Advice: Changes to QRIScloud instances relaying email via "smtp.uq.edu.au".


Following a couple of incidents in which hacked QRIScloud instances were used for SPAMing, UQ ITS has temporarily blocked all IP addresses in the Polaris public address range from connecting to the UQ SMTP service ("smtp.uq.edu.au").  The total block will be lifted in a day or so, but it will be replaced with the requirement (from UQ ITS) that SMTP connections are authenticated with a valid UQ account name and password.  Furthermore, email from is likely to be severely rate-limited.

UPDATE - 2017-03-20 - following recent incidents with hacked instances SPAMing, UQ ITS have reinstated the block.

If any of your QRIScloud instances currently use "smtp.uq.edu.au", then you will need to change the way you are sending email.  The options are as follows:

  • You can use a 3rd-party SMTP service (e.g. Google's "gmail") as your email relay. These services typically require connections to be authenticated using a username and password [1], but you can (and should) set up dedicated credentials for this [2].  This is our recommended option.
  • If you have UQ credentials, you could continue to use "smtp.uq.edu.au" as your email relay.  However, this entails configuring the application or the instance's email service to use your UQ credentials. Since UQ uses single-sign-on, this would put your primary UQ login at risk. (Your UQ password needs to be available in clear on the instance at the point that you contact the UQ mail server.)  This option is not recommended for that reason.
  • You could set your system up with full mail server capability.  This is complicated and would most likely be an effort sink.  We strongly discourage users from doing this, in part because of the possibility that you might cause our IP ranges to be blocked (or worse) for accidental spamming.

1 - Other mail service providers may allow you to use SSL client certificates instead of passwords, but Gmail doesn't support this.  However, client certificates don't provide a significant improvement compared with (for example) Google App passwords.

2 - For Gmail, we recommend that you use a Google App password specifically generated for this purpose. This gives you the option of revoking the password quickly if you suspect that it has been compromised; e.g. if your instance is hacked.
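
As an added illustration of the recommended option (not code from QRIScloud or UQ ITS), the sketch below relays a message through an authenticated third-party SMTP service using a dedicated app password kept in a file that only its owner can access. The Gmail submission endpoint `smtp.gmail.com:587`, the credential file path `/etc/mail-relay.cred`, its two-line layout and the sample addresses are assumptions made for the example.

```python
import os
import smtplib
import ssl
import stat
from email.message import EmailMessage

# Assumed values for illustration; none of these come from the original advice.
RELAY_HOST = "smtp.gmail.com"        # Gmail's mail submission host
RELAY_PORT = 587                     # submission port, upgraded with STARTTLS
CRED_FILE = "/etc/mail-relay.cred"   # hypothetical: line 1 username, line 2 app password


def load_relay_credentials(path=CRED_FILE):
    """Return (username, app_password), refusing files other users can access."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
    with open(path, encoding="utf-8") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    if len(lines) != 2:
        raise ValueError(f"{path} must hold two lines: username, app password")
    return lines[0], lines[1]


def build_message(sender, recipient, subject, body):
    """Build a plain-text message for submission to the relay."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_relay(msg, username, password, host=RELAY_HOST, port=RELAY_PORT):
    """Authenticate to the relay over verified TLS and submit one message."""
    context = ssl.create_default_context()   # verifies the relay's certificate
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=context)        # raises if the relay cannot upgrade
        smtp.login(username, password)        # credentials are sent only after TLS
        smtp.send_message(msg)


if __name__ == "__main__":
    user, app_password = load_relay_credentials()
    send_via_relay(build_message(user, "admin@example.org", "test", "relay works"),
                   user, app_password)
```

Because the file holds only a revocable app password, a compromised instance exposes the relay credential and not a primary login.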


Comments

  • Anthony Truskinger

    Hi - thanks for the notice. Is there any information on the date when authentication will be required for smtp.uq.edu.au?

  • Stephen Crawley

    Hi Anthony - we don't have a clear date from ITS, but it is likely to be "pretty soon".
