Prevent anonymous users from sending through my PMG?

The Merchant

Hello. I'm using PMG as a mail proxy for my Exchange mailserver.

Yesterday I noticed that it's possible to send mails anonymously from the domains listed in my relay domains, to any other domain listed in my relay domains. I tested from an unrelated external network, and I was able to send emails from my relay using a simple SMTP tester, but only from and to mydomains.tld.

I was convinced that only IPs listed in the networks tab were allowed to send FROM the relay.

Luckily this hasn't been abused yet except from 1 single phishing mail that made me aware of the issue (so thanks spammer).

How do I prevent any other network from sending from the relay, except those listed in trusted networks - regardless of the sender and receiver domain?

I hope my question makes sense.

I've posted some screenshots of my configuration.

Thanks in advance.
 

Attachments

  • Skærmbillede 2023-09-30 201030.png
  • Skærmbillede 2023-09-30 201043.png
  • Skærmbillede 2023-09-30 201154.png
  • Skærmbillede 2023-09-30 201222.png
> Yesterday I noticed that it's possible to send mails anonymously from the domains listed in my relay domains, to any other domain listed in my relay domains. I tested from an unrelated external network, and I was able to send emails from my relay using a simple SMTP tester, but only from and to mydomains.tld.

This is how SMTP works - there is no built-in authentication between servers sending mail over the internet.

The Access control in PMG works as follows:
* everybody (the public internet) can send e-mails to your _Relay Domains_ (this includes your users) on the external port (defaults to 25)
* everybody coming from a _Trusted Network_ can send mail everywhere on the internal port (defaults to 26)

If you want to prevent address spoofing - the technologies are called SPF, DKIM, DMARC (but they also do not work 100%).

I hope this helps
 
> This is how SMTP works - there is no built-in authentication between servers sending mail over the internet.
>
> The Access control in PMG works as follows:
> * everybody (the public internet) can send e-mails to your _Relay Domains_ (this includes your users) on the external port (defaults to 25)
> * everybody coming from a _Trusted Network_ can send mail everywhere on the internal port (defaults to 26)
>
> If you want to prevent address spoofing - the technologies are called SPF, DKIM, DMARC (but they also do not work 100%).
>
> I hope this helps

What if I need to use PMG as an SMTP server for a third party application? That application requires entering a user and password in the SMTP configuration and it does not accept an empty user/password.
 
> What if I need to use PMG as an SMTP server for a third party application? That application requires entering a user and password in the SMTP configuration and it does not accept an empty user/password.

Which application is that - as I think I have not encountered any that really _needs_ SMTPAUTH on the client side?

Anyways - why not point that application to your downstream server, which has the mailboxes (and thus also accounts)?
 
> Which application is that - as I think I have not encountered any that really _needs_ SMTPAUTH on the client side?
>
> Anyways - why not point that application to your downstream server, which has the mailboxes (and thus also accounts)?

It is https://www.streamsoft.eu/
And yes - we finally ended up using the internal mail server, which is the good old Domino 9.0 mail server :)

Thanks for your advice!

Marek
 
Hey, sorry for necroing the thread, but just leaving this here if someone else stumbles upon it.

We solved this by making a "Who Object" containing all our internal domains, and then an inbound rule, blocking the message if "From" is on the list of internal domains.

Do be cautious though that this will also block incoming mails for anyone allowed to send on your behalf as specified in SPF, like Mailchimp for example.
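
The access rules described in this thread, together with the inbound rule from the last post, modelled as an added example (not PMG code and not written by any poster). The domains, networks, the `decide` function and the `allow_spf_senders` exception are constructed assumptions, and the model matches on the envelope sender.

```python
import ipaddress
from email.utils import parseaddr

# Constructed sample values (assumptions, not taken from the thread).
INTERNAL_DOMAINS = {"mydomains.tld"}                      # the "Who Object" / relay domains
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]  # entries of the Networks tab
# Hypothetical range of a third party that SPF allows to send on the domain's behalf.
SPF_AUTHORIZED = [ipaddress.ip_network("198.51.100.0/24")]

def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def _domain(address):
    # Lower-cased domain part of an address; empty for the null sender "<>".
    return parseaddr(address)[1].rpartition("@")[2].lower()

def decide(port, client_ip, mail_from, rcpt_to, allow_spf_senders=False):
    """Return (action, reason) for one SMTP transaction in this simplified model."""
    sender, rcpt = _domain(mail_from), _domain(rcpt_to)
    if port == 26:
        # Internal port: trusted networks may send anywhere.
        if _in_any(client_ip, TRUSTED_NETWORKS):
            return ("accept", "trusted network")
        # Assumption of this model: other clients are refused here.
        return ("reject", "not a trusted network")
    # External port 25: anyone may send, but only to the relay domains.
    if rcpt not in INTERNAL_DOMAINS:
        return ("reject", "relaying denied")
    if sender in INTERNAL_DOMAINS:
        # Inbound rule from the last post: internal sender arriving from outside.
        if allow_spf_senders and _in_any(client_ip, SPF_AUTHORIZED):
            # Hypothetical exception for SPF-authorized sources, not a PMG setting.
            return ("accept", "internal sender from SPF-authorized source")
        return ("block", "internal sender on inbound mail")
    return ("accept", "inbound mail to relay domain")

if __name__ == "__main__":
    cases = [
        (25, "203.0.113.7", "ceo@mydomains.tld", "user@mydomains.tld"),    # spoof seen by the OP
        (25, "198.51.100.9", "news@mydomains.tld", "user@mydomains.tld"),  # caveat: legit third party
        (26, "10.0.0.5", "user@mydomains.tld", "someone@example.net"),     # Exchange sending out
    ]
    for case in cases:
        print(case, "->", decide(*case))
```

The second case shows the caveat from the last post: without an exception, mail from a sender that SPF authorizes is blocked by the same rule that stops the spoofed message.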
 