Synology Mail Server Big Problem, Be aware!!!

[snbforumstom]

Hi

I have 3 domain on my synology diskstation ds213j with lates DS gui. I run my own DNS server so i created TXT SPF record for each of my domains to protect against spam.

In synology DS mail server Authentication->SPF i enable "Enable SPF verification"
= checked
and "REject SPF softfail". I saved and restarted the server. Then i went to check the server if spammers can use it.


I went to https://www.wormly.com/test_smtp_server and i run the test with real and fake users both could send email to my real user ex. bob.

See the screen shot.

How to fix it so forge emails wont get to my inbox with sender ex. tom@skynetisp.ca
-------------------------------------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------------------------------------------------------------------
Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
220 skynetisp.ca ESMTP Postfix
SMTP -> FROM SERVER:
250-skynetisp.ca
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: bob@skynetisp.ca
SMTP -> FROM SERVER:
250 2.1.0 Ok
RCPT TO: tom@skynetisp.ca
SMTP -> FROM SERVER:
250 2.1.5 Ok
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 End data with .
SMTP -> FROM SERVER:
250 2.0.0 Ok: queued as C34372843
Message completed successfully.

 

[stevech]

Run my own DNS?
Admin my own email server?
As a SOHO/residential user?
Not.

 

[coxhaus]

I did for 9 years. I ran Microsoft Exchange in the small business server 2003. I retired and stopped using it. It got to be a lot of trouble supporting all the handhelds toward the end. At first it was easy with PCs but then everybody wanted their email on their iPhone and such. You had to use software routers to fight spam or UTMs at the end seemed better. Consumer routers would not stop the email spam.

 

[sfx2000]

SPF (and DKIM) only validate the domain, not the USER as SPF and DKIM are MTA actions, not MUA actions.

so TOM@SKYNETISP.CA could be valid as MAIL FROM - postfix is only going to know RCPT TO, e.g.BOB@SKYNETISP.CA, and if bob is a good mailbox - if the "bob" account doesn't exist, then postfix does a bounce...

If TOM is not a valid account, SPF doesn't care, as it assumes that the SMTP server for SKYNETISP.CA already knows TOM...

It's SMTP, and there are ways to fix it, but also, please understand the roles of MUA and MTA - postfix is an MTA, just like sendmail - Thunderbird, Outlook, Apple Mail, etc... are all MUA's...

 

[sfx2000]

I did for 9 years. I ran Microsoft Exchange in the small business server 2003. I retired and stopped using it. It got to be a lot of trouble supporting all the handhelds toward the end. At first it was easy with PCs but then everybody wanted their email on their iPhone and such. You had to use software routers to fight spam or UTMs at the end seemed better. Consumer routers would not stop the email spam.

Jeez... feel your pain there... between Exchange/AD/OWA and Active Sync... and then having to deal with spam... gah, you're a better man that me for living with that challenge for 9 years...

(way back in the days, I managed an MS Mail platform for a while... after a long break, I did inherit an SMTP/MMS/SMPP gateway (actually 14 of them) and spam was a huge problem, put the SPAM to bed quite nicely with some help from ProofPoint and CloudMark, but that's another story perhaps)

 

[coxhaus]

I had to run my own mail server in the old days as I hated the way email work in those days. Email would download to a machine where your client was. If you logged on to a different workstation or laptop your email would be on the other machine. There was no browser based email. Microsoft brought out browser based email and it was like heaven being able to check your email on any machine. Outlook worked but I like browser based. So I had to run my own email server. Plus we had Exchange at work so it kind of fit.

I went through several software routers with email filtering. In the end I settled on Untangle UTM. I still remember when Microsoft started supporting handhelds. My wife had an original iPhone and she was the first. I started modifying Exchange as Microsoft wrote updates. Then all my kids and everyone had handhelds.

 

[stevech]

run own email server... versus rocks in shoes.

I'd take the latter.

 

[sfx2000]

run own email server... versus rocks in shoes.

I'd take the latter.

For a small biz, sometimes better to outsource it rather than self-host - there are some great email only service providers out there that have done great work, and many will even walk you thru all the steps needed to update the DNS records for MX, along with SPF, DKIM, and many now also support DMARC...

Most of them support IMAP (properly, unlike Google's solution), POP3, and SMTP with TLS...

