GFI Software

Limit SMTP submission to local networks (User Access Policies cannot deny SMTP submission)
Limit SMTP submission to local networks [message #150570] Mon, 22 November 2021 16:33
Grisebach GmbH
Messages: 2
Registered: November 2021
Dear all,

As confirmed by GFI support in ID #2957183, it is currently not possible to restrict SMTP submission to local subnets.

We configured some accounts that should only be able to send mails from specified subnets (like 192.168.1.0/24 and 10.110.20.0/23). To achieve that goal, a User Access Policy was set up restricting all services to a defined IP Address Group.

However, we found out it is not possible to limit SMTP submission in User Access Policies. You can limit IMAP and POP3, therefore it is not possible to create an account in a normal mail client. You can also limit the Kerio Connect client to be accessible only for specified subnets. As it turned out, a spammer with a stolen password was still able to submit mails from public IP addresses to the Kerio nevertheless.

This behaviour can be confirmed by first granting the "Default" Access Policy in the user's Rights tab, configuring the account in the local mail client and then restricting rights in a User Access Policy to local clients only. The password was asked for several times in the mail client afterwards, but it was possible to send mails. The mail log showed the public IP of the remote host and the mail was transferred.

When defining a User Access Policy, you can restrict access to "All protocols". When you save that Access Policy, "All protocols" expands to single services like "Active Sync", "EWS" and more, omitting "SMTP submission". This does not seem intuitive. On the other hand, the only possibility at the moment is restricting SMTP submission for all mailboxes by unticking the checkbox "Users authenticated through SMTP for outgoing mail" in Configuration -> SMTP Server.

Since the SMTP Server settings affect all users in all domains, we kindly ask to add the possibility to include "SMTP submission" as an option in the User Access Policies.


Kind regards,
Andreas Vogel on behalf of Grisebach GmbH
Re: Limit SMTP submission to local networks [message #150576 is a reply to message #150570] Wed, 24 November 2021 17:45
Bud Durland
Messages: 588
Registered: December 2013
Location: Plattsburgh, NY
If there is a firewall / router / core switch between the user and the mail server, a viable workaround might be to block access to the submission ports there.
Re: Limit SMTP submission to local networks [message #150584 is a reply to message #150576] Fri, 26 November 2021 09:40
Grisebach GmbH
Messages: 2
Registered: November 2021
Yes, there is a firewall present. But you would block valid users, too. The problem is that you cannot differentiate between mail accounts in the gateway. To have a subset of accounts that may only submit SMTP locally you have to manage it by Kerio Connect.

One workaround I could think of would be to create two VPN profiles. One without SMTP submission to the Kerio (general usage), another one with SMTP submission allowed (all mail users with allowance to send from the outside.) The downside is that the latter group always needs VPN turned on when sending mails from WAN.

Or did I overlook something?
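
Until the server can enforce this per account, the mail log check described in the first post can be automated. The following is an added example, not part of the thread and not Kerio's own tooling: it flags accepted submissions by restricted accounts from outside the two subnets named above. The account names, the sample lines and the log layout are constructed assumptions (the layout is not Kerio Connect's real log format).

```python
import ipaddress
import re

# Subnets named in the original post; the account names are hypothetical.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("10.110.20.0/23")]
RESTRICTED = {"scanner@example.com": LOCAL_NETS,
              "erp@example.com": LOCAL_NETS}

# Assumed, simplified log layout (NOT Kerio Connect's real mail log format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) submission user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>\w+)$")

# Constructed sample lines.
SAMPLE_LOG = """\
2021-11-22 09:01:12 submission user=scanner@example.com ip=192.168.1.25 result=accepted
2021-11-22 09:03:40 submission user=erp@example.com ip=10.110.21.200 result=accepted
2021-11-22 09:05:02 submission user=scanner@example.com ip=203.0.113.7 result=accepted
2021-11-22 09:05:09 submission user=alice@example.com ip=198.51.100.4 result=accepted
2021-11-22 09:06:30 submission user=erp@example.com ip=203.0.113.7 result=rejected
2021-11-22 09:07:00 garbage line that does not match
2021-11-22 09:08:15 submission user=ERP@example.com ip=10.110.22.1 result=accepted
"""

def find_violations(log_text, restricted=RESTRICTED):
    """Return (timestamp, user, ip) for accepted submissions by restricted
    accounts from addresses outside their allowed networks."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "accepted":
            continue  # skip unparsable lines and rejected attempts
        user = m["user"].lower()  # compare account names case-insensitively
        nets = restricted.get(user)
        if nets is None:
            continue  # unrestricted account: may submit from anywhere
        try:
            local = any(ipaddress.ip_address(m["ip"]) in net for net in nets)
        except ValueError:
            local = False  # unparsable address: fail closed and report it
        if not local:
            hits.append((m["ts"], user, m["ip"]))
    return hits

if __name__ == "__main__":
    for ts, user, ip in find_violations(SAMPLE_LOG):
        print(f"{ts} ALERT {user} submitted mail from non-local {ip}")
```

Note that 10.110.20.0/23 covers 10.110.20.0 through 10.110.21.255, so the 10.110.22.1 line is reported while 10.110.21.200 is not.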