Simple and secure email server for scan-to-email function (w/o TLS/SSL)

ibds

Hi,

Two of my multifunction printers do not support TLS/SSL email encryption for the scan-to-email function.

However, since I don't want to send my scanned documents unprotected over the Internet, I am now looking for a solution to this problem.

One idea is to install a simple and secure email server in FreeNAS. Since printer and FreeNAS server are located in the same local network, the data could be sent to the local email server without encryption. Once the scans have been sent to the local email server, the following two options would be feasible for me:
  • retrieve emails only locally from the local email server
or (if possible and not too maintenance intensive)
  • forward the scanned documents from the local email server to a specific email address at an external email provider (via TLS/SSL).
The following questions arise:
  1. Can anyone recommend a simple and up-to-date (= secure) email server for FreeNAS (or in a jail or docker)?
  2. Is it at all possible to set up and operate such an email server safely as a non-expert? Only the emails from the printers in the local network should be received and - if possible - forwarded to a certain external email address.
Thanks in advance!
Dieter
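
An added example, not part of the original post and not any project's code: a sketch of the relay policy described above, where a local listener speaks plaintext SMTP only to the printers, accepts mail for one fixed recipient, and forwards over certificate-verified STARTTLS. The printer subnet, recipient address, smarthost and all function names are assumptions for illustration.

```python
import ipaddress
import smtplib
import ssl
# Assumed values for illustration; none of them come from the thread.
PRINTER_NET = ipaddress.ip_network("192.168.1.48/29")  # the printers' addresses
FORWARD_TO = "scans@example.net"                       # the one permitted recipient
SMARTHOST = ("smtp.example.net", 587)                  # provider's submission port

def allowed_peer(peer_ip):
    try:
        return ipaddress.ip_address(peer_ip) in PRINTER_NET
    except ValueError:
        return False

def session(peer_ip, client_lines):
    """Run one plaintext SMTP dialogue; return (replies, message bytes or None)."""
    if not allowed_peer(peer_ip):
        return ["554 relay access denied"], None
    replies, rcpt_ok, body, in_data = ["220 scanrelay ready"], False, [], False
    for line in client_lines:
        if in_data:
            if line == ".":                      # end of message
                replies.append("250 queued")
                return replies, "\r\n".join(body).encode()
            body.append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
            continue
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO", "MAIL FROM:")):
            replies.append("250 ok")             # STARTTLS is never advertised
        elif verb.startswith("RCPT TO:"):
            ok = line[8:].strip().strip("<>").lower() == FORWARD_TO
            rcpt_ok = rcpt_ok or ok
            replies.append("250 ok" if ok else "550 recipient not permitted")
        elif verb == "DATA":
            in_data = rcpt_ok
            replies.append("354 end with <CRLF>.<CRLF>" if rcpt_ok else "503 need RCPT first")
        elif verb == "QUIT":
            replies.append("221 bye")
            break
        else:
            replies.append("502 not implemented")
    return replies, None

def forward(raw, user, password):
    """Forward over STARTTLS with certificate checks; raises if STARTTLS is not offered."""
    with smtplib.SMTP(*SMARTHOST, timeout=30) as s:
        s.starttls(context=ssl.create_default_context())
        s.login(user, password)
        s.sendmail(user, [FORWARD_TO], raw)
```

Because the recipient is fixed at RCPT time and the peer is checked before the greeting, the listener cannot be used as an open relay even if another LAN host reaches port 25.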
 

Samuel Tai


ibds

Thanks, it sounds good and I will give it a try in the next days!
 

Patrick M. Hausen

Spin up a jail, Sendmail is included.
 

Andreas1202

Hello,
Can someone tell me how to install Sophos Intercept for Server on FreeNAS?
Is it possible?

Andreas
 

Patrick M. Hausen

Do you mean this product?

If yes, that only runs on Linux and Windows. You can of course deploy a Windows or Linux server in a VM on FreeNAS and then run the Sophos product on that.
 

Andreas1202

thx Patrick. :)

Yes, that is exactly what I mean.
However, if I run this in a VM, I don't secure the entire server with it, or?
 

Patrick M. Hausen

What's to secure with respect to antivirus on a Unix based NAS system? I thought that product was an email scan gateway or something like that.
Your FreeNAS will not care if you save an infected file from a Windows client to an SMB share, nor will the NAS be compromised or anything.

What precisely are you trying to achieve? "secure the server" is not specific enough ;)
 

Andreas1202

I have a QNAP so far and it is very vulnerable to attack.
Therefore, I considered switching to a FreeNAS system and then protecting it with the Sophos software (in conjunction with a Sophos firewall).
The software ensures that if a system is infected, it can no longer automatically communicate on the network. :smile:
 

Patrick M. Hausen

In which way is the QNAP vulnerable to attack? You do not open your NAS system to the Internet, do you? That would not be recommended with FreeNAS either.

Seriously ... a NAS system sitting behind a firewall or at least packet filtering router in a company or SOHO LAN. Windows and possibly Mac and Linux clients put files on it. Where is the attack surface?
 

Andreas1202

In which way is the QNAP vulnerable to attack? You do not open your NAS system to the Internet, do you? That would not be recommended with FreeNAS either.

Seriously ... a NAS system sitting behind a firewall or at least packet filtering router in a company or SOHO LAN. Windows and possibly Mac and Linux clients put files on it. Where is the attack surface?

I can't tell you that either; I just know that the NAS itself was already infected, even though it is behind a pfsense :smile:
As far as I understand, there are always security holes that are open at QNAP; I think that this will be the gateway for attacks.
 

Patrick M. Hausen

If the NAS cannot be reached from the "outside", how should it become infected? I don't count infected files saved on the NAS to that problem area or attack vector. What happened to your QNAP? Did someone install $malware for spam or bitcoin mining? These things have a really limited operating system so I wonder what "infected" in that context means.

I am a security professional @work so I can silence people by throwing things like "threat model" or "attack vector" at them ;) Seriously, I am really interested how and with what one would infect a rather dumb network storage. A pfsense in front of your net should in theory prohibit anyone from connecting to the NAS. So I can only imagine: malicious website -> desktop system -> NAS ... and well, then what?
 

Andreas1202

If the NAS cannot be reached from the "outside", how should it become infected? I don't count infected files saved on the NAS to that problem area or attack vector. What happened to your QNAP? Did someone install $malware for spam or bitcoin mining? These things have a really limited operating system so I wonder what "infected" in that context means.

I am a security professional @work so I can silence people by throwing things like "threat model" or "attack vector" at them ;) Seriously, I am really interested how and with what one would infect a rather dumb network storage. A pfsense in front of your net should in theory prohibit anyone from connecting to the NAS. So I can only imagine: malicious website -> desktop system -> NAS ... and well, then what?
Sorry, I only found it quickly in German.

QNAP is often a malware attack, I don't know how, but it happens more and more often.
It may already be in the firmware itself and will only be discovered much later.


Ahh, here in English.
 

Patrick M. Hausen

Die beste Schutzmaßnahme gegen QSnatch dürfte somit sein, NAS gar nicht erst über das Internet erreichbar zu machen.
Translation: The best preventive measure is probably not to make your NAS accessible over the Internet in the first place.

Exactly my reasoning. No communication, no attack.
 