 

[stevech]

Anyone heard of a small biz using Google's professional email?

http://business.tutsplus.com/articles/setting-up-a-hosted-email-solution-with-google-apps--fsw-40168

 

[sfx2000]

Anyone heard of a small biz using Google's professional email?

http://business.tutsplus.com/articles/setting-up-a-hosted-email-solution-with-google-apps--fsw-40168

Quite a few do, and it works reasonably well (well, it's basically the same as Gmail anyways...) - Microsoft's offering is pretty decent.

 

[snbforumstom]

HI


So is there a way to fix it in synology mail server?

Using the test tool: https://www.wormly.com/test_smtp_server i was able to do this:


1) Fake user Greg to send email to true user Tom
ex: greg@skynetisp.ca ----> tom@skynetisp.ca ------------------------> HOW TO FIX IT I DONT WANT THIS TO HAPPEN

Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
220 skynetisp.ca ESMTP Postfix
SMTP -> FROM SERVER:
250-skynetisp.ca
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: greg@skynetisp.ca
SMTP -> FROM SERVER:
250 2.1.0 Ok
RCPT TO: tom@skynetisp.ca
SMTP -> FROM SERVER:
250 2.1.5 Ok
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 End data with .
SMTP -> FROM SERVER:
250 2.0.0 Ok: queued as C34372843
Message completed successfully.

2) True user to true user:
ex: tom@skynetisp.ca ----> bob@skynetisp.ca ------------------------> HOW TO FIX IT I DONT WANT THIS TO HAPPEN


Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
220 skynetisp.ca ESMTP Postfix
SMTP -> FROM SERVER:
250-skynetisp.ca
250-PIPELINING
250-SIZE 104887600
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: bob@skynetisp.ca
SMTP -> FROM SERVER:
250 2.1.0 Ok
RCPT TO: tom@skynetisp.ca
SMTP -> FROM SERVER:
250 2.1.5 Ok
Sending Mail Message Body...
SMTP -> FROM SERVER:
354 End data with .
SMTP -> FROM SERVER:
250 2.0.0 Ok: queued as C35379844
Message completed successfully.

 

[sfx2000]

So is there a way to fix it in synology mail server?

Read post 4 above...

SMTP will accept inbound - and either bounce or route to /dev/null...

That's how SMTP works...

 

[snbforumstom]

Read post 4 above...

SMTP will accept inbound - and either bounce or route to /dev/null...

That's how SMTP works...

U are WRONG..... for sure there is user on Bob and Tom on hotmail.com mail server ? am i right?

IF yes: try to send using the test toool url email:
ex: bob@hotmail.com ----> tom@hotmail.com

or to himself
ex: bob@hotmial.com----> bob@hotmail.com

I bet you the hotmail server WILL BLOCK YOU.

WHY I CAN NOT DO THE SAME.

 

[sfx2000]

I'm not wrong... SMTP validates DOMAIN's at the MTA level, which is server to server...

Some SMTP host may reject based on USER@DOMAIN, but most don't... note that I say "may" not "must"... postfix accepts anything sent to it via MTA connection, and then deals with it accordingly.

Once it gets thru the MTA, then it's up to local SMTP host to either drop the message in the user's mail spool, or route it back to the sending MTA as a bounce (no such user), or route to trash (/dev/null)

So cool your jets man...

 

[snbforumstom]

I'm not wrong... SMTP validates DOMAIN's at the MTA level, which is server to server...

Some SMTP host may reject based on USER@DOMAIN, but most don't... note that I say "may" not "must"... postfix accepts anything sent to it via MTA connection, and then deals with it accordingly.

Once it gets thru the MTA, then it's up to local SMTP host to either drop the message in the user's mail spool, or route it back to the sending MTA as a bounce (no such user), or route to trash (/dev/null)

So cool your jets man...

I cool u coool


So How do you BOUNCE back that mail if the user is fake? thats all i want to do.


thx

 

[coxhaus]

Have you looked a Untangle for preprocessing your SMTP mail? It does a good job. You just route the mail through it before the mail server.

 

[snbforumstom]

This doesnt make sens nor logic. Make male sever on synology KNOWING everybody will be able with FAKE user using my domain to send to real users on my domain. It should be all put together not separate. What a joke

 

[stevech]

Mail server admin in this era of spam and hacking.
flagellation (or masochism).

 

[sfx2000]

So How do you BOUNCE back that mail if the user is fake? thats all i want to do.

Your SMTP transport agent (postfix) will bounce it automatically if there is no user account... but it does this after the fact - check your postfix logs, and you'll see the error handling log entry there.

 

[stevech]

... Make male sever on synology ...

I'm pondering what that male server would look like.