Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 16 Mar 2008 00:18:12 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Doug Poland" <doug@polands.org>, <questions@freebsd.org>
Subject:   RE: Best practice:  sendmail and SMTP auth
Message-ID:  <BMEDLGAENEKCJFGODFOCGEHOCFAA.tedm@toybox.placo.com>
In-Reply-To: <9587.208.49.58.254.1205349581.squirrel@email.polands.org>

next in thread | previous in thread | raw e-mail | index | archive | help


> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Doug Poland
> Sent: Wednesday, March 12, 2008 11:20 AM
> To: questions@freebsd.org
> Subject: Best practice: sendmail and SMTP auth
> 
> 
> Hello,
> 
> Not sure if this is the most appropriate place for this question, but
> since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
> 
> I am considering setting up SMTP auth on a number of sendmail
> instances that I control.  After much googling and reading, it is not
> clear to me that a server with SMTP auth configured/enabled can relay
> mail in both auth and non-auth modes.
> 

Some of the explanations posted have been Rube Goldberg in the
extreme, greatly complicating what should have been a very simple
response.

A standard FreeBSD server determines relaying through use of the
access.db file, as you probably already are aware.

If you add in SMTP-auth then the ONLY change is that any client
that authenticates in, is exempted from checking the access.db
file - by default, they are allowed to relay.

It is not necessary to turn on an encrypted channel for SMTP-auth.
In fact, the most popular mail clients under Windows - Outlook,
only support NTLM encryption on authentication which REQUIRES
that the password be in cleartext on the mailserver.  OR, you 
can use SSL encryption for Outlook - however it will require a
(costly) commerically-rooted certificate on the server to do SSL
or your mail clients won't encrypt without a lot of nasty mucking
around on the user's side to install a self-signed root cert in their
clients.

As for 587, by default sendmail will allow auth on either port 25
or 587 and will allow non-encrypted auth on port 587.

The fact of the matter is that the most secure way of running
a production setup is to use a completely separate mailserver
for AUTH-smtp and to use DIFFERENT userID's/passwords on that server
than on the primary mailserver.  That way spammers that discover
the users e-mail address (which for most ISP's is the same as
the userID account) cannot launch dictionary attacks against the
SMTP-auth server.  And, attackers that sniff a cleartext password
on the SMTP-auth channel cannot use that userID 
to spam the mailserver.

Ted



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BMEDLGAENEKCJFGODFOCGEHOCFAA.tedm>