Connection method auditing [message #134775]
Wed, 22 March 2017 23:17
Bud Durland
Messages: 586 Registered: December 2013 Location: Plattsburgh, NY
We had a user's account credentials get compromised, and spammers were able to spend about 3 hours spewing through my mail server. I've locked down the account, cleaned up the queue, etc. and am now doing some investigation.
As far as I can tell, my firewall does not permit port 25 access to the Kerio server from the outside world; it all gets forwarded to our spam filter / server. We do permit 465 through so that mobile devices that can't use ActiveSync will work. Looking at the audit log, I see entries like so:
[22/Mar/2017 15:49:58] SMTP: User j.smith<_at_>example.com authenticated from IP address 12.34.56.78
Does that mean the authentication was through any SMTP port, or would authentication through secure SMTP (port 465) begin with "SSMTP" or some such? I realize that the compromised password makes the port used practically irrelevant, I'm just curious.
Re: Connection method auditing [message #134787 is a reply to message #134775]
Fri, 24 March 2017 15:03
j.a.duke
Messages: 239 Registered: October 2006
Bud Durland wrote on Wed, 22 March 2017 18:17:
We had a user's account credentials get compromised, and spammers were able to spend about 3 hours spewing through my mail server. I've locked down the account, cleaned up the queue, etc. and am now doing some investigation.
As far as I can tell, my firewall does not permit port 25 access to the Kerio server from the outside world; it all gets forwarded to our spam filter / server. We do permit 465 through so that mobile devices that can't use ActiveSync will work. Looking at the audit log, I see entries like so:
[22/Mar/2017 15:49:58] SMTP: User j.smith<_at_>example.com authenticated from IP address 12.34.56.78
Does that mean the authentication was through any SMTP port, or would authentication through secure SMTP (port 465) begin with "SSMTP" or some such? I realize that the compromised password makes the port used practically irrelevant, I'm just curious.
Bud,
I've closed off 465 externally as it appears to be deprecated for use as a port for clients to utilize. I only have 25 (for server to server) and 587 (client to server) open. I've also forced all my connections to be secure (IMAPS, HTTPS, SMTPS, etc.).
But to answer your question, yes, they can authenticate against any SMTP port, even without being secure (used to auth via plaintext on 25 for some clients as they didn't like 465 or 587).
Cheers,
Jon
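Since the audit line records no port, the useful signal left in it is who authenticated, from where, and when. The Python below is an added example, not code from the thread or from Kerio: it parses constructed lines in the format quoted above and flags any account whose SMTP authentications come from more than a set number of distinct source IPs inside a sliding window, which is the footprint a credential-abusing spam run leaves in this log. The window size and IP threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the Kerio audit-log line format quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] SMTP: User "
    r"(?P<user>\S+) authenticated from IP address (?P<ip>[\d.]+)$"
)
def parse_line(line):
    """Return (timestamp, user, ip) for an SMTP auth line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    # Undo the forum's <_at_> obfuscation so accounts compare normally.
    user = m.group("user").replace("<_at_>", "@")
    return ts, user, m.group("ip")

def find_suspicious(lines, window=timedelta(hours=1), max_ips=3):
    """Flag users seen from more than max_ips distinct IPs in any window."""
    recent = defaultdict(deque)   # user -> (ts, ip) records, oldest first
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, ip = rec
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:   # drop records outside window
            q.popleft()
        ips = {i for _, i in q}
        if len(ips) > max_ips and user not in flagged:
            flagged[user] = (ts, sorted(ips))
    return flagged

# Constructed sample (assumed data): one normal user, one account hit from many IPs.
SAMPLE = [
    "[22/Mar/2017 15:49:58] SMTP: User j.smith<_at_>example.com authenticated from IP address 12.34.56.78",
    "[22/Mar/2017 15:50:03] SMTP: User j.smith<_at_>example.com authenticated from IP address 198.51.100.9",
    "[22/Mar/2017 15:50:41] SMTP: User j.smith<_at_>example.com authenticated from IP address 203.0.113.77",
    "[22/Mar/2017 15:51:10] SMTP: User j.smith<_at_>example.com authenticated from IP address 192.0.2.45",
    "[22/Mar/2017 16:02:00] SMTP: User a.jones<_at_>example.com authenticated from IP address 192.0.2.10",
    "[22/Mar/2017 16:03:00] SMTP: User a.jones<_at_>example.com authenticated from IP address 192.0.2.10",
]
if __name__ == "__main__":
    for user, (when, ips) in find_suspicious(SAMPLE).items():
        print(f"{when} {user}: {len(ips)} source IPs in window -> {ips}")
```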