-21 15:38
Location: Denmark

Re: About SMTP port?

Post by SorenR » 2019-03-22 21:18

fmail wrote:
2019-03-22 20:57
I have two port assigned for incoming SMTP.
Port 25 with STARTTLS (Optional)
Port 587 with STARTTLS (Required)
Yesterday I made some update and change on HM.
**I set both port 25 and port 587 to STARTTLS (Required); this means only incoming traffic with TLS is welcome. Is that ok?
**I disabled TLSv1.0. Is that ok? (Now only v1.1 and 1.2 are enabled.)

-In the log from HM I see a lot that can't handle STARTTLS on port 25?

Confusion, what is the best way to do it in 2019?
Port 25 STARTTLS OPTIONAL - all the other ports you can do whatever you want - If not, you are going to be very lonely :mrgreen:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

jim.bus
Normal user
Posts: 156
Joined: 2011-05-28 11:49
Location: US

Re: About SMTP port?

Post by jim.bus » 2019-03-22 22:13

SorenR snuck in with his response before I could finish my response, but I believe what I suggest would aid in what you want to do. I would appreciate input from both SorenR and mattg as to whether what I believe would work too.

I do not claim to be an expert on this but I, too, have the same settings for SMTP as you do. I do include all the Security Protocols except SSL is not supported on my hMailServer by the fact I do not allow SSL.

I use hMailServer for an extremely limited number of users with the users being mostly myself. I myself want all communications from Email Clients to be encrypted which means I also required port 110 to use SSL/TLS encryptions and Port 465 to use StartTLS (Required). Normally port 110 is not for encrypted client communications.

Port 25 needs to be set to StartTLS (Optional) because Email Servers connect on Port 25 to deliver email to your hMailServer Email Server because not all Email Servers provide encryption. This left me still vulnerable to those Email Clients who connect on Port 25 which normally do not encrypt this connection.

mattg suggested to eliminate this hole in my personal requirements that all Email Clients be forced to encrypt no matter what port they connected that I add the following entries to my hMailServer.ini configuration file:

[settings]
DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.

This will disallow Email Clients from connecting to hMailServer on Port 25 because the default settings of hMailServer for SMTP are to require SMTP authentication.

But I would also like mattg to respond to this question. On the hMailAdmin IP Range screen for the Internet IP Range there is, under 'Other', an option to require SSL/TLS for all connections, which by default is not checked for the Internet IP Range. Wouldn't checking this option also accomplish the same thing? The Help documentation indicates 'This option does not affect unauthenticated connections, such as normal delivery of inbound email messages from other servers'. I would interpret this to mean that Port 25 would then require an encrypted connection from an Email Client while still allowing connections from Email Servers. This would then mean, I believe, that the additional entries to the hMailServer.ini file would be unnecessary, or am I missing something in my interpretation?

If this option under the Internet IP Range would accomplish the same thing, then it might be preferable to changing the hMailServer.ini configuration file, because it would make installing upgrades to hMailServer less complicated: you would not have to make an additional change to the configuration file should you ever find a situation requiring you to go back and change it, such as completely removing hMailServer from your computer and doing essentially a complete new installation of hMailServer.

SorenR
Senior user
Posts: 3054
Joined: 2006-08-21 15:38
Location: Denmark

Re: About SMTP port?

Post by SorenR » 2019-03-23 02:12

jim.bus wrote:
2019-03-22 22:13
SorenR snuck in with his response before I could finish my response, but I believe what I suggest would aid in what you want to do. I would appreciate input from both SorenR and mattg as to whether what I believe would work too.
I'm not using STARTTLS at all. Port 25 is standard and included in DisableAUTHList, for clients I use 465 SSL and 993 SSL.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

RvdH
Senior user
Posts: 690
Joined: 2008-06-27 14:42
Location: Netherlands

Re: About SMTP port?

Post by RvdH » 2019-03-23 02:47

jim.bus wrote:
2019-03-22 22:13
If this option under the Internet IP Range would accomplish the same thing, then it might be preferable to changing the hMailServer.ini configuration file, because it would make installing upgrades to hMailServer less complicated: you would not have to make an additional change to the configuration file should you ever find a situation requiring you to go back and change it, such as completely removing hMailServer from your computer and doing essentially a complete new installation of hMailServer.
hMailServer.ini is not updated/overwritten with upgrades, so dunno what you are talking about???
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

mattg
Moderator
Posts: 19724
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: About SMTP port?

Post by mattg » 2019-03-23 02:53

DisableAUTHList=25 doesn't just force mail clients to use another port

It also stops hackers from using port 25 for guessing username and password combinations.
Of course hackers can and sometimes do try other mail ports (587, 465, 110, 143, 993 and 995) AND also other custom ports, to try and guess username and passwords.

Hackers also connect using StartTLS encrypted connections - requiring SSL/TLS for authentication doesn't stop them (read on).

I have 'Require SSL/TLS for authentication' selected for the internet IP range.
In fact I have it set for all but a couple of individual machines on my LAN that can't do that (iDrac on my servers and some printers that send emails when supplies are low)

IP ranges deals with IP addresses
The ini file setting deals with port(s) across ALL IP ranges

These are different things, but in the example that you cite, yes these do achieve the same outcome.

I automatically check my logs, and then autoban IPs that try to authenticate over port 25. I also autoban if an IP tries to send from a local address without Auth. (These are recorded in logs, as both are just outright rejected by my hMailserver). I trawl my logs very frequently to update my Autoban listings.

Using scripts, I automatically autoban IP addresses from overseas (not in Australia) that try to authenticate on any of the IMAP or POP3 ports, or my SMTP submission ports. I ALSO autoban for 'high' Spam Score. Only port 25 is accessible from overseas, so that I can get mail from overseas.

At the end of each day, I automatically count the entries in the autoban table that meet each criterion for autoban.
Of course when an IP is autobanned, subsequent attempts to connect are simply rejected - so this is simply the first port tried by the would-be hackers.

Summary from last night is (each count is usually from 10-15). Autobans last 7 days - so this is a summary of the latest 7 days of attempts

Port 110 (tried to authenticate from overseas on port 110) = 9
Port 143 = 6
Port 465 = 9
Port 587 = 8
Port 993 = 13
Port 995 = 11
custom unpublished port = 8
No AUTH local sender = 12
Other reasons for Autoban = 11
High score SPAM = 237

The highest spam score recorded in last seven days is 184, which is not a record, late last month I scored a 199

As you can see (9+6+9+8+13+11+8+12+11)= 87 sophisticated hacking attempts in the last 7 days. That's an average of one IP address every 2 hours is trying to hack my mail server, most of whom have connected via StartTLS.

This is about average over the last year (I have daily records since late March 2018), except for a few-week patch in September of last year where I had counts of around 800 for Port 143. So many high days that the daily average over the last year for port 143 is actually 64.

Added to this is the occasional cipher test (where some machine is 'testing' what ciphers I will negotiate), and that my mail server has been exclusively TLSv1.2 since 1 October 2018, AND the continued hacking attempts on my web servers (a different IP is blocked every few minutes)- I'm starting to feel a little paranoid. :roll: :roll:
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
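The log-trawling mattg describes (authentication attempts on port 25, local senders without AUTH, and per-criterion daily counts) can be scripted. Below is an added example that is not code from the thread or from hMailServer; the sample lines are constructed and modelled on hMailServer's tab-separated TCPIP/SMTPD log layout, and the exact field order and the "530 SMTP authentication is required." response text are assumptions to check against your own hmailserver_*.log before relying on the regexes.

```python
"""Flag hMailServer log sessions that match two of the autoban criteria from
the thread: AUTH attempted on port 25, and MAIL FROM a local address without
authentication (the server answers 530). Added example, not hMailServer code."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from a real server). Field order follows
# what hMailServer writes for "TCPIP" connect lines and "SMTPD" traffic lines;
# treat it as an assumption and adapt the regexes to your own log files.
SAMPLE_LOG = [
    '"TCPIP"\t3088\t"2019-03-23 01:12:04.101"\t"TCP - 203.0.113.5 connected to 192.0.2.10:25."',
    '"SMTPD"\t3088\t1501\t"2019-03-23 01:12:04.120"\t"203.0.113.5"\t"SENT: 220 mail.example.net ESMTP"',
    '"SMTPD"\t3088\t1501\t"2019-03-23 01:12:04.402"\t"203.0.113.5"\t"RECEIVED: EHLO host.example"',
    '"SMTPD"\t3088\t1501\t"2019-03-23 01:12:04.690"\t"203.0.113.5"\t"RECEIVED: AUTH LOGIN"',
    '"TCPIP"\t3090\t"2019-03-23 01:12:09.000"\t"TCP - 198.51.100.7 connected to 192.0.2.10:587."',
    '"SMTPD"\t3090\t1502\t"2019-03-23 01:12:09.300"\t"198.51.100.7"\t"RECEIVED: STARTTLS"',
    '"SMTPD"\t3090\t1502\t"2019-03-23 01:12:09.800"\t"198.51.100.7"\t"RECEIVED: AUTH LOGIN"',
    '"TCPIP"\t3091\t"2019-03-23 01:13:00.000"\t"TCP - 192.0.2.77 connected to 192.0.2.10:25."',
    '"SMTPD"\t3091\t1503\t"2019-03-23 01:13:00.300"\t"192.0.2.77"\t"RECEIVED: MAIL FROM:<boss@example.net>"',
    '"SMTPD"\t3091\t1503\t"2019-03-23 01:13:00.310"\t"192.0.2.77"\t"SENT: 530 SMTP authentication is required."',
]

# "TCPIP" <thread> "<time>" "TCP - <remote ip> connected to <local ip>:<port>."
TCPIP_RE = re.compile(r'^"TCPIP"\t(\d+)\t"[^"]*"\t"TCP - ([\d.]+) connected to [\d.]+:(\d+)\."$')
# "SMTPD" <thread> <session> "<time>" "<remote ip>" "SENT|RECEIVED: <message>"
SMTPD_RE = re.compile(r'^"SMTPD"\t(\d+)\t\d+\t"[^"]*"\t"([\d.]+)"\t"(SENT|RECEIVED): (.*)"$')

AUTH_ON_25 = "auth_on_port_25"            # mattg's "tried to authenticate over port 25"
NO_AUTH_LOCAL = "no_auth_local_sender"    # mattg's "No AUTH local sender"
AUTH_SUBMISSION = "auth_on_submission"    # informational: AUTH on 587/465 etc.


def scan(lines):
    """Return {remote_ip: Counter(reason -> hits)} from one pass over the log.

    The local port of an SMTPD line is taken from the most recent TCPIP connect
    line on the same worker thread; thread ids are reused, so log order matters.
    """
    port_by_thread = {}
    findings = defaultdict(Counter)
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = TCPIP_RE.match(line)
        if m:
            thread, _remote_ip, port = m.groups()
            port_by_thread[thread] = int(port)
            continue
        m = SMTPD_RE.match(line)
        if not m:
            continue
        thread, ip, direction, msg = m.groups()
        port = port_by_thread.get(thread)
        if direction == "RECEIVED" and msg.upper().startswith("AUTH"):
            findings[ip][AUTH_ON_25 if port == 25 else AUTH_SUBMISSION] += 1
        elif direction == "SENT" and msg.startswith("530"):
            # hMailServer rejects an unauthenticated local sender with a 530.
            findings[ip][NO_AUTH_LOCAL] += 1
    return findings


def ban_candidates(findings, submission_threshold=5):
    """IPs that hit a hard criterion, or hammered the submission ports."""
    out = []
    for ip, reasons in findings.items():
        if reasons[AUTH_ON_25] or reasons[NO_AUTH_LOCAL]:
            out.append(ip)
        elif reasons[AUTH_SUBMISSION] >= submission_threshold:
            out.append(ip)
    return sorted(out)


def summary(findings):
    """Per-criterion count of distinct IPs, like the daily summary in the thread."""
    counts = Counter()
    for reasons in findings.values():
        for reason, hits in reasons.items():
            if hits:
                counts[reason] += 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for reason, n in sorted(summary(found).items()):
        print(f"{reason} = {n}")
    print("ban candidates:", ", ".join(ban_candidates(found)))
```

Feed it the real files with `scan(open(path, encoding="utf-8"))` and turn the candidate list into IP-range entries through whatever you already use (hMailServer's COM API or the admin GUI); the script only decides, it does not touch the server. The submission-port counter is deliberately not a hard criterion, since a legitimate client with a stale password also produces a few AUTH lines on 587.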

jim.bus
Normal user
Posts: 156
Joined: 2011-05-28 11:49
Location: US

Re: About SMTP port?

Post by jim.bus » 2019-03-23 08:41

mattg,

Thanks for the explanation.

I forgot for the moment, that the .ini setting actually disables any attempt to authenticate at all.

Though one of your statements still puzzles me. You stated IP ranges deals with IP Addresses which is true and then you state the .ini setting deals with Ports across all IP Ranges. Now if you specify to use the Internet IP Range and you select Require SSL/TLS for all connections, doesn't this then require SSL/TLS authentication for all connections in the IP Internet range which is all possible IPv4 IP addresses (the Default setting for the IP Internet Range) which would mean all ports accessed from the Internet would be required to connect with SSL/TLS authentication and I do recognize without the .ini setting this would allow attempts to guess passwords?

You seem to acknowledge that the option to require all connections to authenticate with SSL/TLS for the Internet IP range would have been equivalent to what I originally had wanted, which was to require all connections to be encrypted, though I like even better your having originally suggested I use the .ini setting to prevent even allowing any authentication attempts on Port 25. So currently my .ini setting has the block on authenticating on Port 25, but the Internet IP Range currently doesn't have the option to Require SSL/TLS for authentication. Based on what I believe you've indicated in your posting, I will add to the Internet IP Range the option to Require SSL/TLS for authentication, as this appears to add even additional security.

I do have one puzzling phenomenon currently going on in my Auto Ban IP Addresses. I have my Auto Ban parameters set to be fairly restrictive for how long the expiration date is for an Auto Ban IP Address. I have noticed I seem to go through periods of many attempts to guess my email account passwords, where I will get a lot of Auto Ban IP Addresses, and then periods of low activity. Currently, for quite a long time, I have been sitting at 47 Auto Ban IP Addresses with no additional IP Addresses being added to the total count of 47. Even more puzzling, with the exception of maybe 7 IP Addresses where the Email Account being guessed is the Default Domain (because no Domain is specified for the Email Account), the Auto Ban email account is the same exact email account except for the unique identifier hMailServer adds to the Email Account. Of course the IP Addresses are different. It seems strange that all but the default Domain email accounts are the same Email Account, which looks like the same hacker repeatedly going after the same email account on different days or times. You would think the attempts would be to different email accounts even if it really was only one hacker involved.

But your posting has made me a bit more paranoid now too!

Thanks for the input. I always appreciate learning more. One reason I snoop through the forum occasionally is that I sometimes also see interesting tidbits of information that if not immediately applicable to something I may want to do, it is good information for possible use later and also can give a greater understanding as to how things work.

P.S.:

One thing you might have an answer to is that I rarely ever get any email notifications for any Posting I have been following, such as this Thread, even though I have "Notify me when a reply is posted" checked. I did get an Email Posting Notification a few weeks ago, which was the first in probably over a year, and now none again. This has been the case for many years too. I have also clicked on the links to look at the replies, so it should not be a problem with me not responding to the Notification, which I know will suspend the Email Notifications until you click on the link to view the replies.

jim.bus
Normal user
Posts: 156
Joined: 2011-05-28 11:49
Location: US

Re: About SMTP port?

Post by jim.bus » 2019-03-23 08:53

RvdH wrote:
2019-03-23 02:47
jim.bus wrote:
2019-03-22 22:13
If this option under the Internet IP Range would accomplish the same thing, then it might be preferable to changing the hMailServer.ini configuration file, because it would make installing upgrades to hMailServer less complicated: you would not have to make an additional change to the configuration file should you ever find a situation requiring you to go back and change it, such as completely removing hMailServer from your computer and doing essentially a complete new installation of hMailServer.
hMailServer.ini is not updated/overwritten with upgrades, so dunno what you are talking about???
You should look at mattg's response later on, as he points out I did forget that the .ini file setting actually prevents any authentication attempt, which then prevents an attempt to guess the password as well. This means the option I point out, while it would have satisfied my original issue from a while back, is not exactly equivalent, as the .ini file provides more security.

But as to why I said it might be better than using the .ini file setting because it might get changed with updates or installs: you could completely uninstall hMailServer, including removing the .ini file, and then do essentially a new install as opposed to installing over an existing installation, in which case you would have to make the custom change to the .ini file again, whereas the Internet IP Range option to Require SSL/TLS for authentication is a smaller change. It is merely checking an option on the settings screen, as opposed to adding multiple settings lines to the .ini configuration file.

mattg
Moderator
Posts: 19724
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: About SMTP port?

Post by mattg » 2019-03-24 03:26

RvdH's post is correct - the ini file isn't overwritten in an update.
Even if you uninstall hMailserver completely, the ini file is left behind in case of re-installation (as are the settings recorded in the database).

To remove all files you would need to uninstall the database, and delete the hMailserver directory (including the ini file).
jim.bus wrote:
2019-03-23 08:41
P.S.:

One thing you might have an answer to...
I have no idea about this website. I don't host it.
jim.bus wrote:
2019-03-23 08:41
I will add to the IP Internet Range the option to Require SSL/TLS for authentication as this appears to add even additional security.
It doesn't stop spammers or hackers in any way - they just connect securely before trying their rubbish
jim.bus wrote:
2019-03-23 08:41
...the Email Account being guessed is the Default Domain because no Domain is specified for the Email Account...
You really should turn off default domain if you can - that is a real security hole, and often causes much more spam to be received.
jim.bus wrote:
2019-03-23 08:41
I have been sitting at 47 Auto Ban IP Addresses
In my stats above, none of them are regular autobans.
Many are bans that I create based on nefarious persons trying to guess accounts and passwords via IMAP and POP3 ports - this is NOT handled automatically by hMailserver. You could have dozens or even hundreds of these each day, and you wouldn't know unless perhaps you trawled your logs.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jim.bus
Normal user
Posts: 156
Joined: 2011-05-28 11:49
Location: US

Re: About SMTP port?

Post by jim.bus » 2019-03-24 11:52

mattg wrote:
2019-03-24 03:26
RvdH's post is correct - the ini file isn't overwritten in an update.
Even if you uninstall hMailserver completely, the ini file is left behind in case of re-installation (as are the settings recorded in the database).

To remove all files you would need to uninstall the database, and delete the hMailserver directory (including the ini file).
jim.bus wrote:
2019-03-23 08:41
P.S.:

One thing you might have an answer to...
I have no idea about this website. I don't host it.
jim.bus wrote:
2019-03-23 08:41
I will add to the IP Internet Range the option to Require SSL/TLS for authentication as this appears to add even additional security.
It doesn't stop spammers or hackers in any way - they just connect securely before trying their rubbish
jim.bus wrote:
2019-03-23 08:41
...the Email Account being guessed is the Default Domain because no Domain is specified for the Email Account...
You really should turn off default domain if you can - that is a real security hole, and often causes much more spam to be received.
jim.bus wrote:
2019-03-23 08:41
I have been sitting at 47 Auto Ban IP Addresses
In my stats above, none of them are regular autobans.
Many are bans that I create based on nefarious persons trying to guess accounts and passwords via IMAP and POP3 ports - this is NOT handled automatically by hMailserver. You could have dozens or even hundreds of these each day, and you wouldn't know unless perhaps you trawled your logs.
First, when I stated I would completely uninstall hMailServer, I meant exactly that. I would manually remove all files and folders which would include the .ini file as well. I am well aware that an uninstall doesn't necessarily remove everything. If you look at my original post where I correct myself about the hackers still being able to connect securely and guess the password, you will see I did indicate I would have to remove the .ini file as part of the uninstall.

Second, again going back to my prior posting quoted above, I indicated I recognized your points and indicated I would leave the .ini file with the setting to prohibit even connecting on Port 25 and still also add to the Internet IP Range the option to require all connections to be encrypted as well. This addition might have been superfluous but it didn't seem it could hurt.

Third, I never said I had Default Domain turned on. I have no Default Domain as I didn't see any necessity for it and I saw it was a greater security risk too and to prove everybody was right including myself I get attempts to connect to my non-existent Default Domain which are Auto Banned because I have no Default Domain.

Fourth, not sure if you understood my comment about the 47 Auto-Bans. On my Status screen it reports I have 47 Auto Bans. If I look in my IP Ranges, I see all the Auto-Bans listed. I used to sometimes get more Auto-Bans than 47, which would also all be listed. My comment was just to state that, for some strange reason, it is just now sitting at 47 Auto-Bans, which all look like the same ones, and has been this way for quite a while. I understand why the Auto-Bans have not shrunk in number: they haven't reached their expiration date yet. But I would have thought more might have been added to the 47 Auto-Bans, which is why I was puzzled. It seemed unlikely to me that I would just not get any more for such a long time. Though at one time I didn't have any for a while too.

Fifth, I was just noting in my P.S. comment that Email Notification from the hMailServer Forum when someone Replies to a Posting is not being sent to me, when I seem to have the correct options set. And strangely, for your Reply to which I am now responding, I got an Email Notification of your Reply to my posting, whereas on all the prior Postings on this particular Forum Topic I have received no Email Notifications.

I do appreciate your feedback though. Feedback always has a potential to be helpful.
