[GH-ISSUE #1667] Unauthenticated SMTP possible on port 25 #1311

Closed
opened 2026-02-27 11:16:27 +03:00 by kerem · 4 comments

Originally created by @PatTheMav on GitHub (Feb 7, 2019).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/1667

Impacted versions

  • Modoboa: 1.13.1
  • installer used: Yes
  • Webserver: Nginx

Steps to reproduce

  • Use an SMTP tester (e.g. https://www.gmass.co/smtp-test)
  • Use the mail server domain, port 25, leave name and password empty
  • Use a fake email address as the "from address"
  • Use an existing email address on the same server as the "to address"
  • Send email

Current behavior

On port 25 the email server allows arbitrary emails to be sent to local, existing mailboxes without authentication. This allows any client (even such test pages) to spam existing users.

Non-local email addresses are correctly rejected with the message "Relay access denied"; using port 587 also blocks access.

Expected behavior

When authentication is enabled, all attempts to send email via SMTP without auth should be blocked.


As far as I could check, authentication is enabled and works, i.e. I can't send an email using Apple Mail without proper authentication. If I enter a wrong password however, Apple Mail's connection test tells me that the connection was successful, but no authentication is needed (actually sending out an email fails however).

But I successfully "spammed" my own users with the test tool and my own SMTP. 😕

kerem closed this issue 2026-02-27 11:16:27 +03:00

@PatTheMav commented on GitHub (Feb 7, 2019):

Let this be a lesson for later generations:

  1. Understand how Email works.
  2. Then write GitHub issues.

Closed.. 🙈😂


@carbans commented on GitHub (Feb 19, 2019):

@tonioo this problem exists and I am receiving a lot of SPAM this way. How can we fix it? I think it's an important bug


@Arvedui commented on GitHub (Feb 20, 2019):

This is not a bug, it's a feature.

Yes, it is most certainly how all the spam reaches you, just like any other mail coming from other servers. If you fix this "bug" you won't be able to receive mails from people using other mail providers like gmail or outlook.

If you are absolutely certain that that is what you want, just delete the MX record and close port 25 in your firewall.


@PatTheMav commented on GitHub (Feb 25, 2019):

@carbans at first I thought this to be an error as well, but after "understanding how Email works" (as I've written before I closed the issue), it's obvious it can't be locked down (simplified explanation follows):

  • If clients need to send an email to somebody outside their domain as their SMTP is not configured to be an open relay (good!), clients need to connect via port 587 and authenticate against the server.
  • Unauthenticated clients (port 25) can just send emails to accounts at the same domain as the SMTP itself.
  • Which means:
    • If you send an email to someone@domain.com, the MX record of domain.com will name the server that should receive that mail, on port 25.
    • Your own SMTP only accepts such a request on port 587 after authentication.
    • It will then relay that email to the other SMTP server.
    • If the remote SMTP is configured correctly, it'll only accept emails on port 25 for local accounts, but not for any other domains.

In essence, an open port 25 needs to "allow spamming" of local email accounts, because that's how email is transferred - other SMTPs send emails to your SMTP on that port. That's why SMTPs need to be closed down to not relay email to any domain outside of their own. And that's why DKIM/SPF/DMARC are necessary.

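The behaviour reported at the top of the thread (port 25 accepts mail for local mailboxes from anyone, refuses foreign recipients with "Relay access denied", and port 587 refuses everything without authentication) and the explanation in the comment above are the same policy seen from two sides. The following toy MTA front end is an added illustration written for this page; it is not Modoboa's code nor that of any real mail server. The hosted domain `example.test`, the user `alice` with password `s3cret`, the `AUTH user:password` syntax and the single-line `DATA` are all simplifications invented for the example.

```python
"""Toy MTA front end modelling the recipient policy discussed in this thread.

Constructed example, not code from Modoboa or from any real MTA. It encodes
the decision PatTheMav describes: on port 25 the server is the final
destination for its own domains and must accept mail for them from any peer
(that is how other MTAs deliver via the MX record); relaying to foreign
domains is refused unless the client authenticated on the submission port.
"""

LOCAL_DOMAINS = {"example.test"}   # domains this server hosts (constructed)
USERS = {"alice": "s3cret"}        # submission credentials (constructed)
HOSTNAME = "mail.example.test"     # constructed


def _address(arg):
    """'TO:<user@host>' or 'FROM:<user@host>' -> 'user@host'."""
    return arg.split(":", 1)[1].strip().strip("<>")


class SmtpSession:
    """Server-side state for one connection; handle() returns the reply line."""

    def __init__(self, port):
        self.port = port            # 25 = MTA-to-MTA, 587 = submission
        self.authenticated = False
        self.sender = None
        self.recipients = []
        self.queued = []            # (sender, recipients, body) accepted here

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # AUTH is only advertised on the submission port.
            replies = [f"250-{HOSTNAME}"]
            if self.port == 587:
                replies.append("250-AUTH PLAIN LOGIN")
            replies.append("250 OK")
            return "\r\n".join(replies)
        if verb == "AUTH":
            if self.port != 587:
                return "503 5.5.1 AUTH not available on this port"
            user, _, password = arg.partition(":")   # toy syntax, not real SASL
            if USERS.get(user) == password:
                self.authenticated = True
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            # Submission port: nothing is accepted before AUTH, so an
            # unauthenticated client cannot even address local users there.
            if self.port == 587 and not self.authenticated:
                return "530 5.7.0 Authentication required"
            self.sender = _address(arg)   # envelope sender is not verified here:
            return "250 2.1.0 OK"         # that is what SPF/DKIM/DMARC are for
        if verb == "RCPT":
            return self._rcpt(arg)
        if verb == "DATA":
            # Simplified: the message body rides along on the DATA line.
            if not self.recipients:
                return "554 5.5.1 No valid recipients"
            self.queued.append((self.sender, list(self.recipients), arg))
            self.sender, self.recipients = None, []
            return "250 2.0.0 Queued"
        return "500 5.5.2 Command not recognized"

    def _rcpt(self, arg):
        if self.sender is None:
            return "503 5.5.1 Need MAIL command first"
        addr = _address(arg)
        domain = addr.rpartition("@")[2].lower()
        # Accept if we are the final destination, or if an authenticated
        # submission client asks us to relay; never relay for anyone else.
        if domain in LOCAL_DOMAINS or (self.port == 587 and self.authenticated):
            self.recipients.append(addr)
            return "250 2.1.5 OK"
        return f"554 5.7.1 <{addr}>: Relay access denied"


def run_dialogue(port, commands):
    """Feed client commands to a fresh session; return the list of replies."""
    session = SmtpSession(port)
    return [session.handle(c) for c in commands]


def scenarios():
    """The cases from the issue, keyed by name -> the server reply that decides them."""
    # 1. Reporter's reproduction: port 25, no credentials, forged sender,
    #    existing local recipient. Accepted: this is ordinary MX delivery.
    r1 = run_dialogue(25, ["EHLO tester", "MAIL FROM:<fake@nowhere.invalid>",
                           "RCPT TO:<alice@example.test>", "DATA hello"])
    # 2. Same peer, foreign recipient: the server is not an open relay.
    r2 = run_dialogue(25, ["EHLO tester", "MAIL FROM:<fake@nowhere.invalid>",
                           "RCPT TO:<bob@example.org>"])
    # 3. Port 587 without AUTH: the submission port blocks everything.
    r3 = run_dialogue(587, ["EHLO laptop", "MAIL FROM:<alice@example.test>"])
    # 4. Port 587 with valid credentials: relaying outbound is allowed.
    r4 = run_dialogue(587, ["EHLO laptop", "AUTH alice:s3cret",
                            "MAIL FROM:<alice@example.test>",
                            "RCPT TO:<bob@example.org>", "DATA hello"])
    return {"port25_local": r1[2], "port25_local_queued": r1[3],
            "port25_remote": r2[2], "port587_noauth": r3[1],
            "port587_auth_relay": r4[3]}


if __name__ == "__main__":
    for name, reply in scenarios().items():
        print(f"{name:20s} {reply}")
```

Scenario 1 is exactly what the SMTP tester in the original report did, and the only thing that would make it fail is also what would stop every other mail server from delivering to you. Scenario 2 is the "Relay access denied" seen for non-local addresses, and scenario 3 is why port 587 "blocks access" without credentials. If the stack behind Modoboa is Postfix (the thread does not say), the equivalent production rule is the relay restriction `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination`; the forged envelope sender in scenario 1 is then left to SPF/DKIM/DMARC checks, which is the point of the last sentence of the comment above.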