cPanel configuration appears to allow unauthenticated SMTP - how to fix?

Posted by ttsiodras on Server Fault See other posts from Server Fault or by ttsiodras
Published on 2010-03-01T16:06:57Z Indexed on 2010/05/15 20:06 UTC
Read the original article Hit count: 212

Filed under:

secure

|

email

|

exim

|

tls

One of my clients is using a cPanel-based Virtual Dedicated Server that appears to allow unauthenticated SMTP:

bash$ echo EHLO | nc mail.clientscompany.com 25
...
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP

It therefore appears that anyone (esp. spammers) can use his mail server to send whatever - I just connected from my DSL connection at home, and...

bash$ nc mail.clientscompany.com 25
HELO clientscompany.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
From: <[email protected]>
To: <[email protected]>
Date: ...
Subject: ...
Blah
.
QUIT

I just tested this, and sure enough, it sent a mail from "[email protected]".

Since I am not familiar with cPanel and WHM, can someone provide pointers to configure his mail server to (a) only accept TLS connections and (b) only authenticated ones (i.e. with user/password, not just plain connections).

Thanks for any help.

© Server Fault or respective owner

Related posts about secure

Secure Networks Require Secure Web Gateways

as seen on Internet.com - Search for 'Internet.com'
Most IT shops have handled the e-mail threat but overlook the rise of the Web as today's primary attack vector. Secure Web gateways that know better than to trust "good" sites will be key to addressing that oversight. >>> More
All Secure: "Secure Testimony"

as seen on Oracle Technology Network - Search for 'Oracle Technology Network'
Advising the United States Congress about cybersecurity >>> More
Different settings for secure & non-secure versions of Django site using WSGI

as seen on Server Fault - Search for 'Server Fault'
I have a Django website where some of the URLs need to be served over HTTPS and some over a normal connection. It's running on Apache and using WSGI. Here's the config: <VirtualHost example.org:80> ServerName example.org DocumentRoot /var/www/html/mysite WSGIDaemonProcess mysite … >>> More
using paperclip with secure and non-secure files

as seen on Stack Overflow - Search for 'Stack Overflow'
First off, we have this namespaced/sti'd structure for our different types of 'Media' Media< Ar::Base Media::Local < Media Media::Local::Image < Media::Local Media::Local::Csv < Media::Local etc... etc.. This is excellent since a user can have many media, and how we display each piece… >>> More
Secure messaging using Secure MIME is it reliable?

as seen on Stack Overflow - Search for 'Stack Overflow'
We have an automatic reporting and notification system written in .net that sends emails with plain text. We are having to encrypt the messages that we send our clients. The possible implementation approaches we have: Send messages as S/Mime email with attachments. Plain text email with that just… >>> More

Related posts about email

CRM 2011 - Workflows Vs JavaScripts

as seen on Programmers - Search for 'Programmers'
In the Contact entity, I have the following attributes Preferred email - A read only field of type Email Personal email 1 - An email field Personal email 2 - An email field Work email 1 - An email field Work email 2 - An email field School email - An email field Other email - An email field Preferred… >>> More
Sending Email in Android using JavaMail API without using the default android app(Builtin Email app

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Folks, I am trying to create a mail sending application in android, If I use `Intent emailIntent = new Intent(android.content.Intent.ACTION_SEND`); This will launch the builtin application of android, I'm trying to send the mail on button click directly without using this app, Please any suggestions… >>> More
Processing Email in Outlook

as seen on Daniel Moth - Search for 'Daniel Moth'
A. Why Goal 1 = Help others: Have at most a 24-hour response turnaround to internal (from colleague) emails, typically achieving same day response. Goal 2 = Help projects: Not to implicitly pass/miss an opportunity to have impact on electronic discussions around any project on the radar. Not achieving… >>> More
Processing Email in Outlook

as seen on Daniel Moth - Search for 'Daniel Moth'
A. Why Goal 1 = Help others: Have at most a 24-hour response turnaround to internal (from colleague) emails, typically achieving same day response. Goal 2 = Help projects: Not to implicitly pass/miss an opportunity to have impact on electronic discussions around any project on the radar. Not achieving… >>> More
email is moved to junk-email folder even though sender is listed as safe

as seen on Super User - Search for 'Super User'
Using Outlook-2007 : Added a sender as safe sender, but still the email from that id goes to junk-email folder. Tried resetting all settings and restarted outlook . any ideas ? Thanks! >>> More