SMTP Auth |
Post Reply |
Author | |
yapadu
Senior Member Joined: 12 May 2005 Status: Offline Points: 297 |
Post Options
Thanks(0)
Posted: 10 June 2018 at 7:34am |
Is there any INI setting to disable SpamFilter from announcing SMTP Auth? We don't have any users sending mail through our server with authentication. Some PCI compliance guys are making noises that our server is advertising SMTP Auth, since we don't use it we might as well just stop announcing it.
|
|
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk. |
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
Uhm.. we're actually going to classify thit as a bug - if SpamFilter is not configured to use authentication, then your PCI guys are right - we should not advertise it being available.
We should be able to have a patch ready within the next 24/48 hours.
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
Yapadu,
FYI a patched build (v4.7.4.250) is now available for download in the registered user area. Thanks for the report!
|
|
mmmctune
Newbie Joined: 09 September 2017 Status: Offline Points: 15 |
Post Options
Thanks(0)
|
Running v4.7.4.250, still seeing these - 07/11/18 07:25:19:033 -- (40641232) User failed AUTH LOGIN:
Did I miss a setting? user Authentication is set to none.
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
If authentication is disabled in SpamFilter, then SpamFilter will not advertise that it supports authentication in the EHLO response. Per RFC, this should prevent clients from attempting to authenticate.
If a hacker tries to authenticate anyways... SpamFilter is simply sending to NULL the username/password and will simply ignore the auth request (but we are logging the attempted username/password in the logs so admins can see what the hacker is trying to do...).
|
|
mmmctune
Newbie Joined: 09 September 2017 Status: Offline Points: 15 |
Post Options
Thanks(0)
|
OK, thanks.
|
|
dspan824
Newbie Joined: 13 September 2018 Location: Wisconsin USA Status: Offline Points: 1 |
Post Options
Thanks(0)
|
My mail Server requires Authentication - I am not using SSL or TLS - How do I Pass this through the spam filter to the Server The Log entry is: User failed AUTH LOGIN: my IP Address Any help would be Appreciated Edited by dspan824 - 13 September 2018 at 12:20pm |
|
Dan Spangler
|
|
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Post Options
Thanks(0)
|
dspan824,
As mentioned in the support email, the issue is likely caused by this bug that is fixed in the licensed version of SpamFilter but that has not been added to the eval version yet: // New to VersionNumber = '4.7.4.250'; {TODO -cFix : Outbound TLS connections were only being made with TLS 1.0, even if TLS 1.1 and TLS 1.2 were configured and in use correctly for inbound emails} {TODO -cFix : Due to a regression error since v4.5, the AUTH LOGIN appeared in the welcome banner even if authentication was disabled in SpamFilter We provided a workaround earlier today, but please feel free to contact again either via our support email or via the forum if you need us to assist further! |
|
Post Reply | |
Tweet
|
Forum Jump | Forum Permissions You cannot post new topics in this forum You cannot reply to topics in this forum You cannot delete your posts in this forum You cannot edit your posts in this forum You cannot create polls in this forum You cannot vote in polls in this forum |
This page was generated in 0.266 seconds.