Votes

36

Enhance access control options in GWIA regarding SMTP authentication

by: Massimo R. | over a year ago | Agents
Cast your vote or comment ...
return to idea list

Currently, a directly internet connected GWIA is a worthwhile and easy target all sorts of hacking, as it's officially impossible to even outright disable SMTP authentication, let alone control who is allowed to use it. That's why countless GWIAs are constantly bruteforce attacked for valid credentials, often either succesful (then abused as spam relay or worse, to access mailboxes of hacked accounts), or at least resulting in DOS attacks, *if* the admin was observant enough to at least change the defaults (which allow brute force attacks without any countermeasure) and enabled intruder detection.

At a very minimum, we urgently need a switch to totally disable any SMTP authentication on a GWIA. But in the long run, GWIA needs to be able to control SMTP authentication per user. In it's current state, it becomes more and more difficult if not impossible to directly connect GWIA to the Internet due to the lack of security in that area.

by: Massimo R. | over a year ago | Agents

Comments

  • Having some other protection in front isn't always an option, and even when there is, we still need a full Depth in Defense for when the bad guys either get around other protection or to defend against internal hostiles such as at a school.

    by: Andy K. | over a year ago

  • And of course, no product should factually require third party products on top to be properly useable. But that's almost the state of GWIA at this point in time.

    by: Massimo R. | over a year ago

  • Agreed. I see a lot of attacks directed at "webmaster", "abuse" etc.

    by: Anders G. | over a year ago

  • What has helped me is to enable:
    --disallowauthrelay
    as well as Relay Allow overrides (IPAddress to * or IPAddress to *@yourdomain.com) for internal scripting engines that send mail via GWIA relay.

    by: Andreas B. | over a year ago

  • --disallowauthrelay doesn't do it. It does *NOT* stop the authentication itself, aka it's still possible to check and guess valid passwords via the GWIA. It *does* stop the abuse of the credentials for relaying only.

    by: Massimo R. | over a year ago

  • Is there any security software I can put between GWIA IMAP and the Internet? I use postfix for SMTP which is not a perfect solution, but helps a lot. I couldn't find any software for IMAP.

    by: Gellért H. | over a year ago

  • I suggest you ask this (with details what you're trying to achieve) in the forums, this isn't really the right place.

    by: Massimo R. | over a year ago