SMTP Open Relay #261
Comments
Papercut SMTP is designed to be used on LOCALHOST and bound to LOCALHOST:25. Why would it need security by default? I can look at supporting this but it's complex and gets outside the current scope of what the project is used for. It's obviously NOT an open relay so you could just ignore that too.
Issue should be: support authentication on the SMTP
Hello Jaben,
Many thanks for the reply – I understand the logic and agree it isn’t necessarily needed, but it's flagging up on security vulnerability reports so I have to investigate options.
Huw Owen
From: Jaben Cargman
Sent: Tuesday, April 23, 2024 2:39 PM
Subject: Re: [ChangemakerStudios/Papercut-SMTP] SMTP Open Relay (Issue #261)
Papercut SMTP is designed to be used on LOCALHOST and bound to LOCALHOST:25. Why would it need security by default? I can look at supporting this but it's complex and gets outside the current scope of what the project is used for.
It's obviously NOT an open relay so you could just ignore that too.
@huwbart It sounds like the "security vulnerability" here is some security scanning software that sees an open SMTP server and makes the assumption that an open relay will forward mail without authentication (which this application doesn't do - it only receives and doesn't forward). I could see how the scanning software would make that assumption, but since it's more a development tool and not really server software, could the security software be set up to ignore this vulnerability? I've had development tools register as false positives before because of situations like this one - sometimes that infosec team is okay accepting that it's not actually a problem, and sometimes they press that it needs to be fixed (and adding security to this tool would be complicated). It's possible that the tool could be set up to prompt for login details and then not actually care what they are? Like a fake prompt of some kind that you can enable that satisfies the scanning tool but doesn't actually verify anything?
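The distinction drawn in the comment above, as an added example that is not part of the thread and not Papercut's code: a constructed receive-only SMTP sink on loopback answers 250 to an unauthenticated RCPT for an outside domain, which is what a scanner's relay heuristic is assumed to key on here, yet the message is only stored locally. The `SinkHandler`, `scanner_style_probe` and `demo` names and the `.example` addresses are hypothetical.

```python
import smtplib
import socketserver
import threading

STORED = []  # (recipients, body) kept locally; the sink has no code path that forwards

class SinkHandler(socketserver.StreamRequestHandler):
    """Constructed receive-only SMTP dialogue: accept, store, never relay."""
    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 localhost sink ready")
        rcpts = []
        while line := self.rfile.readline():
            cmd = line.strip()
            if cmd.upper().startswith(b"RCPT TO:"):
                rcpts.append(cmd[8:].decode("ascii", "replace"))
                self.reply("250 OK")  # accepted for storage, whatever the domain
            elif cmd.upper() == b"DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                body = b""
                while (chunk := self.rfile.readline()) not in (b".\r\n", b""):
                    body += chunk
                STORED.append((rcpts, body))
                rcpts = []
                self.reply("250 OK stored")
            elif cmd.upper() == b"QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("250 OK")  # HELO, MAIL FROM, RSET, NOOP

def scanner_style_probe(host, port):
    """Assumed scanner heuristic: unauthenticated RCPT for an outside domain gets 250."""
    with smtplib.SMTP(host, port, local_hostname="scanner.example", timeout=5) as smtp:
        smtp.helo()
        smtp.mail("probe@scanner.example")
        code, _ = smtp.rcpt("someone@external.example")
        smtp.data(b"Subject: relay probe\r\n\r\nconstructed test body\r\n")
        return code == 250

def demo():
    STORED.clear()
    with socketserver.TCPServer(("127.0.0.1", 0), SinkHandler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        flagged = scanner_style_probe(*server.server_address)
        server.shutdown()
        return flagged, list(STORED), server.server_address[0]
```

`demo()` returns the heuristic's verdict, the messages the sink kept, and the bind address; the SMTP dialogue alone cannot show whether mail leaves the host, so the bind address and the absence of outbound delivery are the evidence to give a reviewer.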
The PaperCut-SMTP software is being detected as an open SMTP relay by our security scanning software, and there doesn't appear to be a way to secure the connection with a username/password. Can an option be added to require a username/password to connect?