Limit SMTP submission to local networks [message #150570]
Mon, 22 November 2021 16:33
Grisebach GmbH
Messages: 2 Registered: November 2021
Dear all,
as confirmed by GFI support in ID #2957183, it is currently not possible to restrict SMTP submission to local subnets.
We configured some accounts that should only be able to send mails from specified subnets (like 192.168.1.0/24 and 10.110.20.0/23). To achieve that goal, a User Access Policy was set up restricting all services to a defined IP Address Group.
However, we found out it is not possible to limit SMTP submission in User Access Policies. You can limit IMAP and POP3; therefore it is not possible to create an account in a normal mail client. You can also limit the Kerio Connect client to be accessible only from specified subnets. As it turned out, a spammer with a stolen password was nevertheless still able to submit mails from public IP addresses to the Kerio.
This behaviour can be confirmed by first granting the "Default" Access Policy in the user's Rights tab, configuring the account in the local mail client and then restricting rights in a User Access Policy to local clients only. The password was asked for several times in the mail client afterwards, but it was possible to send mails. The mail log showed the public IP of the remote host and the mail was transferred.
When defining a User Access Policy, you can restrict access to "All protocols". When you save that Access Policy, "All protocols" expands into single services like "Active Sync", "EWS" and more, omitting "SMTP submission". This does not seem intuitive. On the other hand, the only possibility at the moment is restricting SMTP submission for all mailboxes by unticking the checkbox "Users authenticated through SMTP for outgoing mail" in Configuration -> SMTP Server.
Since the SMTP Server settings affect all users in all domains, we kindly ask to add the possibility to include "SMTP submission" as an option in the User Access Policies.
Kind regards,
Andreas Vogel on behalf of Grisebach GmbH
Re: Limit SMTP submission to local networks [message #150584 is a reply to message #150576]
Fri, 26 November 2021 09:40
Grisebach GmbH
Messages: 2 Registered: November 2021
Yes, there is a firewall present. But you would block valid users, too. The problem is that you cannot differentiate between mail accounts in the gateway. To have a subset of accounts that may only submit SMTP locally, you have to manage it in Kerio Connect.
One workaround I could think of would be to create two VPN profiles. One without SMTP submission to the Kerio (general usage), another one with SMTP submission allowed (all mail users with allowance to send from the outside.) The downside is that the latter group always needs VPN turned on when sending mails from WAN.
Or did I overlook something?