Posted by RvdH under hMailserver  on Apr 24 2015

By default, hMailServer allows any authenticated user to send email messages from any account, which can be a security risk, especially if someone's account password is compromised or hijacked and spammers are abusing your mail server. Below you'll find three scripts that can be placed in hMailServer's EventHandlers.vbs. They are alternatives: each one defines the same OnSMTPData handler, so use only one of them.

The first one only allows messages from the authenticated user's domain, e.g. if the username is info@domain.com, it is also allowed to send messages from postmaster@domain.com

Limitation(s):

  • No domain alias or account alias checking

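Sub OnSMTPData(oClient, oMessage)
' Rejects mail from an authenticated session when the domain of the sender
' address differs from the domain of the authenticated account.
'
' oClient  - session object; Username is empty for unauthenticated sessions,
'            which this handler leaves untouched.
' oMessage - message object; only FromAddress is inspected.
'
' NOTE(review): FromAddress is presumably the SMTP envelope sender (MAIL FROM).
' The From: header inside the message is not compared here, so it can still
' differ from the authenticated account - confirm against the hMailServer
' object reference if header spoofing matters to you.
' NOTE(review): an authenticated session with an empty sender address is not
' checked at all (same as the original condition).
	On Error Resume Next
	If oClient.Username <> "" And oMessage.FromAddress <> "" Then
		Dim authemail, fromemail, atAuth, atFrom
		authemail = ""
		fromemail = ""
		' Take everything after the LAST "@". Unlike Split(...)(1) this never
		' raises for an address without "@", so the decision below does not
		' depend on a swallowed run-time error.
		atAuth = InStrRev(oClient.Username, "@")
		atFrom = InStrRev(oMessage.FromAddress, "@")
		If atAuth > 0 Then authemail = Mid(oClient.Username, atAuth + 1)
		If atFrom > 0 Then fromemail = Mid(oMessage.FromAddress, atFrom + 1)
		' Fail closed: a missing domain on either side counts as a mismatch,
		' otherwise two domain-less values would compare equal and pass.
		If authemail = "" Or fromemail = "" Or LCase(authemail) <> LCase(fromemail) Then
			Result.Value = 2
			Result.Message = "BLOCKED: You are only allowed to send from your own domain." 
			EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not using authenticated user domain, eg: " & authemail)
		End If	
	End If
	' Any run-time error above means the check did not complete; reject rather
	' than let the message through unchecked, and leave a trace for the admin.
	If Err.Number <> 0 Then
		Result.Value = 2
		Result.Message = "BLOCKED: Sender verification failed."
		EventLog.Write("ERROR: Sender domain check failed for authenticated user: " & oClient.Username & " (" & Err.Number & ": " & Err.Description & ")")
	End If
	Err.Clear
	On Error GoTo 0
End Sub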

The second one only allows messages from the authenticated user's own address, e.g. if the username is info@domain.com, it is only allowed to send messages from info@domain.com

Limitation(s):
  • No domain alias or account alias checking

Sub OnSMTPData(oClient, oMessage)
' Rejects any message whose sender address is not exactly the address of the
' authenticated account (case-insensitive comparison).
' Sessions without a username (not authenticated) are left untouched.
' An authenticated session with an empty sender address is rejected as well,
' because "" never equals the username.
'
' NOTE(review): FromAddress is presumably the SMTP envelope sender (MAIL FROM);
' the From: header inside the message is not compared here - confirm against
' the hMailServer object reference if header spoofing matters to you.
	On Error Resume Next
	Dim senderMismatch
	senderMismatch = False
	If oClient.Username <> "" Then
		senderMismatch = (LCase(oClient.Username) <> LCase(oMessage.FromAddress))
	End If
	If senderMismatch Then
		' Reject, tell the client why, and record the attempt in the event log.
		Result.Value = 2
		Result.Message = "BLOCKED: You are only allowed to send from your own account."
		EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not is authenticated user , eg: " & oClient.Username)
	End If
	Err.Clear
	On error goto 0
End Sub

The third script is the most advanced one: it also checks for domain aliases and account aliases

Limitation(s):
  • You cannot send e-mail from an alias of another alias that is linked to your account

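Sub OnSMTPData(oClient, oMessage)
' Rejects mail from an authenticated session unless the sender address is the
' authenticated account itself, the same mailbox on one of its domain aliases,
' or an active account alias that points at the authenticated account.
' Sessions without a username (not authenticated) are left untouched.
'
' The alias lookup runs in SenderIsAccountOrAlias. If that lookup raises a
' run-time error (COM object unavailable, wrong Administrator password,
' unknown domain, ...) the message is REJECTED. With a blanket
' "On Error Resume Next" around the lookup, a failing "If" condition falls
' through into its Then branch, which marked the alias as found and let the
' message pass unchecked.
'
' NOTE(review): FromAddress is presumably the SMTP envelope sender (MAIL FROM);
' the From: header inside the message is not compared here - confirm against
' the hMailServer object reference if header spoofing matters to you.
	If oClient.Username = "" Then Exit Sub
	If LCase(oClient.Username) = LCase(oMessage.FromAddress) Then Exit Sub

	Dim Allowed, LookupError
	Allowed = False
	LookupError = ""

	' Errors raised inside the helper surface here; Allowed then keeps its
	' default of False, so an incomplete check can never approve a sender.
	On Error Resume Next
	Allowed = SenderIsAccountOrAlias(oClient.Username, oMessage.FromAddress)
	If Err.Number <> 0 Then
		LookupError = Err.Number & ": " & Err.Description
		Allowed = False
	End If
	Err.Clear
	On Error GoTo 0

	If LookupError <> "" Then
		Result.Value = 2
		Result.Message = "BLOCKED: Sender verification failed."
		EventLog.Write("ERROR: Alias check failed for authenticated user: " & oClient.Username & " FROM address: " & oMessage.FromAddress & " (" & LookupError & ")")
	ElseIf Not Allowed Then
		Result.Value = 2
		Result.Message = "BLOCKED: You are only allowed to send from your own account or any of its aliases."
		EventLog.Write("BLOCKED: Message from authenticated user: " & oClient.Username & " blocked because FROM address: " & oMessage.FromAddress & " not is authenticated user or alias , eg: " & oClient.Username)
	End If
End Sub

Function SenderIsAccountOrAlias(StrUsername, StrFromEnvelope)
' Returns True when StrFromEnvelope is StrUsername on one of its domain
' aliases, or an active account alias whose value is StrUsername.
' Deliberately has no "On Error Resume Next": any failure propagates to the
' caller, which treats it as "not allowed".
	SenderIsAccountOrAlias = False

	' Split on the LAST "@"; an address without "@" can never match.
	Dim AtUser, AtFrom
	AtUser = InStrRev(StrUsername, "@")
	AtFrom = InStrRev(StrFromEnvelope, "@")
	If AtUser = 0 Or AtFrom = 0 Then Exit Function

	Dim StrClientDomain, StrFromDomain, StrFromAddress
	StrClientDomain = Mid(StrUsername, AtUser + 1)
	StrFromDomain = Mid(StrFromEnvelope, AtFrom + 1)

	' The Administrator password is stored in plain text in this script:
	' restrict read access to EventHandlers.vbs to the service account and
	' administrators, and keep the file out of backups/shares others can read.
	Dim obBaseApp
	Set obBaseApp = CreateObject("hMailServer.Application")
	Call obBaseApp.Authenticate("Administrator","***************") 'PUT YOUR PASSWORD HERE

	Dim obDomain
	Set obDomain = obBaseApp.Domains.ItemByName(StrClientDomain)

	Dim obAliases, obAlias, iAliases
	Dim DomainAliasFound : DomainAliasFound = False

	If LCase(StrClientDomain) <> LCase(StrFromDomain) Then
		' Sender uses another domain: it must be a domain alias of the
		' authenticated account's domain.
		Set obAliases = obDomain.DomainAliases
		For iAliases = 0 To (obAliases.Count - 1)
			Set obAlias = obAliases.Item(iAliases)
			If LCase(obAlias.AliasName) = LCase(StrFromDomain) Then
				DomainAliasFound = True
				Exit For
			End If
		Next
		If Not DomainAliasFound Then Exit Function
		' Map the sender onto the real domain before comparing further.
		StrFromAddress = Left(StrFromEnvelope, AtFrom - 1) + "@" + StrClientDomain
	Else
		StrFromAddress = StrFromEnvelope
	End If

	' Same mailbox reached through a domain alias.
	If LCase(StrUsername) = LCase(StrFromAddress) Then
		SenderIsAccountOrAlias = True
		Exit Function
	End If

	' Otherwise look for an active account alias that resolves directly to the
	' authenticated account (an alias of an alias is not followed).
	Set obAliases = obDomain.Aliases
	For iAliases = 0 To (obAliases.Count - 1)
		Set obAlias = obAliases.Item(iAliases)
		If (obAlias.Active) And (LCase(obAlias.Name) = LCase(StrFromAddress)) And (LCase(obAlias.Value) = LCase(StrUsername)) Then
			SenderIsAccountOrAlias = True
			Exit For
		End If
	Next
End Function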

Tagged VbScript  Hmailserver 