Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
Email Notification authentication
« previous
next »
Print
Pages: [
1
]
2
Author
Topic: Email Notification authentication (Read 12460 times)
dcol
Hero Member
Posts: 635
Karma: 51
Email Notification authentication
«
on:
February 05, 2018, 12:10:30 am »
I have one complaint about email notifications, and it is most likely a FreeBSD issue.
The authentication method used is PLAIN which violates security protocols. Most email servers do not accept this method on purpose and the ones that do advise against using it.
How do I go about making a request to change this authentication method. I am not even sure which module handles that. Or at least an option to offer more modern methods. Kind of silly that a security device would leave an open door like that.
Thanks
Logged
slackadelic
Full Member
Posts: 145
Karma: 9
Re: Email Notification authentication
«
Reply #1 on:
February 05, 2018, 02:29:14 pm »
I'm confused, do you mean in System -> Settings -> notifications?
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Email Notification authentication
«
Reply #2 on:
February 05, 2018, 04:19:22 pm »
Yes, and there the authentication method used for email is AUTH PLAIN.
Monit alerts do not use AUTH PLAIN, which is good
Logged
slackadelic
Full Member
Posts: 145
Karma: 9
Re: Email Notification authentication
«
Reply #3 on:
February 05, 2018, 04:27:32 pm »
You can enable STARTTLS etc.. at least in my settings I see them.
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Email Notification authentication
«
Reply #4 on:
February 05, 2018, 04:34:30 pm »
But the email server still needs to allow AUTH PLAIN to accept the messages. That is the issue. OPNsense may send encrypted with STARTTLS, but the server has to be left vulnerable by allowing AUTH PLAIN for all incoming SMTP.
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Email Notification authentication
«
Reply #5 on:
February 05, 2018, 04:52:09 pm »
I think that's
https://github.com/opnsense/core/issues/1983
I'll hopefully fix this week... even though it'll be a fix that won't be needed once Monit is integrated but since that is still almost 6 months away it's not totally in vain.
I'll add a CFT here when the code is available or someone beats me to it.
Cheers,
Franco
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Email Notification authentication
«
Reply #6 on:
February 05, 2018, 05:12:37 pm »
AUTH PLAIN is perfectly ok in case of a TLS connection.
LOGIN is also not secure over an unencrypted connection so there are not many options left, any server supports. From the list of authentication variants supported by Thunderbird, only kerberos, NTLM and OAUTH2 are left.
This is the reason why the best protection is an email server, that supports STARTTLS connections. There is only one valid alternative that may work: The postfix plugin. In that case, OPNsense could send mails by itself and does not depend on an external mail server but in that case, the SPF record must match and the postfix plugin is not preinstalled and therefore not available on all appliances.
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Email Notification authentication
«
Reply #7 on:
February 05, 2018, 05:25:38 pm »
Maybe ok for OPNsense, but you still have to leave an email server wide open to accept the message. OPNsense is not my concern because STARTTLS can be used. But any other mis-configured client may expose themselves.
I love monit. Good idea to integrate it. Installed the plug-in and tested the heck out of it this past weekend and it does what I wanted. Also, monit does not use AUTH PLAIN, which is good.
Logged
slackadelic
Full Member
Posts: 145
Karma: 9
Re: Email Notification authentication
«
Reply #8 on:
February 05, 2018, 05:32:40 pm »
I guess I'm confused, if you're worried about misconfigured clients trying to send outbound on port 25, why not just explicitly block outbound port 25 traffic?
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Email Notification authentication
«
Reply #9 on:
February 05, 2018, 06:00:42 pm »
Clients are not local and can use an unknown IP. Authenticated traffic can relay. If I close port 25, then no email will be accepted. Outbound for an external authenticated user is inbound traffic to me. I cannot restrict inbound port 25, but users sending mail must authenticate, but if I allow AUTH PLAIN, then a mis-configured client is vulnerable.
What would actually solve this issue, which looks like it is being addressed, is to send notifications via port 465 over SSL. But that is not currently working. Then I could set my email server to never allow authentication over port 25 for sending email. That way a client could never configure their SMTP outbound for port 25. Which is actually the way it was set until I had to allow it for this one OPNsense feature.
I guess another work around would be to open up some obscure SMTP port and use that. Then allow only local traffic to that port in the firewall.
Logged
slackadelic
Full Member
Posts: 145
Karma: 9
Re: Email Notification authentication
«
Reply #10 on:
February 05, 2018, 06:08:50 pm »
465 has been deprecated for a long time... Really should configure clients to use Port 587 (submission) with STARTTLS...
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Email Notification authentication
«
Reply #11 on:
February 05, 2018, 06:44:27 pm »
Right now I use 465 with SSL which is the standard port for SMTP SSL. Is there a reason I haven't heard why SSL is being depreciated?
Logged
slackadelic
Full Member
Posts: 145
Karma: 9
Re: Email Notification authentication
«
Reply #12 on:
February 05, 2018, 06:48:44 pm »
Probably best to reference this article with the links to the source info than me trying to haphazardly explain it hehe
https://en.wikipedia.org/wiki/SMTPS
Logged
dcol
Hero Member
Posts: 635
Karma: 51
Re: Email Notification authentication
«
Reply #13 on:
February 05, 2018, 07:42:51 pm »
I will start using 587, but need to maintain 465 for compatibility reasons. But will maintain SSL over STARTTLS.
I have opened an internal port for the OPNsense email notifications. That seems to work nicely.
Logged
NOYB
Jr. Member
Posts: 75
Karma: 6
Re: Email Notification authentication
«
Reply #14 on:
February 05, 2018, 10:36:32 pm »
Quite a bit of incorrect information floating around in this thread.
PLAIN auth is fine with SSL/STARTTLS and does not require that the server be left wide open. Servers can force requirement of either SSL or STARTTLS and reject unsecure connections.
Currently OPNsense email notifications SSL and STARTTLS is broken. Neither are secure.
https://github.com/opnsense/core/issues/1983
In general STARTTLS is unsecure for clients that merely request but do not require connection upgrade.
https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations
It's not difficult to do. But it requires diligent attention to some details.
Logged
Print
Pages: [
1
]
2
« previous
next »
OPNsense Forum
»
Archive
»
18.1 Legacy Series
»
Email Notification authentication