
    Kopano - insecure default dagent (LMTP) configuration? Binds to all IPs.

    • Gerald

      The default configuration file dagent.cfg contains the following (view on stash.kopano.io) default configuration:

      # binding address for LMTP daemon
      # change to the empty string if you require connections on other addresses
      #server_bind =
      

      I’m no expert in this, but as far as I understand, the LMTP daemon does not require any authentication.
      So by default it binds to all interfaces, and therefore, if your Kopano server is on a public IP, anyone can deliver mail using port 2003!
      (Even if not on a public IP, all LAN devices can deliver mail on port 2003.)

      Perhaps I misunderstand the implications, but this does not look like a good default configuration to me. Also, the description of the setting sounds more like “server_bind = 127.0.0.1” should follow, without the “#”. Otherwise “change to the empty string” does not make any sense, because this is already the default.

      • fbartels (Kopano) @Gerald

        Hello @Gerald ,

        the Zarafa 7.2.2 release announcement had the following on this matter:

        To facilitate use of IPv6 on a single socket, zarafa-dagent no longer binds to the IPv4-only 127.0.0.1 by default. It is advised to review your firewall settings and perhaps block port 2003 if applicable.

        So if you are running IPv4 only, it’s indeed easiest to bind to 127.0.0.1, but in mixed environments you cannot bind to two interfaces at the same time; hence the recommendation to block the port with iptables or similar.

        And yes, if you open up the port to the network, any service speaking LMTP would be able to deliver mails to your local users, but not relay them to a different service (so no open relay situation or similar).

        Regards, Felix

        Resources:
        https://kopano.com/blog/how-to-get-kopano/
        https://documentation.kopano.io/
        https://kb.kopano.io/

        Support overview:
        https://kopano.com/support/
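        The exposure question in Gerald's post and the firewall recommendation in Felix's reply, as an added example that is not part of the original thread and not Kopano's own tooling: a small POSIX shell script that classifies where the LMTP listener on port 2003 is bound, reading `ss -ltnH` output, and prints iptables/ip6tables rules that keep the port reachable from the local host only while still covering both IPv4 and IPv6. The `ss` output embedded in the script is constructed for illustration; the function names and the `LMTP_PORT` constant are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Kopano project): check how the dagent LMTP
# listener is exposed and emit firewall rules that restrict it to localhost.

LMTP_PORT=2003

# Constructed sample of `ss -ltnH` output showing the post-7.2.2 default
# (dagent on the wildcard addresses) next to an unrelated loopback-only service.
SAMPLE_SS="LISTEN 0 128 0.0.0.0:2003 0.0.0.0:*
LISTEN 0 128 [::]:2003 [::]:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*"

# lmtp_bind_scope: reads `ss -ltnH` lines on stdin and prints one word:
#   wildcard  - bound to 0.0.0.0, [::] or *, i.e. reachable from any network
#   loopback  - bound only to 127.0.0.1 / [::1]
#   specific  - bound to some other concrete address (e.g. a LAN IP)
#   none      - nothing listens on LMTP_PORT
lmtp_bind_scope() {
    awk -v port="$LMTP_PORT" '
        $1 == "LISTEN" {
            addr = $4
            # Local address is "host:port"; the port follows the last colon,
            # which also works for bracketed IPv6 forms like [::]:2003.
            n = split(addr, parts, ":")
            p = parts[n]
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p != port) next
            if (host == "0.0.0.0" || host == "[::]" || host == "*") wild = 1
            else if (host == "127.0.0.1" || host == "[::1]") loop = 1
            else spec = 1
        }
        END {
            if (wild) print "wildcard"
            else if (spec) print "specific"
            else if (loop) print "loopback"
            else print "none"
        }'
}

# lmtp_lockdown_rules: prints (does not apply) iptables and ip6tables rules
# that accept LMTP only on the loopback interface and drop it everywhere else.
# This is the "block the port" mitigation from the thread, covering both
# address families so a dual-stack bind stays usable from the local host.
lmtp_lockdown_rules() {
    for fw in iptables ip6tables; do
        echo "$fw -A INPUT -p tcp --dport $LMTP_PORT -i lo -j ACCEPT"
        echo "$fw -A INPUT -p tcp --dport $LMTP_PORT -j DROP"
    done
}

# Run with --check to inspect the live system; --sample uses the embedded data.
case "${1:-}" in
    --check)
        echo "LMTP bind scope: $(ss -ltnH | lmtp_bind_scope)"
        echo "Suggested rules:"
        lmtp_lockdown_rules
        ;;
    --sample)
        echo "LMTP bind scope (sample): $(printf '%s\n' "$SAMPLE_SS" | lmtp_bind_scope)"
        lmtp_lockdown_rules
        ;;
esac
```

        Run it as `sh lmtp_check.sh --check` on the mail host; a result of `wildcard` means the listener matches the default described above, and the printed rules are the iptables form of the mitigation Felix mentions (review them against your existing chain ordering before applying, since a pre-existing ACCEPT rule earlier in INPUT would take precedence).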

        • Gerald @fbartels

          @fbartels
          Thanks for the quick reply and the explanation. I guess I really should have noticed this in the changelog.
          Any new user coming to Kopano does, however, not have a chance to notice it in the old changelogs.

          Perhaps you could include your excellent explanation in future dagent.cfg config files? Then at least anyone configuring it will be aware of the implications. I don’t think there is a warning anywhere else (like in the Kopano Administrators manual)…
