Enhance access control options in GWIA regarding SMTP authentication

Idea ID 2785599

Enhance access control options in GWIA regarding SMTP authentication

Currently, a directly internet connected GWIA is a worthwhile and easy target all sorts of hacking, as it's officially impossible to even outright disable SMTP authentication, let alone control who is allowed to use it. That's why countless GWIAs are constantly bruteforce attacked for valid credentials, often either succesful (then abused as spam relay or worse, to access mailboxes of hacked accounts), or at least resulting in DOS attacks, *if* the admin was observant enough to at least change the defaults (which allow brute force attacks without any countermeasure) and enabled intruder detection.

At a very minimum, we urgently need a switch to totally disable any SMTP authentication on a GWIA. But in the long run, GWIA needs to be able to control SMTP authentication per user. In it's current state, it becomes more and more difficult if not impossible to directly connect GWIA to the Internet due to the lack of security in that area.
7 Comments
Absent Member.
Absent Member.
Having some other protection in front isn't always an option, and even when there is, we still need a full Depth in Defense for when the bad guys either get around other protection or to defend against internal hostiles such as at a school.
Knowledge Partner
Knowledge Partner
And of course, no product should factually require third party products on top to be properly useable. But that's almost the state of GWIA at this point in time.
Absent Member.
Absent Member.
Agreed. I see a lot of attacks directed at "webmaster", "abuse" etc.
Respected Contributor.
Respected Contributor.
What has helped me is to enable: --disallowauthrelay as well as Relay Allow overrides (IPAddress to * or IPAddress to *@yourdomain.com) for internal scripting engines that send mail via GWIA relay.
Knowledge Partner
Knowledge Partner
--disallowauthrelay doesn't do it. It does *NOT* stop the authentication itself, aka it's still possible to check and guess valid passwords via the GWIA. It *does* stop the abuse of the credentials for relaying only.
Super Contributor.
Super Contributor.
Is there any security software I can put between GWIA IMAP and the Internet? I use postfix for SMTP which is not a perfect solution, but helps a lot. I couldn't find any software for IMAP.
Knowledge Partner
Knowledge Partner
I suggest you ask this (with details what you're trying to achieve) in the forums, this isn't really the right place.
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.