Change "FKA SMTP Tweak" behavior to encourage correct user behavior

Martin Thykier shared this idea 6 years ago
Open Discussion

The "Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)" currently punishes users who try to authenticate to a remote mail server before sending mails, while it "rewards" users who just send mails to remote sites, by working out of the box.


Using this tweak then encourages the opposite behavior of what we intended by enabling this feature.


Details:

Connections by regular users to remote servers on ports 25, 465 & 587 are "hijacked" by the local mail server.

Remote login credentials are therefore tried on the local mail server which denies the login with the less than helpful error message "Authentication Failed" (which they believe to come from the remote server).


In case the user adapts and, by trial and error, makes it work using local credentials, they're unintentionally leaking their credentials if the feature is ever disabled or their account is migrated to a server without this tweak enabled.


Malicious scripts trying to bypass the local mailserver, on the other hand, are given a second chance to have their mail forwarded by a legitimate mail server which now treats the connection as a local user.

---

Our proposed changes:

1. Leave the "mail submission" port 587 alone. A mail server listening on this port should require authentication before accepting mails, thus any mail sent this way is quite likely legitimate.

If users have cases that require special mail servers, or wish to bypass the spam issues on our server, who are we to stop them?


2. Be even more aggressive on ports 25 and 465: either block the connection entirely, giving a TCP "Connection refused", or, even better, redirect the connections to dedicated ports (one for SSL and one without) on the mail server which always end the connection with a correct error message:

"550 Please connect to localhost or use the submission protocol on port 587"
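
A way to tell which server actually answered, for the situation described under "Details" (an added example, not part of the original post or of cPanel's code): it reads the SMTP greeting on the plain-text ports and compares the announced domain with this machine's names. `read_greeting`, `check_redirect` and `this_host_names` are hypothetical helper names, and the check assumes the local mail server greets with the machine's hostname; port 465 is left out because it needs a TLS handshake before the greeting.

```python
import socket
import sys

def read_greeting(sock):
    """Read a possibly multi-line SMTP greeting; return (code, domain)."""
    domain = None
    with sock.makefile("rb") as f:
        while True:
            line = f.readline().decode("ascii", "replace").rstrip("\r\n")
            if len(line) < 3 or not line[:3].isdigit():
                raise ValueError(f"not an SMTP reply: {line!r}")
            if domain is None:
                # RFC 5321: the first greeting line starts with the server's domain.
                words = line[4:].split()
                domain = words[0].lower().rstrip(".") if words else ""
            if line[3:4] != "-":  # "220-" continues the reply, "220 " ends it
                return int(line[:3]), domain

def check_redirect(remote_host, port, local_names, timeout=10):
    """Connect to remote_host:port and report who sent the greeting."""
    with socket.create_connection((remote_host, port), timeout=timeout) as s:
        code, domain = read_greeting(s)
        s.sendall(b"QUIT\r\n")
    local = {n.lower().rstrip(".") for n in local_names}
    return {"code": code, "greeted_as": domain,
            "answered_locally": domain in local}

def this_host_names():
    """Assumption: the local MTA greets with the hostname or FQDN."""
    return {socket.gethostname(), socket.getfqdn()}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_redirect.py <remote-mail-host>")
    for port in (25, 587):
        try:
            print(port, check_redirect(sys.argv[1], port, this_host_names()))
        except (OSError, ValueError) as exc:
            print(port, "no usable greeting:", exc)
```

Run it as the affected account, not as root, since the restriction applies to regular users. If `answered_locally` is true for a remote host, an "Authentication Failed" reply on that port came from the local server.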

Comments (2)

This just BIT me with some sites not being able to use Joomla and other CMS's to send email via Gmail. This needs to be changed somehow.

I just found this after spending an hour trying to figure out why SMTP email was sending on my local WAMP setup but not on a live cPanel system, with all the same SMTP settings. Why would this be disabled by default??

Andy, THANK YOU! Still, in 2020 this issue continues. This was driving me around the bend.
