Kopano - insecure default dagent (LMTP) configuration? Binds to all IPs.
The default configuration file dagent.cfg contains the following (view on stash.kopano.io) default configuration:
# binding address for LMTP daemon # change to the empty string if you require connections on other addresses #server_bind =
I’m no expert in this, but as far as I understand the LMTP daemon does not require any authentication.
So by default it binds to all interfaces and therefor if your Kopano Server is on a public IP anyone can deliver mail using port 2003!
(even if not on a public IP, all LAN devices can deliver mail on Port 2003)
Perhaps i misunderstand the implications, but this does not look like a good default configuration to me. Also the description of the setting sounds more like “server_bind = 127.0.01” should follow, without the “#”. Otherwise “change to the empty string” does not make any sense because this is already the default.
Hello @Gerald ,
the Zarafa 7.2.2 release announcement had the following on this matter:
To facilitate use of IPv6 on a single socket, zarafa-dagent no longer binds to the IPv4-only 127.0.0.1 by default. It is advised to review your firewall settings and perhaps block port 2003 if applicable.
So if you are running ipv4 only its indeed the easiest to bind to 127.0.0.1, but in mixed environments you cannot bind to two interfaces at the same time, therefore the recommendation to block the port with iptables or similar.
And yes, if you open up the port to the network any service speaking lmtp would be able to deliver mails to you local users, but not relay them to a different service (so no open relay situation or similar).
Thanks for the quick reply and the explanation. I guess I really should have noticed this in the changelog.
Any new user coming to kopano does however not have a chance to notice it in the old changelogs.
Perhaps you could include your excellent explanation in future dagent.cfg config files? Then at least anyone configuring it will be aware of the implications. I don’t think there is a warning anywhere else (like in the Kopano Administrators manual)…