Stunnel Insecure for SMTP?

[bzimmer]

I'm running a clean install of 8.1.1 (latest patches) and just enabled the stunnel utility (Plesk SSL Wrapper). When I ran a security scan of my server (Nessus, offered by Softlayer), it informed me that although my SMTP port (25) was closed to relaying, my SMTPS port (465) allowed relaying. It would appear that when stunnel is invoked, the local IP address (127.0.0.1) is being passed to mailenable instead of the IP of the connection. I read a bit about this at:

http://marc.info/?l=stunnel-users&m=100831182223125&w=2

and it would seem the -T flag must be invoked when stunnel is ran. Can someone confirm if this is in fact what the bug is? If so, is there a place I can add -T flag or does SWSoft need to fix this (if it is a bug). Thanks!

Brian

 

[bzimmer]

Has anyone else attempted to reproduce this? All you should need to do is setup a server, allow relaying with authentication and relaying from 127.0.0.1 (that's a default setting), enable stunnel, and then try sending a message through SMPTS to another server (using outlook or another mail program). If the message goes through (without sending the server any authentication), then there is a hole. Thanks!

 

[sergius]

Hello bzimmer,

Thank you for the report. Seems you are right and this issue does take place. It will be fixed as soon as possible.