Date: Sun, 16 Mar 2008 00:18:12 -0800 From: "Ted Mittelstaedt" <tedm@toybox.placo.com> To: "Doug Poland" <doug@polands.org>, <questions@freebsd.org> Subject: RE: Best practice: sendmail and SMTP auth Message-ID: <BMEDLGAENEKCJFGODFOCGEHOCFAA.tedm@toybox.placo.com> In-Reply-To: <9587.208.49.58.254.1205349581.squirrel@email.polands.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> -----Original Message----- > From: owner-freebsd-questions@freebsd.org > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Doug Poland > Sent: Wednesday, March 12, 2008 11:20 AM > To: questions@freebsd.org > Subject: Best practice: sendmail and SMTP auth > > > Hello, > > Not sure if this is the most appropriate place for this question, but > since all my servers are FreeBSD 6.x/7.x, I'll give it a go... > > I am considering setting up SMTP auth on a number of sendmail > instances that I control. After much googling and reading, it is not > clear to me that a server with SMTP auth configured/enabled can relay > mail in both auth and non-auth modes. > Some of the explanations posted have been Rube Goldberg in the extreme, greatly complicating what should have been a very simple response. A standard FreeBSD server determines relaying through use of the access.db file, as you probably already are aware. If you add in SMTP-auth then the ONLY change is that any client that authenticates in, is exempted from checking the access.db file - by default, they are allowed to relay. It is not necessary to turn on an encrypted channel for SMTP-auth. In fact, the most popular mail clients under Windows - Outlook, only support NTLM encryption on authentication which REQUIRES that the password be in cleartext on the mailserver. OR, you can use SSL encryption for Outlook - however it will require a (costly) commerically-rooted certificate on the server to do SSL or your mail clients won't encrypt without a lot of nasty mucking around on the user's side to install a self-signed root cert in their clients. As for 587, by default sendmail will allow auth on either port 25 or 587 and will allow non-encrypted auth on port 587. The fact of the matter is that the most secure way of running a production setup is to use a completely separate mailserver for AUTH-smtp and to use DIFFERENT userID's/passwords on that server than on the primary mailserver. That way spammers that discover the users e-mail address (which for most ISP's is the same as the userID account) cannot launch dictionary attacks against the SMTP-auth server. And, attackers that sniff a cleartext password on the SMTP-auth channel cannot use that userID to spam the mailserver. Ted
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BMEDLGAENEKCJFGODFOCGEHOCFAA.tedm>