From: Erik Nørgaard <norgaard@locolomo.org>
Date: Sun, 24 Mar 2013 11:12:00 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Client Authentication
Message-ID: <514ED170.2090004@locolomo.org>

On 24/03/2013 05:22, Doug Hardie wrote:
> Basically, my outgoing mail server is being systematically attacked to try passwords looking for one that works.

Have you investigated to identify where these attacks originate from? Even if the IP is not fixed, they often belong to ranges assigned to a particular country or even a particular ISP.

AFAIK best practice is to use port 25 for relaying mail between the servers, hence your server should only allow incoming mail on this port. This does not require authentication. Users should connect to port 587 on your server to send mail. This of course requires authentication.
If your users are not mobile, then you can simply block port 587 for external connections. Even if you have mobile users you can likely make some safe assumptions about where they will connect from, for example only national connections.

> The situation is such that most of our users are older and their computer is a hand-me-down so they can talk to their grandchildren. Passwords are a great inconvenience for them and create numerous problems with remembering them even when they are simple.

So, I assume that each user has a PC or laptop for personal use only? Do you need mail passwords to be the same as computer or network passwords? If not, then help your users choose a strong mail password and enter it in the mail client's password manager. Writing down a password can actually be a better solution than bad passwords. If people have a private PC at home, it may even be acceptable to stick a post-it to the screen.

Consider implementing a password policy that is enforced by technical means, requiring regular change and a strength test before a new password is accepted. You may get heaps of user complaints with this though. But I think that users' aversion to good passwords is that they have no idea of how to pick one that is easy to remember yet hard to guess, and that they may have to authenticate many times with many different passwords throughout the day.

> This situation requires a technical solution.
> I have been investigating the use of client authentication through SSL.

With certificates you will likely encounter user problems as with passwords: You can install the certificates in the user's keychain, with or without password protection or protected by the system password. This may actually be OK if that requires physical access to the user's computer. Or you can use some card reader as you mention, but if users have problems managing a piece of paper with a password, how will they do with a card?
You will have to deal with lost cards instead of forgotten passwords. From the description of your users I don't think this is a solution. In either case, whenever a certificate expires you will have to update it and help install the new certificate, and it becomes a hassle if the user gets a new computer.

> Any ideas/suggestions on this will be appreciated. Thanks,

I think, given the users' abilities, the best option is to use port 587 for authenticated outgoing SMTP with STARTTLS and a server-side certificate. Restrict external access to port 587. Use the mail client's password manager to store the mail password and help users choose a strong password which will only be used once. Or, you can do away with the mail client and offer a web interface. Then mail can only be relayed for connections from localhost.

BR, Erik
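The reply above suggests first finding out which ranges the password-guessing traffic comes from, and separating the unauthenticated relay port (25) from the authenticated submission port (587). The script below is an added example, not code from the thread or from either poster: it takes mail-server log lines, counts SASL authentication failures per source address and per /24 (or /64) prefix, and flags clients that attempted AUTH on the plain port-25 service, which should not offer it at all. It assumes Postfix-style logging with the submission service given its own syslog_name (`postfix/submission/smtpd`); the log lines in `SAMPLE_LOG` are constructed for the example, and `summarise` and `pf_table_lines` are names chosen here.

```python
"""
Summarise SASL authentication failures from mail-server logs by source
address and prefix, so the ranges behind a password-guessing campaign
stand out.  Added example, not from the original mailing-list thread.
Assumption: the server logs like Postfix, with the submission service
logging under its own syslog_name ("postfix/submission/smtpd").
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (documentation addresses, not real data).
SAMPLE_LOG = """\
Mar 24 03:10:01 mx postfix/submission/smtpd[1201]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Mar 24 03:10:04 mx postfix/submission/smtpd[1201]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
Mar 24 03:10:09 mx postfix/submission/smtpd[1203]: warning: unknown[203.0.113.77]: SASL PLAIN authentication failed: authentication failure
Mar 24 03:11:30 mx postfix/submission/smtpd[1207]: warning: unknown[198.51.100.9]: SASL LOGIN authentication failed: authentication failure
Mar 24 03:12:02 mx postfix/smtpd[1210]: warning: unknown[203.0.113.90]: SASL LOGIN authentication failed: authentication failure
Mar 24 03:12:40 mx postfix/submission/smtpd[1212]: 0A1B2C3D4E: client=home.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=grandma
"""

# Matches the Postfix "SASL ... authentication failed" warning and captures
# the service name (smtpd vs submission/smtpd) and the client IP.
FAIL_RE = re.compile(
    r"postfix/(?P<service>[\w/]+?)\[\d+\]: warning: "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"
)


def parse_failures(log_text):
    """Yield (service, ip_address) for every SASL failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield m.group("service"), ip_address(m.group("ip"))


def summarise(log_text, threshold=2):
    """Count failures per source IP and per /24 (IPv4) or /64 (IPv6).

    Returns plain strings so the result can go straight into a pf table or
    an abuse report.  'auth_on_port_25' lists clients that tried SASL on the
    plain relay service, where AUTH should not even be offered.
    """
    per_ip, per_prefix, wrong_port = Counter(), Counter(), set()
    for service, ip in parse_failures(log_text):
        plen = 24 if ip.version == 4 else 64
        per_ip[str(ip)] += 1
        per_prefix[str(ip_network(f"{ip}/{plen}", strict=False))] += 1
        if not service.startswith("submission"):
            wrong_port.add(str(ip))
    return {
        "ips": [(ip, n) for ip, n in per_ip.most_common() if n >= threshold],
        "prefixes": [(net, n) for net, n in per_prefix.most_common() if n >= threshold],
        "auth_on_port_25": sorted(wrong_port),
    }


def pf_table_lines(summary):
    """Prefixes at or above the threshold, one per line, for a pf table file."""
    return [net for net, _ in summary["prefixes"]]


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for ip, n in result["ips"]:
        print(f"{n:4d} failures from {ip}")
    for net, n in result["prefixes"]:
        print(f"{n:4d} failures from prefix {net}")
    print("AUTH attempted on port 25 from:", ", ".join(result["auth_on_port_25"]))
    print("pf table entries:", pf_table_lines(result))
```

Run it against `/var/log/maillog` (`summarise(open("/var/log/maillog").read())`) with a higher threshold than the toy value of 2 used here. The prefix list can be loaded into pf with `table <smtp_bruteforce> persist file "/etc/pf.smtp_bruteforce"` and a rule such as `block in quick on $ext_if proto tcp from <smtp_bruteforce> to any port { 25, 587 }` (`$ext_if` is whatever your external-interface macro is named); the `auth_on_port_25` list is worth a look on its own, since any hit there means the port-25 service is advertising AUTH when, per the advice above, only port 587 should.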